Edit tour

Windows Analysis Report
UV0zBp62hW.dll

Overview

General Information

Sample name:	UV0zBp62hW.dll renamed because original name is a hash value
Original sample name:	8f8708b1decd1d3fd40d224ce8a68fa09b8ffc29.dll
Analysis ID:	1578322
MD5:	a8c86e45545ee01024abeafb9b21c72f
SHA1:	8f8708b1decd1d3fd40d224ce8a68fa09b8ffc29
SHA256:	649fb2d4763c3125492a886f3d9da2870ccc37444a841a7780ee6633798eb93d
Tags:	dlluser-NDA0E
Infos:

Detection

Virut

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Virut

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Creates files in the system32 config directory

Found evasive API chain (may stop execution after checking mutex)

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Tries to evade debugger and weak emulator (self modifying code)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7300 cmdline: loaddll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7376 cmdline: rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

hrlBCB3.tmp (PID: 7408 cmdline: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp MD5: 0BD4AE2BDF462F97DD03D6218A741789)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 4468 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 752 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1176 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

rundll32.exe (PID: 7360 cmdline: rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDllInitialize MD5: 889B99C52A60DD49227C5E485A016679)

hrlBCA3.tmp (PID: 7400 cmdline: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp MD5: 0BD4AE2BDF462F97DD03D6218A741789)

WerFault.exe (PID: 7496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 380 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7600 cmdline: rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDrawTextEx MD5: 889B99C52A60DD49227C5E485A016679)

hrlC86B.tmp (PID: 7616 cmdline: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp MD5: 0BD4AE2BDF462F97DD03D6218A741789)

fontdrvhost.exe (PID: 776 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

fontdrvhost.exe (PID: 784 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

svchost.exe (PID: 872 cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

rundll32.exe (PID: 7700 cmdline: rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkEditControl MD5: 889B99C52A60DD49227C5E485A016679)

hrlD452.tmp (PID: 7716 cmdline: C:\Users\user\AppData\Local\Temp\hrlD452.tmp MD5: 0BD4AE2BDF462F97DD03D6218A741789)

WerFault.exe (PID: 7756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 380 MD5: C31336C1EFC2CCB44B4326EA793040F2)

hrlDFFA.tmp (PID: 7876 cmdline: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp MD5: 0BD4AE2BDF462F97DD03D6218A741789)

WerFault.exe (PID: 7940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 380 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Virut		No Attribution	https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/ https://chrisdietri.ch/post/virut-resurrects/ https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/ https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/ https://www.mandiant.com/resources/pe-file-infecting-malware-ot	https://malpedia.caad.fkie.fraunhofer.de/details/win.virut

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
UV0zBp62hW.dll	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x9153:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
UV0zBp62hW.dll	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x73b8:$xc2: GET ^&&%$%$^ 0x73e9:$xc2: GET ^&&%$%$^ 0x741a:$xc2: GET ^&&%$%$^ 0x744b:$xc2: GET ^&&%$%$^ 0x747c:$xc2: GET ^&&%$%$^ 0x74ad:$xc2: GET ^&&%$%$^ 0x74de:$xc2: GET ^&&%$%$^ 0x750f:$xc2: GET ^&&%$%$^ 0x7540:$xc2: GET ^&&%$%$^ 0x7571:$xc2: GET ^&&%$%$^ 0x75a2:$xc2: GET ^&&%$%$^ 0x75d3:$xc2: GET ^&&%$%$^ 0x7604:$xc2: GET ^&&%$%$^ 0x7635:$xc2: GET ^&&%$%$^ 0x7666:$xc2: GET ^&&%$%$^ 0x7697:$xc2: GET ^&&%$%$^ 0x76c8:$xc2: GET ^&&%$%$^ 0x76f9:$xc2: GET ^&&%$%$^ 0x772a:$xc2: GET ^&&%$%$^ 0x775b:$xc2: GET ^&&%$%$^ 0x73e5:$n1: .htmGET

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
C:\Users\user\AppData\Local\Temp\hrlD452.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrlD452.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000008.00000000.1833082714.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000028.00000002.3074948867.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000012.00000002.3075291406.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000022.00000002.3075976845.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000010.00000002.3074778934.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000014.00000002.3074791213.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000B.00000002.3075563324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000017.00000002.3075681181.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000005.00000002.2136560000.000000007FE30000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001E.00000002.3075099086.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000008.00000002.3075450654.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000016.00000002.3075369973.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.2051509578.000000007FE30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000015.00000000.1874806385.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000013.00000002.3075100920.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000B.00000000.1840981002.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001E.00000000.1921150104.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000027.00000002.3076284976.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000002.3074704354.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000016.00000000.1877415236.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000017.00000000.1890975257.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000025.00000002.3075481202.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000023.00000002.3075101490.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000023.00000000.1938547190.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000027.00000000.1963882445.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000013.00000000.1871949899.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000022.00000000.1935460960.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000026.00000002.3075568717.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000D.00000002.3074777533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000D.00000000.1860100553.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000029.00000002.3075257509.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001D.00000002.3075099305.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000029.00000000.1974078167.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000C.00000002.3075918696.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000024.00000002.3075427157.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001D.00000000.1900998061.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001C.00000000.1894430516.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001C.00000002.3074742466.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000015.00000002.3074679188.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: hrlBCA3.tmp PID: 7400	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: hrlBCB3.tmp PID: 7408	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: winlogon.exe PID: 552	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: lsass.exe PID: 628	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 4468	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 752	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: fontdrvhost.exe PID: 776	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: fontdrvhost.exe PID: 784	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 872	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 920	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: dwm.exe PID: 988	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 364	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 356	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 696	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 592	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1044	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1084	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1176	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1200	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1252	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1296	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1316	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1408	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1488	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1496	JoeSecurity_Virut	Yara detected Virut	Joe Security
Click to see the 61 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.loaddll32.exe.10004094.1.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4d24:$xc2: GET ^&&%$%$^ 0x4d55:$xc2: GET ^&&%$%$^ 0x4d86:$xc2: GET ^&&%$%$^ 0x4db7:$xc2: GET ^&&%$%$^ 0x4de8:$xc2: GET ^&&%$%$^ 0x4e19:$xc2: GET ^&&%$%$^ 0x4e4a:$xc2: GET ^&&%$%$^ 0x4e7b:$xc2: GET ^&&%$%$^ 0x4eac:$xc2: GET ^&&%$%$^ 0x4edd:$xc2: GET ^&&%$%$^ 0x4f0e:$xc2: GET ^&&%$%$^ 0x4f3f:$xc2: GET ^&&%$%$^ 0x4f70:$xc2: GET ^&&%$%$^ 0x4fa1:$xc2: GET ^&&%$%$^ 0x4fd2:$xc2: GET ^&&%$%$^ 0x5003:$xc2: GET ^&&%$%$^ 0x5034:$xc2: GET ^&&%$%$^ 0x5065:$xc2: GET ^&&%$%$^ 0x5096:$xc2: GET ^&&%$%$^ 0x50c7:$xc2: GET ^&&%$%$^ 0x4d51:$n1: .htmGET
14.2.rundll32.exe.10004094.1.raw.unpack	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x7497:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x7534:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x713f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x72a7:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x7008:$s1: \Program Files\Internet Explorer\iexplore.exe 0x6ed0:$s2: %c%c%c%c%c%c.exe 0x7107:$s5: Accept-Language: zh-cn 0x726f:$s5: Accept-Language: zh-cn 0x7687:$s5: Accept-Language: zh-cn
14.2.rundll32.exe.10004094.1.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
14.2.rundll32.exe.10004094.1.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
15.0.hrlC86B.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
15.0.hrlC86B.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
0.2.loaddll32.exe.10004094.1.raw.unpack	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x7497:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x7534:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x713f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x72a7:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x7008:$s1: \Program Files\Internet Explorer\iexplore.exe 0x6ed0:$s2: %c%c%c%c%c%c.exe 0x7107:$s5: Accept-Language: zh-cn 0x726f:$s5: Accept-Language: zh-cn 0x7687:$s5: Accept-Language: zh-cn
0.2.loaddll32.exe.10004094.1.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
0.2.loaddll32.exe.10004094.1.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
5.0.hrlBCA3.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
5.0.hrlBCA3.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
0.2.loaddll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x93f3:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
0.2.loaddll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7658:$xc2: GET ^&&%$%$^ 0x7689:$xc2: GET ^&&%$%$^ 0x76ba:$xc2: GET ^&&%$%$^ 0x76eb:$xc2: GET ^&&%$%$^ 0x771c:$xc2: GET ^&&%$%$^ 0x774d:$xc2: GET ^&&%$%$^ 0x777e:$xc2: GET ^&&%$%$^ 0x77af:$xc2: GET ^&&%$%$^ 0x77e0:$xc2: GET ^&&%$%$^ 0x7811:$xc2: GET ^&&%$%$^ 0x7842:$xc2: GET ^&&%$%$^ 0x7873:$xc2: GET ^&&%$%$^ 0x78a4:$xc2: GET ^&&%$%$^ 0x78d5:$xc2: GET ^&&%$%$^ 0x7906:$xc2: GET ^&&%$%$^ 0x7937:$xc2: GET ^&&%$%$^ 0x7968:$xc2: GET ^&&%$%$^ 0x7999:$xc2: GET ^&&%$%$^ 0x79ca:$xc2: GET ^&&%$%$^ 0x79fb:$xc2: GET ^&&%$%$^ 0x7685:$n1: .htmGET
24.2.rundll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x93f3:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
24.2.rundll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7658:$xc2: GET ^&&%$%$^ 0x7689:$xc2: GET ^&&%$%$^ 0x76ba:$xc2: GET ^&&%$%$^ 0x76eb:$xc2: GET ^&&%$%$^ 0x771c:$xc2: GET ^&&%$%$^ 0x774d:$xc2: GET ^&&%$%$^ 0x777e:$xc2: GET ^&&%$%$^ 0x77af:$xc2: GET ^&&%$%$^ 0x77e0:$xc2: GET ^&&%$%$^ 0x7811:$xc2: GET ^&&%$%$^ 0x7842:$xc2: GET ^&&%$%$^ 0x7873:$xc2: GET ^&&%$%$^ 0x78a4:$xc2: GET ^&&%$%$^ 0x78d5:$xc2: GET ^&&%$%$^ 0x7906:$xc2: GET ^&&%$%$^ 0x7937:$xc2: GET ^&&%$%$^ 0x7968:$xc2: GET ^&&%$%$^ 0x7999:$xc2: GET ^&&%$%$^ 0x79ca:$xc2: GET ^&&%$%$^ 0x79fb:$xc2: GET ^&&%$%$^ 0x7685:$n1: .htmGET
25.2.hrlD452.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
25.2.hrlD452.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
4.2.rundll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x93f3:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
4.2.rundll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7658:$xc2: GET ^&&%$%$^ 0x7689:$xc2: GET ^&&%$%$^ 0x76ba:$xc2: GET ^&&%$%$^ 0x76eb:$xc2: GET ^&&%$%$^ 0x771c:$xc2: GET ^&&%$%$^ 0x774d:$xc2: GET ^&&%$%$^ 0x777e:$xc2: GET ^&&%$%$^ 0x77af:$xc2: GET ^&&%$%$^ 0x77e0:$xc2: GET ^&&%$%$^ 0x7811:$xc2: GET ^&&%$%$^ 0x7842:$xc2: GET ^&&%$%$^ 0x7873:$xc2: GET ^&&%$%$^ 0x78a4:$xc2: GET ^&&%$%$^ 0x78d5:$xc2: GET ^&&%$%$^ 0x7906:$xc2: GET ^&&%$%$^ 0x7937:$xc2: GET ^&&%$%$^ 0x7968:$xc2: GET ^&&%$%$^ 0x7999:$xc2: GET ^&&%$%$^ 0x79ca:$xc2: GET ^&&%$%$^ 0x79fb:$xc2: GET ^&&%$%$^ 0x7685:$n1: .htmGET
4.2.rundll32.exe.10004094.2.raw.unpack	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x7497:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x7534:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x713f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x72a7:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x7008:$s1: \Program Files\Internet Explorer\iexplore.exe 0x6ed0:$s2: %c%c%c%c%c%c.exe 0x7107:$s5: Accept-Language: zh-cn 0x726f:$s5: Accept-Language: zh-cn 0x7687:$s5: Accept-Language: zh-cn
4.2.rundll32.exe.10004094.2.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
4.2.rundll32.exe.10004094.2.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
15.2.hrlC86B.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
15.2.hrlC86B.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
3.2.rundll32.exe.10004094.1.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4d24:$xc2: GET ^&&%$%$^ 0x4d55:$xc2: GET ^&&%$%$^ 0x4d86:$xc2: GET ^&&%$%$^ 0x4db7:$xc2: GET ^&&%$%$^ 0x4de8:$xc2: GET ^&&%$%$^ 0x4e19:$xc2: GET ^&&%$%$^ 0x4e4a:$xc2: GET ^&&%$%$^ 0x4e7b:$xc2: GET ^&&%$%$^ 0x4eac:$xc2: GET ^&&%$%$^ 0x4edd:$xc2: GET ^&&%$%$^ 0x4f0e:$xc2: GET ^&&%$%$^ 0x4f3f:$xc2: GET ^&&%$%$^ 0x4f70:$xc2: GET ^&&%$%$^ 0x4fa1:$xc2: GET ^&&%$%$^ 0x4fd2:$xc2: GET ^&&%$%$^ 0x5003:$xc2: GET ^&&%$%$^ 0x5034:$xc2: GET ^&&%$%$^ 0x5065:$xc2: GET ^&&%$%$^ 0x5096:$xc2: GET ^&&%$%$^ 0x50c7:$xc2: GET ^&&%$%$^ 0x4d51:$n1: .htmGET
14.2.rundll32.exe.10004094.1.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4d24:$xc2: GET ^&&%$%$^ 0x4d55:$xc2: GET ^&&%$%$^ 0x4d86:$xc2: GET ^&&%$%$^ 0x4db7:$xc2: GET ^&&%$%$^ 0x4de8:$xc2: GET ^&&%$%$^ 0x4e19:$xc2: GET ^&&%$%$^ 0x4e4a:$xc2: GET ^&&%$%$^ 0x4e7b:$xc2: GET ^&&%$%$^ 0x4eac:$xc2: GET ^&&%$%$^ 0x4edd:$xc2: GET ^&&%$%$^ 0x4f0e:$xc2: GET ^&&%$%$^ 0x4f3f:$xc2: GET ^&&%$%$^ 0x4f70:$xc2: GET ^&&%$%$^ 0x4fa1:$xc2: GET ^&&%$%$^ 0x4fd2:$xc2: GET ^&&%$%$^ 0x5003:$xc2: GET ^&&%$%$^ 0x5034:$xc2: GET ^&&%$%$^ 0x5065:$xc2: GET ^&&%$%$^ 0x5096:$xc2: GET ^&&%$%$^ 0x50c7:$xc2: GET ^&&%$%$^ 0x4d51:$n1: .htmGET
31.0.hrlDFFA.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
31.0.hrlDFFA.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
4.2.rundll32.exe.10004094.2.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4d24:$xc2: GET ^&&%$%$^ 0x4d55:$xc2: GET ^&&%$%$^ 0x4d86:$xc2: GET ^&&%$%$^ 0x4db7:$xc2: GET ^&&%$%$^ 0x4de8:$xc2: GET ^&&%$%$^ 0x4e19:$xc2: GET ^&&%$%$^ 0x4e4a:$xc2: GET ^&&%$%$^ 0x4e7b:$xc2: GET ^&&%$%$^ 0x4eac:$xc2: GET ^&&%$%$^ 0x4edd:$xc2: GET ^&&%$%$^ 0x4f0e:$xc2: GET ^&&%$%$^ 0x4f3f:$xc2: GET ^&&%$%$^ 0x4f70:$xc2: GET ^&&%$%$^ 0x4fa1:$xc2: GET ^&&%$%$^ 0x4fd2:$xc2: GET ^&&%$%$^ 0x5003:$xc2: GET ^&&%$%$^ 0x5034:$xc2: GET ^&&%$%$^ 0x5065:$xc2: GET ^&&%$%$^ 0x5096:$xc2: GET ^&&%$%$^ 0x50c7:$xc2: GET ^&&%$%$^ 0x4d51:$n1: .htmGET
3.2.rundll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x93f3:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
3.2.rundll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7658:$xc2: GET ^&&%$%$^ 0x7689:$xc2: GET ^&&%$%$^ 0x76ba:$xc2: GET ^&&%$%$^ 0x76eb:$xc2: GET ^&&%$%$^ 0x771c:$xc2: GET ^&&%$%$^ 0x774d:$xc2: GET ^&&%$%$^ 0x777e:$xc2: GET ^&&%$%$^ 0x77af:$xc2: GET ^&&%$%$^ 0x77e0:$xc2: GET ^&&%$%$^ 0x7811:$xc2: GET ^&&%$%$^ 0x7842:$xc2: GET ^&&%$%$^ 0x7873:$xc2: GET ^&&%$%$^ 0x78a4:$xc2: GET ^&&%$%$^ 0x78d5:$xc2: GET ^&&%$%$^ 0x7906:$xc2: GET ^&&%$%$^ 0x7937:$xc2: GET ^&&%$%$^ 0x7968:$xc2: GET ^&&%$%$^ 0x7999:$xc2: GET ^&&%$%$^ 0x79ca:$xc2: GET ^&&%$%$^ 0x79fb:$xc2: GET ^&&%$%$^ 0x7685:$n1: .htmGET
6.2.hrlBCB3.tmp.400000.0.unpack	JoeSecurity_Virut	Yara detected Virut	Joe Security
6.2.hrlBCB3.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
6.2.hrlBCB3.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
24.2.rundll32.exe.10004094.1.raw.unpack	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x7497:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x7534:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x713f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x72a7:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x7008:$s1: \Program Files\Internet Explorer\iexplore.exe 0x6ed0:$s2: %c%c%c%c%c%c.exe 0x7107:$s5: Accept-Language: zh-cn 0x726f:$s5: Accept-Language: zh-cn 0x7687:$s5: Accept-Language: zh-cn
24.2.rundll32.exe.10004094.1.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
24.2.rundll32.exe.10004094.1.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
14.2.rundll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x93f3:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
14.2.rundll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7658:$xc2: GET ^&&%$%$^ 0x7689:$xc2: GET ^&&%$%$^ 0x76ba:$xc2: GET ^&&%$%$^ 0x76eb:$xc2: GET ^&&%$%$^ 0x771c:$xc2: GET ^&&%$%$^ 0x774d:$xc2: GET ^&&%$%$^ 0x777e:$xc2: GET ^&&%$%$^ 0x77af:$xc2: GET ^&&%$%$^ 0x77e0:$xc2: GET ^&&%$%$^ 0x7811:$xc2: GET ^&&%$%$^ 0x7842:$xc2: GET ^&&%$%$^ 0x7873:$xc2: GET ^&&%$%$^ 0x78a4:$xc2: GET ^&&%$%$^ 0x78d5:$xc2: GET ^&&%$%$^ 0x7906:$xc2: GET ^&&%$%$^ 0x7937:$xc2: GET ^&&%$%$^ 0x7968:$xc2: GET ^&&%$%$^ 0x7999:$xc2: GET ^&&%$%$^ 0x79ca:$xc2: GET ^&&%$%$^ 0x79fb:$xc2: GET ^&&%$%$^ 0x7685:$n1: .htmGET
24.2.rundll32.exe.10004094.1.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4d24:$xc2: GET ^&&%$%$^ 0x4d55:$xc2: GET ^&&%$%$^ 0x4d86:$xc2: GET ^&&%$%$^ 0x4db7:$xc2: GET ^&&%$%$^ 0x4de8:$xc2: GET ^&&%$%$^ 0x4e19:$xc2: GET ^&&%$%$^ 0x4e4a:$xc2: GET ^&&%$%$^ 0x4e7b:$xc2: GET ^&&%$%$^ 0x4eac:$xc2: GET ^&&%$%$^ 0x4edd:$xc2: GET ^&&%$%$^ 0x4f0e:$xc2: GET ^&&%$%$^ 0x4f3f:$xc2: GET ^&&%$%$^ 0x4f70:$xc2: GET ^&&%$%$^ 0x4fa1:$xc2: GET ^&&%$%$^ 0x4fd2:$xc2: GET ^&&%$%$^ 0x5003:$xc2: GET ^&&%$%$^ 0x5034:$xc2: GET ^&&%$%$^ 0x5065:$xc2: GET ^&&%$%$^ 0x5096:$xc2: GET ^&&%$%$^ 0x50c7:$xc2: GET ^&&%$%$^ 0x4d51:$n1: .htmGET
31.2.hrlDFFA.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
31.2.hrlDFFA.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
3.2.rundll32.exe.10004094.1.raw.unpack	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x7497:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x7534:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x713f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x72a7:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x7008:$s1: \Program Files\Internet Explorer\iexplore.exe 0x6ed0:$s2: %c%c%c%c%c%c.exe 0x7107:$s5: Accept-Language: zh-cn 0x726f:$s5: Accept-Language: zh-cn 0x7687:$s5: Accept-Language: zh-cn
3.2.rundll32.exe.10004094.1.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
3.2.rundll32.exe.10004094.1.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
5.2.hrlBCA3.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
5.2.hrlBCA3.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
25.0.hrlD452.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
25.0.hrlD452.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
6.0.hrlBCB3.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x76bf:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
6.0.hrlBCB3.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5924:$xc2: GET ^&&%$%$^ 0x5955:$xc2: GET ^&&%$%$^ 0x5986:$xc2: GET ^&&%$%$^ 0x59b7:$xc2: GET ^&&%$%$^ 0x59e8:$xc2: GET ^&&%$%$^ 0x5a19:$xc2: GET ^&&%$%$^ 0x5a4a:$xc2: GET ^&&%$%$^ 0x5a7b:$xc2: GET ^&&%$%$^ 0x5aac:$xc2: GET ^&&%$%$^ 0x5add:$xc2: GET ^&&%$%$^ 0x5b0e:$xc2: GET ^&&%$%$^ 0x5b3f:$xc2: GET ^&&%$%$^ 0x5b70:$xc2: GET ^&&%$%$^ 0x5ba1:$xc2: GET ^&&%$%$^ 0x5bd2:$xc2: GET ^&&%$%$^ 0x5c03:$xc2: GET ^&&%$%$^ 0x5c34:$xc2: GET ^&&%$%$^ 0x5c65:$xc2: GET ^&&%$%$^ 0x5c96:$xc2: GET ^&&%$%$^ 0x5cc7:$xc2: GET ^&&%$%$^ 0x5951:$n1: .htmGET
Click to see the 46 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\lsass.exe, ParentImage: C:\Windows\System32\lsass.exe, ParentProcessId: 628, ParentProcessName: lsass.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc, ProcessId: 4468, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: winlogon.exe, CommandLine: winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, ParentImage: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, ParentProcessId: 7408, ParentProcessName: hrlBCB3.tmp, ProcessCommandLine: winlogon.exe, ProcessId: 552, ProcessName: winlogon.exe

Suricata Signatures

ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T15:33:32.667497+0100	2012730	1	A Network Trojan was detected	192.168.2.4	50267	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UV0zBp62hW.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Avira: detection malicious, Label: W32/Virut.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: UV0zBp62hW.dll

ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UV0zBp62hW.dll

Joe Sandbox ML: detected

Source: UV0zBp62hW.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001E.00000002.3084260211.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924437611.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001E.00000002.3084260211.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924437611.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001E.00000002.3084260211.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924437611.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001E.00000002.3084260211.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924437611.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,	0_2_10001677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,	3_2_10001677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,	14_2_10001677

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.4:50267 -> 1.1.1.1:53

Source: svchost.exe, 0000000C.00000002.3101286818.000002928C2F9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/S
Source: svchost.exe, 0000000C.00000002.3108463080.000002928CB8E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080350316.000002928D26C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS0
Source: svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2110382528.000002928CB74000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2135080780.000002928CB69000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: Microsoft-Windows-LiveId%4Operational.evtx.35.dr	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000000C.00000002.3112338019.000002928D280000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2176269678.000002928D2FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3117474208.000002928D2FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 0000000C.00000002.3110461543.000002928D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3109669808.000002928D231000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2167490991.000002928D231000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855238288.000002928D233000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3094048689.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2005770262.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3103128170.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002965196.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.1914551244.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002507506.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3112338019.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1969565162.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855377798.000002928D28A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3109669808.000002928D231000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2167490991.000002928D231000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855238288.000002928D233000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3094048689.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2005770262.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3103128170.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002965196.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.1914551244.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002507506.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3112338019.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1969565162.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855377798.000002928D28A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1846691107.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.1842520275.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3097628112.00000202C0249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3109669808.000002928D231000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2167490991.000002928D231000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855238288.000002928D233000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3094048689.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2005770262.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3103128170.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002965196.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.1914551244.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002507506.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3112338019.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1969565162.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855377798.000002928D28A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 0000000B.00000002.3094048689.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000000B.00000002.3097628112.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1846691107.00000202C0200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 0000000C.00000003.2023393654.000002928CB69000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.oX
Source: svchost.exe, 0000000C.00000000.1850454052.000002928C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3091161016.000002928C240000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org
Source: lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000000B.00000000.1845436765.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3092201768.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2
Source: svchost.exe, 0000000C.00000002.3106934502.000002928CB13000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/
Source: svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080807328.000002928CB77000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
Source: svchost.exe, 0000000C.00000003.2080807328.000002928CB77000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xs
Source: svchost.exe, 0000000C.00000000.1854924557.000002928CB78000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000000C.00000003.2023167018.000002928CB7A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd(
Source: svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
Source: svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilitBT3dYO7l2pnpY88136NZG2R/fYR
Source: svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.x
Source: svchost.exe, 0000000C.00000000.1855261015.000002928D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080807328.000002928CB77000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(
Source: svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdx
Source: svchost.exe, 00000023.00000000.1956933106.000001D559AAC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3094048689.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3109669808.000002928D231000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2167490991.000002928D231000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855238288.000002928D233000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1846691107.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.1842520275.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3097628112.00000202C0249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2005770262.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3103128170.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002965196.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.1914551244.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002507506.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3112338019.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1969565162.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855377798.000002928D28A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: svchost.exe, 0000000C.00000002.3108847794.000002928D200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855088616.000002928D200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootCA.crlhttp://crl4.digicert.com/Di
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2005770262.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3103128170.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1846691107.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3097628112.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002965196.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.1914551244.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002507506.00000202C0351000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000C.00000002.3116096421.000002928D2DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 0000000C.00000002.3101851449.000002928C313000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1853065149.000002928C313000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://port.NET
Source: svchost.exe, 00000024.00000000.1954113347.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: svchost.exe, 0000000C.00000002.3093138686.000002928C28C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023393654.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080258173.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023167018.000002928CB7A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2051190271.000002928CB29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2079755180.000002928CB2C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2110382528.000002928CB74000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854676184.000002928CB70000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854924557.000002928CB78000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy200
Source: svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854676184.000002928CB70000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854924557.000002928CB78000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2110382528.000002928CB74000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc(
Source: svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scURI
Source: svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scf1p
Source: svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scst
Source: svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scuc
Source: svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080258173.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1994613636.000002928CB7A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080807328.000002928CB77000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2135080780.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1853315941.000002928CB13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2052833662.000002928D252000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854924557.000002928CB78000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000000C.00000003.2023167018.000002928CB7A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust(
Source: svchost.exe, 0000000C.00000000.1852878560.000002928C2DB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee
Source: svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
Source: svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
Source: svchost.exe, 0000000C.00000000.1853038514.000002928C2F9000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1853315941.000002928CB13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3101286818.000002928C2F9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustc
Source: svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustcuri
Source: lsass.exe, 0000000B.00000000.1845436765.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3092201768.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: lsass.exe, 0000000B.00000000.1847374968.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03A9000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2005770262.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3103128170.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002965196.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.1914551244.00000202C037D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000003.2002507506.00000202C0351000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3104302579.00000202C03B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1847881182.00000202C03B2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3112338019.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1969565162.000002928D286000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855377798.000002928D28A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 0000000C.00000002.3108847794.000002928D200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855088616.000002928D200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600e
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000D.00000002.3115443721.0000022929EA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3113408053.0000022929E27000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.1864423945.0000022929E27000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.onenote.net/livetile/?Language=
Source: svchost.exe, 0000000C.00000002.3114047089.000002928D2AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://logilive.com/ppsecure/InlineClient
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3112338019.000002928D271000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3116096421.000002928D2DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000000C.00000000.1855167413.000002928D220000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3112338019.000002928D271000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855424387.000002928D293000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000000C.00000000.1855261015.000002928D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000C.00000000.1855114215.000002928D213000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf0
Source: svchost.exe, 0000000C.00000000.1855114215.000002928D213000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srfvfufdm
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfuer
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000000C.00000003.2051190271.000002928CB29000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-Du1yEu9ec0jGtwpGUyQ9jrqLXODeng7RuaFBlGyy
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2051190271.000002928CB29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3110461543.000002928D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp8
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855424387.000002928D293000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000C.00000000.1855424387.000002928D293000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf2(
Source: svchost.exe, 0000000C.00000003.1969565162.000002928D27E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3112338019.000002928D280000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfer
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000C.00000000.1853038514.000002928C2F9000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852878560.000002928C2C8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3110461543.000002928D237000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1853315941.000002928CB13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3101286818.000002928C2F9000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855261015.000002928D237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf256
Source: svchost.exe, 0000000C.00000000.1855114215.000002928D213000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comdm
Source: svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/Dev
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfen
Source: svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 0000000D.00000000.1867340320.000002292A506000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3125757753.000002292A506000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.cn/shellRESP
Source: svchost.exe, 0000000D.00000000.1867340320.000002292A506000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3125757753.000002292A506000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com/shell
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.35.dr	String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

System Summary

Malicious sample detected (through community Yara rule)

Source: UV0zBp62hW.dll, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: UV0zBp62hW.dll, type: SAMPLE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 0.2.loaddll32.exe.10004094.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 14.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 14.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 14.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 15.0.hrlC86B.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.0.hrlC86B.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 0.2.loaddll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 0.2.loaddll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.loaddll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 5.0.hrlBCA3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.0.hrlBCA3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 24.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 24.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 25.2.hrlD452.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.2.hrlD452.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 4.2.rundll32.exe.10004094.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 4.2.rundll32.exe.10004094.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.rundll32.exe.10004094.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 15.2.hrlC86B.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 15.2.hrlC86B.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 3.2.rundll32.exe.10004094.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 14.2.rundll32.exe.10004094.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 31.0.hrlDFFA.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 31.0.hrlDFFA.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 4.2.rundll32.exe.10004094.2.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 6.2.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.2.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 24.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 24.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 24.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 14.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 14.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 24.2.rundll32.exe.10004094.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 31.2.hrlDFFA.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 31.2.hrlDFFA.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 3.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 3.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 5.2.hrlBCA3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.hrlBCA3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 25.0.hrlD452.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 25.0.hrlD452.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 6.0.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.0.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Code function: 5_2_00440807 NtSetInformationProcess,	5_2_00440807
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00447907 NtSetInformationProcess,	6_2_00447907
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0044112D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	6_2_0044112D
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_004431AE lstrcpyW,lstrlenW,NtCreateSection,	6_2_004431AE
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_004412F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	6_2_004412F2
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00444078 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_00444078
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0044409D NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_0044409D
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0044214A NtAdjustPrivilegesToken,	6_2_0044214A
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00443177 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	6_2_00443177
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00442122 NtAdjustPrivilegesToken,	6_2_00442122
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00441E6F LoadLibraryA,GetModuleHandleA,lstrcpyW,lstrlenA,CreateRemoteThread,CreateThread,GlobalAlloc,LoadLibraryA,SetEvent,SetFileAttributesA,Sleep,NtMapViewOfSection,	6_2_00441E6F
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00443274 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	6_2_00443274
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0044322F NtOpenSection,	6_2_0044322F
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00672477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	6_2_00672477
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0067144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_0067144A
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0067042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	6_2_0067042D
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0067116F LoadLibraryA,GetModuleHandleA,lstrcpyW,lstrlen,CreateRemoteThread,CreateThread,GlobalAlloc,LoadLibraryA,SetEvent,SetFileAttributesA,Sleep,NtMapViewOfSection,	6_2_0067116F
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00672574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	6_2_00672574
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0067252F NtOpenSection,	6_2_0067252F
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_006705F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	6_2_006705F2
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00671422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_00671422
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_006724AE lstrcpyW,lstrlenW,NtCreateSection,	6_2_006724AE
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00673378 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_00673378
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0067339D NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_0067339D
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00440807 NtSetInformationProcess,	15_2_00440807
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043A12D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	15_2_0043A12D
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043C1AE lstrcpyW,lstrlenW,NtCreateSection,	15_2_0043C1AE
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043A2F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	15_2_0043A2F2
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043B14A NtAdjustPrivilegesToken,	15_2_0043B14A
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043C177 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	15_2_0043C177
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043B122 NtAdjustPrivilegesToken,	15_2_0043B122
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043AE6F LoadLibraryA,GetModuleHandleA,lstrcpyW,lstrlenA,CreateRemoteThread,CreateThread,GlobalAlloc,LoadLibraryA,SetEvent,SetFileAttributesA,Sleep,NtMapViewOfSection,	15_2_0043AE6F
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043C274 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	15_2_0043C274
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043C22F NtOpenSection,	15_2_0043C22F
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00772477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	15_2_00772477
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0077144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	15_2_0077144A
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0077042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	15_2_0077042D
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00772574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	15_2_00772574
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0077116F LoadLibraryA,GetModuleHandleA,lstrcpyW,lstrlen,CreateRemoteThread,CreateThread,GlobalAlloc,LoadLibraryA,SetEvent,SetFileAttributesA,Sleep,NtMapViewOfSection,	15_2_0077116F
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0077252F NtOpenSection,	15_2_0077252F
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_007705F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	15_2_007705F2
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00771422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	15_2_00771422
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_007724AE lstrcpyW,lstrlenW,NtCreateSection,	15_2_007724AE
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00773378 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	15_2_00773378
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0077339D NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	15_2_0077339D

Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\35b1e4c2-e4af-4401-8fe8-c15cf44126a7	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior

Source: C:\Windows\System32\lsass.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_004448D5	6_2_004448D5
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0044495A	6_2_0044495A
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_004449CE	6_2_004449CE
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_004435C8	6_2_004435C8
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_004449E3	6_2_004449E3
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00444988	6_2_00444988
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_004449B7	6_2_004449B7
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00441E6F	6_2_00441E6F
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0067116F	6_2_0067116F
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00673C5A	6_2_00673C5A
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00673CE3	6_2_00673CE3
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00673CCE	6_2_00673CCE
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_006728C8	6_2_006728C8
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00673CB7	6_2_00673CB7
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00673C88	6_2_00673C88
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00673BD5	6_2_00673BD5
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043D8D5	15_2_0043D8D5
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043D95A	15_2_0043D95A
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043C5C8	15_2_0043C5C8
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043D9CE	15_2_0043D9CE
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043D9E3	15_2_0043D9E3
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043D988	15_2_0043D988
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043D9B7	15_2_0043D9B7
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043AE6F	15_2_0043AE6F
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0077116F	15_2_0077116F
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00773C5A	15_2_00773C5A
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00773CE3	15_2_00773CE3
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00773CCE	15_2_00773CCE
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_007728C8	15_2_007728C8
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00773CB7	15_2_00773CB7
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00773C88	15_2_00773C88
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00773BD5	15_2_00773BD5

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Code function: String function: 00403B10 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: String function: 00403B10 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: String function: 00403B10 appears 34 times

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 380

Source: UV0zBp62hW.dll	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: hrlDFFA.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: hrlBCA3.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: hrlBCB3.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: hrlC86B.tmp.14.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: hrlD452.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: UV0zBp62hW.dll

Binary or memory string: OriginalFilenameserver.EXE8 vs UV0zBp62hW.dll

Source: UV0zBp62hW.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: UV0zBp62hW.dll, type: SAMPLE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: UV0zBp62hW.dll, type: SAMPLE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 0.2.loaddll32.exe.10004094.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 14.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 15.0.hrlC86B.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.0.hrlC86B.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 0.2.loaddll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.loaddll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.loaddll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 5.0.hrlBCA3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.hrlBCA3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 24.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 25.2.hrlD452.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.hrlD452.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 4.2.rundll32.exe.10004094.2.raw.unpack, type: UNPACKEDPE	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10004094.2.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10004094.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 15.2.hrlC86B.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.hrlC86B.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 3.2.rundll32.exe.10004094.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 14.2.rundll32.exe.10004094.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 31.0.hrlDFFA.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.0.hrlDFFA.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 4.2.rundll32.exe.10004094.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 6.2.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 24.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 14.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 24.2.rundll32.exe.10004094.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 31.2.hrlDFFA.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 31.2.hrlDFFA.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 3.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10004094.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 5.2.hrlBCA3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.hrlBCA3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 25.0.hrlD452.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.0.hrlD452.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 6.0.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721

Source: Microsoft-Windows-SMBServer%4Operational.evtx.35.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.35.dr	Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.35.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.35.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.35.dr	Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.35.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exed
Source: System.evtx.35.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.35.dr	Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.35.dr	Binary string: C:\Device\HarddiskVolume3`
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.35.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.35.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.35.dr	Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.35.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.35.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.35.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.35.dr	Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.35.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.35.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.35.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe\|
Source: Microsoft-Windows-SMBServer%4Operational.evtx.35.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}

Source: classification engine

Classification label: mal100.troj.evad.winDLL@25/84@0/0

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp

Code function: 6_2_0044112D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,

6_2_0044112D

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001193 FindResourceW,SizeofResource,LoadResource,LockResource,GetTempPathW,GetTempFileNameW,CreateFileW,WriteFile,CloseHandle,CloseHandle,RtlZeroMemory,CreateProcessW,CloseHandle,CloseHandle,

0_2_10001193

Source: C:\Windows\System32\lsass.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1002\c193d48c-717c-4ef8-bf44-1581d963a47d

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Distribuoeq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7716
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7876
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7400

Source: C:\Windows\System32\loaddll32.exe

File created: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp

Jump to behavior

Source: UV0zBp62hW.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDllInitialize

Source: UV0zBp62hW.dll

ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDllInitialize
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 380
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDrawTextEx
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp C:\Users\user\AppData\Local\Temp\hrlC86B.tmp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkEditControl
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlD452.tmp C:\Users\user\AppData\Local\Temp\hrlD452.tmp
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 380
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 380
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDllInitialize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDrawTextEx	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkEditControl	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlD452.tmp C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Section loaded: mfc42.dll

Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001E.00000002.3084260211.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924437611.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001E.00000002.3084260211.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924437611.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001E.00000002.3084260211.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924437611.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001E.00000002.3084260211.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924437611.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 0000001E.00000000.1924675963.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3085289535.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001E.00000002.3085948096.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1924992538.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp

Code function: 5_2_00401A40 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,CloseHandle,CloseHandle,LoadLibraryA,lstrcpynA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,lstrcpynA,lstrcpynA,lstrlenA,lstrcpynA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,OpenMutexA,GetLastError,ReleaseMutex,CloseHandle,LoadLibraryA,GetProcAddress,lstrcatA,LoadLibraryA,GetProcAddress,WinExec,CloseHandle,

5_2_00401A40

Source: initial sample

Static PE information: section where entry point is pointing to: biixxts

Source: hrlDFFA.tmp.0.dr	Static PE information: section name: awnxcvk
Source: hrlDFFA.tmp.0.dr	Static PE information: section name: feubjmb
Source: hrlDFFA.tmp.0.dr	Static PE information: section name: ngruaea
Source: hrlDFFA.tmp.0.dr	Static PE information: section name: biixxts
Source: hrlDFFA.tmp.0.dr	Static PE information: section name: mwewpvq
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: awnxcvk
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: feubjmb
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: ngruaea
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: biixxts
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: mwewpvq
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: awnxcvk
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: feubjmb
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: ngruaea
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: biixxts
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: mwewpvq
Source: hrlC86B.tmp.14.dr	Static PE information: section name: awnxcvk
Source: hrlC86B.tmp.14.dr	Static PE information: section name: feubjmb
Source: hrlC86B.tmp.14.dr	Static PE information: section name: ngruaea
Source: hrlC86B.tmp.14.dr	Static PE information: section name: biixxts
Source: hrlC86B.tmp.14.dr	Static PE information: section name: mwewpvq
Source: hrlD452.tmp.24.dr	Static PE information: section name: awnxcvk
Source: hrlD452.tmp.24.dr	Static PE information: section name: feubjmb
Source: hrlD452.tmp.24.dr	Static PE information: section name: ngruaea
Source: hrlD452.tmp.24.dr	Static PE information: section name: biixxts
Source: hrlD452.tmp.24.dr	Static PE information: section name: mwewpvq

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Code function: 5_2_00405D60 push eax; ret	5_2_00405D8E
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00405D60 push eax; ret	6_2_00405D8E
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00405D60 push eax; ret	15_2_00405D8E

Source: hrlDFFA.tmp.0.dr	Static PE information: section name: .rsrc entropy: 7.284236490255826
Source: hrlDFFA.tmp.0.dr	Static PE information: section name: awnxcvk entropy: 7.442751988028532
Source: hrlDFFA.tmp.0.dr	Static PE information: section name: feubjmb entropy: 7.443987358292404
Source: hrlDFFA.tmp.0.dr	Static PE information: section name: ngruaea entropy: 7.409112853135643
Source: hrlDFFA.tmp.0.dr	Static PE information: section name: biixxts entropy: 7.617408577195756
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: .rsrc entropy: 7.284236490255826
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: awnxcvk entropy: 7.442751988028532
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: feubjmb entropy: 7.443987358292404
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: ngruaea entropy: 7.409112853135643
Source: hrlBCA3.tmp.3.dr	Static PE information: section name: biixxts entropy: 7.617408577195756
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: .rsrc entropy: 7.284236490255826
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: awnxcvk entropy: 7.442751988028532
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: feubjmb entropy: 7.443987358292404
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: ngruaea entropy: 7.409112853135643
Source: hrlBCB3.tmp.4.dr	Static PE information: section name: biixxts entropy: 7.617408577195756
Source: hrlC86B.tmp.14.dr	Static PE information: section name: .rsrc entropy: 7.284236490255826
Source: hrlC86B.tmp.14.dr	Static PE information: section name: awnxcvk entropy: 7.442751988028532
Source: hrlC86B.tmp.14.dr	Static PE information: section name: feubjmb entropy: 7.443987358292404
Source: hrlC86B.tmp.14.dr	Static PE information: section name: ngruaea entropy: 7.409112853135643
Source: hrlC86B.tmp.14.dr	Static PE information: section name: biixxts entropy: 7.617408577195756
Source: hrlD452.tmp.24.dr	Static PE information: section name: .rsrc entropy: 7.284236490255826
Source: hrlD452.tmp.24.dr	Static PE information: section name: awnxcvk entropy: 7.442751988028532
Source: hrlD452.tmp.24.dr	Static PE information: section name: feubjmb entropy: 7.443987358292404
Source: hrlD452.tmp.24.dr	Static PE information: section name: ngruaea entropy: 7.409112853135643
Source: hrlD452.tmp.24.dr	Static PE information: section name: biixxts entropy: 7.617408577195756

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D			Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D			Jump to behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Jump to dropped file

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_5-1877
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_3-214
Source: C:\Windows\System32\loaddll32.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_0-214

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Special instruction interceptor: First address: 4478FF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Special instruction interceptor: First address: 440801 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Special instruction interceptor: First address: 4411E4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Special instruction interceptor: First address: 440801 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Special instruction interceptor: First address: 43A1E4 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp

Code function: 5_2_00440646 rdtsc

5_2_00440646

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	API coverage: 0.4 %
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	API coverage: 7.8 %
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	API coverage: 9.5 %

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,	0_2_10001677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,	3_2_10001677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,	14_2_10001677

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.35.dr	Binary or memory string: VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 0000000C.00000000.1850454052.000002928C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3091161016.000002928C22B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0E/
Source: svchost.exe, 0000001D.00000002.3123834738.000001845BC0A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.35.dr	Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.35.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@vmicshutdownge
Source: WerFault.exe, 0000000A.00000002.2132180146.0000000003164000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1852933142.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3099728688.000002928C2F0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3091455509.00000252A4800000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1871199051.00000252A4800000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000001B.00000003.2188438404.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000001B.00000003.2188438404.00000000008B6000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000001B.00000002.2190874401.00000000008A3000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000001B.00000002.2190874401.00000000008B6000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 00000021.00000002.2157273876.0000000002E40000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000021.00000003.2154538273.0000000002F10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000021.00000002.2157435570.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000021.00000003.2154538273.0000000002F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnL
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: WerFault.exe, 0000001B.00000002.2190769831.00000000007E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.35.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.35.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000023.00000000.1942768409.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 00000013.00000002.3085254562.000002A66062A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.35.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: svchost.exe, 00000023.00000000.1942768409.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: svchost.exe, 0000000D.00000000.1863326119.00000229294DD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.35.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000023.00000000.1941570347.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3087847481.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.35.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@vmicshutdown
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 00000023.00000000.1948338096.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: Microsoft-Windows-Ntfs%4Operational.evtx.35.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.35.dr	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000023.00000000.1942768409.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicshutdown
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: svchost.exe, 00000023.00000000.1942768409.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: cativmicvss
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.35.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 00000014.00000002.3140089769.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.35.dr	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000000D.00000002.3112149856.0000022929E0A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.35.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: WerFault.exe, 0000000A.00000002.2132180146.0000000003164000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\XO"
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 0000000B.00000002.3090768490.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845329041.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1872998150.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3084598338.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3084346835.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.1879054559.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1892258963.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3084037429.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3092478443.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1903556147.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000023.00000000.1941570347.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 0000000A.00000002.2133879627.0000000005E6B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhN
Source: lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 629.vmicvss
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@vmicheartbeat
Source: svchost.exe, 0000000C.00000000.1851666139.000002928C296000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.35.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000023.00000000.1942768409.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000023.00000002.3088619107.000001D558643000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000013.00000003.1890214521.000002A66066B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000017.00000000.1891959858.000002295CE00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: lsass.exe, 0000000B.00000000.1845887838.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000012.00000000.1871346733.00000252A482B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3092857673.00000252A482B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 00000023.00000000.1942768409.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 00000014.00000002.3140089769.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000D.00000002.3107007453.0000022929837000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicheartbeat

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	API call chain: ExitProcess graph end node	graph_5-1742
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	API call chain: ExitProcess graph end node	graph_5-1975
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	API call chain: ExitProcess graph end node	graph_5-1879

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp

Code function: 5_2_00440646 rdtsc

5_2_00440646

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp

5_2_00401A40

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Code function: 5_2_00440807 mov edx, dword ptr fs:[00000030h]	5_2_00440807
Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Code function: 5_2_00447907 mov edx, dword ptr fs:[00000030h]	5_2_00447907
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00447907 mov edx, dword ptr fs:[00000030h]	6_2_00447907
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0044112D mov eax, dword ptr fs:[00000030h]	6_2_0044112D
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_004412F2 mov eax, dword ptr fs:[00000030h]	6_2_004412F2
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_00440807 mov edx, dword ptr fs:[00000030h]	6_2_00440807
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0067042D mov eax, dword ptr fs:[00000030h]	6_2_0067042D
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_006705F2 mov eax, dword ptr fs:[00000030h]	6_2_006705F2
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: 6_2_0067025E mov edx, dword ptr fs:[00000030h]	6_2_0067025E
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00440807 mov edx, dword ptr fs:[00000030h]	15_2_00440807
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043A12D mov eax, dword ptr fs:[00000030h]	15_2_0043A12D
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0043A2F2 mov eax, dword ptr fs:[00000030h]	15_2_0043A2F2
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_00447907 mov edx, dword ptr fs:[00000030h]	15_2_00447907
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0077042D mov eax, dword ptr fs:[00000030h]	15_2_0077042D
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_007705F2 mov eax, dword ptr fs:[00000030h]	15_2_007705F2
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: 15_2_0077025E mov edx, dword ptr fs:[00000030h]	15_2_0077025E

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Thread created: unknown EIP: 7F643BD0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Thread created: unknown EIP: 7F653BD0			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Memory written: PID: 2580 base: 76F02FE0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Memory written: PID: 2580 base: 76F02DC0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Memory written: PID: 2580 base: 76F03620 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Memory written: PID: 2580 base: 76F02F60 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Memory written: PID: 2580 base: 76F03710 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Memory written: PID: 2580 base: 76F02C00 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Memory written: PID: 2580 base: 76F02FE0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Memory written: PID: 2580 base: 76F02DC0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Memory written: PID: 2580 base: 76F03620 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Memory written: PID: 2580 base: 76F02F60 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Memory written: PID: 2580 base: 76F03710 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Memory written: PID: 2580 base: 76F02C00 value: E8	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\lsass.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\dwm.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Section loaded: \BaseNamedObjects\vlatVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\lsass.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\dwm.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Section loaded: \BaseNamedObjects\efdtVt target: C:\Windows\SysWOW64\WerFault.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928C9E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5460000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5350000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5160000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4F80000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 252A4770000	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1

Jump to behavior

Source: dwm.exe, 00000014.00000000.1875534193.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000014.00000002.3131829000.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000008.00000000.1835271544.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.3101485748.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000014.00000002.3135814346.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000008.00000000.1835271544.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.3101485748.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000014.00000002.3135814346.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000008.00000000.1835271544.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.3101485748.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000014.00000002.3135814346.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: winlogon.exe, 00000008.00000000.1835271544.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.3101485748.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000014.00000002.3135814346.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	Code function: LoadLibraryA,GetProcAddress,GetLocaleInfoW,GetComputerNameA,lstrcpyA,lstrcpyA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,lstrcpyA,lstrcpyA,GlobalMemoryStatusEx,lstrcpyA,GetTickCount,	5_2_00403160
Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	Code function: LoadLibraryA,GetProcAddress,GetLocaleInfoW,GetComputerNameA,lstrcpyA,lstrcpyA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,lstrcpyA,lstrcpyA,GlobalMemoryStatusEx,lstrcpyA,GetTickCount,	6_2_00403160
Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	Code function: LoadLibraryA,GetProcAddress,GetLocaleInfoW,GetComputerNameA,lstrcpyA,lstrcpyA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,lstrcpyA,lstrcpyA,GlobalMemoryStatusEx,lstrcpyA,GetTickCount,	15_2_00403160

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp

Code function: 6_2_00444526 GetSystemTime,Sleep,Sleep,

6_2_00444526

Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp

6_2_0044112D

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.35.dr, Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Virut

Source: Yara match	File source: 6.2.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1833082714.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3074948867.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3075291406.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3075976845.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3074778934.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3074791213.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3075563324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3075681181.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2136560000.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3075099086.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3075450654.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3075369973.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2051509578.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.1874806385.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3075100920.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1840981002.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1921150104.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.3076284976.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3074704354.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1877415236.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1890975257.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.3075481202.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.3075101490.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1938547190.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.1963882445.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1871949899.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.1935460960.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.3075568717.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3074777533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1860100553.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3075257509.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3075099305.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1974078167.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3075918696.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.3075427157.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.1900998061.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1894430516.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3074742466.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3074679188.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hrlBCA3.tmp PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrlBCB3.tmp PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winlogon.exe PID: 552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1496, type: MEMORYSTR

Remote Access Functionality

Yara detected Virut

Source: Yara match	File source: 6.2.hrlBCB3.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.1833082714.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3074948867.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3075291406.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3075976845.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3074778934.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3074791213.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3075563324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3075681181.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2136560000.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3075099086.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3075450654.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3075369973.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2051509578.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.1874806385.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3075100920.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1840981002.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1921150104.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.3076284976.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3074704354.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1877415236.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1890975257.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.3075481202.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.3075101490.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1938547190.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.1963882445.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1871949899.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.1935460960.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.3075568717.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3074777533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1860100553.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3075257509.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3075099305.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1974078167.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3075918696.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.3075427157.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.1900998061.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1894430516.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3074742466.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3074679188.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hrlBCA3.tmp PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrlBCB3.tmp PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winlogon.exe PID: 552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 872, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	412 Process Injection	111 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Install Root Certificate	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 File Deletion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
UV0zBp62hW.dll	97%	ReversingLabs	Win32.Backdoor.Nitol
UV0zBp62hW.dll	100%	Avira	TR/Nitol.blanu
UV0zBp62hW.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrlD452.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrlD452.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp	97%	ReversingLabs	Win32.Virus.Virut
C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp	97%	ReversingLabs	Win32.Virus.Virut
C:\Users\user\AppData\Local\Temp\hrlC86B.tmp	97%	ReversingLabs	Win32.Virus.Virut
C:\Users\user\AppData\Local\Temp\hrlD452.tmp	97%	ReversingLabs	Win32.Virus.Virut
C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp	97%	ReversingLabs	Win32.Virus.Virut

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://windows.msn.com/shell	svchost.exe, 0000000D.00000000.1867340320.000002292A506000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3125757753.000002292A506000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trustc	svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trustcuri	svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.microsoft.co	lsass.exe, 0000000B.00000000.1847881182.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srfen	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://ocsp.msocsp.	lsass.exe, 0000000B.00000000.1847881182.00000202C03C5000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/soap/envelope/	svchost.exe, 0000000C.00000002.3093138686.000002928C28C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080258173.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1994613636.000002928CB7A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080807328.000002928CB77000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2135080780.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1853315941.000002928CB13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2052833662.000002928D252000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854924557.000002928CB78000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-	svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080807328.000002928CB77000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.micro	svchost.exe, 00000024.00000000.1954113347.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	false	high
https://login.microsoftonline.com/MSARST2.srf	svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600e	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/STS	svchost.exe, 0000000C.00000002.3108463080.000002928CB8E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080350316.000002928D26C000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID	svchost.exe, 00000023.00000000.1956933106.000001D559AAC000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2	svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/scf1p	svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 0000000B.00000000.1845436765.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3092201768.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org	svchost.exe, 0000000C.00000000.1850454052.000002928C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3091161016.000002928C240000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/scURI	svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xs	svchost.exe, 0000000C.00000003.2080807328.000002928CB77000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds	svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/Dev	svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
https://windows.msn.cn/shellRESP	svchost.exe, 0000000D.00000000.1867340320.000002292A506000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3125757753.000002292A506000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/tb	Microsoft-Windows-LiveId%4Operational.evtx.35.dr	false	high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 0000000B.00000000.1845436765.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3092201768.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	svchost.exe, 0000000C.00000000.1855261015.000002928D237000.00000004.00000001.00020000.00000000.sdmp	false	high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2110382528.000002928CB74000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2135080780.000002928CB69000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/scuc	svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	false	high
https://signup.live.com/signup.aspx	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/tb_	svchost.exe, 0000000C.00000002.3110461543.000002928D237000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust(	svchost.exe, 0000000C.00000003.2023167018.000002928CB7A000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/09/policy200	svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023393654.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080258173.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023167018.000002928CB7A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2051190271.000002928CB29000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2023501376.000002928CB6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2079755180.000002928CB2C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2110382528.000002928CB74000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854676184.000002928CB70000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854924557.000002928CB78000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utilitBT3dYO7l2pnpY88136NZG2R/fYR	svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/S	svchost.exe, 0000000C.00000002.3101286818.000002928C2F9000.00000004.00000001.00020000.00000000.sdmp	false	high
http://port.NET	svchost.exe, 0000000C.00000002.3101851449.000002928C313000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1853065149.000002928C313000.00000004.00000001.00020000.00000000.sdmp	false	unknown
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.x	svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp	false	high
https://account.live.com/msangcwam	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf	svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdx	svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp	false	high
http://passport.net/tb	svchost.exe, 0000000C.00000002.3116096421.000002928D2DF000.00000004.00000001.00020000.00000000.sdmp	false	high
http://upx.sf.net	Amcache.hve.10.dr	false	high
https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.35.dr	false	high
http://www.microsoft.	svchost.exe, 0000000C.00000002.3108847794.000002928D200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1855088616.000002928D200000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/scst	svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc(	svchost.exe, 0000000C.00000003.2108058832.000002928CB69000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2110382528.000002928CB74000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue	svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	svchost.exe, 0000000C.00000000.1852878560.000002928C2DB000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd(	svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2080807328.000002928CB77000.00000004.00000001.00020000.00000000.sdmp	false	high
https://account.live.com/Wizard/Password/Change?id=80601	svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.oX	svchost.exe, 0000000C.00000003.2023393654.000002928CB69000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc	svchost.exe, 0000000C.00000000.1853350933.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107366677.000002928CB37000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854676184.000002928CB70000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854924557.000002928CB78000.00000004.00000001.00020000.00000000.sdmp	false	high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	svchost.exe, 0000000C.00000002.3092415823.000002928C247000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1851515422.000002928C247000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd(	svchost.exe, 0000000C.00000003.2023167018.000002928CB7A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp	false	high
https://logilive.com/ppsecure/InlineClient	svchost.exe, 0000000C.00000002.3114047089.000002928D2AA000.00000004.00000001.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 0000000B.00000000.1845387139.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000B.00000002.3091515066.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	svchost.exe, 0000000C.00000000.1853038514.000002928C2F9000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1853315941.000002928CB13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3101286818.000002928C2F9000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/tb:pp	svchost.exe, 0000000C.00000002.3112338019.000002928D280000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2176269678.000002928D2FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3117474208.000002928D2FD000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes	svchost.exe, 0000000C.00000000.1854434937.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/STS0	svchost.exe, 0000000C.00000002.3108072357.000002928CB6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2134564445.000002928CB75000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee	svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue	svchost.exe, 0000000C.00000002.3107748072.000002928CB5F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/	svchost.exe, 0000000C.00000002.3106934502.000002928CB13000.00000004.00000001.00020000.00000000.sdmp	false	high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	svchost.exe, 0000000C.00000000.1851550591.000002928C25F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3093138686.000002928C25F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd	svchost.exe, 0000000C.00000000.1854924557.000002928CB78000.00000004.00000001.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578322
Start date and time:	2024-12-19 15:32:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	23
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UV0zBp62hW.dll renamed because original name is a hash value
Original Sample Name:	8f8708b1decd1d3fd40d224ce8a68fa09b8ffc29.dll
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@25/84@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 203
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.53.21, 40.126.53.17, 40.126.53.10, 20.190.181.1, 40.126.53.12, 20.190.181.6, 40.126.53.6, 40.126.53.11, 199.232.210.172, 20.189.173.20, 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): u0a.cing.pl, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, yu.timid.pl, ant.trenz.pl, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, jqu.meiu.pl, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, ilo.brenz.pl, li.merts.pl, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: UV0zBp62hW.dll

Simulations

Behavior and APIs

Time	Type	Description
09:33:45	API Interceptor	3x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf	Get hash	malicious	PDFPhish	Browse	199.232.214.172
	jhsdgfjkh236.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	199.232.214.172
	RECOUVREMENT -FACTURER1184521.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	199.232.210.172
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	199.232.214.172
	gCXzb0K8Ci.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	H2PspQWoHE.ps1	Get hash	malicious	Unknown	Browse	199.232.214.172
	H6epOhxoPY.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	KcKtHBkskI.ps1	Get hash	malicious	Unknown	Browse	199.232.214.172

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hrlBCA3.tmp_c58139d8be6d964ce7a827dd4433f8741736607a_fdf12c9f_d1783c8b-cb68-4c51-ad0f-963aa2f39ab8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7364782572484969
Encrypted:	false
SSDEEP:	96:T/FFZGiyncMQsBhYz79fZQXIDcQvc6QcEVcw3cE//+HbHg/5DeugaVDPCarOyWZ2:jRGikcMQg0BU/Yj7qzuiFgZ24IO8j
MD5:	0C8B0FAD88C8DDB6D59585C30ED56DB1
SHA1:	DAAE0951FE0AF776C9D79AC242D60E399F4DED22
SHA-256:	33B1FF30CE9D2E4BDF86DEEFD92E603D8F0CE987F3C8E572494838DDD31A5A4A
SHA-512:	C1AA8D834F1A245D9D335FA60797006BA33B5C0B453CA289A1C5525550131CBC586693F6B456BD0BABD9271669FB64C20258AE2C5C369AA8E46AA11C7E12C37D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.2.3.9.6.0.7.9.1.4.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.2.3.9.6.8.7.6.0.0.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.7.8.3.c.8.b.-.c.b.6.8.-.4.c.5.1.-.a.d.0.f.-.9.6.3.a.a.2.f.3.9.a.b.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.8.6.a.0.3.8.-.d.4.6.8.-.4.3.f.e.-.8.d.c.d.-.c.7.2.b.0.8.b.a.c.b.3.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.r.l.B.C.A.3...t.m.p.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.e.r.v.e.r...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.e.8.-.0.0.0.1.-.0.0.1.4.-.a.d.2.b.-.7.9.f.0.2.2.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.b.c.c.f.2.6.a.d.c.5.9.1.f.a.5.7.7.2.f.3.f.4.a.0.b.7.4.f.9.1.d.0.0.0.0.0.4.0.8.!.0.0.0.0.b.0.f.6.e.4.3.3.7.6.d.5.b.6.8.8.c.5.1.6.4.3.5.8.6.3.8.f.5.f.c.8.0.3.8.9.8.1.3.c.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hrlD452.tmp_385e217972a215e311fc37a4ee20ba5f24b17c_085fd521_67a6bf32-e823-49a6-ad0c-97c778b97c1d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7354190497671559
Encrypted:	false
SSDEEP:	96:6vF2206UWynIpmsVhYn79fZQXIDcQvc6QcEVcw3cE//+HbHg/5DeugaVDPCarOyS:AbnUWkI4g0BU/Yj7qzuiFgZ24IO8X
MD5:	EDF15984EA168C542A8FE0FAD24FE2E7
SHA1:	8D1C9328921D0B4BF5C88FAEB2F67112D87EFC4A
SHA-256:	A4C61C8C0EB0376221A45FA96DF2610065CA1E07B9B36E4EF19D46B7C7E007DC
SHA-512:	45A432FBBBDAF2E0FC20DE2A51D88481B923885F9F22ECD2523651D6B9E7910B45B28466A27686FBEFA45EF65F03D4B7D5102BA36D6C6BAB0930E61D2C39741F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.2.4.0.1.7.8.5.7.1.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.2.4.0.2.2.8.5.7.0.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.a.6.b.f.3.2.-.e.8.2.3.-.4.9.a.6.-.a.d.0.c.-.9.7.c.7.7.8.b.9.7.c.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.8.e.0.d.d.c.-.8.2.1.b.-.4.8.3.f.-.8.8.2.1.-.a.9.1.4.3.a.d.3.5.4.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.r.l.D.4.5.2...t.m.p.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.e.r.v.e.r...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.4.-.0.0.0.1.-.0.0.1.4.-.7.8.0.6.-.1.0.f.4.2.2.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.b.c.c.f.2.6.a.d.c.5.9.1.f.a.5.7.7.2.f.3.f.4.a.0.b.7.4.f.9.1.d.0.0.0.0.0.4.0.8.!.0.0.0.0.b.0.f.6.e.4.3.3.7.6.d.5.b.6.8.8.c.5.1.6.4.3.5.8.6.3.8.f.5.f.c.8.0.3.8.9.8.1.3.c.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hrlDFFA.tmp_21de373451925dcec6af935bf02dc4dddb2532_bf421634_9b6cbb7c-826e-49da-b94b-e0bfc1631c3a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7365787236734416
Encrypted:	false
SSDEEP:	96:mNfFfpLMynC6s/hYN79fZQXIDcQvc6QcEVcw3cE/v+HbHg/5DeugaVDPCarOyWZZ:qDLMkC6A0BU/oj7qzuiFgZ24IO89M
MD5:	8CDDB9C35134434E3993A17A5F28F366
SHA1:	3FADF935F03966D89EEBF226176D0AA8060003F3
SHA-256:	6EF67C5DC31789E28ECEF1BF7ABF9CC4C403F5DE1392DD7F93B3E616029E666C
SHA-512:	CC0809CCD62E67A48D8B60E4607B699E325AAC900C2BBD68F153D0BF879EED6A03B05AA1E5FB725F85C5C43E0E5F6937EDB221842BFD364ACE665B3656544336
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.9.2.4.0.4.9.0.2.0.1.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.9.2.4.0.5.3.3.9.5.1.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.b.6.c.b.b.7.c.-.8.2.6.e.-.4.9.d.a.-.b.9.4.b.-.e.0.b.f.c.1.6.3.1.c.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.b.b.1.7.9.7.-.8.2.0.d.-.4.e.d.8.-.8.b.b.c.-.b.6.2.d.b.a.b.4.6.1.9.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.r.l.D.F.F.A...t.m.p.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.s.e.r.v.e.r...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.c.4.-.0.0.0.1.-.0.0.1.4.-.8.d.8.c.-.d.4.f.5.2.2.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.b.c.c.f.2.6.a.d.c.5.9.1.f.a.5.7.7.2.f.3.f.4.a.0.b.7.4.f.9.1.d.0.0.0.0.0.4.0.8.!.0.0.0.0.b.0.f.6.e.4.3.3.7.6.d.5.b.6.8.8.c.5.1.6.4.3.5.8.6.3.8.f.5.f.c.8.0.3.8.9.8.1.3.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF91.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 19 14:33:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	33900
Entropy (8bit):	1.9252724284844065
Encrypted:	false
SSDEEP:	96:5c8eRY6G0h9nHYb4UQHwwuBcDbki7hGJmKQZYHmnrQHwsoifDTwBeetWIkWIQ0I5:Fc3UM3wOSQamnrQHwsp/MeelQePl8S
MD5:	7B0EB0689AC0902D42430577FA383C69
SHA1:	67A5A022DE9AECF193E33848AC063B7A08FACA9D
SHA-256:	D8AE3E593449EB6DB6BAD93F33271564936757D1C591FA767C32BBC4120960E7
SHA-512:	9BC9F808143C0146B7E1B64FE330C848893DB48E6548A49F2575233CB828FBF875B95986F765100AA91329663A7B29F1C690BAA4B54E932BADFFF65A5913212F
Malicious:	false
Preview:	MDMP..a..... .........dg........................................l...........T.......8...........T...........`....u......................................................................................................eJ......(.......GenuineIntel............T.............dg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0BB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8222
Entropy (8bit):	3.695138129402515
Encrypted:	false
SSDEEP:	192:R6l7wVeJm264aH26YwQa6AngmfAAprZ89bPEsf9lm:R6lXJv64d6YNa6AngmfADP3f+
MD5:	B51205D1F0046AA44014CF985A506D09
SHA1:	386BF2E0D2B308B74FF679BA775D6D6E385C49B2
SHA-256:	2F05F633FA5900074FB1374164A910DA5B3E67F9F687455F2FACC2B62835FA01
SHA-512:	1F31D30DF58AB98B6124B1EB01EA6EC001DD83CCAC918DA495886DDD46F2E5FEAF93E8A77C6AD4FA7639970AF3B8BD1B9FC29435728402828AD4AB37998A7ADA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0DC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.457815692110173
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI9xmWpW8VYjYm8M4JFAFhOd+q8wIT1TOTMJ4D9d:uIjffI77n7VLJnaT1iMJ4D9d
MD5:	2684CA22760890C737618563D1B4CBBE
SHA1:	E45423F107C5690FAC2C5C34CDBC525C27AAC287
SHA-256:	050DF7D9BDDAEA0D76589974A89F1D055BADC9A22133166E1AEFAC612A20C655
SHA-512:	4B66D755B31BF2CF9A3555C9DAA073C5AFB347AD149F3498ED8DA8DC857A84F14299CDE7DB769A143534622D73AAB0F351C8B3AB1AE75E3047D853D32C51D4A1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638255" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5C9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 19 14:33:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	33900
Entropy (8bit):	1.9299412173467811
Encrypted:	false
SSDEEP:	96:5R8WjCY6G0h9nHYb4UQEbI0gi7hGJOo6UkAIxcllA5ZFKuGYsoifjTwzWIUWIQUH:4Wm3UXbIROHUkA80lA5+uGYspfgEpQW
MD5:	EFF9B98873997CDF153CBBCE4648487F
SHA1:	A39FC3E91273C6F58D52243A29846F7C8728B276
SHA-256:	A85B7BA6BF18DD9A45894C8309DF5455C8970E75BA528EE8F5CF65F3281344EC
SHA-512:	F3962AF78C2B86480276D9443EF9FCAE3007BD20B87EF9344E45E5D6D488FBBC173E81DC3B5FC4E10127E6AD9746727C462A79D548D1A52AE878BDA87E0720F1
Malicious:	false
Preview:	MDMP..a..... .........dg........................................l...........T.......8...........T...........`....u......................................................................................................eJ......(.......GenuineIntel............T.......$.....dg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD666.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8216
Entropy (8bit):	3.693239080536701
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+ab6K626YyR6AYgmfAAprG89bzwsfSwRm:R6lXJDb6Kb6Ys6AYgmfAKzDfSb
MD5:	1CF7175E5D5D5D138F5B6EBE8309DEA5
SHA1:	F71B2D0E28E6DDAD398A03664C5DF90908466A32
SHA-256:	8460C0911FE10DC1F9B42A77B728B9B15CB69516C13CC577178D2E5F81B91EE4
SHA-512:	F11730100F020E3BA61518466769D9193E3269554F1A573ABF1B0334CA231D521DF2FC949B58582FD3C5605F0B85987435DD1B95A69E38FA9ABE39C1001DB0EF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD696.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.451278422473984
Encrypted:	false
SSDEEP:	48:cvIwWl8zsMtJg77aI9xmWpW8VYdYm8M4JNoFi+q8kyTOTMF4f7d:uIjfyI77n7V9JdMiMF4f7d
MD5:	76BC394F5E70FC075E1A8D56343FCF1B
SHA1:	F0D7B8FDE6A0E2B713BA3391EBE2182A7C273FC6
SHA-256:	98104412A57D83B77F1D8DBC088F34EBCA1101097317F044EDC7871E0372A12C
SHA-512:	473EF90191C20535B606A6DBE8F08D2AFB7EF4EAC1C0736C30B88B22C9806CC2776D75C302E19A365D17996FEEF414B6B81E8D68332FE9D9CA02FB0F1134B2A4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638256" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE21D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Dec 19 14:33:25 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	33900
Entropy (8bit):	1.927230651896795
Encrypted:	false
SSDEEP:	192:s8Urs3U7KOtxva0BgfvRRYspvL2Y/8mhQS:h1E7VtxyCAvRRYs5fkm
MD5:	99E20DAF78B22B8904F348067FF6B4DA
SHA1:	AE267846431395A03AE8B8421501A9F149603478
SHA-256:	C5E3D2557616A066022B803DD76423E5050FDAC7B9441C637E00960AA53C6FEE
SHA-512:	C9D1DBBAF9625D78EBA4B430D6ACC9E80967D9F1B7C709B57D95BA761B308191A4A3035997944A596CBBFF529167F185E3195913AF5CB55F2264604F6713B18F
Malicious:	false
Preview:	MDMP..a..... .........dg........................................l...........T.......8...........T...........`....u......................................................................................................eJ......(.......GenuineIntel............T.............dg.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE27C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.6964039573477314
Encrypted:	false
SSDEEP:	192:R6l7wVeJtr6K626YGh61S9sgmfwApr089bXGsfDdm:R6lXJh6Kb6Yg61SmgmfwkXlfU
MD5:	09B0CAF669FED4F8D38475C353A015CF
SHA1:	4E9A6EFF0746ADC746D7EE8CDFBDF888549A9CDF
SHA-256:	DEC45DAA5377B8D9AFF1D2807C3B825E027E22FDA2C222C3396F0D892D9C6DBD
SHA-512:	E939108E3A1A9B55632D25FAEE5100FBDDCF733001C83024834E42800FA135DF0F18546B04079673E0A224AF8BFB1BA87DBC178D8B0C4D6D14FA3395D076BA95
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2BB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4619
Entropy (8bit):	4.461615239262426
Encrypted:	false
SSDEEP:	48:cvIwWl8zsMtJg77aI9xmWpW8VYHYm8M4JtkFvm+q8QtTOTMJ4nUd:uIjfyI77n7VjJxfiMJ4nUd
MD5:	E4940B8CEED0FA3178366BA323DA8497
SHA1:	102E799D8467C81E4BD969324B32CC271EAEC7B3
SHA-256:	C8B655B0C9E175AC0017CBB28C402D26D9D7E275142FAA2E9D4EE9C94936B210
SHA-512:	BA5B1E030D17C426C348BA2471621B70C91924C08833C1CF8A0C5261DADD200BE970D29B5C65C72E845E22FCACDF2FA17534C91AE887FC32E42774CA7F993841
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638256" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	340
Entropy (8bit):	3.5333950223904114
Encrypted:	false
SSDEEP:	6:kKyk3C8OC3G7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:f3CpCGLkPlE99SCQl2DUeXJlOA
MD5:	AAD02CDE450298BF535CC00C3D043E20
SHA1:	A3A2D6D6DEDAF54C7FD5272BCE9CE750A3F29CB8
SHA-256:	681FFF789F7F07E3F901D91A6D20F490F23E3240C52C007B14AC59A723ADD8EA
SHA-512:	146E7E9D706FE91FAC35C343F870C1178AF6D5B23A1AB7CF44F112FCF554A6E9DC404E4E316F9E3A4D1EFC78B9F3117E508020C6857BAE9A3C9F5E367F0B4887
Malicious:	false
Preview:	p...... ..........M."R..(.................................................o.@... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	11152
Entropy (8bit):	7.976941323189359
Encrypted:	false
SSDEEP:	192:0bC0q4/xZHYLSlKy5GZwCIAuRXujFfUKIKsgphg1no/ItHZ82TYLZr3brKqbM9jK:0+0h/nhK5LLSX8UcsgKno/ItHZHYtbbV
MD5:	C94F2C2A96DA52FA520A0FCD594953E4
SHA1:	E3F75C3E57AE0ADB277B3A3250E4B19A0940512C
SHA-256:	872BA80458F9C7262BB4103A68C79DF7D641CBB513E0FDF0553F6368E5982681
SHA-512:	923391091C969819A3CA36489869BE46877C21AC347931ED252586716CFC5313DE52A7867F89F4335B2256FE7D32FE35814329A3297059C3F83682C83E61AF41
Malicious:	false
Preview:	.....+..................z..O.........\|q.N.D...c.}... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... .....Z.x8.........wGj.-..h....r.............. ....`..fR....il8.....(97sz#.o....G9..M.....\n7...G?L..!unA<..........3<.....Y..,..)...2...r..@l.:........vh.t......Ce.E.<.M.;.`.Q.6.....\|....\|cF?9...c.n.7L..w.B.+.Js.;`...?(...y<X.A..v.YZ\L.&._...r7..~.e...vb..@..r.p...cE.N~;....d).....!.2f...c......\m(...@.....V.g..................d.Jm0..RHz..fPD..~t../g..G.....T.^....W]0....f..~..d.:Zz.i..$S8.B<.....&f.}..lsO.w..\|OD3....7..]hB...b.pT V/.v.4kn..T/.t.7..~.r..r{B..w86p..>...Z.@&...v...q;.....u...X...S....6.......\|..8j.cfs..}z.#. S.BP.S.:..y.:...q.0w.W.?K..!.C....3.A......3.{Z....1..2.+]...X...(P'I........9.A....M.8/H.y.5..._by.....84.i.!...@d.L..A...?G.....^.Vw@.h.&C..FR..p..D.../.q;.lp=......!.k?e..;%w.\I4g........WR..7.e.X.......;..9..^..1Mu'.3.f.\|0.C.{.v}....}..W....w.."...;_,.(.....E.L...pu.Ne.>96.].P #.........@.

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	276480
Entropy (8bit):	7.376825653341274
Encrypted:	false
SSDEEP:	6144:qqi7l4yzr919mWfehA9ghbThsEVt15aiC4d7qNRck:qqi3XGAyBqat1Bq
MD5:	0BD4AE2BDF462F97DD03D6218A741789
SHA1:	B0F6E43376D5B688C5164358638F5FC80389813C
SHA-256:	DB8B87FD7797EF9A166572BAF54069398B42B370C9A975C62338831E7255B923
SHA-512:	FC8EF9E87C403984AA0EF1DF6D942EED3854DC7C108D18159D15624E4682F922ECA53A3A3475B349E2CB344EC418E3D48B422469D7463CE2F3AC753DB1720CB6
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................W.....\|...............<...........w.......x.....Rich............PE..L...d`w3.................P...H......Ix.......`....@..........................................................................m..P........b...........................................................................`..t...xi.......................text...2N.......P.................. ..`.rdata.......`.......T..............@..@.data................j..............@....rsrc....b.......^...z..............`...awnxcvk..........\|.................. ...feubjmb..........\|...T.............. ...ngruaea..........\|.................. ...biixxts..............L.............. ...mwewpvq..............8..................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	276480
Entropy (8bit):	7.376825653341274
Encrypted:	false
SSDEEP:	6144:qqi7l4yzr919mWfehA9ghbThsEVt15aiC4d7qNRck:qqi3XGAyBqat1Bq
MD5:	0BD4AE2BDF462F97DD03D6218A741789
SHA1:	B0F6E43376D5B688C5164358638F5FC80389813C
SHA-256:	DB8B87FD7797EF9A166572BAF54069398B42B370C9A975C62338831E7255B923
SHA-512:	FC8EF9E87C403984AA0EF1DF6D942EED3854DC7C108D18159D15624E4682F922ECA53A3A3475B349E2CB344EC418E3D48B422469D7463CE2F3AC753DB1720CB6
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................W.....\|...............<...........w.......x.....Rich............PE..L...d`w3.................P...H......Ix.......`....@..........................................................................m..P........b...........................................................................`..t...xi.......................text...2N.......P.................. ..`.rdata.......`.......T..............@..@.data................j..............@....rsrc....b.......^...z..............`...awnxcvk..........\|.................. ...feubjmb..........\|...T.............. ...ngruaea..........\|.................. ...biixxts..............L.............. ...mwewpvq..............8..................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hrlC86B.tmp

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	276480
Entropy (8bit):	7.376825653341274
Encrypted:	false
SSDEEP:	6144:qqi7l4yzr919mWfehA9ghbThsEVt15aiC4d7qNRck:qqi3XGAyBqat1Bq
MD5:	0BD4AE2BDF462F97DD03D6218A741789
SHA1:	B0F6E43376D5B688C5164358638F5FC80389813C
SHA-256:	DB8B87FD7797EF9A166572BAF54069398B42B370C9A975C62338831E7255B923
SHA-512:	FC8EF9E87C403984AA0EF1DF6D942EED3854DC7C108D18159D15624E4682F922ECA53A3A3475B349E2CB344EC418E3D48B422469D7463CE2F3AC753DB1720CB6
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................W.....\|...............<...........w.......x.....Rich............PE..L...d`w3.................P...H......Ix.......`....@..........................................................................m..P........b...........................................................................`..t...xi.......................text...2N.......P.................. ..`.rdata.......`.......T..............@..@.data................j..............@....rsrc....b.......^...z..............`...awnxcvk..........\|.................. ...feubjmb..........\|...T.............. ...ngruaea..........\|.................. ...biixxts..............L.............. ...mwewpvq..............8..................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hrlD452.tmp

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	276480
Entropy (8bit):	7.376825653341274
Encrypted:	false
SSDEEP:	6144:qqi7l4yzr919mWfehA9ghbThsEVt15aiC4d7qNRck:qqi3XGAyBqat1Bq
MD5:	0BD4AE2BDF462F97DD03D6218A741789
SHA1:	B0F6E43376D5B688C5164358638F5FC80389813C
SHA-256:	DB8B87FD7797EF9A166572BAF54069398B42B370C9A975C62338831E7255B923
SHA-512:	FC8EF9E87C403984AA0EF1DF6D942EED3854DC7C108D18159D15624E4682F922ECA53A3A3475B349E2CB344EC418E3D48B422469D7463CE2F3AC753DB1720CB6
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................W.....\|...............<...........w.......x.....Rich............PE..L...d`w3.................P...H......Ix.......`....@..........................................................................m..P........b...........................................................................`..t...xi.......................text...2N.......P.................. ..`.rdata.......`.......T..............@..@.data................j..............@....rsrc....b.......^...z..............`...awnxcvk..........\|.................. ...feubjmb..........\|...T.............. ...ngruaea..........\|.................. ...biixxts..............L.............. ...mwewpvq..............8..................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp

Download File

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	276480
Entropy (8bit):	7.376825653341274
Encrypted:	false
SSDEEP:	6144:qqi7l4yzr919mWfehA9ghbThsEVt15aiC4d7qNRck:qqi3XGAyBqat1Bq
MD5:	0BD4AE2BDF462F97DD03D6218A741789
SHA1:	B0F6E43376D5B688C5164358638F5FC80389813C
SHA-256:	DB8B87FD7797EF9A166572BAF54069398B42B370C9A975C62338831E7255B923
SHA-512:	FC8EF9E87C403984AA0EF1DF6D942EED3854DC7C108D18159D15624E4682F922ECA53A3A3475B349E2CB344EC418E3D48B422469D7463CE2F3AC753DB1720CB6
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................W.....\|...............<...........w.......x.....Rich............PE..L...d`w3.................P...H......Ix.......`....@..........................................................................m..P........b...........................................................................`..t...xi.......................text...2N.......P.................. ..`.rdata.......`.......T..............@..@.data................j..............@....rsrc....b.......^...z..............`...awnxcvk..........\|.................. ...feubjmb..........\|...T.............. ...ngruaea..........\|.................. ...biixxts..............L.............. ...mwewpvq..............8..................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1002\Preferred

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:f2kmrQXameeb:e/Qq8
MD5:	347C26C3448D96551BE474376CFE2FF4
SHA1:	8A053A8DC8417002FA40BCF18D81C4DF67BD263A
SHA-256:	2B5B7233F97783435267AC1A0F2D97C354CC65EFBF1ADC83A637C4BA46542E9F
SHA-512:	8505237ABA37C5355F87F08BF57B3D589ECDFED83B27B07302D3839F7537E94E8105BB2581472B22E802CA528FBC8825CC436DED85812D967B5C071B8E10686F
Malicious:	true
Preview:	...\|q.N.D...c.}.......

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1002\c193d48c-717c-4ef8-bf44-1581d963a47d

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	6.4037053668868165
Encrypted:	false
SSDEEP:	12:nTWxiWZw4s266O8xhKvCwaW1syL5/ri1W8A3xON:TWyt2hKa+hLxrTs
MD5:	F13019B71CB33D7CC4496C64F4B320CF
SHA1:	B725D89051DB4F828A5A23E4A423AC4BD7FC1D2A
SHA-256:	53FE8FB620BFEC994136F1C1528F93F759B5D48BE38365256D9F76260B86459D
SHA-512:	65B72FF29CE010E3CB9FFAA6D0DA3D062EFE9470BD826D164DCD3290C3797D1006148D383FE69C74A79CDBA3AF65DBC714809B1C2FA41F326AADED439EA76AD1
Malicious:	false
Preview:	............c.1.9.3.d.4.8.c.-.7.1.7.c.-.4.e.f.8.-.b.f.4.4.-.1.5.8.1.d.9.6.3.a.4.7.d.................................................. .y.`.....O..N@........f..$u...1..`.}[..."......N.&w..l.B....u..9.x5^....m..)j....#..x.?0..=..*.Hq.....d.vB5.....&vV...Hkp........8q.=..Ut5..uP...)...$..)S....A......=.N.F).f..V.....@........f...m.P<....&g3"q..76....2.Y{..[n,.....[..X..C.yOe..K=GF@.h.&e.y3P.7.]c8...N..>>....`c..O....(...kT..Kw.......\|...lN..X..q.

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\35b1e4c2-e4af-4401-8fe8-c15cf44126a7

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	6.18246386824523
Encrypted:	false
SSDEEP:	6:w32iAFIg73Pdmb3QM0t69mWITmPz2HxKONxCLufjsMApJ/diDQYh2/p967qkW:XjFTR/ymWzr2HxvCCj4iQGqk
MD5:	4C3C6D2983BA2DE98BFB9406E7A89E41
SHA1:	7E80B2596DC10395B0167EC2D2A6D632E21967EB
SHA-256:	913D158DA42D7DBA98080D14C45CFAB735054C1436E050AD7884CF56C6D4992A
SHA-512:	3779097668BFAEB13555CA558E02BD339D74647E2131649064C49D5BD77D42D2EFD33E6C0F4FCC0FE79D1ADC728B3885C23727C5C83EC9FA6B2281CF61CB5DBD
Malicious:	false
Preview:	............3.5.b.1.e.4.c.2.-.e.4.a.f.-.4.4.0.1.-.8.f.e.8.-.c.1.5.c.f.4.4.1.2.6.a.7.................................................!..}D.MM..)..`@........f...(v.%7QX...:..9.iv\..Jx.<...O`.-.T..L....._..S...>....I~..N.D.w..H.b..-.......#.,vAq..:P.&.D..Vr5.I.z_BF.P..ju/)y..5....R.3..k.."........fq`.K3.@..a....@........f.....>..-.'.1.....R{.(..a....O........? 0.5.#.....S.......w-Hk...u12@{7...q...<.^..wy.n.f..p11.......(y.......................

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.334962500721156
Encrypted:	false
SSDEEP:	3:oCF1p9+k:o69b
MD5:	00D242336892D7465D28A93FA6A77B99
SHA1:	B1BA10E1DD9108289EB30CE0B583451A27DB6584
SHA-256:	F9EC111EEBBD98B5281E1C1C790499ED7E31E54BCE11C56544000BA4783C4C5B
SHA-512:	BD8E52D9F4624C36A6244883FFBE841309699F9A7C2BC30F333EE1C052015516338CE48513BD18186A39530F58720CB1897C4053D4FF9F5E6AF94B32CBFC0EA6
Malicious:	false
Preview:	..5...D...\.A&..Px....

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	11136
Entropy (8bit):	7.977483260382901
Encrypted:	false
SSDEEP:	192:/XDKcOw0aPn6v0C9tvbRPfnHn/win1SRAiVh7wqDVz/fAq21CcjWKLEtDOH:/XpO2Sv0ktjFffwiUAiU47Z6C8WKH
MD5:	90717110F067DC7786BF5498D67DAF77
SHA1:	3069D86BE3BF9729777C65AF9A20466F7B417AD4
SHA-256:	1A672C83C7899FF717D0C88D432D160868D885F929C06B43B81B432E3E215E24
SHA-512:	F7E3109255BD38A76BDB72DA8DB44E54E556A6EC31EB1AC1D68AF1B6DB4311F14DEE1E22EEA587A157D3CD7938B6B08CB9EBBCDB668E3A9F25F6D86626DD583B
Malicious:	false
Preview:	....t+..................z..O........5...D...\.A&.... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ....@..\..(G...%.'4Ph.........%............... ...S.;.~..Q.J.3.^!....%.Z..].U.oXp...%+.'Y....@H.N?e..(.......h'.n.Z.w(.^n..mX.q...c..d.x.r.&.w.TA.X.~.J..m1P.c<...a..F...=}.......f.p."U..f.....<....1.....\9..sQ6..^...1....:c..jb.R4E.....v?/....Y...ET.6...s^/o-..v.'.Kh.-...9,....G.BT_......s;.k........[._.7.....P...b..^.J...I,.?c."{iK.!....,........U..(.l\|./.?..`..E.G.n].;...2@...y_./...[+L. t.....f~..b......f.....#../d...=.......f;,.....s.\b.-.K....X..5.O(..9.:.D.h....I...........U.&...g.~X._j.......{.rerX_.@.?t.".c....i.D...F. 'u.._..c..Y.O4.......:G..T....6..O}{..>hi...=.!.....o5+?...1D%.............e/..m...9!!...E/..AW...Sz.O..y..V..ze..~..'.gXtU7Uv....j..0........_.^....Ja)Q..tK..h.F.zP..bR.........aM(...V..Y..V....'................79~{.H..B.W....,'.rv.d.ZSq.HkCsF...'@.s..9B..W..........`0..r......>l"!.K2.f$.OV.........

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	79944
Entropy (8bit):	4.092974873046999
Encrypted:	false
SSDEEP:	768:IkdWdkdWSQZUE1lA6vOUZucxvbNp8CCAxNcOXbUAjQwEPnPK0xvpkdW1W8hIG:tDTQZUE1lTkctNp8qc6UAjs72MhIG
MD5:	89DCE063A5A534094F4F882ABEC1E3EC
SHA1:	DF054BF3A3682ECB04D4FD025CC207D332539528
SHA-256:	C48600CFE1B16EDE779960C20F3EFFA5453345F6CA42ACB9B11461D383E4E2FD
SHA-512:	B1F4B9846835968EA5F5C65CEEDD0816DE3DA1A784B0107D337A99A53ADADA7212760BF394B5ABB781F2B51302A8E2C446DE6990CDE8095CCB9333025DA45CBC
Malicious:	false
Preview:	ElfChnk.................r.......u...............(...-!^......................................................................#.}............$...............................=...........................................................................................$...............................m...............F...........................t...................M...c...........................n.......................................................................................&...............................**......r..........."R...........g&..........g.".Y. .3............A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..`............{..P.r.o.v.i.d.e.r...=....=.......K...N.a.m.e.......A.p.p.l.i.c.a.t.i.o.n. .E.r.r.o.r..A..M............a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 304, DIRTY
Category:	dropped
Size (bytes):	46432
Entropy (8bit):	4.283645087492445
Encrypted:	false
SSDEEP:	384:cxhe6UHi2uepX7xasnPC3FzFtpFDhFPFyF842Wc:4VUHiapX7xadptrDT9W84Fc
MD5:	4481F1B238A1DFFC3C7F4F0462F1E1EF
SHA1:	56F75CB14524845AA2A7E291F4C97BE3BB36579F
SHA-256:	AEB0B96F33F4B1E62EE8AED01A5F5269D5B8F2A200197A9EF5D3D522AFF32260
SHA-512:	3CE4AB4CEE5CAAF39339F1002198DBB18B6C913A9CDA077DB64502A7604D35C0B84006C9C34977E9836F8741DA20B99DA855C54BA02A69991091298F2363B515
Malicious:	false
Preview:	ElfFile.................0...................................................................................................Fo.xElfChnk.........1...............1...........p.......q.F......................................................................1.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.010692427789071
Encrypted:	false
SSDEEP:	384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
MD5:	26C4C5213F3C6B727417EF07207AC1E0
SHA1:	1815CC405C8B70939C252390E2A1AEC87EFF45F2
SHA-256:	767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
SHA-512:	0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
Malicious:	false
Preview:	ElfChnk.%.......J.......%.......J............b..Pe.....:....................................................................&...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........].......M...............................VY..................................**......%........0................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66960
Entropy (8bit):	4.167113283244607
Encrypted:	false
SSDEEP:	384:BR7VlVrhfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVl:FhfMIt
MD5:	FC1716D2BC63B95478EEBEC6DFE4C8DF
SHA1:	9D23122551344642F569A447F460284B4DF659D0
SHA-256:	CB61B473F938E73A612DCB0ADCF333D19BF83492A76A91F60869F1B5649BF2D6
SHA-512:	DEA2E25AF7C51C209C2469E06A503615660F55128F826D428B78E00757C803FF4B304537DA950FA27AD285A01934914F5569C4077AEF13DFCCE9EDE2BE312100
Malicious:	false
Preview:	ElfChnk.....................................X... ...c..T....................................................................eYN.................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................................m."R............&...............................................................@.......X...a.!.....E..........@..m."R....&O....~Y'O........P........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....i.c....................r."R..........

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.428071255913406
Encrypted:	false
SSDEEP:	384:OhTm5mcwmNQZmomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:O4LD6CL49mVpgwQFQ
MD5:	38CAFE7141B316B9DF1A5BB2E355CC68
SHA1:	21CD8C3613143D32FB884B66F3DD21749C1ED431
SHA-256:	BE5271D3ED1864665A5CAE8C79FCCADCDA59D95E42EE538711761CD5E430EDC1
SHA-512:	F384A3DCF2AAA4A3DEAC87768E0924707275E7361F386A043E7FEEF43E7F560A2D78DF2401F7D9182E37047D3C4EC6498EDF5EEB0782A9D8777940F1F70E20CE
Malicious:	false
Preview:	ElfChnk..!.......!.......!.......!....................4......................................................................n.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................#...............&...................................**.......!......o.T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.35237032418516373
Encrypted:	false
SSDEEP:	48:MPWNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHyCdHLP7jMTckH58ykHc:+NVaO8sMa3Z85ZMLfrjju3Z85Zu
MD5:	8A6071B1D7F35A2D42A55305C9A95B11
SHA1:	0BA034F46D4F3DEEA70987543246695CEDB97594
SHA-256:	8D8CDF7EBD575F31C0526A79B2DB608B8594B6DFFA069EA4F115A5FF604003BB
SHA-512:	0FA859A08F8095A76DFB917B818071D128B2D6CDD91A6B0FC56512716CCADFBA57347C2D854C6393F316DEB4C897CC21CF95F4E88156FA860A931DC7442A3F7C
Malicious:	false
Preview:	ElfChnk.....................................p........;.........................................................................X............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.014860518194814
Encrypted:	false
SSDEEP:	1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
MD5:	4FB8E2CF8B3F20534836684947962DC2
SHA1:	B263607E627C81DA77DB65DF5AED2F3FD84B83E2
SHA-256:	DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
SHA-512:	D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
Malicious:	false
Preview:	ElfChnk.........V...............V...................0q....................................................................... I............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.15655690871689
Encrypted:	false
SSDEEP:	768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
MD5:	2DE60575CB719BF51FAB8A63F696B052
SHA1:	BD44E6B92412898F185D5565865FEA3778573578
SHA-256:	7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
SHA-512:	0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
Malicious:	false
Preview:	ElfChnk.........o...............o..........................................................................................._..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	93800
Entropy (8bit):	2.1535165388304156
Encrypted:	false
SSDEEP:	384:+osKpolhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorRor9orwTorYon:IDCYgDCYPW
MD5:	35763B64DFD18CEF93295C2D6B98567E
SHA1:	16DDA08D691FE8A3A95BAEABB4748328BFE0A5D5
SHA-256:	6B163B409203B2243739B35AA03F7401E2F79B30D977BDE035A62255B54B6FFA
SHA-512:	5C973DF7C971740D9EFD6C54BD295F8C9062A32FEB5A18937982414443E79AE0A95CE485FF6F30E128126C82141D546B25D0FE5F7BF8545C7A61173F3C82EF79
Malicious:	false
Preview:	ElfChnk......................................+...-...!.I....................................................................C...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................$..U)..............................**..............y..."R.............$..............................................................>.......V...X.!..e..............y..."R....&O....J!'O.................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8524226245257144
Encrypted:	false
SSDEEP:	384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
MD5:	B8E105CC52B7107E2757421373CBA144
SHA1:	39B61BEA2065C4FBEC143881220B37F3BA50A372
SHA-256:	B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
SHA-512:	7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
Malicious:	false
Preview:	ElfChnk......................................#...&...l2.......................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................#..........'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8432997252442703
Encrypted:	false
SSDEEP:	384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
MD5:	39EE3557626C7F112A88A4DE12E904C1
SHA1:	C307FECC944D746A49EEA6451B7DA7301F03504C
SHA-256:	2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
SHA-512:	304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
Malicious:	false
Preview:	ElfChnk......................................"...&.....k.....................................................................n..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	101768
Entropy (8bit):	3.635831918739567
Encrypted:	false
SSDEEP:	384:whqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28Y:wbCyhLfIXBS5fbCyhLfIXBS5P
MD5:	DD60C7A300E84B28E9B3C98F92A9F3EC
SHA1:	9F96C449B5282FDDFB8DECDB7FAEA3A39BA11D5E
SHA-256:	047920912ACF3A89708467E86FFD52B30034EA979D2E601EC847D86F7271D5A7
SHA-512:	9E3F5A6B4CFA229B2639553E7C338A56662B4A400FFBAE8ECBF050DE5D9855F368C1AE67575BAD05308BACD986464694B8199E35B8DC58DE7EAE87D1133AC211
Malicious:	false
Preview:	ElfChnk.........F...............F...............P............................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................*..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.838106263184782
Encrypted:	false
SSDEEP:	768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
MD5:	A2D41740C1BAF781019F282E37288DDF
SHA1:	A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
SHA-256:	7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
SHA-512:	E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
Malicious:	false
Preview:	ElfChnk.........?...............?...................<.md.....................................................................?.Q................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.634418630947688
Encrypted:	false
SSDEEP:	768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
MD5:	A00BAFFCABB00428EA0512FCECCC55E5
SHA1:	19F7C942DC26C3FF56D6240158734AFF67D6B93E
SHA-256:	92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
SHA-512:	DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
Malicious:	false
Preview:	ElfChnk.........m...............m.....................]......................................................................p.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0646587531847893
Encrypted:	false
SSDEEP:	384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
MD5:	399CAF70AC6E1E0C918905B719A0B3DD
SHA1:	62360CD0CA66E23C70E6DE3340698E7C0D789972
SHA-256:	FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
SHA-512:	A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
Malicious:	false
Preview:	ElfChnk......................................g...j..%s.g........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...........c..;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4364303862010575
Encrypted:	false
SSDEEP:	384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
MD5:	2BB73ACC8F7419459C4BF931AB85352C
SHA1:	F1CE2EB960D3886F76094E2327DD092FC1208C7E
SHA-256:	1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
SHA-512:	7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
Malicious:	false
Preview:	ElfChnk.p...............p..................../...1..V......................................................................H...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................m..............................%................ ..................&............0......................*......p..........T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.0631557320109892
Encrypted:	false
SSDEEP:	384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
MD5:	86AEA3A9CA3E5909FD44812754E52BD6
SHA1:	F79B583F83F118AC724A5A4206FC439B88BB8C65
SHA-256:	2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
SHA-512:	17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
Malicious:	false
Preview:	ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4467272005363894
Encrypted:	false
SSDEEP:	384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
MD5:	155681C222D825199B738E8DEC707DC8
SHA1:	704C800E7313F77A218203554E1428DF2819BC34
SHA-256:	1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
SHA-512:	ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
Malicious:	false
Preview:	ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.156155224835584
Encrypted:	false
SSDEEP:	384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
MD5:	F22AC858C2ACC96E8F189E43FFE46FBD
SHA1:	540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
SHA-256:	771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
SHA-512:	B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
Malicious:	false
Preview:	ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9197999988543422
Encrypted:	false
SSDEEP:	384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
MD5:	6C3F290FC62CFA9C240AEE8DB1DBA277
SHA1:	CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
SHA-256:	7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
SHA-512:	D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	101584
Entropy (8bit):	5.697234352469456
Encrypted:	false
SSDEEP:	768:0AAUdqltYAA3FNAFtuwKaIB6qWLgzvJm52M:0F8qXYF+tuw3IB6qCgzvJm52M
MD5:	103A6312FF7F7A59C0CB73DE7DADAE5D
SHA1:	C60BA40EA8B5C4E83117E95DEDED79B345287B51
SHA-256:	BB9F196B90146FD0EDAA8EFADE3857439443C8F5F6FB930567BA41EB7A4E8F78
SHA-512:	648D57C3EF94E2F1F108F9AD2B2169CDB182E263E13C1056901A09A590634D85AA7FE7398899AA842812601A9E6E2510E26B06BA90D18D2029FF0B8F5FAFE858
Malicious:	false
Preview:	ElfChnk.%.......4.......%.......4...............(...-D......................................................................3.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&........................6..........*..x...0.......=.f."R............&...............................................................0.......H...-.!........... ....@=.f."R......J./B..]..g.t.......0....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.L.i.v.e.I.d..%....gN.BiVz..OM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.L.i.v.e.I.d./.O.p.e.r.a.t.i.o.n.a.l......s............<s:Envelope><s:Header><wsa:Action s:mustUnderstand="1"></wsa:Action><wsa:To s:mustUnderstand="1"></wsa:To><wsa:MessageID></wsa:MessageID><ps:AuthInf

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9963080376858662
Encrypted:	false
SSDEEP:	384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
MD5:	A51AFE78FA4481FA05EDC1133C92B1D8
SHA1:	5BA44E7A99EE615E323696742DA6B930E9FF6198
SHA-256:	44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
SHA-512:	792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
Malicious:	false
Preview:	ElfChnk......................................)..0-....\.....................................................................\|..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.076996627399968
Encrypted:	false
SSDEEP:	384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
MD5:	A8ADBDC2B39B55444B2C844F7D81EBDE
SHA1:	F97F40E314C8A2A39953A28CB72C9270D3073418
SHA-256:	93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
SHA-512:	922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
Malicious:	false
Preview:	ElfChnk.........................................X...Y}.......................................................................(.[................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	83848
Entropy (8bit):	3.496614947427581
Encrypted:	false
SSDEEP:	384:QkILj9InIxIPIDIVasIz+IUKkIgIMIUINIgIBIPXIbIoIOIQI5I7vYgIZIaITZhL:QDKY2ZZxGp9hKY
MD5:	ACFCC08116AB4A9B8350F283C71F4FB8
SHA1:	3BB5F8BAC2B9028CD36B83A6B2B6CA004B2ECF07
SHA-256:	A991372DC934633063E05B11842505C54CB70715D023855AEF7A4A7C93DB8798
SHA-512:	40820DA08BD2C37FC685EFD5B7F9A2F6CFA201A9155B1ABD76AD94EAB86CDFB6268BD2E15DB498E39CA96EC5A424322C47F5692097B1B2E29676C026397C1A0B
Malicious:	false
Preview:	ElfChnk.T...............T...................0... ......................................................................................................................>...=...........................................................................................................................f...............?...........................m...................M...F............................................................n..................1................................a..................................**......z......./,.."R.............a..............................................................,.......D.....!........... ....@/,.."R....&O....J!'O............z....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l........n..&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.801423310886069
Encrypted:	false
SSDEEP:	384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
MD5:	9EAAD7982F42DFF47B8EF784DD2EE1CC
SHA1:	542608204AF6B709B06807E9466F7543C0F08818
SHA-256:	5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
SHA-512:	036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
Malicious:	false
Preview:	ElfChnk.....................................X ...#..\.N......................................................................12.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................~ ..................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.996272372482282
Encrypted:	false
SSDEEP:	768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
MD5:	4F68D6AF0C7DB9E98F8B592C9A07811C
SHA1:	9F519109344DD57150F16B540AAA417483EF44FE
SHA-256:	44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
SHA-512:	E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
Malicious:	false
Preview:	ElfChnk.....................................(...8...S......................................................................V..C................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ..................................................N...................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.73963208002991
Encrypted:	false
SSDEEP:	384:Dh+rKvKaKNP6WKkvKWKlpKuyK7YKmKaKHxqKWyK11KUIKqKq9KLjK5yKoKfKYKnz:DkN2cTOsKOPQujEzbbYv9NrjzDbRt
MD5:	9D008AF9C1265812B691BF7FDA18E099
SHA1:	FE4B92DFB56F57F6AC8C831ED102BE100EFFF0E8
SHA-256:	65E64C749BE7E1115D04B869439F86D0BD22F4D5B2E2F9D7EE05B7408049F78D
SHA-512:	C5D9C3880A232ADEFF887B1A304835278C3F6203AB426FC318E59CB50F5D4419E79F9B068D901B90F0F2B5CE26F11178C4AAA366EC2E22ED54BB18A42AA9006F
Malicious:	false
Preview:	ElfChnk......................................... ....m.d.....................................................................N..................l...........................=...........................................................................................................................f...............?...........................m...................M...F.......................E................................M..&...g`..g5......................o]...........X...Z..GP...............s......od......_i..**..P............%.o..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7590316238843728
Encrypted:	false
SSDEEP:	384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
MD5:	B074238315662886E2BD70106D08A747
SHA1:	5ADA158D19401565E76349FCA97489E9FB9BFA36
SHA-256:	53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
SHA-512:	9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
Malicious:	false
Preview:	ElfChnk.........................................0!....H.......................................................................j........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.751299732224545
Encrypted:	false
SSDEEP:	1536:FXhDUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:FXtnS
MD5:	CE90DF06B6754EB4B2C13ADA13DA12E0
SHA1:	B18BF0DF4E9CD0277C5464F0867B4874FFE70A57
SHA-256:	B18EAC903D9770FCCD4F43266066C3BB93CC1CDF8A257244D7138F42BEECD795
SHA-512:	D351F7DE31467C85156FFE7717BFE754BADDA9B1A401D5EDB41D3872DB97E583DA138AFAA90CB6B0A0A9914C2F8692203D878A7ED5477C11932B22D407689AF2
Malicious:	false
Preview:	ElfChnk.........%...............%............E..`G...).........................................................................................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................&B..........O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3069197485541766
Encrypted:	false
SSDEEP:	768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
MD5:	E6E4C860CE7DD1BB499D6A082B461B90
SHA1:	11330861B23B1D29D777D9BD10619A07B6A6A9C0
SHA-256:	C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
SHA-512:	7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
Malicious:	false
Preview:	ElfChnk.........;...............;............r..@t...H......................................................................p"..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&........................................................................l..............]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8593445672690927
Encrypted:	false
SSDEEP:	384:ahHBiQk1bdzpFEVQCd3iDzJiLQKiDBi4k1bdzpFEVQ35yY3dik5pmik5pbik5pKU:ah0w+qLpBVi7CPME79nCxkSq
MD5:	5AE0C3F2DDDBD1C231ABBE6B13B712DF
SHA1:	E337AC48B8A0192A9C09C2B747AF2BB52DCA67E7
SHA-256:	B9CD7A241840A211B585113857AC9B56BC631423B61E12F300050F79815BCAD8
SHA-512:	3C7CA015F3834519AD1AC4881D649B2065858B1368C2CFC590C50DF695F09B5C4AE7CD435F76D032A9978772B79F945706B21802172B33E0AD6847763048BEE5
Malicious:	false
Preview:	ElfChnk.........#...............#........... ..............................................................................\.f................T.......................\|...=...........................................................................................................................f...............?...........................m...................M...F.......................................-...'...............&.......................................................................................*.. ............#................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2909571978750325
Encrypted:	false
SSDEEP:	384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
MD5:	B0BF4D9EC91ABBDA5D328631B125A5C0
SHA1:	E672D69127AE7C1A51046ADAA911871EC0C10ABB
SHA-256:	8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
SHA-512:	3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
Malicious:	false
Preview:	ElfChnk.U.......~.......U.......~....................}/.....................................................................@..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................v..................................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.488768580471203
Encrypted:	false
SSDEEP:	1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
MD5:	E3FB1708C64D250E4D801AFB8688DF35
SHA1:	8B889F0358683733257411E451A86E3A1D42159D
SHA-256:	0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
SHA-512:	2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
Malicious:	false
Preview:	ElfChnk.........$...............$.....................w.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................V...................................**................o...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	70808
Entropy (8bit):	4.496322631689166
Encrypted:	false
SSDEEP:	1536:CkDoV9Ej6yWlmicRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAp:CCoVqj6yWlmicRFkL1TWX0gkB/J7oas7
MD5:	A5E11E478E529072DC3B9195BF1EC476
SHA1:	CAA866656E192F2F02B5959A1F45F138331E321C
SHA-256:	82A3E1E14BB3AA2EC430CC20234D384E1463FB450DB5312D7BECEFBB767F9A28
SHA-512:	28163D0C7A3C373384CEE93168BCC89850470B4C38F7DF96C961A76B999D202EF4DA479C6FFCF168D689E01F437D15434155181F4F327F5877DC1AB911D3B003
Malicious:	false
Preview:	ElfChnk.>...............>....................................................................................................CG................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................A...............&...i.......~........................x...........S.................&...............................................................8.......P.....!....nqm......... S.........&O....X.'O.....................................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e..n30'.\|D..Q.R.a.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......L.~.........n30'x.....(...........................&...............................................................8.......P.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66976
Entropy (8bit):	4.476845769116429
Encrypted:	false
SSDEEP:	384:S7q7YhN7s7o787l7r787a7J7z7+7N17g7P7q7g7gY7hZ7D7k7F7r7wm7NP7Y7+7I:g9buCg
MD5:	A0460A8DDD671CA4C75213C7DD17E043
SHA1:	D7720EEEC4DD4F82A889DB535A44BFB4D13D3E73
SHA-256:	4280C603597E23BF202FB47FDCE40588D060374169F0CE84BE8B045B63829F4E
SHA-512:	4AA924ADBE1EC536D6C0CF70F32993BFC5CACA948037ECAFBB4D15E328DF2C8A08A54B81151DDFE47ED4BAE0D8CBEF781D528582EF344D3384EBABB8C366BA11
Malicious:	false
Preview:	ElfChnk.Y.......g.......Y.......g............%...&....1.....................................................................Kh..............................................=...........................................................................................................................f...............?...........................m...................M...F...........................................=...............&...............................................................s.............................f.......B.................................................................................f.......~.....!.....z..........@B.........&O......'O....x.......f........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.C.o.m.m.o.n.-.S.t.a.r.t.L.a.y.o.u.t.P.o.p.u.l.a.t.i.o.n.B.....K..p...1.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.C.o.m.m.o.n.-.S.t.a.r.t.L.a.y.o.u.t.P.o.p.u.l.a.t.i.o.n./.O.p.e.r.a.t.i.o.n.a.l......Ls....................g.......hs%.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1499045494600955
Encrypted:	false
SSDEEP:	384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
MD5:	2045FB0D54CA8F456B545859B9F9B0A8
SHA1:	35854F87588C367DE32A3931E01BC71535E3F400
SHA-256:	E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
SHA-512:	013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
Malicious:	false
Preview:	ElfChnk.........;...............;...........xk...m...+.....................................................................F.~.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................6f..w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8164696340947971
Encrypted:	false
SSDEEP:	384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
MD5:	1AB19FA472669F4334C7A9D44E94E1B3
SHA1:	F71C16706CFA9930045C9A888FDB3EF46CACC5BC
SHA-256:	549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
SHA-512:	72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
Malicious:	false
Preview:	ElfChnk...................................... ..x$../..........................................................................<................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................!..................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9855903635327656
Encrypted:	false
SSDEEP:	384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
MD5:	7BCA54AC75C7185ADFBB42B1A84F86E3
SHA1:	AD91EE55A6F9F77AD871ACA9A5B59987CA679968
SHA-256:	A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
SHA-512:	79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
Malicious:	false
Preview:	ElfChnk.....................................P+...,...0........................................................................9.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F...........................U.......................%%......&...................................................>...........................E.......**..............o.m...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.165454452307923
Encrypted:	false
SSDEEP:	384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
MD5:	B6B6F199DA64422984403D7374F32528
SHA1:	980D66401DFCCF96ADDDAF22334A5CE735554E7F
SHA-256:	8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
SHA-512:	5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
Malicious:	false
Preview:	ElfChnk.........'...............'...........P.......H:Z.....................................................................gO.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................f..................................**..............m.................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8519554794255333
Encrypted:	false
SSDEEP:	384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
MD5:	4140628CA3CEC29C0B506CEEBDF684F6
SHA1:	A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
SHA-256:	1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
SHA-512:	779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
Malicious:	false
Preview:	ElfChnk.\...............\.......................0..../........................................................................v.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1642919553794224
Encrypted:	false
SSDEEP:	384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
MD5:	D7EECF043241FDB9486580582E208603
SHA1:	045D5672A8E9884B78CD31C52D372375503CBF4F
SHA-256:	6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
SHA-512:	6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
Malicious:	false
Preview:	ElfChnk.....................................02..h6...u'.....................................................................1..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................V2............................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	114264
Entropy (8bit):	4.653134157338501
Encrypted:	false
SSDEEP:	384:GhOMpYC9MdY/MdY7oMsV4M6StMTOMWq7MpMMlBMpSMKPMjgMp1Mx2MQDMZJrMBYL:GRlezIJhRlezIJJbg
MD5:	83A6915AAB4F92081D7351C03E958C89
SHA1:	86371F6A67532D87891B2A30DAEC9090D5593218
SHA-256:	718EB42FA889594615777A9642B5E617FD5528AD471AEAF378016F2F61E4C1A0
SHA-512:	8AB0227F40E50382E03D9BE131C8F74B40D311DBED6B33313622C9C36AC92508EAB422EE3FD7A357097C76017055822BC8CB73DD2F009846F7757E3F42B41BDE
Malicious:	false
Preview:	ElfChnk.........Q...............Q........... ...X..........................................................................>.s.........................................4...=...........................................................................................................................f...............?...........................m...................M...F................................=..........................}...................................................&........B..........................**..0...........Y.................&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
Category:	dropped
Size (bytes):	79016
Entropy (8bit):	1.8189025285334417
Encrypted:	false
SSDEEP:	384:yZhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUmPeUmjhL6UsE0Z3:qY7LKkY7LK
MD5:	01C9B93483F653EDBAE5F99638FCA367
SHA1:	25A939ACF2DA4E38D0CA1D3C583BEF88F5EBB8C1
SHA-256:	2F095007DE4947DB6935FF39F0093787853BB23C1DD669886F2E2388F87D8BC5
SHA-512:	88BD06A6B526A2836980929179FB1B119AF72C01AB96C77282069AEE1AAAE3C10B202634D6B3719E799D144A5E0DD33361A5C58FCE94B30D651BE1D253BA6505
Malicious:	false
Preview:	ElfFile.....................................................................................................................\>.eElfChnk....................................../..(4...s.0....................................................................?................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&..................................................................................../..................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67776
Entropy (8bit):	0.36780265116559163
Encrypted:	false
SSDEEP:	96:O+KNVaO80oPIj/6FgR+KNVaO80oPIj/6Fg:O+8V7YwiFgR+8V7YwiFg
MD5:	798DA2EE20B270C728E9D6896126F55B
SHA1:	BED11959164D8ECBD123EB89282D99AC0CBBE456
SHA-256:	EEBFE7AE42FB57CADBACC3B9564D033E456987840DCD6B628D2EE53E325D2168
SHA-512:	4BCEAC1A3AC96A019F1C08107CA79D1C5C5D2CECF043E5FC0082CB74C416E73B430EDE336ED1C4E9A20034316B4CF1831F36121C9AB588A0919C50066AFACA87
Malicious:	false
Preview:	ElfChnk...............................................$.....................................................................D6.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**................{...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.6469884746870727
Encrypted:	false
SSDEEP:	384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
MD5:	FC81D9FBA555C6BC7223594B8F6B46DE
SHA1:	971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
SHA-256:	9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
SHA-512:	7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
Malicious:	false
Preview:	ElfChnk.y...............y................... Q..(S...b.......................................................................t..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F...............................................................................................................VG..................................**......y..........:............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	87888
Entropy (8bit):	3.631823777755507
Encrypted:	false
SSDEEP:	768:Oat9aXazaPafaTaRxa3aXamaanavaHafafaPaTara7araHa7aHaXafaLabaTarae:lPNUd
MD5:	F8509AF781D34033BC8CCD16C3F2C65E
SHA1:	025488B6747B93F023C154B1D421A3226725C0F2
SHA-256:	9D01F81D37EE738B36FD949F2E0072A201E3728BD94FC257DDDB3B2FE61AE60D
SHA-512:	A115020B70A414BE6B4B3920D11138654DACB28A9F86F919B8F3AFFB76C4B3879500B53A06F64084BF830374FE66D4DA0CA953938D3F8FE39C6E004CAB2E7555
Malicious:	false
Preview:	ElfChnk.........@...............@...............`....0v1........................................................................................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...................................*......#........#...............&...............................................................P.......h...C.!..................#.....@..^<.....fX....\|...h...#........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.U.A.C.-.F.i.l.e.V.i.r.t.u.a.l.i.z.a.t.i.o.n.+..N.ID.v...W^.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.U.A.C.-.F.i.l.e.V.i.r.t.u.a.l.i.z.a.t.i.o.n./.O.p.e.r.a.t.i.o.n.a.l...7..{9.......................r.......~...........................$.N......9.\.D.e.v.i

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3132453844344478
Encrypted:	false
SSDEEP:	384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
MD5:	6237EE0458A0478242B975E9BB7AA97D
SHA1:	6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
SHA-256:	C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
SHA-512:	56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
Malicious:	false
Preview:	ElfChnk......................................<...A.........................................................................i,.q................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................<......C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.325262033408211
Encrypted:	false
SSDEEP:	384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
MD5:	D13189B45679E53F5744A4D449F8B00F
SHA1:	ED410CAB42772E329F656B4793B46AC7159CF05B
SHA-256:	BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
SHA-512:	83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
Malicious:	false
Preview:	ElfChnk.....................................h.................................................................................-.................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................1...........&.......................................................................................**..x...........~_g...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7947046118743749
Encrypted:	false
SSDEEP:	384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
MD5:	55E73A924B170FBFFF862E8E195E839A
SHA1:	3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
SHA-256:	1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
SHA-512:	E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
Malicious:	false
Preview:	ElfChnk...................................... ..X"...........................................................................?.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................3...........................&.......................................................................................**................................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 9, DIRTY
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	1.281353891237621
Encrypted:	false
SSDEEP:	768:1PEpP9JcY6+g4+Ga6ot1xIb13xIb13xIt13xI:1MpP9JcY6+g4+Ga6
MD5:	9509AA1F11FBD9CC435B40AD9E9F164D
SHA1:	B7B24D7E3137E1EE8FB657CA0C87D12EF3286F79
SHA-256:	216DF3AF70497DF8A4E720D3C82C232BDC90D436CC1D761C7385572D48ED49A5
SHA-512:	75C974E1E5B41D5BE467CCC54357C5F160C6330316BEF696A9436B156D2F27FF45438D5AA8BFA17A4ACF69892058BB15650E7C3B411C871B336711FD09872024
Malicious:	false
Preview:	ElfFile.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	129824
Entropy (8bit):	4.363184075850739
Encrypted:	false
SSDEEP:	384:UxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8R+PRdR3Bu:UxA8nPLGbqxA8nPLGbGD
MD5:	C6D6F46858C0E3668358AF62B382B805
SHA1:	CB5A2EDF3EF07A2A3F0D24C31B8C77F3DDFC187A
SHA-256:	27F444803FB8772DB84084042CFE4E2AC7F2A7D6D7EFC9DA26A84696D8839388
SHA-512:	3788FE6B853C113226D16E29E1861F1EF5B7F97309A64C28F2A5085505E0A0DE527FC3DBBA85CD548817F8796EFFB6BE7BD3ACBF6261427DAEB84E83A2A26285
Malicious:	false
Preview:	ElfChnk......................................... ....T......................................................................j.S.....................y.......x..N...........=............................................y..................}y..3...........................................c......xb..f...h.......lc..?.......................h........c......M.......M...F...9c..............................................Qb..............................................A.......i.......................&............x..**..(...........~.n............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.273338343434408
Encrypted:	false
SSDEEP:	384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
MD5:	C37372EB51AEDB4552CB839C7294403A
SHA1:	7B7C408D72B084CE36AA6B623AC6B907FD21D569
SHA-256:	C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
SHA-512:	69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
Malicious:	false
Preview:	ElfChnk....................................................................................................................x...........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............i.T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.231195890775603
Encrypted:	false
SSDEEP:	384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
MD5:	3365A34953FD7B16667108A049B64DA5
SHA1:	C72421A58E063D64072152344B266F8306A78702
SHA-256:	AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
SHA-512:	A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
Malicious:	false
Preview:	ElfChnk.........!...............!............7..`8...j......................................................................@..#................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v....................................................3..................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
Category:	dropped
Size (bytes):	4360
Entropy (8bit):	3.994659990895505
Encrypted:	false
SSDEEP:	96:PpqRNVaO8sow/sTYS5oz/sTf/sTpPrjjV8/sTz:PpAV7Xk8kozkDkNjvCk/
MD5:	F03B83BFB9BD0AC02AF337777BDAB94F
SHA1:	7E826CD861793503070DA08E25DB926E5BF2CE80
SHA-256:	3342F1A29A748449C38449ADD71C7B946AEAE11DB65228C95C84C5015D3B1395
SHA-512:	E1667A848B81693DDB6F518EED59932B48195D82FDE9809AD302D12894D3D90E1002C3DFB5B5A1813EED63C0B95B1954ACF3ED1955ED5754A5EE83D64923C655
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk.....................................................................................................................]..m................\...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................5...............&.......................................................................................**..............r..!..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.350110105914519
Encrypted:	false
SSDEEP:	384:Nh+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwK:NOqabeGTnbuSxuO+P
MD5:	804751BBE85EB2E4C3E8BB328B64F774
SHA1:	ED80BC13FA10390504878FBD7C3D51CB92B986B3
SHA-256:	879C110ED933F6E612C9E708644562882E2DE821810CE2C8E9BF25EF2D24E725
SHA-512:	22B00A3E7D1A983E205867C37CDEB956328E9548984AD28E04AE8539CFC1F0C448D5AC77DBD5145739A3783AACE4C4720E55CB2FC6BCB23FC749DD40C4700D93
Malicious:	false
Preview:	ElfChnk.....................................H...x...D.R.......................................................................Q.............................................=...........................................................................................................................f...............?...........................m...................M...F....................S......................................&...................................u...................................................**...............Dbf..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.421206160086997
Encrypted:	false
SSDEEP:	384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
MD5:	67CAD90771EBC0BD20736201D89C1586
SHA1:	EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
SHA-256:	7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
SHA-512:	27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
Malicious:	false
Preview:	ElfChnk.........l...............l...............@....^.....................................................................+t].................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......Q8.......................................................6......................**...............yM..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	47632
Entropy (8bit):	4.449668557236007
Encrypted:	false
SSDEEP:	384:GEFRYBGj2M7tf/oqRMtgoO1nMoc+o+zyyKoh1aconEh+eRo+3oyxjaZon0oyxjol:nUamc1R
MD5:	7E173DC28A2132A1F102CA2E52DBE9CD
SHA1:	2E6407E5881611137A731BFC1781FF719D8719FB
SHA-256:	6C3A8CF9DB9102D7FB39199E1062655CD16E05100D1946C2E41D068A24186C3F
SHA-512:	11D03E8C1F9F4C4269F88FECCABD2B6718A3CE7BE9DB7D8DF94B0CC77ED53EE30DBF496690A2265A4FEC096112BE3513AB724AA0880F413D906DE5E1E1859C77
Malicious:	false
Preview:	ElfChnk.................U......._...........X4..x9....{........................................................................\|................Z...s...h...................=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:....................$......C+..3...........................&...............................................>.......................s5..........**......U........K.."R.........Wt.&........Wt...wX..9Ck?5.?.......A..3...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....\...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76832
Entropy (8bit):	4.392813540743338
Encrypted:	false
SSDEEP:	384:EFRYJWBpoFRYJWBpPYJQI+uAaStDdND+7YHVqDIqCfqutmAQA/AXGAgXZIpURCOQ:SzczRJnLmLQXHmtpJnqiNHpzoQpSzvD6
MD5:	0823C460D8D07F6ADAA2F14BBEA7A5C8
SHA1:	5C2D135A519ED0860E720BF6475F3C0ED4E5A471
SHA-256:	D959DF7B9C362F6341296BF87743A4DEE164E5695FF4BD505B9C08F18B5DB2DB
SHA-512:	EDCCAEFB55AE8485BD06899043B49DB31150E47D8BC32D17645281FFAD8E91ABBAC1F24A1A7968EC1E43451EB6677C925AA50BBC26C5D8755DDC782979E8BA8F
Malicious:	false
Preview:	ElfChnk.................o.......u....................]4v.......................................................................................4...s...h...............\...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...........................................................................................................................&...................**......o........K.."R.........i.e&........i.e.t.Q...H.C.A;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.462944341690359
Encrypted:	false
SSDEEP:	6144:5IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN2dwBCswSbn:KXD94+WlLZMM6YFHg+n
MD5:	5BCD1A6096DF0CFF6681AB0D1ECCB15E
SHA1:	8F67FED4E1A663FFE9D1640088E6919BA83DA056
SHA-256:	8A127F44BB5E73EB4C1BDFF7A31639B92534D88FD9CB2CC97A1B480EAC251A3D
SHA-512:	70478115C99C2795D9B8A4FBEEA7C22A20B442EEDACBEB6527601AB8BC60DFF1204E06101EA2AB097CA31FBBBAEB3489468133E57708A01D73E12A58C2DF9B33
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.\.."R..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.3470753248453216
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UV0zBp62hW.dll
File size:	284'160 bytes
MD5:	a8c86e45545ee01024abeafb9b21c72f
SHA1:	8f8708b1decd1d3fd40d224ce8a68fa09b8ffc29
SHA256:	649fb2d4763c3125492a886f3d9da2870ccc37444a841a7780ee6633798eb93d
SHA512:	4c20956993dfe52ce2cb30b23f9a7f93ce80022f7eb5e9b0b48cdd7abda7195df353be65442c8603afa1650ce383bab12c8fefe58460d5aafdff072acde2d811
SSDEEP:	6144:m6qi7l4yzr919mWfehA9ghbThsEVt15aiC4d7qNRck:m6qi3XGAyBqat1Bq
TLSH:	D8540286E68564B3E896F434753AE73536B6583DCA1A0297EF01CD0C18B4724FEFA6C1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ur:.1.T.1.T.1.T.../.8.T.1.U...T./A..0.T./A..0.T./A..0.T./A..0.T.Rich1.T.........PE..L......L...........!.........F......2......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001a32
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	NO_SEH
Time Stamp:	0x4C0E1488 [Tue Jun 8 09:59:36 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	00c5fd00087020a0645079ce30f4148b

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
push esi
jne 00007F9DE8BAE051h
mov esi, dword ptr [esp+08h]
push 00000104h
push 10003018h
push esi
mov dword ptr [10003290h], esi
call dword ptr [10002058h]
push esi
call dword ptr [100020ACh]
call 00007F9DE8BAD6B8h
cmp eax, 01h
jne 00007F9DE8BAE01Eh
call 00007F9DE8BAD8B2h
test eax, eax
jne 00007F9DE8BADFF0h
call 00007F9DE8BAD82Eh
test eax, eax
jne 00007F9DE8BADFE7h
call 00007F9DE8BAD6FBh
call 00007F9DE8BAD859h
cmp eax, 01h
jne 00007F9DE8BADFFDh
push 00000000h
push 00000000h
push eax
push 00000000h
call dword ptr [100020A8h]
mov dword ptr [1000329Ch], eax
test eax, eax
je 00007F9DE8BADFE7h
call 00007F9DE8BADF29h
call 00007F9DE8BAD60Ch
jmp 00007F9DE8BAE025h
cmp dword ptr [esp+0Ch], 00000000h
jne 00007F9DE8BAE01Bh
mov eax, dword ptr [1000329Ch]
test eax, eax
je 00007F9DE8BAE00Dh
push eax
call dword ptr [100020A4h]
push FFFFFFFFh
push dword ptr [10003298h]
call dword ptr [10002064h]
push dword ptr [10003298h]
mov esi, dword ptr [10002038h]
call esi
push dword ptr [1000329Ch]
call esi
call 00007F9DE8BAD61Fh
xor eax, eax
inc eax
pop esi
retn 000Ch
jmp dword ptr [10003244h]
jmp dword ptr [00003014h]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[EXP] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2870	0x159	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2380	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x43894	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0x164	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0xe4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb2c	0xc00	c9b6b9fbded3d4764666702b145428d1	False	0.5309244791666666	data	5.5469519714251785	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x9c9	0xa00	6951ee1a0ff3a7f5a44727b4713506a3	False	0.45625	data	4.848258137282876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x2a0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x43894	0x43a00	3404de75ea401a71fc5211fbe5ae8f70	False	0.7913080522181146	data	7.376109495459092	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0x1ee	0x200	cfa8d04dd000bb30ab126902176ed40d	False	0.7265625	data	5.091827714746989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_RCDATA	0x4088	0xc	data			1.6666666666666667
RT_RCDATA	0x4094	0x43800	PE32 executable (GUI) Intel 80386, for MS Windows			0.7925130208333333

Imports

DLL	Import
KERNEL32.dll	ExitProcess, GetProcAddress, RtlMoveMemory, LoadLibraryW, lstrcatW, GetSystemDirectoryW, FreeLibrary, lstrcpynA, LockResource, LoadResource, SizeofResource, FindResourceW, CreateProcessW, RtlZeroMemory, CloseHandle, WriteFile, CreateFileW, GetTempFileNameW, GetTempPathW, GetLastError, CreateMutexA, lstrcmpiW, GetModuleFileNameW, GetExitCodeProcess, TerminateProcess, WaitForSingleObject, GetCurrentThreadId, GetFileAttributesW, lstrcpyW, GetTickCount, GetLogicalDrives, FindNextFileW, SetFileAttributesW, CopyFileW, FindClose, FindFirstFileW, WaitForMultipleObjects, TerminateThread, ResumeThread, SetThreadPriority, CreateThread, SetEvent, CreateEventW, DisableThreadLibraryCalls
USER32.dll	wsprintfW
SHELL32.dll
SHLWAPI.dll	SHRegGetValueW, PathFindExtensionW, PathFindFileNameW, PathAppendW, PathRemoveFileSpecW, StrStrIW

Exports

Name	Ordinal	Address
LpkDllInitialize	2	0x10001af6
LpkDrawTextEx	3	0x10001afc
LpkEditControl	4	0x10003250
LpkExtTextOut	5	0x10001b02
LpkGetCharacterPlacement	6	0x10001b08
LpkGetTextExtentExPoint	7	0x10001b0e
LpkInitialize	8	0x10001b14
LpkPSMTextOut	9	0x10001b1a
LpkTabbedTextOut	1	0x10001af0
LpkUseGDIWidthCache	10	0x10001b20
ftsWordBreak	11	0x10001b26

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 15:33:33.028563023 CET	53	57603	1.1.1.1	192.168.2.4
Dec 19, 2024 15:33:33.208966017 CET	53	50267	1.1.1.1	192.168.2.4
Dec 19, 2024 15:33:33.552942038 CET	53	49396	1.1.1.1	192.168.2.4
Dec 19, 2024 15:33:33.738169909 CET	53	63634	1.1.1.1	192.168.2.4
Dec 19, 2024 15:33:34.064157963 CET	53	52344	1.1.1.1	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 15:33:21.774168015 CET	1.1.1.1	192.168.2.4	0xa8e5	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:21.774168015 CET	1.1.1.1	192.168.2.4	0xa8e5	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:33.028563023 CET	1.1.1.1	192.168.2.4	0x5466	Server failure (2)	yu.timid.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:33.208966017 CET	1.1.1.1	192.168.2.4	0x4412	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:33.552942038 CET	1.1.1.1	192.168.2.4	0x7f8f	Server failure (2)	li.merts.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:33.738169909 CET	1.1.1.1	192.168.2.4	0x3f30	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:34.064157963 CET	1.1.1.1	192.168.2.4	0x7d0a	Server failure (2)	jqu.meiu.pl	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll"
Imagebase:	0x9c0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDllInitialize
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\UV0zBp62hW.dll",#1
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp
Imagebase:	0x400000
File size:	276'480 bytes
MD5 hash:	0BD4AE2BDF462F97DD03D6218A741789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000005.00000002.2136560000.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlBCA3.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp
Imagebase:	0x400000
File size:	276'480 bytes
MD5 hash:	0BD4AE2BDF462F97DD03D6218A741789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.2051509578.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlBCB3.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7cd660000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000000.1833082714.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.3075450654.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:33:15
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7400 -s 380
Imagebase:	0xb60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:33:16
Start date:	19/12/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7a2ae0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.3075563324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.1840981002.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	09:33:17
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.3075918696.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:33:18
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.3074777533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.1860100553.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:33:18
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkDrawTextEx
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:33:18
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrlC86B.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrlC86B.tmp
Imagebase:	0x400000
File size:	276'480 bytes
MD5 hash:	0BD4AE2BDF462F97DD03D6218A741789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlC86B.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:33:18
Start date:	19/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff72c440000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000002.3074778934.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:33:18
Start date:	19/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff72c440000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.3074704354.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	09:33:19
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k RPCSS -p
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000002.3075291406.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	09:33:19
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000002.3075100920.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000000.1871949899.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:33:19
Start date:	19/12/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff74e710000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000002.3074791213.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	09:33:19
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000000.1874806385.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.3074679188.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	09:33:20
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.3075369973.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000000.1877415236.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	09:33:21
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000002.3075681181.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000000.1890975257.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	09:33:21
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\UV0zBp62hW.dll,LpkEditControl
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:33:21
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrlD452.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrlD452.tmp
Imagebase:	0x400000
File size:	276'480 bytes
MD5 hash:	0BD4AE2BDF462F97DD03D6218A741789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlD452.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	09:33:21
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 380
Imagebase:	0xb60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:33:21
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000000.1894430516.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000002.3074742466.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	09:33:22
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000002.3075099305.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000000.1900998061.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001E.00000002.3075099086.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001E.00000000.1921150104.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp
Imagebase:	0x400000
File size:	276'480 bytes
MD5 hash:	0BD4AE2BDF462F97DD03D6218A741789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlDFFA.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 380
Imagebase:	0xb60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:33:25
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000002.3075976845.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000000.1935460960.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	09:33:26
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.3075101490.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000000.1938547190.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	09:33:27
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.3075427157.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	09:33:27
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.3075481202.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	09:33:28
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.3075568717.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	09:33:28
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.3076284976.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000000.1963882445.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	09:33:29
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.3074948867.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	09:33:29
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000002.3075257509.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000000.1974078167.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	32.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.4%
Total number of Nodes:	138
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001193 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 104
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 10001265
RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

Strings

D, xrefs: 10001294
hrl, xrefs: 10001218

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$CloseFileHandle$CreateTemp$FindLoadLockMemoryNamePathProcessSizeofWriteZero
String ID: D$hrl
API String ID: 3860286866-1539874146
Opcode ID: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction ID: 7e218033b22d9d8325d54e1b04e0e1002b9ec3418c8ade03e82d96821e86f301
Opcode Fuzzy Hash: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction Fuzzy Hash: 0A31E8B1D01228ABEB11EFA0CC8CEEE7BBDEB49791F104566F605E2165D7344A54CB60

Function 10001A32 Relevance: 10.6, APIs: 7, Instructions: 55
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000001,10003018,00000104), ref: 10001A4F
DisableThreadLibraryCalls.KERNEL32(00000001), ref: 10001A56

Part of subcall function 10001134: FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
Part of subcall function 10001134: SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
Part of subcall function 10001134: LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
Part of subcall function 10001134: LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
Part of subcall function 10001134: lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Part of subcall function 10001338: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
Part of subcall function 10001338: PathFindFileNameW.SHLWAPI(?), ref: 1000135C
Part of subcall function 10001338: PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
Part of subcall function 10001338: lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10001A8E

Part of subcall function 100012BD: CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7

Part of subcall function 10001193: FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
Part of subcall function 10001193: SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
Part of subcall function 10001193: LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
Part of subcall function 10001193: LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
Part of subcall function 10001193: GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
Part of subcall function 10001193: GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
Part of subcall function 10001193: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
Part of subcall function 10001193: WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
Part of subcall function 10001193: CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 10001265
Part of subcall function 10001193: RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
Part of subcall function 10001193: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

SetEvent.KERNEL32(?), ref: 10001ABA
WaitForSingleObject.KERNEL32(000000FF), ref: 10001AC8
CloseHandle.KERNEL32 ref: 10001ADA
CloseHandle.KERNEL32 ref: 10001AE2

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$File$CloseHandle$CreateFindName$Path$EventLoadLockModuleSizeofTemp$CallsDisableExtensionLibraryMemoryMutexObjectProcessSingleThreadWaitWriteZerolstrcmpilstrcpyn
String ID:
API String ID: 3535865480-0
Opcode ID: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction ID: ffd36879a7497b368e77efcd0eb173f2275a3137c17b7fd903d544f692c8100a
Opcode Fuzzy Hash: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction Fuzzy Hash: 78115B34606332AAF612EBA18C89BCF3BACEF023E5F118116F554D10ADDB609950CA63

Function 100010CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 100010E3
lstrcatW.KERNEL32(?,\lpk), ref: 100010F5
LoadLibraryW.KERNELBASE(?), ref: 10001102

Part of subcall function 1000101F: RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

\lpk, xrefs: 100010E9

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: DirectoryLibraryLoadMemoryMoveSystemlstrcat
String ID: \lpk
API String ID: 3372298440-336436324
Opcode ID: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction ID: be4007e3f20e417fa77d5d5c324e07ec6705456ad939ec99c1b7038da3bba866
Opcode Fuzzy Hash: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction Fuzzy Hash: B2E0127480032A9BFB50EBB08C8EAC777BCE704381F000562E755D206AEF74D585CB50

Function 100012F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00000104), ref: 10001311
PathFindFileNameW.SHLWAPI(?), ref: 1000131E
lstrcmpiW.KERNELBASE(00000000,lpk.dll), ref: 1000132A

Strings

lpk.dll, xrefs: 10001324

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FileName$FindModulePathlstrcmpi
String ID: lpk.dll
API String ID: 1239673384-3066363995
Opcode ID: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction ID: 2c49bb99bc8642171fc9961312980d4ab0a4eef97db440158d685f58edb63067
Opcode Fuzzy Hash: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction Fuzzy Hash: 35E0127554032D6BEB116B70CC8DDD7376CA700745F004251F65AD20BADA74958DCF50

Function 100019E6 Relevance: 6.0, APIs: 4, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,100018D3,00000000,00000004,00000000), ref: 100019F4
SetThreadPriority.KERNELBASE(00000000,000000F1), ref: 10001A02
ResumeThread.KERNELBASE ref: 10001A12
TerminateThread.KERNEL32(00000000), ref: 10001A24

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Thread$CreatePriorityResumeTerminate
String ID:
API String ID: 2154424394-0
Opcode ID: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction ID: e961737a7aae76fd0c4580525259ff7f5de2b8d71232f79ea42e210bb63285d4
Opcode Fuzzy Hash: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction Fuzzy Hash: AFE07570502230BAFA119B769C8CB873F6AEB076F1B554316F62E915BAC7204581CBA1

Function 100012BD Relevance: 4.5, APIs: 3, Instructions: 24
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7
GetLastError.KERNEL32(00000001,?,10001A74), ref: 100012D7
CloseHandle.KERNELBASE(00000000,?,10001A74), ref: 100012EB

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction ID: 226164d0f01b805de613a55782abc57cedde5fe5c7c82aa8690d380dee59acf0
Opcode Fuzzy Hash: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction Fuzzy Hash: 1BD05E3660873067F212937CBC0CB8F2A35EBC5BF2F128265FE4AD229CCB24490685D5

Function 10001000 Relevance: 3.0, APIs: 2, Instructions: 8
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
ExitProcess.KERNEL32 ref: 10001016

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressExitProcProcess
String ID:
API String ID: 2796388413-0
Opcode ID: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction ID: 5188076986118a0aee3e910be33b50d7ca781def4220dbbbf73b176a37f9c490
Opcode Fuzzy Hash: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction Fuzzy Hash: F6C04C35104261ABFA11AB618E8CB067B66AB547D1B114215E255800BED6318450EA15

Non-executed Functions

Function 10001677 Relevance: 54.4, APIs: 26, Strings: 5, Instructions: 172
stringfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 1000168F
lstrcpyW.KERNEL32(?,A:\,0000EA60,75BF73E0), ref: 100016C2
lstrcpyW.KERNEL32(?,?), ref: 100016DF
PathAppendW.SHLWAPI(?,10002374), ref: 100016F3
FindFirstFileW.KERNEL32(?,?), ref: 10001703
PathFindExtensionW.SHLWAPI(?), ref: 100017CA
lstrcmpiW.KERNEL32(00000000,.EXE), ref: 100017E1
lstrcpyW.KERNEL32(?,?), ref: 100017F5
PathAppendW.SHLWAPI(?,lpk.dll), ref: 10001803
GetFileAttributesW.KERNEL32(?), ref: 1000180C
CopyFileW.KERNEL32(10003018,?,00000001), ref: 10001829
SetFileAttributesW.KERNEL32(?,00000007), ref: 10001838
lstrcmpiW.KERNEL32(100015A2,.RAR), ref: 10001846
lstrcmpiW.KERNEL32(100015A2,.ZIP), ref: 10001854
lstrcpyW.KERNEL32(?,?), ref: 1000187D
PathAppendW.SHLWAPI(?,?), ref: 1000188D
WaitForSingleObject.KERNEL32(00000014), ref: 100018A4
FindNextFileW.KERNEL32(100015A2,?), ref: 100018BF

Strings

.ZIP, xrefs: 1000184C
A:\, xrefs: 100016BC
.EXE, xrefs: 100017DB
lpk.dll, xrefs: 100017F7
.RAR, xrefs: 1000183E

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: File$Pathlstrcpy$AppendFindlstrcmpi$AttributesObjectSingleWait$CopyExtensionFirstNext
String ID: .EXE$.RAR$.ZIP$A:\$lpk.dll
API String ID: 3771388200-3932496361
Opcode ID: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction ID: 14b84c573bc6bfc0103a48903cae28372ea9a580d345985b263a6e171d24a783
Opcode Fuzzy Hash: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction Fuzzy Hash: 5651DDB290022DAAEB10DBA4CC88BDE77BDEB44390F1445A6E605E2055DB75DB84CFA0

Function 1000142B Relevance: 38.6, APIs: 14, Strings: 8, Instructions: 129
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHRegGetValueW.SHLWAPI(80000000,WinRAR\shell\open\command,00000000,00000002,00000000,?,?), ref: 10001456
lstrcpyW.KERNEL32(00000022,?), ref: 10001485
StrStrIW.SHLWAPI(00000022,1000230C), ref: 10001498
PathRemoveFileSpecW.SHLWAPI(00000022), ref: 100014B2
PathAppendW.SHLWAPI(00000022,rar.exe), ref: 100014C4
GetFileAttributesW.KERNEL32(00000022), ref: 100014D1
PathGetShortPath.SHELL32(00000022), ref: 100014E9
GetTempPathW.KERNEL32(00000104,?), ref: 100014FB
GetCurrentThreadId.KERNEL32 ref: 10001508
GetTempFileNameW.KERNEL32(?,IRAR,00000000), ref: 1000151B
wsprintfW.USER32 ref: 10001544

Part of subcall function 10001398: RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
Part of subcall function 10001398: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
Part of subcall function 10001398: GetLastError.KERNEL32 ref: 100013DB

wsprintfW.USER32 ref: 10001580

Part of subcall function 10001398: WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
Part of subcall function 10001398: TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
Part of subcall function 10001398: GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 1000141E
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 10001423

Part of subcall function 10001677: WaitForSingleObject.KERNEL32(00000000), ref: 1000168F

wsprintfW.USER32 ref: 100015C0
wsprintfW.USER32 ref: 100015E6

Strings

rar.exe, xrefs: 100014B8
WinRAR\shell\open\command, xrefs: 10001445
IRAR, xrefs: 1000150F
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll", xrefs: 100015BA
"%s" x "%s" *.exe "%s\", xrefs: 1000157A
", xrefs: 10001464
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll", xrefs: 1000153E
cmd /c RD /s /q "%s", xrefs: 100015E0

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Path$wsprintf$FileProcess$CloseHandleObjectSingleTempWait$AppendAttributesCodeCreateCurrentErrorExitLastMemoryNameRemoveShortSpecTerminateThreadValueZerolstrcpy
String ID: "$"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"$"%s" x "%s" *.exe "%s\"$IRAR$WinRAR\shell\open\command$cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"$cmd /c RD /s /q "%s"$rar.exe
API String ID: 2025278562-176847598
Opcode ID: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction ID: 53c986b37aabe2969284ac0dd55f15aa40eaa0efec7de0ac8071c71bfebae4df
Opcode Fuzzy Hash: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction Fuzzy Hash: 1041C4B690021DAAEF10DB90CD48EDA77BCEB44340F1045A2B619D6055E674EB85CFB1

Function 1000101F Relevance: 21.0, APIs: 1, Strings: 11, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001000: GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
Part of subcall function 10001000: ExitProcess.KERNEL32 ref: 10001016

RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

LpkPSMTextOut, xrefs: 1000109B
LpkInitialize, xrefs: 1000108C
LpkEditControl, xrefs: 10001049
LpkTabbedTextOut, xrefs: 1000101F
LpkUseGDIWidthCache, xrefs: 100010AA
LpkGetTextExtentExPoint, xrefs: 1000107D
ftsWordBreak, xrefs: 100010B9
LpkGetCharacterPlacement, xrefs: 1000106E
LpkExtTextOut, xrefs: 10001064
LpkDrawTextEx, xrefs: 10001038
LpkDllInitialize, xrefs: 10001029

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressExitMemoryMoveProcProcess
String ID: LpkDllInitialize$LpkDrawTextEx$LpkEditControl$LpkExtTextOut$LpkGetCharacterPlacement$LpkGetTextExtentExPoint$LpkInitialize$LpkPSMTextOut$LpkTabbedTextOut$LpkUseGDIWidthCache$ftsWordBreak
API String ID: 598812106-3128392633
Opcode ID: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction ID: aa075801c4fef1efc4910219ef897301fe87f4caca160f87edb01903a9b0afcb
Opcode Fuzzy Hash: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction Fuzzy Hash: 48015474C0239065FB27EFB14D95BCA3B54E7196C1F10C515F3446712EDBB470849B59

Function 100018D3 Relevance: 16.6, APIs: 11, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000060), ref: 100018E6
DriveType.SHELL32(00000002), ref: 10001902
CreateThread.KERNEL32(00000000,00000000,10001677,00000002,00000004,00000000), ref: 1000191D
SetThreadPriority.KERNEL32(00000000,000000F1), ref: 10001930
ResumeThread.KERNEL32(?), ref: 1000193D
TerminateThread.KERNEL32(?,00000000), ref: 10001956
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,00000000), ref: 10001975
RtlZeroMemory.KERNEL32(?,00000060), ref: 10001989
CloseHandle.KERNEL32(?), ref: 10001997
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 100019C0
CloseHandle.KERNEL32(?), ref: 100019D0

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Thread$CloseHandleMemoryMultipleObjectsWaitZero$CreateDrivePriorityResumeTerminateType
String ID:
API String ID: 1898017378-0
Opcode ID: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction ID: a0013d5da517d4d5a33f6e42946cb667d24e2e6983c8dbf7389f749baf9380a9
Opcode Fuzzy Hash: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction Fuzzy Hash: A631B671540721ABF712EB20CC98BAB7BEEEF807D0F500615F6A6D10A9C772C945C762

Function 10001398 Relevance: 12.1, APIs: 8, Instructions: 54
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
GetLastError.KERNEL32 ref: 100013DB
WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
CloseHandle.KERNEL32(?), ref: 1000141E
CloseHandle.KERNEL32(?), ref: 10001423

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Process$CloseHandle$CodeCreateErrorExitLastMemoryObjectSingleTerminateWaitZero
String ID:
API String ID: 479851863-0
Opcode ID: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction ID: 7f4f93b674e2ec955674b2195e50ebeabb8675a41d593902dc04bf7fa736d272
Opcode Fuzzy Hash: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction Fuzzy Hash: 4411E271900229EBEB01EFE1CD88ADE7FB9EF08791F104011EA05A6169D6319A54DBA1

Function 10001606 Relevance: 9.0, APIs: 6, Instructions: 43
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 1000160C
GetTickCount.KERNEL32 ref: 1000161C
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001634
GetTickCount.KERNEL32 ref: 1000163D
GetLogicalDrives.KERNEL32 ref: 10001650
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001663

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CountDrivesLogicalObjectSingleTickWait
String ID:
API String ID: 42545375-0
Opcode ID: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction ID: 3f6e6b7f54fa11ca4b0782ed1666a21edfd725203009cfb413e51542acf73e8d
Opcode Fuzzy Hash: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction Fuzzy Hash: 56F0F6319083259FF700EF30ECC886FBBEDEB802D5B25492FF500C2158C632AC049A61

Function 10001338 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
PathFindFileNameW.SHLWAPI(?), ref: 1000135C
PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

Strings

.TMP, xrefs: 10001381

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FileFindNamePath$ExtensionModulelstrcmpi
String ID: .TMP
API String ID: 597247504-614523329
Opcode ID: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction ID: 1fd35f4ed13ad4ccd143400fde8a975121882a3ba8c08806c051296bf98cdfa8
Opcode Fuzzy Hash: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction Fuzzy Hash: 43F03760A003159AFB50AF608D4DED737FCEB003C5F028555E559D74AAEBF4CAC9CA60

Function 10001134 Relevance: 7.5, APIs: 5, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Memory Dump Source

Source File: 00000000.00000002.1930310403.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1929423845.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930566708.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930766503.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$FindLoadLockSizeoflstrcpyn
String ID:
API String ID: 3315616855-0
Opcode ID: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction ID: 8471c72c1caef8166e4ab4b94a4b144f79c53e762d3decfbeebc5ecea59f4515
Opcode Fuzzy Hash: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction Fuzzy Hash: 99F01C35A01334BBFB261BA59CCCF973FADEB497D5F01C126FA05D21A9DA21C815C660

Analysis Process: rundll32.exePID: 7360, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	32%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	138
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001193 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 104
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
CloseHandle.KERNELBASE(00000000,?,?,00000001), ref: 10001265
RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

Strings

hrl, xrefs: 10001218
D, xrefs: 10001294

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$CloseFileHandle$CreateTemp$FindLoadLockMemoryNamePathProcessSizeofWriteZero
String ID: D$hrl
API String ID: 3860286866-1539874146
Opcode ID: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction ID: 7e218033b22d9d8325d54e1b04e0e1002b9ec3418c8ade03e82d96821e86f301
Opcode Fuzzy Hash: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction Fuzzy Hash: 0A31E8B1D01228ABEB11EFA0CC8CEEE7BBDEB49791F104566F605E2165D7344A54CB60

Function 10001A32 Relevance: 10.6, APIs: 7, Instructions: 55
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000001,10003018,00000104), ref: 10001A4F
DisableThreadLibraryCalls.KERNEL32(00000001), ref: 10001A56

Part of subcall function 10001134: FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
Part of subcall function 10001134: SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
Part of subcall function 10001134: LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
Part of subcall function 10001134: LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
Part of subcall function 10001134: lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Part of subcall function 10001338: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
Part of subcall function 10001338: PathFindFileNameW.SHLWAPI(?), ref: 1000135C
Part of subcall function 10001338: PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
Part of subcall function 10001338: lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10001A8E

Part of subcall function 100012BD: CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7

Part of subcall function 10001193: FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
Part of subcall function 10001193: SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
Part of subcall function 10001193: LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
Part of subcall function 10001193: LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
Part of subcall function 10001193: GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
Part of subcall function 10001193: GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
Part of subcall function 10001193: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
Part of subcall function 10001193: WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
Part of subcall function 10001193: CloseHandle.KERNELBASE(00000000,?,?,00000001), ref: 10001265
Part of subcall function 10001193: RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
Part of subcall function 10001193: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

SetEvent.KERNEL32(?), ref: 10001ABA
WaitForSingleObject.KERNEL32(000000FF), ref: 10001AC8
CloseHandle.KERNEL32 ref: 10001ADA
CloseHandle.KERNEL32 ref: 10001AE2

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$File$CloseHandle$CreateFindName$Path$EventLoadLockModuleSizeofTemp$CallsDisableExtensionLibraryMemoryMutexObjectProcessSingleThreadWaitWriteZerolstrcmpilstrcpyn
String ID:
API String ID: 3535865480-0
Opcode ID: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction ID: ffd36879a7497b368e77efcd0eb173f2275a3137c17b7fd903d544f692c8100a
Opcode Fuzzy Hash: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction Fuzzy Hash: 78115B34606332AAF612EBA18C89BCF3BACEF023E5F118116F554D10ADDB609950CA63

Function 100010CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 100010E3
lstrcatW.KERNEL32(?,\lpk), ref: 100010F5
LoadLibraryW.KERNELBASE(?), ref: 10001102

Part of subcall function 1000101F: RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

\lpk, xrefs: 100010E9

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: DirectoryLibraryLoadMemoryMoveSystemlstrcat
String ID: \lpk
API String ID: 3372298440-336436324
Opcode ID: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction ID: be4007e3f20e417fa77d5d5c324e07ec6705456ad939ec99c1b7038da3bba866
Opcode Fuzzy Hash: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction Fuzzy Hash: B2E0127480032A9BFB50EBB08C8EAC777BCE704381F000562E755D206AEF74D585CB50

Function 100012F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00000104), ref: 10001311
PathFindFileNameW.SHLWAPI(?), ref: 1000131E
lstrcmpiW.KERNELBASE(00000000,lpk.dll), ref: 1000132A

Strings

lpk.dll, xrefs: 10001324

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileName$FindModulePathlstrcmpi
String ID: lpk.dll
API String ID: 1239673384-3066363995
Opcode ID: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction ID: 2c49bb99bc8642171fc9961312980d4ab0a4eef97db440158d685f58edb63067
Opcode Fuzzy Hash: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction Fuzzy Hash: 35E0127554032D6BEB116B70CC8DDD7376CA700745F004251F65AD20BADA74958DCF50

Function 100019E6 Relevance: 6.0, APIs: 4, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,100018D3,00000000,00000004,00000000), ref: 100019F4
SetThreadPriority.KERNELBASE(00000000,000000F1), ref: 10001A02
ResumeThread.KERNELBASE ref: 10001A12
TerminateThread.KERNEL32(00000000), ref: 10001A24

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$CreatePriorityResumeTerminate
String ID:
API String ID: 2154424394-0
Opcode ID: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction ID: e961737a7aae76fd0c4580525259ff7f5de2b8d71232f79ea42e210bb63285d4
Opcode Fuzzy Hash: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction Fuzzy Hash: AFE07570502230BAFA119B769C8CB873F6AEB076F1B554316F62E915BAC7204581CBA1

Function 100012BD Relevance: 4.5, APIs: 3, Instructions: 24
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7
GetLastError.KERNEL32(00000001,?,10001A74), ref: 100012D7
CloseHandle.KERNEL32(00000000,?,10001A74), ref: 100012EB

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction ID: 226164d0f01b805de613a55782abc57cedde5fe5c7c82aa8690d380dee59acf0
Opcode Fuzzy Hash: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction Fuzzy Hash: 1BD05E3660873067F212937CBC0CB8F2A35EBC5BF2F128265FE4AD229CCB24490685D5

Function 10001000 Relevance: 3.0, APIs: 2, Instructions: 8
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
ExitProcess.KERNEL32 ref: 10001016

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressExitProcProcess
String ID:
API String ID: 2796388413-0
Opcode ID: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction ID: 5188076986118a0aee3e910be33b50d7ca781def4220dbbbf73b176a37f9c490
Opcode Fuzzy Hash: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction Fuzzy Hash: F6C04C35104261ABFA11AB618E8CB067B66AB547D1B114215E255800BED6318450EA15

Non-executed Functions

Function 10001677 Relevance: 54.4, APIs: 26, Strings: 5, Instructions: 172
stringfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 1000168F
lstrcpyW.KERNEL32(?,A:\,0000EA60,75BF73E0), ref: 100016C2
lstrcpyW.KERNEL32(?,?), ref: 100016DF
PathAppendW.SHLWAPI(?,10002374), ref: 100016F3
FindFirstFileW.KERNEL32(?,?), ref: 10001703
PathFindExtensionW.SHLWAPI(?), ref: 100017CA
lstrcmpiW.KERNEL32(00000000,.EXE), ref: 100017E1
lstrcpyW.KERNEL32(?,?), ref: 100017F5
PathAppendW.SHLWAPI(?,lpk.dll), ref: 10001803
GetFileAttributesW.KERNEL32(?), ref: 1000180C
CopyFileW.KERNEL32(10003018,?,00000001), ref: 10001829
SetFileAttributesW.KERNEL32(?,00000007), ref: 10001838
lstrcmpiW.KERNEL32(100015A2,.RAR), ref: 10001846
lstrcmpiW.KERNEL32(100015A2,.ZIP), ref: 10001854
lstrcpyW.KERNEL32(?,?), ref: 1000187D
PathAppendW.SHLWAPI(?,?), ref: 1000188D
WaitForSingleObject.KERNEL32(00000014), ref: 100018A4
FindNextFileW.KERNEL32(100015A2,?), ref: 100018BF

Strings

lpk.dll, xrefs: 100017F7
.RAR, xrefs: 1000183E
.ZIP, xrefs: 1000184C
.EXE, xrefs: 100017DB
A:\, xrefs: 100016BC

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: File$Pathlstrcpy$AppendFindlstrcmpi$AttributesObjectSingleWait$CopyExtensionFirstNext
String ID: .EXE$.RAR$.ZIP$A:\$lpk.dll
API String ID: 3771388200-3932496361
Opcode ID: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction ID: 14b84c573bc6bfc0103a48903cae28372ea9a580d345985b263a6e171d24a783
Opcode Fuzzy Hash: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction Fuzzy Hash: 5651DDB290022DAAEB10DBA4CC88BDE77BDEB44390F1445A6E605E2055DB75DB84CFA0

Function 1000142B Relevance: 38.6, APIs: 14, Strings: 8, Instructions: 129
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHRegGetValueW.SHLWAPI(80000000,WinRAR\shell\open\command,00000000,00000002,00000000,?,?), ref: 10001456
lstrcpyW.KERNEL32(00000022,?), ref: 10001485
StrStrIW.SHLWAPI(00000022,1000230C), ref: 10001498
PathRemoveFileSpecW.SHLWAPI(00000022), ref: 100014B2
PathAppendW.SHLWAPI(00000022,rar.exe), ref: 100014C4
GetFileAttributesW.KERNEL32(00000022), ref: 100014D1
PathGetShortPath.SHELL32(00000022), ref: 100014E9
GetTempPathW.KERNEL32(00000104,?), ref: 100014FB
GetCurrentThreadId.KERNEL32 ref: 10001508
GetTempFileNameW.KERNEL32(?,IRAR,00000000), ref: 1000151B
wsprintfW.USER32 ref: 10001544

Part of subcall function 10001398: RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
Part of subcall function 10001398: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
Part of subcall function 10001398: GetLastError.KERNEL32 ref: 100013DB

wsprintfW.USER32 ref: 10001580

Part of subcall function 10001398: WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
Part of subcall function 10001398: TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
Part of subcall function 10001398: GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 1000141E
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 10001423

Part of subcall function 10001677: WaitForSingleObject.KERNEL32(00000000), ref: 1000168F

wsprintfW.USER32 ref: 100015C0
wsprintfW.USER32 ref: 100015E6

Strings

"%s" x "%s" *.exe "%s\", xrefs: 1000157A
IRAR, xrefs: 1000150F
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll", xrefs: 100015BA
", xrefs: 10001464
cmd /c RD /s /q "%s", xrefs: 100015E0
WinRAR\shell\open\command, xrefs: 10001445
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll", xrefs: 1000153E
rar.exe, xrefs: 100014B8

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Path$wsprintf$FileProcess$CloseHandleObjectSingleTempWait$AppendAttributesCodeCreateCurrentErrorExitLastMemoryNameRemoveShortSpecTerminateThreadValueZerolstrcpy
String ID: "$"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"$"%s" x "%s" *.exe "%s\"$IRAR$WinRAR\shell\open\command$cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"$cmd /c RD /s /q "%s"$rar.exe
API String ID: 2025278562-176847598
Opcode ID: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction ID: 53c986b37aabe2969284ac0dd55f15aa40eaa0efec7de0ac8071c71bfebae4df
Opcode Fuzzy Hash: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction Fuzzy Hash: 1041C4B690021DAAEF10DB90CD48EDA77BCEB44340F1045A2B619D6055E674EB85CFB1

Function 1000101F Relevance: 21.0, APIs: 1, Strings: 11, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001000: GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
Part of subcall function 10001000: ExitProcess.KERNEL32 ref: 10001016

RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

ftsWordBreak, xrefs: 100010B9
LpkInitialize, xrefs: 1000108C
LpkGetCharacterPlacement, xrefs: 1000106E
LpkExtTextOut, xrefs: 10001064
LpkDllInitialize, xrefs: 10001029
LpkEditControl, xrefs: 10001049
LpkUseGDIWidthCache, xrefs: 100010AA
LpkPSMTextOut, xrefs: 1000109B
LpkDrawTextEx, xrefs: 10001038
LpkTabbedTextOut, xrefs: 1000101F
LpkGetTextExtentExPoint, xrefs: 1000107D

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressExitMemoryMoveProcProcess
String ID: LpkDllInitialize$LpkDrawTextEx$LpkEditControl$LpkExtTextOut$LpkGetCharacterPlacement$LpkGetTextExtentExPoint$LpkInitialize$LpkPSMTextOut$LpkTabbedTextOut$LpkUseGDIWidthCache$ftsWordBreak
API String ID: 598812106-3128392633
Opcode ID: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction ID: aa075801c4fef1efc4910219ef897301fe87f4caca160f87edb01903a9b0afcb
Opcode Fuzzy Hash: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction Fuzzy Hash: 48015474C0239065FB27EFB14D95BCA3B54E7196C1F10C515F3446712EDBB470849B59

Function 100018D3 Relevance: 16.6, APIs: 11, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000060), ref: 100018E6
DriveType.SHELL32(00000002), ref: 10001902
CreateThread.KERNEL32(00000000,00000000,10001677,00000002,00000004,00000000), ref: 1000191D
SetThreadPriority.KERNEL32(00000000,000000F1), ref: 10001930
ResumeThread.KERNEL32(?), ref: 1000193D
TerminateThread.KERNEL32(?,00000000), ref: 10001956
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,00000000), ref: 10001975
RtlZeroMemory.KERNEL32(?,00000060), ref: 10001989
CloseHandle.KERNEL32(?), ref: 10001997
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 100019C0
CloseHandle.KERNEL32(?), ref: 100019D0

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$CloseHandleMemoryMultipleObjectsWaitZero$CreateDrivePriorityResumeTerminateType
String ID:
API String ID: 1898017378-0
Opcode ID: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction ID: a0013d5da517d4d5a33f6e42946cb667d24e2e6983c8dbf7389f749baf9380a9
Opcode Fuzzy Hash: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction Fuzzy Hash: A631B671540721ABF712EB20CC98BAB7BEEEF807D0F500615F6A6D10A9C772C945C762

Function 10001398 Relevance: 12.1, APIs: 8, Instructions: 54
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
GetLastError.KERNEL32 ref: 100013DB
WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
CloseHandle.KERNEL32(?), ref: 1000141E
CloseHandle.KERNEL32(?), ref: 10001423

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CloseHandle$CodeCreateErrorExitLastMemoryObjectSingleTerminateWaitZero
String ID:
API String ID: 479851863-0
Opcode ID: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction ID: 7f4f93b674e2ec955674b2195e50ebeabb8675a41d593902dc04bf7fa736d272
Opcode Fuzzy Hash: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction Fuzzy Hash: 4411E271900229EBEB01EFE1CD88ADE7FB9EF08791F104011EA05A6169D6319A54DBA1

Function 10001606 Relevance: 9.0, APIs: 6, Instructions: 43
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 1000160C
GetTickCount.KERNEL32 ref: 1000161C
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001634
GetTickCount.KERNEL32 ref: 1000163D
GetLogicalDrives.KERNEL32 ref: 10001650
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001663

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CountDrivesLogicalObjectSingleTickWait
String ID:
API String ID: 42545375-0
Opcode ID: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction ID: 3f6e6b7f54fa11ca4b0782ed1666a21edfd725203009cfb413e51542acf73e8d
Opcode Fuzzy Hash: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction Fuzzy Hash: 56F0F6319083259FF700EF30ECC886FBBEDEB802D5B25492FF500C2158C632AC049A61

Function 10001338 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
PathFindFileNameW.SHLWAPI(?), ref: 1000135C
PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

Strings

.TMP, xrefs: 10001381

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileFindNamePath$ExtensionModulelstrcmpi
String ID: .TMP
API String ID: 597247504-614523329
Opcode ID: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction ID: 1fd35f4ed13ad4ccd143400fde8a975121882a3ba8c08806c051296bf98cdfa8
Opcode Fuzzy Hash: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction Fuzzy Hash: 43F03760A003159AFB50AF608D4DED737FCEB003C5F028555E559D74AAEBF4CAC9CA60

Function 10001134 Relevance: 7.5, APIs: 5, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Memory Dump Source

Source File: 00000003.00000002.1832798748.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1832774684.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832822288.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1832861462.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindLoadLockSizeoflstrcpyn
String ID:
API String ID: 3315616855-0
Opcode ID: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction ID: 8471c72c1caef8166e4ab4b94a4b144f79c53e762d3decfbeebc5ecea59f4515
Opcode Fuzzy Hash: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction Fuzzy Hash: 99F01C35A01334BBFB261BA59CCCF973FADEB497D5F01C126FA05D21A9DA21C815C660

Analysis Process: hrlBCA3.tmpPID: 7400, Parent PID: 7360COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.7%
Total number of Nodes:	402
Total number of Limit Nodes:	1

Executed Functions

Function 00440807 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88ad1f2753a32e2db0abe4e2562e0719c56c9d377691ccc2ee5589576cce55a
Instruction ID: b765a96d28626ebff7f28c112232a2e79a51613436dd4c68951b298813778f37
Opcode Fuzzy Hash: d88ad1f2753a32e2db0abe4e2562e0719c56c9d377691ccc2ee5589576cce55a
Instruction Fuzzy Hash: FC014832A041419BFB10EE29CD89A9DB762EBC0328F10831AE6145F18AC779D665CAC1

Non-executed Functions

Function 00401A40 Relevance: 154.4, APIs: 29, Strings: 59, Instructions: 421
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00401A9E
GetProcAddress.KERNEL32(00000000), ref: 00401AA7
LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 00401AB7
GetProcAddress.KERNEL32(00000000), ref: 00401ABA

Part of subcall function 004016C0: strstr.MSVCRT ref: 00401730
Part of subcall function 004016C0: strcspn.MSVCRT ref: 0040174D
Part of subcall function 004016C0: strncpy.MSVCRT ref: 0040175C
Part of subcall function 004016C0: strcspn.MSVCRT ref: 0040176C
Part of subcall function 004016C0: atoi.MSVCRT(00000000), ref: 004017A8

Part of subcall function 00403160: GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,74DEF550,74DF0BD0,00000072), ref: 0040317B
Part of subcall function 00403160: GetComputerNameA.KERNEL32 ref: 00403192
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 004031AB
Part of subcall function 00403160: strstr.MSVCRT ref: 00403214
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,Windows NT), ref: 00403304
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040332D

Part of subcall function 00401A00: LoadLibraryA.KERNEL32 ref: 00401A20

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2

Strings

Distribuoeq, xrefs: 00401FA5, 00401FE4
PlusCtrl.dll, xrefs: 00401CC5
L, xrefs: 00401BA5
e, xrefs: 00402029
o, xrefs: 00401BC2
8@, xrefs: 00401FEA
m, xrefs: 00401B74
o, xrefs: 00402015
l, xrefs: 00402024
t, xrefs: 0040200B
SetFileAttributesA, xrefs: 00401F7F
R, xrefs: 00401BA0
l, xrefs: 00401B91
d, xrefs: 00401BCC
F, xrefs: 00401BDB
F, xrefs: 0040202E
., xrefs: 00401B82
a, xrefs: 00401BC7
i, xrefs: 00401A7B
d, xrefs: 00401B87
o, xrefs: 00401B79
t, xrefs: 00401A80
w, xrefs: 00401B35
ExitProcess, xrefs: 00401F94
u, xrefs: 0040201F
l, xrefs: 00402038
m, xrefs: 0040204C
i, xrefs: 00401BE0
a, xrefs: 00402047
o, xrefs: 00401BD6
e, xrefs: 00402006
U, xrefs: 00401B9B
l, xrefs: 00401B6F
d, xrefs: 0040201A
,8@, xrefs: 004020E8
l, xrefs: 00401A94
D, xrefs: 00401BAA
W, xrefs: 00401A72
e, xrefs: 0040203D
T, xrefs: 00401BD1
w, xrefs: 00401BB4
kernel32.dll, xrefs: 00401A65, 00401AAE, 00401F84, 00401F99, 00402001
l, xrefs: 00401BE5
i, xrefs: 00402033
A, xrefs: 00402056
l, xrefs: 00401BBD
A, xrefs: 00401BEF
e, xrefs: 00402051
GetTempPathA, xrefs: 00401AA9
u, xrefs: 00401B66
e, xrefs: 00401A99
N, xrefs: 00402042
F, xrefs: 00401A8A
M, xrefs: 00402010
o, xrefs: 00401BAF
G, xrefs: 00401FFB
i, xrefs: 00401A8F
e, xrefs: 00401BEA
l, xrefs: 00401B8C

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: LibraryLoad$lstrcpy$AddressCloseHandleProcstrcspnstrstr$ComputerInfoLocaleNameatoistrncpy
String ID: ,8@$.$A$A$D$Distribuoeq$ExitProcess$F$F$F$G$GetTempPathA$L$M$N$PlusCtrl.dll$R$SetFileAttributesA$T$U$W$a$a$d$d$d$e$e$e$e$e$e$i$i$i$i$kernel32.dll$l$l$l$l$l$l$l$l$m$m$o$o$o$o$o$t$t$u$u$w$w$8@
API String ID: 3864303722-4133879002
Opcode ID: 8fad84325013aa2872d693e4a5823aaf4a1b65688ad2ea7df792892cca219c5c
Instruction ID: 3c3143e3e5472c0825c52dd3c823dc81544a2ddb207d74fe6334a4c7ffd002c2
Opcode Fuzzy Hash: 8fad84325013aa2872d693e4a5823aaf4a1b65688ad2ea7df792892cca219c5c
Instruction Fuzzy Hash: 0502C270548380DEE310CB64DD48B5BBBE5AB95704F04492DF6C5A72D2DBBAD808CB6B

Function 00403160 Relevance: 64.9, APIs: 14, Strings: 23, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,74DEF550,74DF0BD0,00000072), ref: 0040317B
GetComputerNameA.KERNEL32 ref: 00403192
lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 004031AB
strstr.MSVCRT ref: 00403214
strstr.MSVCRT ref: 00403242
strstr.MSVCRT ref: 00403265
lstrcpyA.KERNEL32(?,Windows NT), ref: 00403304
lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040332D
GlobalMemoryStatusEx.KERNEL32(?), ref: 004033B5
lstrcpyA.KERNEL32(?,20108K), ref: 004033F1
GetTickCount.KERNEL32 ref: 004033FC

Strings

$9@, xrefs: 004031F3, 0040337B
Windows 2000, xrefs: 00403223
~MHz, xrefs: 00403365
Windows Vista, xrefs: 0040329F
@, xrefs: 0040318A
,8@, xrefs: 00403390
2008, xrefs: 004032B1
Vista, xrefs: 0040328A
ProductName, xrefs: 004031E5
Windows 2008, xrefs: 004032CA
Windows 7, xrefs: 004032F0
Windows XP, xrefs: 00403251
%u MB, xrefs: 004033DA
2000, xrefs: 0040320E
2003, xrefs: 0040325F
69@, xrefs: 004031C7, 00403347
%u MHz, xrefs: 0040339D
Windows 2003, xrefs: 00403274
@, xrefs: 004033AC
Windows NT, xrefs: 004032F8
20108K, xrefs: 004033EB
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004031A5
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00403326

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: lstrcpy$strstr$ComputerCountGlobalInfoLocaleMemoryNameStatusTick
String ID: $9@$%u MB$%u MHz$,8@$2000$2003$2008$20108K$69@$@$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 2000$Windows 2003$Windows 2008$Windows 7$Windows NT$Windows Vista$Windows XP$~MHz
API String ID: 13981014-3249776645
Opcode ID: b890d30ee0b0790192ef3d330c4cc97dd10b39269747d7349394549379db7efe
Instruction ID: 796351ffad0513cd72b75cf0597ba2326a6d71879f4fa0a8f8748fb66bcde97c
Opcode Fuzzy Hash: b890d30ee0b0790192ef3d330c4cc97dd10b39269747d7349394549379db7efe
Instruction Fuzzy Hash: EC617570144305AFD310DF60DE85FAB7BACAB88745F10493EF685B21D0EA78A609CB6D

Function 00447907 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0009517e454c8d5100fc340b0ea3626389ffad213adf61342b8038743361b0
Instruction ID: 357fe6ae4ef08bac6b491023afff3cf9a93833a3c28455eab367effd12a56041
Opcode Fuzzy Hash: 1e0009517e454c8d5100fc340b0ea3626389ffad213adf61342b8038743361b0
Instruction Fuzzy Hash: 24115772A081205FEB19AE29CC85F9EB3A2ABC5724F00832ED1245B2C5DB79D546CA94

Function 00440646 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7528ccbc54291cf828129b84b00d45dd4e7a2c73fe3772a29b066a21d2aeea6
Instruction ID: e47e49ce774d3fe9883cab64ce365b5a25cca8981845ddeb62c8376c0b71d793
Opcode Fuzzy Hash: d7528ccbc54291cf828129b84b00d45dd4e7a2c73fe3772a29b066a21d2aeea6
Instruction Fuzzy Hash: E4D017300082508FD7002BB4EC4D2DFFBA4AFC0382F11882AF58790164CEB888828F53

Function 00402D30 Relevance: 52.7, APIs: 12, Strings: 18, Instructions: 217
stringlibraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000047,00000000,0000009C), ref: 00402DE5
GetProcAddress.KERNEL32(00000000), ref: 00402DEC
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402E0F
strncmp.MSVCRT ref: 00402E34
lstrcatA.KERNEL32(?,004084CC), ref: 00402EC0
lstrcatA.KERNEL32(?,?), ref: 00402ED0
CopyFileA.KERNEL32(?,?,00000000), ref: 00402EE1
lstrcpyA.KERNEL32(?,?), ref: 00402F04
GetLastError.KERNEL32 ref: 00402F7F
lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402FD1
lstrcatA.KERNEL32(?,?), ref: 00402FDF
lstrlenA.KERNEL32(00000000), ref: 00402FFE

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Strings

o, xrefs: 00402D73
i, xrefs: 00402D9D
d, xrefs: 00402D7A
M, xrefs: 00402D6C
,8@, xrefs: 00402EA5
SYSTEM\CurrentControlSet\Services\, xrefs: 00402FC5
%c%c%c%c%c%c.exe, xrefs: 00402E99
8@, xrefs: 00402F99
u, xrefs: 00402D81
a, xrefs: 00402DB7
Description, xrefs: 0040300A
N, xrefs: 00402DB0
F, xrefs: 00402D96
m, xrefs: 00402DBE
kernel32.dll, xrefs: 00402DE0
G, xrefs: 00402D56
t, xrefs: 00402D65
A, xrefs: 00402DCB

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: lstrcat$lstrcpy$AddressCopyCountDirectoryErrorFileLastLibraryLoadProcSystemTicklstrlenrandstrncmp
String ID: %c%c%c%c%c%c.exe$,8@$A$Description$F$G$M$N$SYSTEM\CurrentControlSet\Services\$a$d$i$kernel32.dll$m$o$t$u$8@
API String ID: 2930506891-1316125334
Opcode ID: 4cad2e7bd832c944ab44e5aa06c1b8362982bd4035659bc22fff8856b8ad885a
Instruction ID: 0e0e6dca43d9b0313fe333de96fee7407300e1d87e337aa7371e7680423aad75
Opcode Fuzzy Hash: 4cad2e7bd832c944ab44e5aa06c1b8362982bd4035659bc22fff8856b8ad885a
Instruction Fuzzy Hash: 478119B2900258ABD722DB60DD89FDA7B7CAF55700F0401E9F609B61C1DA789F44CF65

Function 00402600 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402613
lstrcatA.KERNEL32(?,Distribuoeq), ref: 00402623

Strings

$9@, xrefs: 00402680
Distribuoeq, xrefs: 0040261D, 004027B9, 004027C6
69@, xrefs: 0040263F
SYSTEM\CurrentControlSet\Services\, xrefs: 0040260D
ImagePath, xrefs: 0040267A

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: lstrcatlstrcpy
String ID: $9@$69@$Distribuoeq$ImagePath$SYSTEM\CurrentControlSet\Services\
API String ID: 3905823039-738438224
Opcode ID: 4993b40f7886f15423b6108ea60fa8a6cb83f6d371995b2a9da2af4ffd17cede
Instruction ID: cff8f841e93e58ab4234d6d93627b2c916986187481524a3f77962f8d504dc07
Opcode Fuzzy Hash: 4993b40f7886f15423b6108ea60fa8a6cb83f6d371995b2a9da2af4ffd17cede
Instruction Fuzzy Hash: 1551D4357407056BE320DB34ED49FEB37A8EB84721F404839FA06F11D0E6BD95194669

Function 004023B0 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 114
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 00402438
GetProcAddress.KERNEL32(00000000), ref: 0040243F
GetTempPathA.KERNEL32(00000104,?), ref: 0040247C
lstrcatA.KERNEL32(?,SOFTWARE.LOG), ref: 0040248E
MoveFileExA.KERNEL32(00000000,?,00000003(MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED)), ref: 004024AA
MoveFileExA.KERNEL32(?,00000000,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004024BB

Strings

d, xrefs: 0040240E
u, xrefs: 00402412
m, xrefs: 0040242C
a, xrefs: 00402428
M, xrefs: 00402406
F, xrefs: 00402419
N, xrefs: 00402424
t, xrefs: 00402402
G, xrefs: 004023F8
i, xrefs: 0040241D
o, xrefs: 0040240A
SOFTWARE.LOG, xrefs: 00402488
kernel32.dll, xrefs: 004023FD
A, xrefs: 00402430

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: FileMove$AddressLibraryLoadPathProcTemplstrcat
String ID: A$F$G$M$N$SOFTWARE.LOG$a$d$i$kernel32.dll$m$o$t$u
API String ID: 20907805-1765106238
Opcode ID: 3574a8691a983e4fb58ac25ab56cb1c955f97815db305d7cfbd3ec60fc5b3c7d
Instruction ID: f0613c91973a543e40f7bda577bceb9edfdbe02e48fb26baed1209212c166b8f
Opcode Fuzzy Hash: 3574a8691a983e4fb58ac25ab56cb1c955f97815db305d7cfbd3ec60fc5b3c7d
Instruction Fuzzy Hash: 43219171D482CCEEEB11C7A8CD09BDEBFB45B22704F0480D9964477282D6B91B48CBB6

Function 00404905 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 203
sleepprocessthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403E00: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
Part of subcall function 00403E00: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
Part of subcall function 00403E00: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00404A1E
Sleep.KERNEL32(00001388), ref: 00404A2D
Sleep.KERNEL32(0000000A,?,00000000), ref: 00404B7D
ExitThread.KERNEL32 ref: 00404B87

Strings

,8@, xrefs: 0040496F
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00404AD7
GET %s HTTP/1.1Host: %s:%d, xrefs: 00404A92
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#, xrefs: 004049D0
D, xrefs: 004049A4
%s %s%s, xrefs: 00404991
GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00404B1A
GET %s HTTP/1.1Host: %s, xrefs: 00404A6D

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: Sleep$CreateDirectoryExitProcessSystemThreadlstrcatlstrcpy
String ID: %s %s%s$,8@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#
API String ID: 2825703556-2499878509
Opcode ID: df2cad709f29754dcafc4a0d25050df2d5ba39f326bf680629eab38fb005b706
Instruction ID: da6923137c11df0d7ab68030686ac7cd269fa33bd206a37efab997621938c878
Opcode Fuzzy Hash: df2cad709f29754dcafc4a0d25050df2d5ba39f326bf680629eab38fb005b706
Instruction Fuzzy Hash: 2551A8B15443456BD324DB64CD41FEB77A9AFC4304F00493EF64AA72C1EA79AA04CB9B

Function 004024D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 129
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(?,?,?), ref: 00402504
LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 00402516
GetProcAddress.KERNEL32(00000000), ref: 0040251D
LoadResource.KERNEL32(?,00000000), ref: 00402533
LockResource.KERNEL32(00000000), ref: 0040254A
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004025A1
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004025BE
CloseHandle.KERNEL32(00000000), ref: 004025C5

Strings

hra%u.dll, xrefs: 00402560
SizeofResource, xrefs: 0040250A
,8@, xrefs: 00402566
kernel32.dll, xrefs: 0040250F

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: Resource$FileLoad$AddressCloseCreateFindHandleLibraryLockProcWrite
String ID: ,8@$SizeofResource$hra%u.dll$kernel32.dll
API String ID: 2921964263-4168475015
Opcode ID: a79a88351d4ee55d91fec4b12707c34b880592affa0a33c76b31672086c36472
Instruction ID: 05619c64b77a0a6437fb081d8a4bc4abd72332ae768d0b043ea742f75d8c896d
Opcode Fuzzy Hash: a79a88351d4ee55d91fec4b12707c34b880592affa0a33c76b31672086c36472
Instruction Fuzzy Hash: 1F11D2716402047BD7209F649E4DFAB376CEB85B24F114529FE06B72C0DBB498148ABC

Function 00402810 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 83
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000001F4), ref: 00402888
CreateMutexA.KERNEL32(00000000,00000000,Distribuoeq), ref: 004028A8
GetLastError.KERNEL32 ref: 004028AE
ExitProcess.KERNEL32 ref: 004028BC
WaitForSingleObject.KERNEL32(00000000,000000FF,Function_00001A40,00000000), ref: 00402944
CloseHandle.KERNEL32(?), ref: 0040294D
Sleep.KERNEL32(0000012C), ref: 00402967

Strings

hra%u.dll, xrefs: 004028D1
Distribuoeq, xrefs: 0040281F, 004028A1
H9@, xrefs: 0040282A
,8@, xrefs: 004028D7
Z9@, xrefs: 00402824

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: Sleep$CloseCreateErrorExitHandleLastMutexObjectProcessSingleWait
String ID: ,8@$Distribuoeq$H9@$Z9@$hra%u.dll
API String ID: 482528292-2211841438
Opcode ID: 735153542032c615ee15675859b1d42246c009a904f63fe55f3969934729beb0
Instruction ID: 9e342082198d0c0f17f09a8a404d76bdda1f71cbb84061cebe59b1f914c361f5
Opcode Fuzzy Hash: 735153542032c615ee15675859b1d42246c009a904f63fe55f3969934729beb0
Instruction Fuzzy Hash: 2A314DB0540305AFD310EB61EF4AF5A3AA8EB54718F21413EB655B61E2CFF958048FAD

Function 00404C83 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 287
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A), ref: 00405087
ExitThread.KERNEL32 ref: 00405093

Strings

P, xrefs: 00404E37
<:@, xrefs: 00404D6A
,8@, xrefs: 00404F5B
`:@, xrefs: 00404D1E
%d.%d.%d.%d, xrefs: 00404F55
192.168.1.244, xrefs: 00404CC8
]@, xrefs: 00404E24, 00404FB2
@, xrefs: 00404DAF
E, xrefs: 00404D93

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$192.168.1.244$<:@$@$E$P$`:@$]@
API String ID: 896407411-2643560063
Opcode ID: d604f48981dc178444f468b20bfd3291236b9bb87fd842ba203fa14314ef6784
Instruction ID: a11e23f07e89fd79917e8136cf8e3326afab1f20c2e29fb6b7df3ea0f310ee3b
Opcode Fuzzy Hash: d604f48981dc178444f468b20bfd3291236b9bb87fd842ba203fa14314ef6784
Instruction Fuzzy Hash: BBB159715083859AE710DF60C845B6BB7E5FFD4308F004D2DFA89A7291DB749A09CB9B

Function 00405320 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 274
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A), ref: 00405717
ExitThread.KERNEL32 ref: 00405723

Strings

<:@, xrefs: 004053FA
,8@, xrefs: 004055EB
`:@, xrefs: 004053AE
%d.%d.%d.%d, xrefs: 004055E5
192.168.1.244, xrefs: 00405358
@, xrefs: 0040543F
P, xrefs: 004054C7
]@, xrefs: 004054B4, 00405642
E, xrefs: 00405423

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$192.168.1.244$<:@$@$E$P$`:@$]@
API String ID: 896407411-2643560063
Opcode ID: fb4a31642ab8506c44b56105cc454ed5c2899b6acfb7622cd7005f80403f0be3
Instruction ID: bee5a320e23260b0ccfa8ee8b9c418d69dfc131687e79230085c79d38b805ed6
Opcode Fuzzy Hash: fb4a31642ab8506c44b56105cc454ed5c2899b6acfb7622cd7005f80403f0be3
Instruction Fuzzy Hash: 90B179715083859AE710DF60C845B6BB7E5FFD4308F004D2DFA89A7291DBB49A09CB9B

Function 00404720 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 142
sleepthreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00404817
Sleep.KERNEL32(000007D0), ref: 00404822
Sleep.KERNEL32(0000000A), ref: 00404833
ExitThread.KERNEL32 ref: 00404839
Sleep.KERNEL32(00000032,?,00000000), ref: 004048F4
ExitThread.KERNEL32 ref: 004048FF

Part of subcall function 00403E00: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
Part of subcall function 00403E00: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
Part of subcall function 00403E00: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

Strings

GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0, xrefs: 00404882
,8@, xrefs: 004047B4, 0040488F
GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache, xrefs: 00404863
D, xrefs: 004047CB
%s %s%s, xrefs: 004047AE

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: Sleep$ExitThread$CreateDirectoryProcessSystemlstrcatlstrcpy
String ID: %s %s%s$,8@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0$GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache
API String ID: 4106849892-1440346242
Opcode ID: 5eb02f3b8431406fad96daf4aa59b50a38eec1cead9eb88fe7224a995bb05ed2
Instruction ID: 794b02a4c492586d25d224780bf78908b263a50c21f6d464f885ce95802daaf6
Opcode Fuzzy Hash: 5eb02f3b8431406fad96daf4aa59b50a38eec1cead9eb88fe7224a995bb05ed2
Instruction Fuzzy Hash: A1416672144345AFE320DB50CD45BEB77A9AFC4700F004D3EF686A31C1DA7999048BAA

Function 00402153 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 98
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32(001F0001,00000000,Distribuoeq), ref: 0040215F
ReleaseMutex.KERNEL32(00000000), ref: 0040216C
CloseHandle.KERNEL32(00000000), ref: 00402173
lstrcatA.KERNEL32(?,?), ref: 0040222C
GetProcAddress.KERNEL32(00000000,?), ref: 0040223F

Strings

Distribuoeq, xrefs: 00402153, 004022F9
,8@, xrefs: 00402213
8@, xrefs: 004022FF
stf%c%c%c%c%c.exe, xrefs: 0040220D

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: Mutex$AddressCloseHandleOpenProcReleaselstrcat
String ID: ,8@$Distribuoeq$stf%c%c%c%c%c.exe$8@
API String ID: 2376757572-3791897913
Opcode ID: 3fee883449239276f1948b4b83ab1ea6cde5b5cab6033c52ad3544baa1033d71
Instruction ID: 07dd3426e8a5cfa61062460b71f0a3489c34bdea3db5e388aae2d5ac9104c876
Opcode Fuzzy Hash: 3fee883449239276f1948b4b83ab1ea6cde5b5cab6033c52ad3544baa1033d71
Instruction Fuzzy Hash: 6C31F6F26403417BE7209BA0DD0AFAF369CAF44701F00493DF746B61C1EEB896048A6B

Function 00403B10 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00403BB6
GetLastError.KERNEL32 ref: 00403BC2
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00403BF5
InterlockedExchange.KERNEL32(?,00000000), ref: 00403C07
LocalAlloc.KERNEL32(00000040,00000008), ref: 00403C1B
FreeLibrary.KERNEL32(00000000), ref: 00403C38
GetProcAddress.KERNEL32(?,?), ref: 00403C99
GetLastError.KERNEL32 ref: 00403CA5
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00403CD7

Strings

$, xrefs: 00403B2C

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 36fe4dab1de80df83a616e5d2683970340db3ca332fec087ab461386fbccdab3
Instruction ID: 52b406d3f103219c093564718a3b2c2d18ed8ca5132a2492024d70ce187348d6
Opcode Fuzzy Hash: 36fe4dab1de80df83a616e5d2683970340db3ca332fec087ab461386fbccdab3
Instruction Fuzzy Hash: F8613C71600205AFEB15CF99C984AAA7BF9AB48301F11803EE916F7390D774EE04CB64

Function 0040367F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004036AC
__p__fmode.MSVCRT ref: 004036C1
__p__commode.MSVCRT ref: 004036CF
__setusermatherr.MSVCRT ref: 004036FB
_initterm.MSVCRT ref: 00403711
__getmainargs.MSVCRT ref: 00403734
_initterm.MSVCRT ref: 00403744
GetStartupInfoA.KERNEL32(?), ref: 00403783
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004037A7
exit.MSVCRT ref: 004037B7
_XcptFilter.MSVCRT ref: 004037C9

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: bdb5c9794a0d6897bb365cab6c7c557ce66239c653fb92b30b56ff46a497ed67
Instruction ID: ba1f1da14ff76bb8750f1f60014ed55525f4e47ea4881a3bfc32ef867773b9a2
Opcode Fuzzy Hash: bdb5c9794a0d6897bb365cab6c7c557ce66239c653fb92b30b56ff46a497ed67
Instruction Fuzzy Hash: A1415EF5840304AFDB20AFA4D949A5ABFACEB09711B20453FE452B72D1C7785941CF68

Function 00402B20 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 169COMMON

Download Yara Rule

APIs

#4710.MFC42 ref: 00402B2A
#6197.MFC42(00000000,0000009C,0000009C,00000000,00000000,00000001), ref: 00402B7E

Part of subcall function 00402D30: LoadLibraryA.KERNEL32(kernel32.dll,00000047,00000000,0000009C), ref: 00402DE5
Part of subcall function 00402D30: GetProcAddress.KERNEL32(00000000), ref: 00402DEC
Part of subcall function 00402D30: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402E0F
Part of subcall function 00402D30: strncmp.MSVCRT ref: 00402E34

ExitProcess.KERNEL32 ref: 00402C4B

Strings

Distribuoeq, xrefs: 00402BB1, 00402C0A
P8@, xrefs: 00402B6A
Distribufqy Transaction Coordinator Service, xrefs: 00402C05
Distribucjx Transaction Coordinator Service., xrefs: 00402C00
b8@, xrefs: 00402B35
l9@, xrefs: 00402BCE

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: #4710#6197AddressDirectoryExitLibraryLoadProcProcessSystemstrncmp
String ID: Distribucjx Transaction Coordinator Service.$Distribufqy Transaction Coordinator Service$Distribuoeq$P8@$b8@$l9@
API String ID: 3958467283-4228543752
Opcode ID: 117839834650e7e938ed014b9244ee9cb0d5573d962b4e8f455a6211bd4cceb4
Instruction ID: cf9320a1031b7b380acfe78e02c8ba282f3c83360672a311bdaa638afd64cd46
Opcode Fuzzy Hash: 117839834650e7e938ed014b9244ee9cb0d5573d962b4e8f455a6211bd4cceb4
Instruction Fuzzy Hash: 4311B130640304BBD760AF658E0AF6B77A8AB45B04F10462DFA85B72C1DAF9A904865C

Function 00405810 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 178sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00405A85

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000028), ref: 00405A77

Strings

<:@, xrefs: 0040588D
,8@, xrefs: 004059A6
`:@, xrefs: 004058C6
%d.%d.%d.%d, xrefs: 004059A0
E, xrefs: 00405934
AAAA, xrefs: 00405854

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$<:@$AAAA$E$`:@
API String ID: 896407411-2836906244
Opcode ID: ea2dd581bac7c8cef9c5bdfd95272e9f0afcf65b51e7e46ad9891951b0c6bac6
Instruction ID: e9a3f02c22eb15b260bf825b8ca02d5a946cb04ee5495d7803f8191399606438
Opcode Fuzzy Hash: ea2dd581bac7c8cef9c5bdfd95272e9f0afcf65b51e7e46ad9891951b0c6bac6
Instruction Fuzzy Hash: 1F51D2B0548381AAE320DF64CC45B6BB7E8EFD4304F004D2DF695A72D1E7B585098BAB

Function 004050B0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 172sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A,?,?,?,00000200), ref: 004052FF
ExitThread.KERNEL32 ref: 00405308

Strings

P, xrefs: 00405219
<:@, xrefs: 00405152
`:@, xrefs: 00405106
E, xrefs: 0040517B
@, xrefs: 00405197
]@, xrefs: 00405206

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: <:@$@$E$P$`:@$]@
API String ID: 896407411-2684562160
Opcode ID: 69fcc90e96dea77de8cc62438d1ff4d5379d368cbce85fec8dadd9f28f38ca4b
Instruction ID: 39b009766a04849488636733dbf50ff139f1285f39767be3529f9717fe43e04f
Opcode Fuzzy Hash: 69fcc90e96dea77de8cc62438d1ff4d5379d368cbce85fec8dadd9f28f38ca4b
Instruction Fuzzy Hash: 13614C71548344AAD710DF648C45B5FBBE9FF88304F40092EF689A72E1DBB49909CB9B

Function 004043BF Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 159threadCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040443F
ExitThread.KERNEL32 ref: 004045AB

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

sprintf.MSVCRT ref: 00404507
sprintf.MSVCRT ref: 00404538

Strings

<:@, xrefs: 0040441E
#0%s!, xrefs: 00404532
%s/%s, xrefs: 00404501
*:@, xrefs: 004043F5

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: sprintf$CountExitThreadTickmallocrand
String ID: #0%s!$%s/%s$*:@$<:@
API String ID: 3712263441-3613801517
Opcode ID: 00b75b3de8d93dc31a74d50db6e5e73740eefd36b768d78ccac709e30f348c81
Instruction ID: 19c619330cfb283f4556bae5eafdd7ef04c8a47010b92698e7a8e45263eab30c
Opcode Fuzzy Hash: 00b75b3de8d93dc31a74d50db6e5e73740eefd36b768d78ccac709e30f348c81
Instruction Fuzzy Hash: 1651B1B1104340ABE310DF748D45B9BB6E4EFC4704F004E3EF69AA72D1E7789A058B6A

Function 004016C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 134stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00401730
strcspn.MSVCRT ref: 0040174D
strncpy.MSVCRT ref: 0040175C
strcspn.MSVCRT ref: 0040176C
atoi.MSVCRT(00000000), ref: 004017A8

Strings

<:@, xrefs: 004017B2
*:@, xrefs: 004017D4

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: strcspn$atoistrncpystrstr
String ID: *:@$<:@
API String ID: 896909712-1525120602
Opcode ID: 70288e223b217b753ca0d46052b630638dcf25dcd2a199c3146b493787b399b8
Instruction ID: f8a19cff3734ad80dd224e4d4fa567c6fc112c9a2d060b15b6745f6d38997baa
Opcode Fuzzy Hash: 70288e223b217b753ca0d46052b630638dcf25dcd2a199c3146b493787b399b8
Instruction Fuzzy Hash: DD215C31E002186BC710A778DD06BEA7765BF48710F0006BEFA59F32D1DEB44A448B9D

Function 00401D35 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110libraryfileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2
CreateFileA.KERNEL32(PlusCtrl.dll,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401D79
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00401DB7

Strings

PlusCtrl.dll, xrefs: 00401CC5, 00401D74

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CloseHandle$CreateFileLibraryLoad
String ID: PlusCtrl.dll
API String ID: 4073770061-3813448905
Opcode ID: 276a740126fdbb8642ac7236fc26bc1fb47062cc569460620264d7a81443eeee
Instruction ID: 678e4eeabf8f2deab5107e84c4a66d22c971bafb6cfac5e257f318dcc26d0ccf
Opcode Fuzzy Hash: 276a740126fdbb8642ac7236fc26bc1fb47062cc569460620264d7a81443eeee
Instruction Fuzzy Hash: 3241A4315443029BE320CF64DD44B6B7BE4AF84754F140A2EF961B22E0E778E8458B9A

Function 00402C60 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,SYSTEM\CurrentControlSet\Services\,00403862), ref: 00402CCF
lstrcatA.KERNEL32(00000000,Distribuoeq), ref: 00402CE1

Strings

Distribuoeq, xrefs: 00402CDB
69@, xrefs: 00402D1A
SYSTEM\CurrentControlSet\Services\, xrefs: 00402CC9

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: lstrcatlstrcpy
String ID: 69@$Distribuoeq$SYSTEM\CurrentControlSet\Services\
API String ID: 3905823039-1248136302
Opcode ID: e66b1be437945f124023d56c1bdd6389618300147cf61839c5c59340b3a33dba
Instruction ID: c16f20cbba010059dd829025b88d8e0ac7ec225dfd2f823269786c1a3f48f5c0
Opcode Fuzzy Hash: e66b1be437945f124023d56c1bdd6389618300147cf61839c5c59340b3a33dba
Instruction Fuzzy Hash: 1CF0B43164820CBBDB60C774DD05FE577B8E755701F1005B9A7C9F20C0DDB46A988A54

Function 004045B1 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032,?,00000000), ref: 004046DC
ExitThread.KERNEL32 ref: 004046E6

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Strings

GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404633
,8@, xrefs: 00404639, 0040467B
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404675

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: ,8@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 896407411-2728580657
Opcode ID: 03551809c68347d44f03a8e8098e885f0497282a7a7c0524782b2bd92df2901a
Instruction ID: ed96877d601846c175f9a107851c42ea53cf3a02b77a1f13df8ed6ecda56d954
Opcode Fuzzy Hash: 03551809c68347d44f03a8e8098e885f0497282a7a7c0524782b2bd92df2901a
Instruction Fuzzy Hash: 8B31A4B15142446BE220DB60DD46FFB73ACEF95305F050D3DF645A21C1FA796A08866B

Function 00403F5B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00404073

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000005), ref: 0040405D

Strings

<:@, xrefs: 00403FB7
`:@, xrefs: 00403FF0
*:@, xrefs: 00403FCE

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: *:@$<:@$`:@
API String ID: 896407411-1978189025
Opcode ID: 67827bdd94f09c8e4a8428c72f103af8ad3767357eff487082fd3e5c6fe3f275
Instruction ID: b9c020bd257d16025c789386b94bafe435fe5cc7bb509be09224f6c53715fa15
Opcode Fuzzy Hash: 67827bdd94f09c8e4a8428c72f103af8ad3767357eff487082fd3e5c6fe3f275
Instruction Fuzzy Hash: E82105312443016BE3209B15DD45BAB77E9AFC4705F00483DF789B72D0DAB459088BAB

Function 00401F1C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84librarystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2
lstrlenA.KERNEL32(?), ref: 00401F31

Strings

PlusCtrl.dll, xrefs: 00401CC5

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CloseHandle$LibraryLoadlstrlen
String ID: PlusCtrl.dll
API String ID: 1302537757-3813448905
Opcode ID: 8b81bdb92c0fb83030933092d185a2b517c2c3c20cc09dc9aafab582fb3a248c
Instruction ID: 354abdcd05cd2bf0f73582f64dd16865d1a564750717cbbe5506fc225f074c98
Opcode Fuzzy Hash: 8b81bdb92c0fb83030933092d185a2b517c2c3c20cc09dc9aafab582fb3a248c
Instruction Fuzzy Hash: 673172715483019BE720CF64DD44B6B77E8AB84754F144A3EF991A32E0E738E845CF5A

Function 00403E50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000014), ref: 00403F43
ExitThread.KERNEL32 ref: 00403F55

Strings

<:@, xrefs: 00403EDB
`:@, xrefs: 00403F0E
*:@, xrefs: 00403EEC

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: *:@$<:@$`:@
API String ID: 896407411-1978189025
Opcode ID: 58e52e15e8708b750c7b593d4532e1dc8ecc44a5eaeeec1c10d20306b6376e07
Instruction ID: 1aa1a50a868dfdc426b5470280aee9243670915e3d1e7e507b5142f6f6797285
Opcode Fuzzy Hash: 58e52e15e8708b750c7b593d4532e1dc8ecc44a5eaeeec1c10d20306b6376e07
Instruction Fuzzy Hash: BC21D131644300AFE7249B14DD06BAB77E9EF84704F00493DF289A72D0CBB59E088B9A

Function 00401890 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessTrans), ref: 004018BA

Strings

%u.%u.%u.%u, xrefs: 0040190E
,8@, xrefs: 00401914
ProcessTrans, xrefs: 004018B4
r:@, xrefs: 00401927

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: AddressProc
String ID: %u.%u.%u.%u$,8@$ProcessTrans$r:@
API String ID: 190572456-3036480515
Opcode ID: 0d9dd16706f6b930d6d57109fc15d559f869456c61a1f1dd963bc1d5b8d49efc
Instruction ID: a057d568f8cbf7d36185e8a16d9019903c22752d08b1d8e26d53945e98208902
Opcode Fuzzy Hash: 0d9dd16706f6b930d6d57109fc15d559f869456c61a1f1dd963bc1d5b8d49efc
Instruction Fuzzy Hash: 35118EB195020AABDB14DB94CE45EBFB379EF84704F108279BC41B72D5DA389D049BA8

Function 00403070 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

#470.MFC42 ref: 0040308F
#755.MFC42 ref: 0040310B
#2379.MFC42 ref: 00403119

Strings

b8@, xrefs: 004030AB
t8@, xrefs: 00403101

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: #2379#470#755
String ID: b8@$t8@
API String ID: 3024983488-745822901
Opcode ID: bd1fef225f27e3e765584d2d1b50f287eb6c34b8cefa70481d492fc26062ce55
Instruction ID: 23b8168f71ff80b0920836344aa8155c5e6477b8b6503ddd266453aefce758f2
Opcode Fuzzy Hash: bd1fef225f27e3e765584d2d1b50f287eb6c34b8cefa70481d492fc26062ce55
Instruction Fuzzy Hash: 72116D712143019FC214DF39DE49D6B77E9FFC8204F084A2DB5CAD3290DA34E9058A55

Function 00405B70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000F), ref: 00405C26
ExitThread.KERNEL32 ref: 00405C30

Strings

<:@, xrefs: 00405BBF
`:@, xrefs: 00405BF2
*:@, xrefs: 00405BD0

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: ExitSleepThread
String ID: *:@$<:@$`:@
API String ID: 2532117645-1978189025
Opcode ID: 0b160bee8590a9feaa90095d80f7b6cabd1019267ee4be1ece85caba017e34c7
Instruction ID: 4104fc32b431a330129af2c8e51cee684ef8fc9b11a9caa93217bf55ecdcdacd
Opcode Fuzzy Hash: 0b160bee8590a9feaa90095d80f7b6cabd1019267ee4be1ece85caba017e34c7
Instruction Fuzzy Hash: D9116070248301ABE324DB50DE4AF6B77E9EF95704F00092DF689B61D1DBB49D088B5B

Function 004028C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004025E0: EnumResourceNamesA.KERNEL32(00000000,0000000A,Function_000024D0,00000000), ref: 004025EB

Part of subcall function 00402600: lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402613
Part of subcall function 00402600: lstrcatA.KERNEL32(?,Distribuoeq), ref: 00402623

Part of subcall function 00401A00: LoadLibraryA.KERNEL32 ref: 00401A20

Part of subcall function 004012B0: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004012C2

WaitForSingleObject.KERNEL32(00000000,000000FF,Function_00001A40,00000000), ref: 00402944
CloseHandle.KERNEL32(?), ref: 0040294D
Sleep.KERNEL32(0000012C), ref: 00402967

Strings

hra%u.dll, xrefs: 004028D1
,8@, xrefs: 004028D7

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: CloseCreateEnumHandleLibraryLoadNamesObjectResourceSingleSleepThreadWaitlstrcatlstrcpy
String ID: ,8@$hra%u.dll
API String ID: 3019664125-1682502944
Opcode ID: 5ccd0519ab355be5024abd0711c82a46054f02262ec7dfd481542cb7669b5a23
Instruction ID: 46b2761210bd7351e1acdc70686b2ba36b0e2774d37aa7cde017ba267fd11447
Opcode Fuzzy Hash: 5ccd0519ab355be5024abd0711c82a46054f02262ec7dfd481542cb7669b5a23
Instruction Fuzzy Hash: 4401F5712403006BD204EBB0AF4AFAA3364EB88724F10063EF611721E3DEF8A8045B6D

Function 00404079 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 0040418E
ExitThread.KERNEL32 ref: 0040419B

Strings

<:@, xrefs: 004040CE
*:@, xrefs: 004040F0

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: ExitSleepThread
String ID: *:@$<:@
API String ID: 2532117645-1525120602
Opcode ID: 489a674434dd79bd1cd95d87094fd23d0865ee3d3cf51ba8a6b23f5a7c25bf35
Instruction ID: 67d8ddba5409ffce38fdec036543afa66e7020f410cbc9efe6a496dc460af4ba
Opcode Fuzzy Hash: 489a674434dd79bd1cd95d87094fd23d0865ee3d3cf51ba8a6b23f5a7c25bf35
Instruction Fuzzy Hash: C231F171604300ABE3109F24ED49BEF77A5EFA5311F00853DF68AA73D1CA789949CB5A

Function 00404B8D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,00000000), ref: 00404C70
ExitThread.KERNEL32 ref: 00404C7D

Strings

,8@, xrefs: 00404BD2
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404C1E

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: ExitSleepThread
String ID: ,8@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 2532117645-1548460504
Opcode ID: b4116cea720f3c054be25ad523dc78a633388379998c86f4e6064588cdf672b1
Instruction ID: fcf92245488759253a7268ef054163d6874dfe110737c38e6750fee933bc3a6f
Opcode Fuzzy Hash: b4116cea720f3c054be25ad523dc78a633388379998c86f4e6064588cdf672b1
Instruction Fuzzy Hash: 7821A571104340AFD324DB24DD45FEB73A8EFD6305F014A2DF285A7180EB7566098BAB

Function 00403E00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

Strings

\Program Files\Internet Explorer\iexplore.exe, xrefs: 00403E1A

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: DirectorySystemlstrcatlstrcpy
String ID: \Program Files\Internet Explorer\iexplore.exe
API String ID: 2630975639-1907246925
Opcode ID: b65ced3afa1010b117ea438fd43ae358f07f39bee29bead101c46353a56f49ca
Instruction ID: 9106fefdb625428a61e5fc355ea8c8d419b7259a9281d561dea26b2b043bae92
Opcode Fuzzy Hash: b65ced3afa1010b117ea438fd43ae358f07f39bee29bead101c46353a56f49ca
Instruction Fuzzy Hash: 5CE086F454C341ABD710D764DE48FAA77E4BB94305F45492CB6C9D2190D6B89058CB1A

Function 004046EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,TerminateProcess), ref: 0040470A
GetProcAddress.KERNEL32(00000000), ref: 00404711

Strings

kernel32.dll, xrefs: 00404705
TerminateProcess, xrefs: 00404700

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: TerminateProcess$kernel32.dll
API String ID: 2574300362-189552057
Opcode ID: b5eaaf0141d6078d17560b1a0c42e59a086fb3de11d860db1d2ac48d1d58cc35
Instruction ID: 6234211f27a0ee7e56edea027cbfabecb5e332b867d42f8a1c4da6211805d416
Opcode Fuzzy Hash: b5eaaf0141d6078d17560b1a0c42e59a086fb3de11d860db1d2ac48d1d58cc35
Instruction Fuzzy Hash: B8C08CB2781300DAC6407BE0BE496A57711E2CAB27330003BFA02F10E0CE3A00148B2D

Function 004012D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 004012EA
GetProcAddress.KERNEL32(00000000), ref: 004012F1

Strings

SizeofResource, xrefs: 004012E0
kernel32.dll, xrefs: 004012E5

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SizeofResource$kernel32.dll
API String ID: 2574300362-1445693867
Opcode ID: 4b093c2f19e2f6703a235c920fd83a05b68be8ff96e2aabb20befe6985bddcc5
Instruction ID: 95eb9911caf4fa21a6ef5e617abe4a02a41252af43e6d184f25434936a232e00
Opcode Fuzzy Hash: 4b093c2f19e2f6703a235c920fd83a05b68be8ff96e2aabb20befe6985bddcc5
Instruction Fuzzy Hash: 48C09B70581300DBC7407BE07F0D60637555645B41312407F7C47F11F0CEB910155B1D

Function 00402970 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 151sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00402A2D
Sleep.KERNEL32(000001F4), ref: 00402A80
Sleep.KERNEL32(000001F4), ref: 00402AD4

Strings

H9@, xrefs: 00402993

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: Sleep
String ID: H9@
API String ID: 3472027048-4187015488
Opcode ID: e1895029d93275b0449bae78078f8bc4f68a4563e2c20b19454be42c37018b9e
Instruction ID: ed3428e1d1f1db40b83d8743f65f7dc7aa56edce5a66b806c87c14721956b620
Opcode Fuzzy Hash: e1895029d93275b0449bae78078f8bc4f68a4563e2c20b19454be42c37018b9e
Instruction Fuzzy Hash: 0F21C9B22802259BD300DF95EF08B567BA9E754759F20807EE684F62E1CEFA50449FDC

Function 00401A00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00401A20

Strings

hra%u.dll, xrefs: 00401A0C
,8@, xrefs: 00401A12

Memory Dump Source

Source File: 00000005.00000002.2134755763.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2134694294.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134818195.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134873885.0000000000408000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2134929789.0000000000419000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135063272.000000000041F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135124877.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135191440.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135227062.000000000042A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135265577.0000000000430000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135305372.0000000000432000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135354509.0000000000438000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135408354.000000000043A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135451021.0000000000440000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135490775.0000000000441000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2135529641.0000000000447000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_hrlBCA3.jbxd

Similarity

API ID: LibraryLoad
String ID: ,8@$hra%u.dll
API String ID: 1029625771-1682502944
Opcode ID: 35d89bcc790b1656c578160c71392fb5b744eb91aab05cf506bcb9e0b22284b5
Instruction ID: d94e0402731fb128af6b950281fe7e8085e8897a8f6bb0695ae2b7902bddec47
Opcode Fuzzy Hash: 35d89bcc790b1656c578160c71392fb5b744eb91aab05cf506bcb9e0b22284b5
Instruction Fuzzy Hash: C3D0A77059020567C710A770ED4AEA633646B50700F444A3D7686D10D0EABD815CC689

Analysis Process: hrlBCB3.tmpPID: 7408, Parent PID: 7376COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	984
Total number of Limit Nodes:	1

Executed Functions

Function 0044112D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 288
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004411BE
GetVersion.KERNEL32 ref: 00441200
VirtualAlloc.KERNEL32(00000000,00007700,08001000,00000040), ref: 00441228
CloseHandle.KERNEL32(?), ref: 004412AD

Strings

\BaseNamedObjects\vlatVt, xrefs: 00441408
csrs, xrefs: 0044152C
\BaseNamedObjects\vlatVt, xrefs: 00441409, 0044142C, 0044143A

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\vlatVt$\BaseNamedObjects\vlatVt$csrs
API String ID: 3017432202-509049503
Opcode ID: f20c1230cab8c55a77f3496402398c0cd3a535c1d38722b1df025da5ca1180a2
Instruction ID: 06d9eaca7eea92006015bd5d2743b797f058439f2a8b5b3cee3ed761928005e6
Opcode Fuzzy Hash: f20c1230cab8c55a77f3496402398c0cd3a535c1d38722b1df025da5ca1180a2
Instruction Fuzzy Hash: 83B1CD31604249FBFB219F61C80ABEA3BADEF45715F10011AED099E1A1C7F89F85CB59

Function 0067042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 288
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 006704BE
GetVersion.KERNEL32 ref: 00670500
VirtualAlloc.KERNEL32(00000000,00007700,08001000,00000040), ref: 00670528
CloseHandle.KERNELBASE(?), ref: 006705AD

Strings

\BaseNamedObjects\vlatVt, xrefs: 00670708
\BaseNamedObjects\vlatVt, xrefs: 00670709, 0067072C, 0067073A
csrs, xrefs: 0067082C

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\vlatVt$\BaseNamedObjects\vlatVt$csrs
API String ID: 3017432202-509049503
Opcode ID: 603cb5b1f6c97094729b8da404212ac0b9a3ea159595c86bbcf870932334aa72
Instruction ID: 0e60be75c5a344f6f7ffe95179514c3648d4cd9fbd8773c2dc43ab03b13c6937
Opcode Fuzzy Hash: 603cb5b1f6c97094729b8da404212ac0b9a3ea159595c86bbcf870932334aa72
Instruction Fuzzy Hash: 2DB19A71604249FFFB219F24C80ABEA3BAAEF44711F108528E90D9E181D7F09B55CB69

Function 004412F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(?), ref: 004412AD
GetModuleHandleA.KERNEL32(004412EC), ref: 004412F2
lstrcpyW.KERNEL32(\BaseNamedObjects\vlatVt,\BaseNamedObjects\vlatVt,?,?,?,?), ref: 0044140A
lstrcpyW.KERNEL32(\BaseNamedObjects\vlatVt,?), ref: 0044142D
lstrcatW.KERNEL32(\BaseNamedObjects\vlatVt,\vlatVt), ref: 0044143B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00007700,00000000,?,00000002,00000000,00000040), ref: 0044146B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00441486
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 004414C9
Process32First.KERNEL32 ref: 004414DC
Process32Next.KERNEL32 ref: 004414ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00441505
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00441542
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0044155D
CloseHandle.KERNEL32 ref: 0044156C

Strings

\BaseNamedObjects\vlatVt, xrefs: 00441408
csrs, xrefs: 0044152C
\BaseNamedObjects\vlatVt, xrefs: 00441409, 0044142C, 0044143A

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\vlatVt$\BaseNamedObjects\vlatVt$csrs
API String ID: 1545766225-509049503
Opcode ID: 2f3472c8446c58d95511e935b1dd20198f8eca49a9d84a4e846b87979b95016a
Instruction ID: f2828c8792c817a201039f0e1a8ccc39e296c8713d2eabab6fc974faf4790051
Opcode Fuzzy Hash: 2f3472c8446c58d95511e935b1dd20198f8eca49a9d84a4e846b87979b95016a
Instruction Fuzzy Hash: BB71BB31600209FFEF219F51C849BAE3BADEF84715F10012AED099E1A1C7B89F859B5D

Function 006705F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 006705AD
GetModuleHandleA.KERNEL32(006705EC), ref: 006705F2
lstrcpyW.KERNEL32(\BaseNamedObjects\vlatVt,\BaseNamedObjects\vlatVt,?,?,?,?), ref: 0067070A
lstrcpyW.KERNEL32(\BaseNamedObjects\vlatVt,?), ref: 0067072D
lstrcatW.KERNEL32(\BaseNamedObjects\vlatVt,\vlatVt), ref: 0067073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00007700,00000000,?,00000002,00000000,00000040), ref: 0067076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00670786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 006707C9
Process32First.KERNEL32 ref: 006707DC
Process32Next.KERNEL32 ref: 006707ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00670805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00670842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0067085D
CloseHandle.KERNEL32 ref: 0067086C

Strings

\BaseNamedObjects\vlatVt, xrefs: 00670708
\BaseNamedObjects\vlatVt, xrefs: 00670709, 0067072C, 0067073A
csrs, xrefs: 0067082C

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\vlatVt$\BaseNamedObjects\vlatVt$csrs
API String ID: 1545766225-509049503
Opcode ID: aeacf155ae98d9e25108885e2d3f01e07a5e1a141713b4532b4305dff09f0537
Instruction ID: 29b392bac4807e19a8c392b07fb564c56e7ff95571d3f762290859e90abe117d
Opcode Fuzzy Hash: aeacf155ae98d9e25108885e2d3f01e07a5e1a141713b4532b4305dff09f0537
Instruction Fuzzy Hash: CF719971204209FFEB219F10C849BAE3BAEEF44711F248129ED0D9E191C7B4AF459B69

Function 004431AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
stringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\vlatVt), ref: 004431BA
lstrlenW.KERNEL32(?), ref: 004431C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00443216

Strings

\BaseNamedObjects\vlatVt, xrefs: 004431B8

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\vlatVt
API String ID: 2597515329-2976639972
Opcode ID: a54c8803a08581c9da36486dfecbc61c94a0088590b78a339b52d0a767c5b7b1
Instruction ID: 85f32f54fe849b6f55c3a26324dbfd30208d518f47784298ed83e2e08e179766
Opcode Fuzzy Hash: a54c8803a08581c9da36486dfecbc61c94a0088590b78a339b52d0a767c5b7b1
Instruction Fuzzy Hash: C20181B0790304BAF7305B29CC4BF5B7969DF81B50F948159F608AE1C4DAB89A0483A9

Function 0067116F Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 279
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00671162,00670796,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 0067116F

Part of subcall function 00671196: GetProcAddress.KERNEL32(00000000,00671180), ref: 00671197

Strings

\vlatVt, xrefs: 006711C6

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: \vlatVt
API String ID: 2574300362-2471180080
Opcode ID: 972416c805f74faa5c68dffd9ac27e7a261fd60b21639a3324f16a8d6bd22efe
Instruction ID: 1c7ae91b6f3197e9fc8d263687caf0a841a96d6131b9bf02d486921c30d2f6f1
Opcode Fuzzy Hash: 972416c805f74faa5c68dffd9ac27e7a261fd60b21639a3324f16a8d6bd22efe
Instruction Fuzzy Hash: E891D062D581D18BC733CB7C4469AD6BF63AA1332078DC9CFC0995F5B3CB12D91A824A

Function 0067252F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 0067255E

Strings

\BaseNamedObjects\vlatVt, xrefs: 0067254B

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\vlatVt
API String ID: 1950954290-2976639972
Opcode ID: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
Instruction ID: be79e926c7ba3cdd2c7dd474d1815d54d5159c487d34c6ebacd093897ac0aaf8
Opcode Fuzzy Hash: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
Instruction Fuzzy Hash: 75E09AF17402063AFB288A29CC17FA7228DCB80602F0C8604F918DA080E5B4AB108268

Function 00672574 Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0067252F: NtOpenSection.NTDLL(?,0000000E), ref: 0067255E

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B700,00000000,?,00000002,00100000,00000040), ref: 006725A4
CloseHandle.KERNELBASE(00000000,0000B700,00000000,?,00000002,00100000,00000040,00000000,0000B700,00000000,?,00670815), ref: 006725AC

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
Instruction ID: 462fd53adc3c77a81fbb57eb8ab1152fffa88872439e5845dd9342f86f87d401
Opcode Fuzzy Hash: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
Instruction Fuzzy Hash: BE212F70300647ABDB24EF25CCA6FAA736ABF80744F40811CF81D8E295DBB1AE54C658

Function 00671422 Relevance: 3.0, APIs: 2, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 0067145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0067146A

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
Instruction ID: d6f38f481fcad269b120698a2c1356ff37e0dff7a02be2eff211d383f83c851a
Opcode Fuzzy Hash: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
Instruction Fuzzy Hash: F8F0E932542010BBD6201B42CC8EED73E28EF533A0F040455F4484E151C2624BA1D3F4

Function 00672477 Relevance: 3.0, APIs: 2, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 0067249B
NtWriteVirtualMemory.NTDLL ref: 006724A4

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A

Function 0067144A Relevance: 3.0, APIs: 2, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 0067145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0067146A

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
Instruction ID: 47fd2fdfef69c01f2383a78087d1294dd7e4f4bd71475d1ca0affc6c0d2f20e2
Opcode Fuzzy Hash: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
Instruction Fuzzy Hash: 1BD06771643034BBD6312A568C0EEE77D1DEF577A0F015441F9089A1A1C5A28EA1C6F5

Function 006707AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62
processthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0067144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 0067145A
Part of subcall function 0067144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0067146A

CloseHandle.KERNELBASE(?), ref: 006705AD
FreeLibrary.KERNELBASE(75A70000,?,0067079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 006707B8
CloseHandle.KERNELBASE(?,?,0067079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 006707BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 006707C9
Process32First.KERNEL32 ref: 006707DC
Process32Next.KERNEL32 ref: 006707ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00670805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00670842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0067085D
CloseHandle.KERNEL32 ref: 0067086C

Strings

csrs, xrefs: 0067082C

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
Instruction ID: 28e1779f867dbd1a39295f96da8ed61ed7b5208a360b975119a8d389345a3e31
Opcode Fuzzy Hash: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
Instruction Fuzzy Hash: 15112E31506205FBFB256F21CC49BBF3A6EEF44701F00812DFD4A99151D6B09A419A7A

Function 006705BA Relevance: 1.3, APIs: 1, Instructions: 7
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000000A,0067085C,?,00000000,00000000,-00003BD0,00000002,00000000,?,00000000), ref: 006705C1

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction ID: 88933c961bb61905179b2b383c409cc46d029fbad71720e78a2e910f8ac2994f
Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction Fuzzy Hash: 87B01228240301D5FA140910460DB0516267F00B11FE04059E20E4C0C087E407011C29

Non-executed Functions

Function 00403160 Relevance: 64.9, APIs: 14, Strings: 23, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,74DEF550,74DF0BD0,00000072), ref: 0040317B
GetComputerNameA.KERNEL32 ref: 00403192
lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 004031AB
strstr.MSVCRT ref: 00403214
strstr.MSVCRT ref: 00403242
strstr.MSVCRT ref: 00403265
lstrcpyA.KERNEL32(?,Windows NT), ref: 00403304
lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040332D
GlobalMemoryStatusEx.KERNEL32(?), ref: 004033B5
lstrcpyA.KERNEL32(?,20108K), ref: 004033F1
GetTickCount.KERNEL32 ref: 004033FC

Strings

Windows NT, xrefs: 004032F8
2003, xrefs: 0040325F
Windows 2003, xrefs: 00403274
ProductName, xrefs: 004031E5
20108K, xrefs: 004033EB
%u MB, xrefs: 004033DA
Windows 2008, xrefs: 004032CA
Windows XP, xrefs: 00403251
Windows Vista, xrefs: 0040329F
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004031A5
@, xrefs: 0040318A
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00403326
Vista, xrefs: 0040328A
Windows 2000, xrefs: 00403223
@, xrefs: 004033AC
,8@, xrefs: 00403390
~MHz, xrefs: 00403365
2000, xrefs: 0040320E
Windows 7, xrefs: 004032F0
69@, xrefs: 004031C7, 00403347
%u MHz, xrefs: 0040339D
2008, xrefs: 004032B1
$9@, xrefs: 004031F3, 0040337B

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: lstrcpy$strstr$ComputerCountGlobalInfoLocaleMemoryNameStatusTick
String ID: $9@$%u MB$%u MHz$,8@$2000$2003$2008$20108K$69@$@$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 2000$Windows 2003$Windows 2008$Windows 7$Windows NT$Windows Vista$Windows XP$~MHz
API String ID: 13981014-3249776645
Opcode ID: b890d30ee0b0790192ef3d330c4cc97dd10b39269747d7349394549379db7efe
Instruction ID: 796351ffad0513cd72b75cf0597ba2326a6d71879f4fa0a8f8748fb66bcde97c
Opcode Fuzzy Hash: b890d30ee0b0790192ef3d330c4cc97dd10b39269747d7349394549379db7efe
Instruction Fuzzy Hash: EC617570144305AFD310DF60DE85FAB7BACAB88745F10493EF685B21D0EA78A609CB6D

Function 00673BD5 Relevance: 35.5, APIs: 16, Strings: 4, Instructions: 472libraryloaderCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(020a00 . . :#73f7ea65b +*,00000104), ref: 00673C39
GetProcAddress.KERNEL32(00000000,00000002), ref: 00673C6C
GetProcAddress.KERNEL32(00000000,00673CD9), ref: 00673CE4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00673CF7
GetTickCount.KERNEL32 ref: 00673D2B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00676E36,00000000,00000000,00000000,00000000), ref: 00673DFD

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
ADVAPI32.DLL, xrefs: 00673CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00673EA4
020a00 . . :#73f7ea65b +*, xrefs: 00673C38, 00673C9E, 00673CAE, 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
String ID: 020a00 . . :#73f7ea65b +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 3969011833-3173251495
Opcode ID: a75af25427755c50cbc525abdca94071cb62041e141fb9baf0ce760b3959265f
Instruction ID: 1fa582200d4a25f1585e5665506572743b7def678c59518fcb06768318d7e385
Opcode Fuzzy Hash: a75af25427755c50cbc525abdca94071cb62041e141fb9baf0ce760b3959265f
Instruction Fuzzy Hash: A6F13671519258BEDB35AF24CC1ABEA3BADEF42300F00851EE84D9F182D7F05F4596A6

Function 00673C5A Relevance: 33.7, APIs: 15, Strings: 4, Instructions: 417libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00673C52), ref: 00673C5A
GetProcAddress.KERNEL32(00000000,00000002), ref: 00673C6C
GetProcAddress.KERNEL32(00000000,00673CD9), ref: 00673CE4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00673CF7
GetTickCount.KERNEL32 ref: 00673D2B

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
ADVAPI32.DLL, xrefs: 00673CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00673EA4
020a00 . . :#73f7ea65b +*, xrefs: 00673CAE, 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: 020a00 . . :#73f7ea65b +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 2837544101-3173251495
Opcode ID: 290e4937c294f2dacd017ce108aa9fdd1647da35db75973d469f888a9b07d284
Instruction ID: abd8f94119769cb3894e44fdf171c22465aaceff045e78152eb5881ccffd75ee
Opcode Fuzzy Hash: 290e4937c294f2dacd017ce108aa9fdd1647da35db75973d469f888a9b07d284
Instruction Fuzzy Hash: EBE13771518258BEDB25AF34CC1ABEA3BADEF42300F00851EEC5D9E182D7F45F45866A

Function 00673C88 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 394COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00673C7D), ref: 00673C88
GetSystemDirectoryA.KERNEL32(020a00 . . :#73f7ea65b +*,00000104), ref: 00673C9F

Part of subcall function 00673CB7: lstrcat.KERNEL32(020a00 . . :#73f7ea65b +*,00673CAA), ref: 00673CB8
Part of subcall function 00673CB7: GetProcAddress.KERNEL32(00000000,00673CD9), ref: 00673CE4
Part of subcall function 00673CB7: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00673CF7
Part of subcall function 00673CB7: GetTickCount.KERNEL32 ref: 00673D2B
Part of subcall function 00673CB7: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00676E36,00000000,00000000,00000000,00000000), ref: 00673DFD

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
ADVAPI32.DLL, xrefs: 00673CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00673EA4
020a00 . . :#73f7ea65b +*, xrefs: 00673C9E, 00673CAE, 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: 020a00 . . :#73f7ea65b +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 215653160-3173251495
Opcode ID: 972ea9fe758ad61498fa905a2af55a5fe962971626424dc297f7e0ee4fa24247
Instruction ID: b07b3230735bef8c3888cd85d22213544e451398715965248a6c35a2a4b18d46
Opcode Fuzzy Hash: 972ea9fe758ad61498fa905a2af55a5fe962971626424dc297f7e0ee4fa24247
Instruction Fuzzy Hash: BCD12571515258BEDB25AF24CC1ABEA3BADEF42300F00811EEC5D9E182D7F45F4586AA

Function 00673CB7 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 374stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(020a00 . . :#73f7ea65b +*,00673CAA), ref: 00673CB8

Part of subcall function 00673CCE: LoadLibraryA.KERNEL32(00673CC3), ref: 00673CCE
Part of subcall function 00673CCE: GetProcAddress.KERNEL32(00000000,00673CD9), ref: 00673CE4
Part of subcall function 00673CCE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00673CF7
Part of subcall function 00673CCE: GetTickCount.KERNEL32 ref: 00673D2B
Part of subcall function 00673CCE: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00676E36,00000000,00000000,00000000,00000000), ref: 00673DFD

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
ADVAPI32.DLL, xrefs: 00673CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00673EA4
020a00 . . :#73f7ea65b +*, xrefs: 00673CB7, 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: 020a00 . . :#73f7ea65b +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 2038497427-3173251495
Opcode ID: 56e93c90d77e9e6d0bf239f1da59192074b970334a8f3e5c27127f4ef71f8e1e
Instruction ID: 88a0c8b1e79c811815a9cd09945299d70f85a7ffc4053532074938155a758825
Opcode Fuzzy Hash: 56e93c90d77e9e6d0bf239f1da59192074b970334a8f3e5c27127f4ef71f8e1e
Instruction Fuzzy Hash: 8BD11471514258BEDB35AF34CC1ABEA3BADEF42300F00851EE85D9E182D7F45F45866A

Function 00673CCE Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 364libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00673CC3), ref: 00673CCE

Part of subcall function 00673CE3: GetProcAddress.KERNEL32(00000000,00673CD9), ref: 00673CE4
Part of subcall function 00673CE3: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00673CF7
Part of subcall function 00673CE3: GetTickCount.KERNEL32 ref: 00673D2B
Part of subcall function 00673CE3: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00676E36,00000000,00000000,00000000,00000000), ref: 00673DFD

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
ADVAPI32.DLL, xrefs: 00673CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00673EA4
020a00 . . :#73f7ea65b +*, xrefs: 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: 020a00 . . :#73f7ea65b +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 3734769084-3173251495
Opcode ID: 24615a2a6e608e5e210aabe11be12ef2be2fd7585194f75b16dac252123e08b8
Instruction ID: abebc093414ccc99a01b8076df561806c8cb0bf97e1687d33e397c423d295ecf
Opcode Fuzzy Hash: 24615a2a6e608e5e210aabe11be12ef2be2fd7585194f75b16dac252123e08b8
Instruction Fuzzy Hash: AFD13371514258BEDB35AF34CC1ABEA3BADEF41300F00861EE85D9E182DBF45F45866A

Function 004448D5 Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 472libraryloaderCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(004476E2,00000104), ref: 00444939
GetProcAddress.KERNEL32(00000000,00000002), ref: 0044496C
GetProcAddress.KERNEL32(00000000,004449D9), ref: 004449E4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004449F7
GetTickCount.KERNEL32 ref: 00444A2B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00447B36,00000000,00000000,00000000,00000000), ref: 00444AFD

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00444BA4
ADVAPI32.DLL, xrefs: 004449F6

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3969011833-2287716718
Opcode ID: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
Instruction ID: b7ff74dc5daf5e5a9ee5758988ddb38aa82f1b054c9a459499abfaea7c7c868d
Opcode Fuzzy Hash: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
Instruction Fuzzy Hash: F5F10971519284BEFB21AF24CC4ABEB7BACEF81304F04051EED455F182D6F85F0586AA

Function 00673CE3 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 371librarythreadsleepCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00673CD9), ref: 00673CE4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00673CF7
GetTickCount.KERNEL32 ref: 00673D2B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00676E36,00000000,00000000,00000000,00000000), ref: 00673DFD
CreateThread.KERNEL32(00000000,00000000,00673629,00000000,00000000), ref: 00673ED8
CloseHandle.KERNEL32(?,987AB7B1), ref: 00673EE1
CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00673F81
CloseHandle.KERNEL32(?,00000000), ref: 00673F8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00673F97
GetVersionExA.KERNEL32(?,?,00000000), ref: 0067408C
wsprintfA.USER32 ref: 0067410A
SetEvent.KERNEL32(000005E8,?,00000000), ref: 00674225
Sleep.KERNEL32(00007530,?,00000000), ref: 00674236
ResetEvent.KERNEL32(000005E8,?,00000000), ref: 00674249

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
ADVAPI32.DLL, xrefs: 00673CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00673EA4
020a00 . . :#73f7ea65b +*, xrefs: 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepTickVersionVolumewsprintf
String ID: 020a00 . . :#73f7ea65b +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 4085262208-3173251495
Opcode ID: 920848306093e86a6cc3aacb5580ee3141d408a9262e6263b04d04d65f89574a
Instruction ID: 99b60dc5ee4c0526cb47b728b06b5b7380d9db9986c06af41256c86199cf0fa6
Opcode Fuzzy Hash: 920848306093e86a6cc3aacb5580ee3141d408a9262e6263b04d04d65f89574a
Instruction Fuzzy Hash: 5FD12271515258BEEB35AF24CC1ABEA3BADEF41300F00861EE85C9E182D7F45F45866A

Function 0044495A Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 417libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00444952), ref: 0044495A
GetProcAddress.KERNEL32(00000000,00000002), ref: 0044496C
GetProcAddress.KERNEL32(00000000,004449D9), ref: 004449E4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004449F7
GetTickCount.KERNEL32 ref: 00444A2B

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00444BA4
ADVAPI32.DLL, xrefs: 004449F6

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2837544101-2287716718
Opcode ID: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
Instruction ID: 5d819bdb3f07d7a492d803bf24c1d1591be3a01dbb03bd8422030be7b180edbc
Opcode Fuzzy Hash: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
Instruction Fuzzy Hash: 66E10971515284BEFB25AF34CC4ABEB7B6CEF81304F04051EED459E082D6F89F05866A

Function 00444988 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 394COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0044497D), ref: 00444988
GetSystemDirectoryA.KERNEL32(004476E2,00000104), ref: 0044499F

Part of subcall function 004449B7: lstrcatA.KERNEL32(004476E2,004449AA), ref: 004449B8
Part of subcall function 004449B7: GetProcAddress.KERNEL32(00000000,004449D9), ref: 004449E4
Part of subcall function 004449B7: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004449F7
Part of subcall function 004449B7: GetTickCount.KERNEL32 ref: 00444A2B
Part of subcall function 004449B7: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00447B36,00000000,00000000,00000000,00000000), ref: 00444AFD

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00444BA4
ADVAPI32.DLL, xrefs: 004449F6

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 215653160-2287716718
Opcode ID: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
Instruction ID: 19c68f3023ce274ec36717a3ae1c492d9397771fe9f7b7e6842121c45e0871bb
Opcode Fuzzy Hash: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
Instruction Fuzzy Hash: FCD10871515248BEFB25AF30CC4ABEB7B6CEF81304F04051EED499E082D6F85F05866A

Function 004449B7 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 374stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(004476E2,004449AA), ref: 004449B8

Part of subcall function 004449CE: LoadLibraryA.KERNEL32(004449C3), ref: 004449CE
Part of subcall function 004449CE: GetProcAddress.KERNEL32(00000000,004449D9), ref: 004449E4
Part of subcall function 004449CE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004449F7
Part of subcall function 004449CE: GetTickCount.KERNEL32 ref: 00444A2B
Part of subcall function 004449CE: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00447B36,00000000,00000000,00000000,00000000), ref: 00444AFD

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00444BA4
ADVAPI32.DLL, xrefs: 004449F6

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2038497427-2287716718
Opcode ID: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
Instruction ID: 7872315c8e41b2f6baaf2bbb83b760d10dae2caf37187fddf4a3c1c4c6806c3a
Opcode Fuzzy Hash: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
Instruction Fuzzy Hash: E7D1F771515258BEFB25AF34CC0ABEB7B6CEF81304F04055EED499E082D6F89F05866A

Function 004449CE Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 364libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(004449C3), ref: 004449CE

Part of subcall function 004449E3: GetProcAddress.KERNEL32(00000000,004449D9), ref: 004449E4
Part of subcall function 004449E3: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004449F7
Part of subcall function 004449E3: GetTickCount.KERNEL32 ref: 00444A2B
Part of subcall function 004449E3: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00447B36,00000000,00000000,00000000,00000000), ref: 00444AFD

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00444BA4
ADVAPI32.DLL, xrefs: 004449F6

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3734769084-2287716718
Opcode ID: 2493f2ca0a9d17d60b0ae92595658eb790e1a8e0bd0394b2349fd16cbfe48cab
Instruction ID: 36e61ba7eee1286dcfe0567ef96b774d59f0c35643aced60f5b4dc79184a6c45
Opcode Fuzzy Hash: 2493f2ca0a9d17d60b0ae92595658eb790e1a8e0bd0394b2349fd16cbfe48cab
Instruction Fuzzy Hash: 80D1F871515248BEFB25AF34CC0ABEB7BACEF81304F04051EED499E182D6F89F458669

Function 004449E3 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 371librarythreadsleepCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,004449D9), ref: 004449E4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004449F7
GetTickCount.KERNEL32 ref: 00444A2B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00447B36,00000000,00000000,00000000,00000000), ref: 00444AFD
CreateThread.KERNEL32(00000000,00000000,00444329,00000000,00000000), ref: 00444BD8
CloseHandle.KERNEL32(?,987AB7B1), ref: 00444BE1
CreateThread.KERNEL32(00000000,00000000,Function_00044520,00000000,00000000), ref: 00444C81
CloseHandle.KERNEL32(?,00000000), ref: 00444C8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00444C97
GetVersionExA.KERNEL32(?,?,00000000), ref: 00444D8C
SetEvent.KERNEL32(?,?,00000000), ref: 00444F25
Sleep.KERNEL32(00007530,?,00000000), ref: 00444F36
ResetEvent.KERNEL32(?,?,00000000), ref: 00444F49

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00444BA4
ADVAPI32.DLL, xrefs: 004449F6

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepTickVersionVolume
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2334578396-2287716718
Opcode ID: 947b9679796d591e9ada89db576f74309ff53d0a5c4f8047994469cffe21920d
Instruction ID: cf214444b098b0c3f0473f61ed8012436d6a21f24637e4464a03836174d16bcb
Opcode Fuzzy Hash: 947b9679796d591e9ada89db576f74309ff53d0a5c4f8047994469cffe21920d
Instruction Fuzzy Hash: 9DD1F771515248BEFB25AF24CC4ABEB3BACEF81304F04051EED499F182D6F86F058669

Function 00673378 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 006733E2
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00673401
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0067342B
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00673438
UnmapViewOfFile.KERNEL32(?), ref: 00673450

Strings

\Device\PhysicalMemory, xrefs: 00673378
C:,, xrefs: 006733AC

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:,$\Device\PhysicalMemory
API String ID: 2985292042-1440550476
Opcode ID: 4bcd0e85e4bfeb71090631d03ff8b60b88209d435469d77d4338cfd267a743e4
Instruction ID: 0c8b477286709aa2518086e5382c41176cedb717dbfeac0ae548a4125bbda2d9
Opcode Fuzzy Hash: 4bcd0e85e4bfeb71090631d03ff8b60b88209d435469d77d4338cfd267a743e4
Instruction Fuzzy Hash: DB81AB71500218FFEB249F14CC89ABA37ADFF48710F108658ED199B295D3F0AF55CAA8

Function 0067339D Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 006733E2
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00673401
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0067342B
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00673438
UnmapViewOfFile.KERNEL32(?), ref: 00673450

Strings

ysic, xrefs: 006733E8, 006733FE
C:,, xrefs: 006733AC

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:,$ysic
API String ID: 2985292042-2852681185
Opcode ID: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
Instruction ID: 8f445bcaa559bce2bea17fcb332553b1b208c4b3ae5aff510a4d36a3809a3ac2
Opcode Fuzzy Hash: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
Instruction Fuzzy Hash: BC116071540609BBEB349F14CC56FAB366DEF88B10F104518EA199A290D7F46F148669

Function 00444078 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 004440E2
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00444101
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0044412B
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00444138
UnmapViewOfFile.KERNEL32(?), ref: 00444150

Strings

\Device\PhysicalMemory, xrefs: 00444078

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: \Device\PhysicalMemory
API String ID: 2985292042-2007344781
Opcode ID: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
Instruction ID: 314ef5349cb426bb654ade74c9385d154bda7a63d22fc4d94ac40317333ebf77
Opcode Fuzzy Hash: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
Instruction Fuzzy Hash: 8C81AC71500208FFEB249F14CC89BAA37ACFF88711F110659ED199B291D3F4AF55CAA8

Function 0044409D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 004440E2
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00444101
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0044412B
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00444138
UnmapViewOfFile.KERNEL32(?), ref: 00444150

Strings

ysic, xrefs: 004440E8, 004440FE

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: ysic
API String ID: 2985292042-20973071
Opcode ID: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
Instruction ID: 66587d69ef02d34e27c42825819929b2b8a7eabed53d0035f511173998abfce8
Opcode Fuzzy Hash: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
Instruction Fuzzy Hash: E8116071240709FBEB249F14CC5AFAB366CEF88B00F114519EA199A290D7F46F24866D

Function 006724AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\vlatVt), ref: 006724BA
lstrlenW.KERNEL32(?), ref: 006724C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00672516

Strings

\BaseNamedObjects\vlatVt, xrefs: 006724B8

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\vlatVt
API String ID: 2597515329-2976639972
Opcode ID: a54c8803a08581c9da36486dfecbc61c94a0088590b78a339b52d0a767c5b7b1
Instruction ID: edcd208b36bd4819782b525d3397745d3223e1e2e4fceb06e09fd6e051ef82e2
Opcode Fuzzy Hash: a54c8803a08581c9da36486dfecbc61c94a0088590b78a339b52d0a767c5b7b1
Instruction Fuzzy Hash: A001A4B0790304BBF7305B29CC4BF5F7969DF81B50F548158F708AE1C4DAB89A0483A9

Function 00444526 Relevance: 4.6, APIs: 3, Instructions: 127sleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(004481C4), ref: 00444537
Sleep.KERNEL32(0000EA60), ref: 004445A9
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00444659

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Sleep$SystemTime
String ID:
API String ID: 3773743504-0
Opcode ID: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
Instruction ID: 6b1cfcf08e4ec74f00c6af1712d2e99c453c245f2457894b19e281a3f4f8a1b3
Opcode Fuzzy Hash: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
Instruction Fuzzy Hash: 7641E331605258BAFB319F21CC0DBAA7A6EAFC6715F04441AFA099E1C1C7F8DF01C668

Function 00441E6F Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 279libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00441E62,00441496,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 00441E6F

Part of subcall function 00441E96: GetProcAddress.KERNEL32(00000000,00441E80), ref: 00441E97

Strings

\vlatVt, xrefs: 00441EC6

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: \vlatVt
API String ID: 2574300362-2471180080
Opcode ID: adea248a18c199a1ac14e49b73efb39744e018c94b47ff039029f9f4fc18aa4e
Instruction ID: 2ff8dd4b9d0255b689cbfb2d8c736a8ee6b02cb74068b5d03f264be0f4978e9a
Opcode Fuzzy Hash: adea248a18c199a1ac14e49b73efb39744e018c94b47ff039029f9f4fc18aa4e
Instruction Fuzzy Hash: 0191ED629181D28BE733CB748568AD7BF90A90335079D49CFD5812F1B3CB5AD85BC24E

Function 004435C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction ID: 872dfa9f61c3419e9f389a71c75280baba57510c9127ba1846da56c43c64897a
Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction Fuzzy Hash: E9312C716006169BFB248E38C84179AB3E2FB90704F11853DE556D7780D679FB898BC4

Function 006728C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction ID: 9f59f7e0f06612f3dd4320ef1dd5b530afa453b88b2d1ceb68717dcf478ed197
Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction Fuzzy Hash: A8312A326006168FDB148E39C85479AB3F3FB94304F14C63CE65AE7680E675FA998BC0

Function 00401A40 Relevance: 154.4, APIs: 29, Strings: 59, Instructions: 421
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00401A9E
GetProcAddress.KERNEL32(00000000), ref: 00401AA7
LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 00401AB7
GetProcAddress.KERNEL32(00000000), ref: 00401ABA

Part of subcall function 004016C0: strstr.MSVCRT ref: 00401730
Part of subcall function 004016C0: strcspn.MSVCRT ref: 0040174D
Part of subcall function 004016C0: strncpy.MSVCRT ref: 0040175C
Part of subcall function 004016C0: strcspn.MSVCRT ref: 0040176C
Part of subcall function 004016C0: atoi.MSVCRT(00000000), ref: 004017A8

Part of subcall function 00403160: GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,74DEF550,74DF0BD0,00000072), ref: 0040317B
Part of subcall function 00403160: GetComputerNameA.KERNEL32 ref: 00403192
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 004031AB
Part of subcall function 00403160: strstr.MSVCRT ref: 00403214
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,Windows NT), ref: 00403304
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040332D

Part of subcall function 00401A00: LoadLibraryA.KERNEL32 ref: 00401A20

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2

Strings

F, xrefs: 00401BDB
l, xrefs: 00401B91
l, xrefs: 00401BBD
M, xrefs: 00402010
d, xrefs: 0040201A
l, xrefs: 00402038
a, xrefs: 00402047
a, xrefs: 00401BC7
u, xrefs: 0040201F
l, xrefs: 00402024
l, xrefs: 00401B8C
u, xrefs: 00401B66
o, xrefs: 00401B79
e, xrefs: 00401BEA
Distribuoeq, xrefs: 00401FA5, 00401FE4
e, xrefs: 00402029
G, xrefs: 00401FFB
F, xrefs: 0040202E
l, xrefs: 00401B6F
i, xrefs: 00401BE0
l, xrefs: 00401A94
e, xrefs: 00402051
U, xrefs: 00401B9B
PlusCtrl.dll, xrefs: 00401CC5
d, xrefs: 00401BCC
o, xrefs: 00401BD6
e, xrefs: 0040203D
8@, xrefs: 00401FEA
w, xrefs: 00401B35
SetFileAttributesA, xrefs: 00401F7F
F, xrefs: 00401A8A
o, xrefs: 00402015
., xrefs: 00401B82
i, xrefs: 00402033
ExitProcess, xrefs: 00401F94
d, xrefs: 00401B87
o, xrefs: 00401BC2
i, xrefs: 00401A7B
i, xrefs: 00401A8F
N, xrefs: 00402042
o, xrefs: 00401BAF
w, xrefs: 00401BB4
t, xrefs: 00401A80
l, xrefs: 00401BE5
L, xrefs: 00401BA5
kernel32.dll, xrefs: 00401A65, 00401AAE, 00401F84, 00401F99, 00402001
e, xrefs: 00401A99
GetTempPathA, xrefs: 00401AA9
t, xrefs: 0040200B
A, xrefs: 00402056
A, xrefs: 00401BEF
m, xrefs: 00401B74
m, xrefs: 0040204C
T, xrefs: 00401BD1
,8@, xrefs: 004020E8
D, xrefs: 00401BAA
W, xrefs: 00401A72
R, xrefs: 00401BA0
e, xrefs: 00402006

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: LibraryLoad$lstrcpy$AddressCloseHandleProcstrcspnstrstr$ComputerInfoLocaleNameatoistrncpy
String ID: ,8@$.$A$A$D$Distribuoeq$ExitProcess$F$F$F$G$GetTempPathA$L$M$N$PlusCtrl.dll$R$SetFileAttributesA$T$U$W$a$a$d$d$d$e$e$e$e$e$e$i$i$i$i$kernel32.dll$l$l$l$l$l$l$l$l$m$m$o$o$o$o$o$t$t$u$u$w$w$8@
API String ID: 3864303722-4133879002
Opcode ID: 8fad84325013aa2872d693e4a5823aaf4a1b65688ad2ea7df792892cca219c5c
Instruction ID: 3c3143e3e5472c0825c52dd3c823dc81544a2ddb207d74fe6334a4c7ffd002c2
Opcode Fuzzy Hash: 8fad84325013aa2872d693e4a5823aaf4a1b65688ad2ea7df792892cca219c5c
Instruction Fuzzy Hash: 0502C270548380DEE310CB64DD48B5BBBE5AB95704F04492DF6C5A72D2DBBAD808CB6B

Function 00402D30 Relevance: 52.7, APIs: 12, Strings: 18, Instructions: 217stringlibraryfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000047,00000000,0000009C), ref: 00402DE5
GetProcAddress.KERNEL32(00000000), ref: 00402DEC
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402E0F
strncmp.MSVCRT ref: 00402E34
lstrcatA.KERNEL32(?,004084CC), ref: 00402EC0
lstrcatA.KERNEL32(?,?), ref: 00402ED0
CopyFileA.KERNEL32(?,?,00000000), ref: 00402EE1
lstrcpyA.KERNEL32(?,?), ref: 00402F04
GetLastError.KERNEL32 ref: 00402F7F
lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402FD1
lstrcatA.KERNEL32(?,?), ref: 00402FDF
lstrlenA.KERNEL32(00000000), ref: 00402FFE

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Strings

F, xrefs: 00402D96
A, xrefs: 00402DCB
o, xrefs: 00402D73
a, xrefs: 00402DB7
G, xrefs: 00402D56
%c%c%c%c%c%c.exe, xrefs: 00402E99
t, xrefs: 00402D65
Description, xrefs: 0040300A
m, xrefs: 00402DBE
u, xrefs: 00402D81
,8@, xrefs: 00402EA5
SYSTEM\CurrentControlSet\Services\, xrefs: 00402FC5
M, xrefs: 00402D6C
i, xrefs: 00402D9D
N, xrefs: 00402DB0
8@, xrefs: 00402F99
kernel32.dll, xrefs: 00402DE0
d, xrefs: 00402D7A

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AddressCopyCountDirectoryErrorFileLastLibraryLoadProcSystemTicklstrlenrandstrncmp
String ID: %c%c%c%c%c%c.exe$,8@$A$Description$F$G$M$N$SYSTEM\CurrentControlSet\Services\$a$d$i$kernel32.dll$m$o$t$u$8@
API String ID: 2930506891-1316125334
Opcode ID: 4cad2e7bd832c944ab44e5aa06c1b8362982bd4035659bc22fff8856b8ad885a
Instruction ID: 0e0e6dca43d9b0313fe333de96fee7407300e1d87e337aa7371e7680423aad75
Opcode Fuzzy Hash: 4cad2e7bd832c944ab44e5aa06c1b8362982bd4035659bc22fff8856b8ad885a
Instruction Fuzzy Hash: 478119B2900258ABD722DB60DD89FDA7B7CAF55700F0401E9F609B61C1DA789F44CF65

Function 00402600 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 196stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402613
lstrcatA.KERNEL32(?,Distribuoeq), ref: 00402623

Strings

Distribuoeq, xrefs: 0040261D, 004027B9, 004027C6
ImagePath, xrefs: 0040267A
SYSTEM\CurrentControlSet\Services\, xrefs: 0040260D
69@, xrefs: 0040263F
$9@, xrefs: 00402680

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: $9@$69@$Distribuoeq$ImagePath$SYSTEM\CurrentControlSet\Services\
API String ID: 3905823039-738438224
Opcode ID: 4993b40f7886f15423b6108ea60fa8a6cb83f6d371995b2a9da2af4ffd17cede
Instruction ID: cff8f841e93e58ab4234d6d93627b2c916986187481524a3f77962f8d504dc07
Opcode Fuzzy Hash: 4993b40f7886f15423b6108ea60fa8a6cb83f6d371995b2a9da2af4ffd17cede
Instruction Fuzzy Hash: 1551D4357407056BE320DB34ED49FEB37A8EB84721F404839FA06F11D0E6BD95194669

Function 004023B0 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 114librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 00402438
GetProcAddress.KERNEL32(00000000), ref: 0040243F
GetTempPathA.KERNEL32(00000104,?), ref: 0040247C
lstrcatA.KERNEL32(?,SOFTWARE.LOG), ref: 0040248E
MoveFileExA.KERNEL32(00000000,?,00000003(MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED)), ref: 004024AA
MoveFileExA.KERNEL32(?,00000000,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004024BB

Strings

A, xrefs: 00402430
N, xrefs: 00402424
a, xrefs: 00402428
SOFTWARE.LOG, xrefs: 00402488
M, xrefs: 00402406
d, xrefs: 0040240E
t, xrefs: 00402402
u, xrefs: 00402412
m, xrefs: 0040242C
i, xrefs: 0040241D
o, xrefs: 0040240A
F, xrefs: 00402419
kernel32.dll, xrefs: 004023FD
G, xrefs: 004023F8

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: FileMove$AddressLibraryLoadPathProcTemplstrcat
String ID: A$F$G$M$N$SOFTWARE.LOG$a$d$i$kernel32.dll$m$o$t$u
API String ID: 20907805-1765106238
Opcode ID: 3574a8691a983e4fb58ac25ab56cb1c955f97815db305d7cfbd3ec60fc5b3c7d
Instruction ID: f0613c91973a543e40f7bda577bceb9edfdbe02e48fb26baed1209212c166b8f
Opcode Fuzzy Hash: 3574a8691a983e4fb58ac25ab56cb1c955f97815db305d7cfbd3ec60fc5b3c7d
Instruction Fuzzy Hash: 43219171D482CCEEEB11C7A8CD09BDEBFB45B22704F0480D9964477282D6B91B48CBB6

Function 00673E64 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 246threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00673E58), ref: 00673E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73f7ea65b +*,000000C8), ref: 00673E7A
wsprintfA.USER32 ref: 00673E8F
CreateThread.KERNEL32(00000000,00000000,00673629,00000000,00000000), ref: 00673ED8
CloseHandle.KERNEL32(?,987AB7B1), ref: 00673EE1
CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00673F81
CloseHandle.KERNEL32(?,00000000), ref: 00673F8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00673F97

Part of subcall function 0067339D: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 006733E2
Part of subcall function 0067339D: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00673401
Part of subcall function 0067339D: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0067342B
Part of subcall function 0067339D: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00673438
Part of subcall function 0067339D: UnmapViewOfFile.KERNEL32(?), ref: 00673450

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00673EA4
020a00 . . :#73f7ea65b +*, xrefs: 00673E77, 00673E8C, 00674119, 00674158
C:,, xrefs: 00673E8E

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: 020a00 . . :#73f7ea65b +*$C:,$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 541178049-2141397456
Opcode ID: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
Instruction ID: d0ff452162a7e1ca983889516eb66b89e466c2e9edbd51934116482813847d81
Opcode Fuzzy Hash: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
Instruction Fuzzy Hash: 5891E171119259BFDB21AF24CC1EBEB7B6DEF41300F004649F8595E182D7F05F458AAA

Function 00673F27 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 205threadlibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00673F1B), ref: 00673F27
CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00673F81
CloseHandle.KERNEL32(?,00000000), ref: 00673F8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00673F97
lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00673FE8
GetVersionExA.KERNEL32(?,?,00000000), ref: 0067408C
wsprintfA.USER32 ref: 0067410A
CreateThread.KERNEL32(?,?,Function_000037B1,6F6C6902), ref: 00674138
CloseHandle.KERNEL32(?,?,Function_000037B1,6F6C6902,?,?,00000023,00676E36,00000073,6F6C6902,6F6C6902,00673AEA,00000014,00000000), ref: 00674141
RtlExitUserThread.NTDLL(00000000), ref: 00674261

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
ilo.brenz.pl, xrefs: 00673FE7, 00673FF6
020a00 . . :#73f7ea65b +*, xrefs: 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$EventExitLibraryLoadUserVersionlstrlenwsprintf
String ID: 020a00 . . :#73f7ea65b +*$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
API String ID: 485685433-2386965409
Opcode ID: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
Instruction ID: 5d99a7d083f575bdd4f9fb8b318d7ba6f22ddecd34b6e817615bef73e002a416
Opcode Fuzzy Hash: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
Instruction Fuzzy Hash: 4681E071119249BEDB21AF24C81DBEE7BAEAF41300F044548F86D9E192CBF49F41CB69

Function 00673E4D Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 262librarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00673E41), ref: 00673E4D

Part of subcall function 00673E64: GetProcAddress.KERNEL32(00000000,00673E58), ref: 00673E65
Part of subcall function 00673E64: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73f7ea65b +*,000000C8), ref: 00673E7A
Part of subcall function 00673E64: wsprintfA.USER32 ref: 00673E8F
Part of subcall function 00673E64: CreateThread.KERNEL32(00000000,00000000,00673629,00000000,00000000), ref: 00673ED8
Part of subcall function 00673E64: CloseHandle.KERNEL32(?,987AB7B1), ref: 00673EE1

CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00673F81
CloseHandle.KERNEL32(?,00000000), ref: 00673F8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00673F97
GetVersionExA.KERNEL32(?,?,00000000), ref: 0067408C
wsprintfA.USER32 ref: 0067410A

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00673EA4
020a00 . . :#73f7ea65b +*, xrefs: 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersion
String ID: 020a00 . . :#73f7ea65b +*$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 62832863-4142076871
Opcode ID: f3eab7d3b9ecada30b338b465e3c48a7a59313c7040ec96585de29dc26fd48b8
Instruction ID: 54f1c21b0f2f2a542c5262e4630a106055940212fe89080cc77441520f60ba9f
Opcode Fuzzy Hash: f3eab7d3b9ecada30b338b465e3c48a7a59313c7040ec96585de29dc26fd48b8
Instruction Fuzzy Hash: 31912571118254BEDB21AF24CC1EBEB7BADEF41300F044649F8599E182D7F05F4587AA

Function 00444C27 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205threadlibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00444C1B), ref: 00444C27
CreateThread.KERNEL32(00000000,00000000,Function_00044520,00000000,00000000), ref: 00444C81
CloseHandle.KERNEL32(?,00000000), ref: 00444C8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00444C97
lstrlenA.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00444CE8
GetVersionExA.KERNEL32(?,?,00000000), ref: 00444D8C
CreateThread.KERNEL32(?,?,Function_000444B1,6F6C6902), ref: 00444E38
CloseHandle.KERNEL32(?,?,Function_000444B1,6F6C6902,?,?,00000023,00447B36,00000000,6F6C6902,6F6C6902,004447EA,00000014,00000000), ref: 00444E41
ExitThread.KERNEL32(00000000), ref: 00444F61

Strings

ilo.brenz.pl, xrefs: 00444CE7, 00444CF6

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$EventExitLibraryLoadVersionlstrlen
String ID: ilo.brenz.pl
API String ID: 4087459659-878173267
Opcode ID: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
Instruction ID: e85841639f8cb1db1ace13110e80643258c57876f049225af3ebeb0147343002
Opcode Fuzzy Hash: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
Instruction Fuzzy Hash: D181EE71509249BFEB319F24C81ABEE7BACBF81300F14054AE8595E181C7F89F058B6E

Function 00404905 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 203sleepprocessthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403E00: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
Part of subcall function 00403E00: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
Part of subcall function 00403E00: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00404A1E
Sleep.KERNEL32(00001388), ref: 00404A2D
Sleep.KERNEL32(0000000A,?,00000000), ref: 00404B7D
ExitThread.KERNEL32 ref: 00404B87

Strings

%s %s%s, xrefs: 00404991
D, xrefs: 004049A4
GET %s HTTP/1.1Host: %s:%d, xrefs: 00404A92
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#, xrefs: 004049D0
,8@, xrefs: 0040496F
GET %s HTTP/1.1Host: %s, xrefs: 00404A6D
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00404AD7
GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00404B1A

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryExitProcessSystemThreadlstrcatlstrcpy
String ID: %s %s%s$,8@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#
API String ID: 2825703556-2499878509
Opcode ID: df2cad709f29754dcafc4a0d25050df2d5ba39f326bf680629eab38fb005b706
Instruction ID: da6923137c11df0d7ab68030686ac7cd269fa33bd206a37efab997621938c878
Opcode Fuzzy Hash: df2cad709f29754dcafc4a0d25050df2d5ba39f326bf680629eab38fb005b706
Instruction Fuzzy Hash: 2551A8B15443456BD324DB64CD41FEB77A9AFC4304F00493EF64AA72C1EA79AA04CB9B

Function 004024D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 129libraryfileloaderCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 00402504
LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 00402516
GetProcAddress.KERNEL32(00000000), ref: 0040251D
LoadResource.KERNEL32(?,00000000), ref: 00402533
LockResource.KERNEL32(00000000), ref: 0040254A
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004025A1
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004025BE
CloseHandle.KERNEL32(00000000), ref: 004025C5

Strings

hra%u.dll, xrefs: 00402560
,8@, xrefs: 00402566
kernel32.dll, xrefs: 0040250F
SizeofResource, xrefs: 0040250A

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Resource$FileLoad$AddressCloseCreateFindHandleLibraryLockProcWrite
String ID: ,8@$SizeofResource$hra%u.dll$kernel32.dll
API String ID: 2921964263-4168475015
Opcode ID: a79a88351d4ee55d91fec4b12707c34b880592affa0a33c76b31672086c36472
Instruction ID: 05619c64b77a0a6437fb081d8a4bc4abd72332ae768d0b043ea742f75d8c896d
Opcode Fuzzy Hash: a79a88351d4ee55d91fec4b12707c34b880592affa0a33c76b31672086c36472
Instruction Fuzzy Hash: 1F11D2716402047BD7209F649E4DFAB376CEB85B24F114529FE06B72C0DBB498148ABC

Function 00402810 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 83sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00402888
CreateMutexA.KERNEL32(00000000,00000000,Distribuoeq), ref: 004028A8
GetLastError.KERNEL32 ref: 004028AE
ExitProcess.KERNEL32 ref: 004028BC
WaitForSingleObject.KERNEL32(00000000,000000FF,Function_00001A40,00000000), ref: 00402944
CloseHandle.KERNEL32(?), ref: 0040294D
Sleep.KERNEL32(0000012C), ref: 00402967

Strings

hra%u.dll, xrefs: 004028D1
Distribuoeq, xrefs: 0040281F, 004028A1
,8@, xrefs: 004028D7
Z9@, xrefs: 00402824
H9@, xrefs: 0040282A

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Sleep$CloseCreateErrorExitHandleLastMutexObjectProcessSingleWait
String ID: ,8@$Distribuoeq$H9@$Z9@$hra%u.dll
API String ID: 482528292-2211841438
Opcode ID: 735153542032c615ee15675859b1d42246c009a904f63fe55f3969934729beb0
Instruction ID: 9e342082198d0c0f17f09a8a404d76bdda1f71cbb84061cebe59b1f914c361f5
Opcode Fuzzy Hash: 735153542032c615ee15675859b1d42246c009a904f63fe55f3969934729beb0
Instruction Fuzzy Hash: 2A314DB0540305AFD310EB61EF4AF5A3AA8EB54718F21413EB655B61E2CFF958048FAD

Function 00404C83 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 287sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A), ref: 00405087
ExitThread.KERNEL32 ref: 00405093

Strings

E, xrefs: 00404D93
P, xrefs: 00404E37
192.168.1.244, xrefs: 00404CC8
`:@, xrefs: 00404D1E
]@, xrefs: 00404E24, 00404FB2
,8@, xrefs: 00404F5B
%d.%d.%d.%d, xrefs: 00404F55
<:@, xrefs: 00404D6A
@, xrefs: 00404DAF

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$192.168.1.244$<:@$@$E$P$`:@$]@
API String ID: 896407411-2643560063
Opcode ID: d604f48981dc178444f468b20bfd3291236b9bb87fd842ba203fa14314ef6784
Instruction ID: a11e23f07e89fd79917e8136cf8e3326afab1f20c2e29fb6b7df3ea0f310ee3b
Opcode Fuzzy Hash: d604f48981dc178444f468b20bfd3291236b9bb87fd842ba203fa14314ef6784
Instruction Fuzzy Hash: BBB159715083859AE710DF60C845B6BB7E5FFD4308F004D2DFA89A7291DB749A09CB9B

Function 00405320 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 274sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A), ref: 00405717
ExitThread.KERNEL32 ref: 00405723

Strings

@, xrefs: 0040543F
192.168.1.244, xrefs: 00405358
`:@, xrefs: 004053AE
P, xrefs: 004054C7
]@, xrefs: 004054B4, 00405642
,8@, xrefs: 004055EB
%d.%d.%d.%d, xrefs: 004055E5
E, xrefs: 00405423
<:@, xrefs: 004053FA

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$192.168.1.244$<:@$@$E$P$`:@$]@
API String ID: 896407411-2643560063
Opcode ID: fb4a31642ab8506c44b56105cc454ed5c2899b6acfb7622cd7005f80403f0be3
Instruction ID: bee5a320e23260b0ccfa8ee8b9c418d69dfc131687e79230085c79d38b805ed6
Opcode Fuzzy Hash: fb4a31642ab8506c44b56105cc454ed5c2899b6acfb7622cd7005f80403f0be3
Instruction Fuzzy Hash: 90B179715083859AE710DF60C845B6BB7E5FFD4308F004D2DFA89A7291DBB49A09CB9B

Function 00444B64 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 246threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00444B58), ref: 00444B65
GetModuleFileNameA.KERNEL32(00000000,004476E2,000000C8), ref: 00444B7A
CreateThread.KERNEL32(00000000,00000000,00444329,00000000,00000000), ref: 00444BD8
CloseHandle.KERNEL32(?,987AB7B1), ref: 00444BE1
CreateThread.KERNEL32(00000000,00000000,Function_00044520,00000000,00000000), ref: 00444C81
CloseHandle.KERNEL32(?,00000000), ref: 00444C8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00444C97

Part of subcall function 0044409D: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 004440E2
Part of subcall function 0044409D: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00444101
Part of subcall function 0044409D: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0044412B
Part of subcall function 0044409D: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00444138
Part of subcall function 0044409D: UnmapViewOfFile.KERNEL32(?), ref: 00444150

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00444BA4

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmap
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3400179232-621207024
Opcode ID: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
Instruction ID: 0970c711e8415b1078d830f88e856be1eb9566ebbc6d70b3408eaffb5101b0bd
Opcode Fuzzy Hash: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
Instruction Fuzzy Hash: 2191C371505249BFEB21AF24CC4ABEB7B6CEF81304F14054AF9595E081D6F86F0587AA

Function 00674109 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 178sleepthreadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0067410A
CreateThread.KERNEL32(?,?,Function_000037B1,6F6C6902), ref: 00674138
CloseHandle.KERNEL32(?,?,Function_000037B1,6F6C6902,?,?,00000023,00676E36,00000073,6F6C6902,6F6C6902,00673AEA,00000014,00000000), ref: 00674141
Sleep.KERNEL32(00000064,?,?,?,Function_000037B1,6F6C6902,?,?,00000023,00676E36,00000073,6F6C6902,6F6C6902,00673AEA,00000014,00000000), ref: 006741DA
GetTickCount.KERNEL32 ref: 006741E3
SetEvent.KERNEL32(000005E8,?,00000000), ref: 00674225
Sleep.KERNEL32(00007530,?,00000000), ref: 00674236
ResetEvent.KERNEL32(000005E8,?,00000000), ref: 00674249

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
020a00 . . :#73f7ea65b +*, xrefs: 00674109, 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: EventSleep$CloseCountCreateHandleResetThreadTickwsprintf
String ID: 020a00 . . :#73f7ea65b +*$\DEVICE\AFD\ENDPOINT
API String ID: 4091134114-602111237
Opcode ID: fc55b44dffeed9f0fa34af6d0f9333e7e97c5298c09aa9a8cf59fe694ab0a9b6
Instruction ID: 9e649ff07f7fbbbd07a772240f1077f585e36e62b83b173bff770f7a790ddb5d
Opcode Fuzzy Hash: fc55b44dffeed9f0fa34af6d0f9333e7e97c5298c09aa9a8cf59fe694ab0a9b6
Instruction Fuzzy Hash: C4614631118249BADF21AF34C81DBEE7BAEAF41304F048548E86D5E182CBF49F41C769

Function 00404720 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 142sleepthreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00404817
Sleep.KERNEL32(000007D0), ref: 00404822
Sleep.KERNEL32(0000000A), ref: 00404833
ExitThread.KERNEL32 ref: 00404839
Sleep.KERNEL32(00000032,?,00000000), ref: 004048F4
ExitThread.KERNEL32 ref: 004048FF

Part of subcall function 00403E00: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
Part of subcall function 00403E00: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
Part of subcall function 00403E00: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

Strings

%s %s%s, xrefs: 004047AE
D, xrefs: 004047CB
,8@, xrefs: 004047B4, 0040488F
GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache, xrefs: 00404863
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0, xrefs: 00404882

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Sleep$ExitThread$CreateDirectoryProcessSystemlstrcatlstrcpy
String ID: %s %s%s$,8@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0$GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache
API String ID: 4106849892-1440346242
Opcode ID: 5eb02f3b8431406fad96daf4aa59b50a38eec1cead9eb88fe7224a995bb05ed2
Instruction ID: 794b02a4c492586d25d224780bf78908b263a50c21f6d464f885ce95802daaf6
Opcode Fuzzy Hash: 5eb02f3b8431406fad96daf4aa59b50a38eec1cead9eb88fe7224a995bb05ed2
Instruction Fuzzy Hash: A1416672144345AFE320DB50CD45BEB77A9AFC4700F004D3EF686A31C1DA7999048BAA

Function 00402153 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 98librarystringloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,Distribuoeq), ref: 0040215F
ReleaseMutex.KERNEL32(00000000), ref: 0040216C
CloseHandle.KERNEL32(00000000), ref: 00402173
lstrcatA.KERNEL32(?,?), ref: 0040222C
GetProcAddress.KERNEL32(00000000,?), ref: 0040223F

Strings

Distribuoeq, xrefs: 00402153, 004022F9
,8@, xrefs: 00402213
stf%c%c%c%c%c.exe, xrefs: 0040220D
8@, xrefs: 004022FF

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Mutex$AddressCloseHandleOpenProcReleaselstrcat
String ID: ,8@$Distribuoeq$stf%c%c%c%c%c.exe$8@
API String ID: 2376757572-3791897913
Opcode ID: 3fee883449239276f1948b4b83ab1ea6cde5b5cab6033c52ad3544baa1033d71
Instruction ID: 07dd3426e8a5cfa61062460b71f0a3489c34bdea3db5e388aae2d5ac9104c876
Opcode Fuzzy Hash: 3fee883449239276f1948b4b83ab1ea6cde5b5cab6033c52ad3544baa1033d71
Instruction Fuzzy Hash: 6C31F6F26403417BE7209BA0DD0AFAF369CAF44701F00493DF746B61C1EEB896048A6B

Function 00444B4D Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 262librarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00444B41), ref: 00444B4D

Part of subcall function 00444B64: GetProcAddress.KERNEL32(00000000,00444B58), ref: 00444B65
Part of subcall function 00444B64: GetModuleFileNameA.KERNEL32(00000000,004476E2,000000C8), ref: 00444B7A
Part of subcall function 00444B64: CreateThread.KERNEL32(00000000,00000000,00444329,00000000,00000000), ref: 00444BD8
Part of subcall function 00444B64: CloseHandle.KERNEL32(?,987AB7B1), ref: 00444BE1

CreateThread.KERNEL32(00000000,00000000,Function_00044520,00000000,00000000), ref: 00444C81
CloseHandle.KERNEL32(?,00000000), ref: 00444C8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00444C97
GetVersionExA.KERNEL32(?,?,00000000), ref: 00444D8C

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00444BA4

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThread$AddressEventFileLibraryLoadModuleNameProcVersion
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4113580538-621207024
Opcode ID: 87f197dd41939147b2960925833c34f02f8e43997e3fe373c143eff21418308d
Instruction ID: e0ac6c75b037fdfe9fbf295c9a5931706bbe2a8225ee84057753739f6c3a91a2
Opcode Fuzzy Hash: 87f197dd41939147b2960925833c34f02f8e43997e3fe373c143eff21418308d
Instruction Fuzzy Hash: 3A910871515244BEEB219F24CC5ABEB7B6CEF81304F04054AE9495E182D6F89F05C6AA

Function 00673EF8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 192libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00673EEC), ref: 00673EF8

Part of subcall function 00673F27: LoadLibraryA.KERNEL32(00673F1B), ref: 00673F27
Part of subcall function 00673F27: CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00673F81
Part of subcall function 00673F27: CloseHandle.KERNEL32(?,00000000), ref: 00673F8A
Part of subcall function 00673F27: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00673F97
Part of subcall function 00673F27: GetVersionExA.KERNEL32(?,?,00000000), ref: 0067408C

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00674157
020a00 . . :#73f7ea65b +*, xrefs: 00674119, 00674158

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CreateLibraryLoad$CloseEventHandleThreadVersion
String ID: 020a00 . . :#73f7ea65b +*$\DEVICE\AFD\ENDPOINT
API String ID: 4090826934-602111237
Opcode ID: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
Instruction ID: 7937d6e7e8e214ce7318628740b7b0a9a5693972658882aad16e49715bacf5bf
Opcode Fuzzy Hash: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
Instruction Fuzzy Hash: 15611471119249BEDB21AF34CC1ABEA7BADEF41300F044649F86D9E182C7F05F4587AA

Function 00403B10 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00403BB6
GetLastError.KERNEL32 ref: 00403BC2
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00403BF5
InterlockedExchange.KERNEL32(?,00000000), ref: 00403C07
LocalAlloc.KERNEL32(00000040,00000008), ref: 00403C1B
FreeLibrary.KERNEL32(00000000), ref: 00403C38
GetProcAddress.KERNEL32(?,?), ref: 00403C99
GetLastError.KERNEL32 ref: 00403CA5
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00403CD7

Strings

$, xrefs: 00403B2C

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 36fe4dab1de80df83a616e5d2683970340db3ca332fec087ab461386fbccdab3
Instruction ID: 52b406d3f103219c093564718a3b2c2d18ed8ca5132a2492024d70ce187348d6
Opcode Fuzzy Hash: 36fe4dab1de80df83a616e5d2683970340db3ca332fec087ab461386fbccdab3
Instruction Fuzzy Hash: F8613C71600205AFEB15CF99C984AAA7BF9AB48301F11803EE916F7390D774EE04CB64

Function 0040367F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004036AC
__p__fmode.MSVCRT ref: 004036C1
__p__commode.MSVCRT ref: 004036CF
__setusermatherr.MSVCRT ref: 004036FB
_initterm.MSVCRT ref: 00403711
__getmainargs.MSVCRT ref: 00403734
_initterm.MSVCRT ref: 00403744
GetStartupInfoA.KERNEL32(?), ref: 00403783
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004037A7
exit.MSVCRT ref: 004037B7
_XcptFilter.MSVCRT ref: 004037C9

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: bdb5c9794a0d6897bb365cab6c7c557ce66239c653fb92b30b56ff46a497ed67
Instruction ID: ba1f1da14ff76bb8750f1f60014ed55525f4e47ea4881a3bfc32ef867773b9a2
Opcode Fuzzy Hash: bdb5c9794a0d6897bb365cab6c7c557ce66239c653fb92b30b56ff46a497ed67
Instruction Fuzzy Hash: A1415EF5840304AFDB20AFA4D949A5ABFACEB09711B20453FE452B72D1C7785941CF68

Function 00402B20 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 169COMMON

Download Yara Rule

APIs

#4710.MFC42 ref: 00402B2A
#6197.MFC42(00000000,0000009C,0000009C,00000000,00000000,00000001), ref: 00402B7E

Part of subcall function 00402D30: LoadLibraryA.KERNEL32(kernel32.dll,00000047,00000000,0000009C), ref: 00402DE5
Part of subcall function 00402D30: GetProcAddress.KERNEL32(00000000), ref: 00402DEC
Part of subcall function 00402D30: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402E0F
Part of subcall function 00402D30: strncmp.MSVCRT ref: 00402E34

ExitProcess.KERNEL32 ref: 00402C4B

Strings

Distribuoeq, xrefs: 00402BB1, 00402C0A
l9@, xrefs: 00402BCE
b8@, xrefs: 00402B35
Distribufqy Transaction Coordinator Service, xrefs: 00402C05
Distribucjx Transaction Coordinator Service., xrefs: 00402C00
P8@, xrefs: 00402B6A

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: #4710#6197AddressDirectoryExitLibraryLoadProcProcessSystemstrncmp
String ID: Distribucjx Transaction Coordinator Service.$Distribufqy Transaction Coordinator Service$Distribuoeq$P8@$b8@$l9@
API String ID: 3958467283-4228543752
Opcode ID: 117839834650e7e938ed014b9244ee9cb0d5573d962b4e8f455a6211bd4cceb4
Instruction ID: cf9320a1031b7b380acfe78e02c8ba282f3c83360672a311bdaa638afd64cd46
Opcode Fuzzy Hash: 117839834650e7e938ed014b9244ee9cb0d5573d962b4e8f455a6211bd4cceb4
Instruction Fuzzy Hash: 4311B130640304BBD760AF658E0AF6B77A8AB45B04F10462DFA85B72C1DAF9A904865C

Function 004414AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 0044214A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0044216A

CloseHandle.KERNEL32(?), ref: 004412AD
FreeLibrary.KERNEL32(50FFFFFE,?,0044149B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 004414B8
CloseHandle.KERNEL32(?,?,0044149B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 004414BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 004414C9
Process32First.KERNEL32 ref: 004414DC
Process32Next.KERNEL32 ref: 004414ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00441505
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00441542
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0044155D
CloseHandle.KERNEL32 ref: 0044156C

Strings

csrs, xrefs: 0044152C

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryNextOpenPrivilegesProcessRemoteSnapshotThreadTokenToolhelp32
String ID: csrs
API String ID: 931541398-2321902090
Opcode ID: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
Instruction ID: f0d665bfa49ec8cece9321ab52119d0e35e068c4c8f8e5dd8cdd45ca20d94520
Opcode Fuzzy Hash: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
Instruction Fuzzy Hash: AF112E30105205FBFB256E21CD49BBF3A6DEF84711F00012EFD4A99161D6B89E41966E

Function 00405810 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 178sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00405A85

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000028), ref: 00405A77

Strings

E, xrefs: 00405934
`:@, xrefs: 004058C6
,8@, xrefs: 004059A6
AAAA, xrefs: 00405854
%d.%d.%d.%d, xrefs: 004059A0
<:@, xrefs: 0040588D

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$<:@$AAAA$E$`:@
API String ID: 896407411-2836906244
Opcode ID: ea2dd581bac7c8cef9c5bdfd95272e9f0afcf65b51e7e46ad9891951b0c6bac6
Instruction ID: e9a3f02c22eb15b260bf825b8ca02d5a946cb04ee5495d7803f8191399606438
Opcode Fuzzy Hash: ea2dd581bac7c8cef9c5bdfd95272e9f0afcf65b51e7e46ad9891951b0c6bac6
Instruction Fuzzy Hash: 1F51D2B0548381AAE320DF64CC45B6BB7E8EFD4304F004D2DF695A72D1E7B585098BAB

Function 004050B0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 172sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A,?,?,?,00000200), ref: 004052FF
ExitThread.KERNEL32 ref: 00405308

Strings

E, xrefs: 0040517B
@, xrefs: 00405197
`:@, xrefs: 00405106
]@, xrefs: 00405206
<:@, xrefs: 00405152
P, xrefs: 00405219

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: <:@$@$E$P$`:@$]@
API String ID: 896407411-2684562160
Opcode ID: 69fcc90e96dea77de8cc62438d1ff4d5379d368cbce85fec8dadd9f28f38ca4b
Instruction ID: 39b009766a04849488636733dbf50ff139f1285f39767be3529f9717fe43e04f
Opcode Fuzzy Hash: 69fcc90e96dea77de8cc62438d1ff4d5379d368cbce85fec8dadd9f28f38ca4b
Instruction Fuzzy Hash: 13614C71548344AAD710DF648C45B5FBBE9FF88304F40092EF689A72E1DBB49909CB9B

Function 004043BF Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 159threadCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040443F
ExitThread.KERNEL32 ref: 004045AB

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

sprintf.MSVCRT ref: 00404507
sprintf.MSVCRT ref: 00404538

Strings

#0%s!, xrefs: 00404532
*:@, xrefs: 004043F5
%s/%s, xrefs: 00404501
<:@, xrefs: 0040441E

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: sprintf$CountExitThreadTickmallocrand
String ID: #0%s!$%s/%s$*:@$<:@
API String ID: 3712263441-3613801517
Opcode ID: 00b75b3de8d93dc31a74d50db6e5e73740eefd36b768d78ccac709e30f348c81
Instruction ID: 19c619330cfb283f4556bae5eafdd7ef04c8a47010b92698e7a8e45263eab30c
Opcode Fuzzy Hash: 00b75b3de8d93dc31a74d50db6e5e73740eefd36b768d78ccac709e30f348c81
Instruction Fuzzy Hash: 1651B1B1104340ABE310DF748D45B9BB6E4EFC4704F004E3EF69AA72D1E7789A058B6A

Function 004016C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 134stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00401730
strcspn.MSVCRT ref: 0040174D
strncpy.MSVCRT ref: 0040175C
strcspn.MSVCRT ref: 0040176C
atoi.MSVCRT(00000000), ref: 004017A8

Strings

*:@, xrefs: 004017D4
<:@, xrefs: 004017B2

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: strcspn$atoistrncpystrstr
String ID: *:@$<:@
API String ID: 896909712-1525120602
Opcode ID: 70288e223b217b753ca0d46052b630638dcf25dcd2a199c3146b493787b399b8
Instruction ID: f8a19cff3734ad80dd224e4d4fa567c6fc112c9a2d060b15b6745f6d38997baa
Opcode Fuzzy Hash: 70288e223b217b753ca0d46052b630638dcf25dcd2a199c3146b493787b399b8
Instruction Fuzzy Hash: DD215C31E002186BC710A778DD06BEA7765BF48710F0006BEFA59F32D1DEB44A448B9D

Function 00444E09 Relevance: 12.2, APIs: 8, Instructions: 178sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(?,?,Function_000444B1,6F6C6902), ref: 00444E38
CloseHandle.KERNEL32(?,?,Function_000444B1,6F6C6902,?,?,00000023,00447B36,00000000,6F6C6902,6F6C6902,004447EA,00000014,00000000), ref: 00444E41
Sleep.KERNEL32(00000064,?,?,?,Function_000444B1,6F6C6902,?,?,00000023,00447B36,00000000,6F6C6902,6F6C6902,004447EA,00000014,00000000), ref: 00444EDA
GetTickCount.KERNEL32 ref: 00444EE3
SetEvent.KERNEL32(?,?,00000000), ref: 00444F25
Sleep.KERNEL32(00007530,?,00000000), ref: 00444F36
ResetEvent.KERNEL32(?,?,00000000), ref: 00444F49

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: EventSleep$CloseCountCreateHandleResetThreadTick
String ID:
API String ID: 1870499893-0
Opcode ID: fc55b44dffeed9f0fa34af6d0f9333e7e97c5298c09aa9a8cf59fe694ab0a9b6
Instruction ID: 61e243172b24d1d383c75fbb9c45a3f8440206c63e72ef37573d17fe558795a2
Opcode Fuzzy Hash: fc55b44dffeed9f0fa34af6d0f9333e7e97c5298c09aa9a8cf59fe694ab0a9b6
Instruction Fuzzy Hash: CD610571508249BAEB31AF34C81ABDE7BADBF81304F14054AE9595E181C7F89F05C76E

Function 00444BF8 Relevance: 10.7, APIs: 7, Instructions: 192libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00444BEC), ref: 00444BF8

Part of subcall function 00444C27: LoadLibraryA.KERNEL32(00444C1B), ref: 00444C27
Part of subcall function 00444C27: CreateThread.KERNEL32(00000000,00000000,Function_00044520,00000000,00000000), ref: 00444C81
Part of subcall function 00444C27: CloseHandle.KERNEL32(?,00000000), ref: 00444C8A
Part of subcall function 00444C27: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00444C97
Part of subcall function 00444C27: GetVersionExA.KERNEL32(?,?,00000000), ref: 00444D8C

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CreateLibraryLoad$CloseEventHandleThreadVersion
String ID:
API String ID: 4090826934-0
Opcode ID: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
Instruction ID: 56d4a1bd0f41dd74c38a1100e4a6aff77fc8715d4044c39675475b8d9a644a6e
Opcode Fuzzy Hash: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
Instruction Fuzzy Hash: BB61F571515249BEEB21AF34CC1ABEB7B6CEF81304F14054AF9595F181C2F85F0587AA

Function 00401D35 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110libraryfileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2
CreateFileA.KERNEL32(PlusCtrl.dll,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401D79
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00401DB7

Strings

PlusCtrl.dll, xrefs: 00401CC5, 00401D74

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFileLibraryLoad
String ID: PlusCtrl.dll
API String ID: 4073770061-3813448905
Opcode ID: 276a740126fdbb8642ac7236fc26bc1fb47062cc569460620264d7a81443eeee
Instruction ID: 678e4eeabf8f2deab5107e84c4a66d22c971bafb6cfac5e257f318dcc26d0ccf
Opcode Fuzzy Hash: 276a740126fdbb8642ac7236fc26bc1fb47062cc569460620264d7a81443eeee
Instruction Fuzzy Hash: 3241A4315443029BE320CF64DD44B6B7BE4AF84754F140A2EF961B22E0E778E8458B9A

Function 00402C60 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,SYSTEM\CurrentControlSet\Services\,00403862), ref: 00402CCF
lstrcatA.KERNEL32(00000000,Distribuoeq), ref: 00402CE1

Strings

Distribuoeq, xrefs: 00402CDB
SYSTEM\CurrentControlSet\Services\, xrefs: 00402CC9
69@, xrefs: 00402D1A

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: 69@$Distribuoeq$SYSTEM\CurrentControlSet\Services\
API String ID: 3905823039-1248136302
Opcode ID: e66b1be437945f124023d56c1bdd6389618300147cf61839c5c59340b3a33dba
Instruction ID: c16f20cbba010059dd829025b88d8e0ac7ec225dfd2f823269786c1a3f48f5c0
Opcode Fuzzy Hash: e66b1be437945f124023d56c1bdd6389618300147cf61839c5c59340b3a33dba
Instruction Fuzzy Hash: 1CF0B43164820CBBDB60C774DD05FE577B8E755701F1005B9A7C9F20C0DDB46A988A54

Function 004045B1 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032,?,00000000), ref: 004046DC
ExitThread.KERNEL32 ref: 004046E6

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Strings

GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404675
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404633
,8@, xrefs: 00404639, 0040467B

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: ,8@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 896407411-2728580657
Opcode ID: 03551809c68347d44f03a8e8098e885f0497282a7a7c0524782b2bd92df2901a
Instruction ID: ed96877d601846c175f9a107851c42ea53cf3a02b77a1f13df8ed6ecda56d954
Opcode Fuzzy Hash: 03551809c68347d44f03a8e8098e885f0497282a7a7c0524782b2bd92df2901a
Instruction Fuzzy Hash: 8B31A4B15142446BE220DB60DD46FFB73ACEF95305F050D3DF645A21C1FA796A08866B

Function 00403F5B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00404073

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000005), ref: 0040405D

Strings

`:@, xrefs: 00403FF0
*:@, xrefs: 00403FCE
<:@, xrefs: 00403FB7

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: *:@$<:@$`:@
API String ID: 896407411-1978189025
Opcode ID: 67827bdd94f09c8e4a8428c72f103af8ad3767357eff487082fd3e5c6fe3f275
Instruction ID: b9c020bd257d16025c789386b94bafe435fe5cc7bb509be09224f6c53715fa15
Opcode Fuzzy Hash: 67827bdd94f09c8e4a8428c72f103af8ad3767357eff487082fd3e5c6fe3f275
Instruction Fuzzy Hash: E82105312443016BE3209B15DD45BAB77E9AFC4705F00483DF789B72D0DAB459088BAB

Function 00401F1C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84librarystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2
lstrlenA.KERNEL32(?), ref: 00401F31

Strings

PlusCtrl.dll, xrefs: 00401CC5

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CloseHandle$LibraryLoadlstrlen
String ID: PlusCtrl.dll
API String ID: 1302537757-3813448905
Opcode ID: 8b81bdb92c0fb83030933092d185a2b517c2c3c20cc09dc9aafab582fb3a248c
Instruction ID: 354abdcd05cd2bf0f73582f64dd16865d1a564750717cbbe5506fc225f074c98
Opcode Fuzzy Hash: 8b81bdb92c0fb83030933092d185a2b517c2c3c20cc09dc9aafab582fb3a248c
Instruction Fuzzy Hash: 673172715483019BE720CF64DD44B6B77E8AB84754F144A3EF991A32E0E738E845CF5A

Function 00403E50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000014), ref: 00403F43
ExitThread.KERNEL32 ref: 00403F55

Strings

`:@, xrefs: 00403F0E
*:@, xrefs: 00403EEC
<:@, xrefs: 00403EDB

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: *:@$<:@$`:@
API String ID: 896407411-1978189025
Opcode ID: 58e52e15e8708b750c7b593d4532e1dc8ecc44a5eaeeec1c10d20306b6376e07
Instruction ID: 1aa1a50a868dfdc426b5470280aee9243670915e3d1e7e507b5142f6f6797285
Opcode Fuzzy Hash: 58e52e15e8708b750c7b593d4532e1dc8ecc44a5eaeeec1c10d20306b6376e07
Instruction Fuzzy Hash: BC21D131644300AFE7249B14DD06BAB77E9EF84704F00493DF289A72D0CBB59E088B9A

Function 00401890 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessTrans), ref: 004018BA

Strings

r:@, xrefs: 00401927
ProcessTrans, xrefs: 004018B4
%u.%u.%u.%u, xrefs: 0040190E
,8@, xrefs: 00401914

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: %u.%u.%u.%u$,8@$ProcessTrans$r:@
API String ID: 190572456-3036480515
Opcode ID: 0d9dd16706f6b930d6d57109fc15d559f869456c61a1f1dd963bc1d5b8d49efc
Instruction ID: a057d568f8cbf7d36185e8a16d9019903c22752d08b1d8e26d53945e98208902
Opcode Fuzzy Hash: 0d9dd16706f6b930d6d57109fc15d559f869456c61a1f1dd963bc1d5b8d49efc
Instruction Fuzzy Hash: 35118EB195020AABDB14DB94CE45EBFB379EF84704F108279BC41B72D5DA389D049BA8

Function 00403070 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

#470.MFC42 ref: 0040308F
#755.MFC42 ref: 0040310B
#2379.MFC42 ref: 00403119

Strings

b8@, xrefs: 004030AB
t8@, xrefs: 00403101

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: #2379#470#755
String ID: b8@$t8@
API String ID: 3024983488-745822901
Opcode ID: bd1fef225f27e3e765584d2d1b50f287eb6c34b8cefa70481d492fc26062ce55
Instruction ID: 23b8168f71ff80b0920836344aa8155c5e6477b8b6503ddd266453aefce758f2
Opcode Fuzzy Hash: bd1fef225f27e3e765584d2d1b50f287eb6c34b8cefa70481d492fc26062ce55
Instruction Fuzzy Hash: 72116D712143019FC214DF39DE49D6B77E9FFC8204F084A2DB5CAD3290DA34E9058A55

Function 00405B70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000F), ref: 00405C26
ExitThread.KERNEL32 ref: 00405C30

Strings

`:@, xrefs: 00405BF2
*:@, xrefs: 00405BD0
<:@, xrefs: 00405BBF

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: ExitSleepThread
String ID: *:@$<:@$`:@
API String ID: 2532117645-1978189025
Opcode ID: 0b160bee8590a9feaa90095d80f7b6cabd1019267ee4be1ece85caba017e34c7
Instruction ID: 4104fc32b431a330129af2c8e51cee684ef8fc9b11a9caa93217bf55ecdcdacd
Opcode Fuzzy Hash: 0b160bee8590a9feaa90095d80f7b6cabd1019267ee4be1ece85caba017e34c7
Instruction Fuzzy Hash: D9116070248301ABE324DB50DE4AF6B77E9EF95704F00092DF689B61D1DBB49D088B5B

Function 004028C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004025E0: EnumResourceNamesA.KERNEL32(00000000,0000000A,Function_000024D0,00000000), ref: 004025EB

Part of subcall function 00402600: lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402613
Part of subcall function 00402600: lstrcatA.KERNEL32(?,Distribuoeq), ref: 00402623

Part of subcall function 00401A00: LoadLibraryA.KERNEL32 ref: 00401A20

Part of subcall function 004012B0: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004012C2

WaitForSingleObject.KERNEL32(00000000,000000FF,Function_00001A40,00000000), ref: 00402944
CloseHandle.KERNEL32(?), ref: 0040294D
Sleep.KERNEL32(0000012C), ref: 00402967

Strings

hra%u.dll, xrefs: 004028D1
,8@, xrefs: 004028D7

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: CloseCreateEnumHandleLibraryLoadNamesObjectResourceSingleSleepThreadWaitlstrcatlstrcpy
String ID: ,8@$hra%u.dll
API String ID: 3019664125-1682502944
Opcode ID: 5ccd0519ab355be5024abd0711c82a46054f02262ec7dfd481542cb7669b5a23
Instruction ID: 46b2761210bd7351e1acdc70686b2ba36b0e2774d37aa7cde017ba267fd11447
Opcode Fuzzy Hash: 5ccd0519ab355be5024abd0711c82a46054f02262ec7dfd481542cb7669b5a23
Instruction Fuzzy Hash: 4401F5712403006BD204EBB0AF4AFAA3364EB88724F10063EF611721E3DEF8A8045B6D

Function 00443468 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 0044348C

Part of subcall function 004434A7: GetTempFileNameA.KERNEL32(?,004434A3,00000000,?), ref: 004434A8
Part of subcall function 004434A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,004434A3,00000000,?), ref: 004434C3
Part of subcall function 004434A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,004434A3,00000000,?), ref: 004434F3
Part of subcall function 004434A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,004434A3,00000000,?), ref: 004434FF
Part of subcall function 004434A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,004434A3), ref: 00443523

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
Instruction ID: bc959381ca3bcfa73c1120829bf83ae050afa175a19b0b92cdb63d3c2636d43d
Opcode Fuzzy Hash: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
Instruction Fuzzy Hash: 9021F0B1145205BFE7215E21CC4EFFB3A2CEF85B01F00411AFA0889181D7B59F44867A

Function 00672768 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 0067278C

Part of subcall function 006727A7: GetTempFileNameA.KERNEL32(?,006727A3,00000000,?), ref: 006727A8
Part of subcall function 006727A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,006727A3,00000000,?), ref: 006727C3
Part of subcall function 006727A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,006727A3,00000000,?), ref: 006727F3
Part of subcall function 006727A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,006727A3,00000000,?), ref: 006727FF
Part of subcall function 006727A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,006727A3), ref: 00672823

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
Instruction ID: 6af56d3432225522c02f73e3ff3821a4a38b09518d09bbeb7386a047aac4b7be
Opcode Fuzzy Hash: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
Instruction Fuzzy Hash: 1A210FB1146346BFE7215A20CC8EFFF3A2DEF85B00F004119FA0889082D7B19E0586B6

Function 004434A7 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,004434A3,00000000,?), ref: 004434A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,004434A3,00000000,?), ref: 004434C3
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,004434A3,00000000,?), ref: 004434F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,004434A3,00000000,?), ref: 004434FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,004434A3), ref: 00443523

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
Instruction ID: 3a629e6072f9c6bb16df19fbd354396c7e6c4d8254eba6e65a016ed8f34d5281
Opcode Fuzzy Hash: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
Instruction Fuzzy Hash: 10116DB1101605FBEB254F21CC4AFFB7A2DEF84B12F004519FA0989190DBF49F5086A9

Function 006727A7 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,006727A3,00000000,?), ref: 006727A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,006727A3,00000000,?), ref: 006727C3
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,006727A3,00000000,?), ref: 006727F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,006727A3,00000000,?), ref: 006727FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,006727A3), ref: 00672823

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
Instruction ID: bdfd10e891f6e390ebcf6749d5b4d690d2ee7f0c7e28dcb32411b4ab6b753b2c
Opcode Fuzzy Hash: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
Instruction Fuzzy Hash: 88116DB1101606FBEB254B20CC49FFB7A2DEF84B10F004519FA0999090DBF59E5196A9

Function 00673826 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127sleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(006774C4), ref: 00673837
Sleep.KERNEL32(0000EA60), ref: 006738A9
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00673959

Strings

qbjpfl.com, xrefs: 00673889

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Sleep$SystemTime
String ID: qbjpfl.com
API String ID: 3773743504-2091053656
Opcode ID: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
Instruction ID: 4211758ff40a2ca534a0b2ac24188528a227c783e851cd5ad888d239e8678c36
Opcode Fuzzy Hash: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
Instruction Fuzzy Hash: 0F41FF71605269BADB349F248C0DBE97B6FAF86710F008429FA0D9E2C1D7F59B01D629

Function 00404079 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 0040418E
ExitThread.KERNEL32 ref: 0040419B

Strings

*:@, xrefs: 004040F0
<:@, xrefs: 004040CE

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: ExitSleepThread
String ID: *:@$<:@
API String ID: 2532117645-1525120602
Opcode ID: 489a674434dd79bd1cd95d87094fd23d0865ee3d3cf51ba8a6b23f5a7c25bf35
Instruction ID: 67d8ddba5409ffce38fdec036543afa66e7020f410cbc9efe6a496dc460af4ba
Opcode Fuzzy Hash: 489a674434dd79bd1cd95d87094fd23d0865ee3d3cf51ba8a6b23f5a7c25bf35
Instruction Fuzzy Hash: C231F171604300ABE3109F24ED49BEF77A5EFA5311F00853DF68AA73D1CA789949CB5A

Function 00404B8D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,00000000), ref: 00404C70
ExitThread.KERNEL32 ref: 00404C7D

Strings

,8@, xrefs: 00404BD2
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404C1E

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: ExitSleepThread
String ID: ,8@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 2532117645-1548460504
Opcode ID: b4116cea720f3c054be25ad523dc78a633388379998c86f4e6064588cdf672b1
Instruction ID: fcf92245488759253a7268ef054163d6874dfe110737c38e6750fee933bc3a6f
Opcode Fuzzy Hash: b4116cea720f3c054be25ad523dc78a633388379998c86f4e6064588cdf672b1
Instruction Fuzzy Hash: 7821A571104340AFD324DB24DD45FEB73A8EFD6305F014A2DF285A7180EB7566098BAB

Function 00441DCE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

__common_dcos_data.LIBCMT ref: 00441E01
GetModuleHandleA.KERNEL32(0019FF0C), ref: 00441E3D
GetProcAddress.KERNEL32(00000000,00441ED6), ref: 00441E48

Strings

.DLL, xrefs: 00441E33

Memory Dump Source

Source File: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc__common_dcos_data
String ID: .DLL
API String ID: 2806178913-899428287
Opcode ID: 43ccb803021d9cfd7693e2714fab7b3bfa06ff211f52309e9f9144216690baaa
Instruction ID: 27e8e2f27e7d1009793519ea9f8ab49cdfe6ad0291ff4d1aa577e2838c473262
Opcode Fuzzy Hash: 43ccb803021d9cfd7693e2714fab7b3bfa06ff211f52309e9f9144216690baaa
Instruction Fuzzy Hash: 73010474102106EAFB658F6CC549BEA3BA8EF05342F200006ED1A8B525C778AED1C69E

Function 00403E00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

Strings

\Program Files\Internet Explorer\iexplore.exe, xrefs: 00403E1A

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: DirectorySystemlstrcatlstrcpy
String ID: \Program Files\Internet Explorer\iexplore.exe
API String ID: 2630975639-1907246925
Opcode ID: b65ced3afa1010b117ea438fd43ae358f07f39bee29bead101c46353a56f49ca
Instruction ID: 9106fefdb625428a61e5fc355ea8c8d419b7259a9281d561dea26b2b043bae92
Opcode Fuzzy Hash: b65ced3afa1010b117ea438fd43ae358f07f39bee29bead101c46353a56f49ca
Instruction Fuzzy Hash: 5CE086F454C341ABD710D764DE48FAA77E4BB94305F45492CB6C9D2190D6B89058CB1A

Function 004046EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,TerminateProcess), ref: 0040470A
GetProcAddress.KERNEL32(00000000), ref: 00404711

Strings

TerminateProcess, xrefs: 00404700
kernel32.dll, xrefs: 00404705

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: TerminateProcess$kernel32.dll
API String ID: 2574300362-189552057
Opcode ID: b5eaaf0141d6078d17560b1a0c42e59a086fb3de11d860db1d2ac48d1d58cc35
Instruction ID: 6234211f27a0ee7e56edea027cbfabecb5e332b867d42f8a1c4da6211805d416
Opcode Fuzzy Hash: b5eaaf0141d6078d17560b1a0c42e59a086fb3de11d860db1d2ac48d1d58cc35
Instruction Fuzzy Hash: B8C08CB2781300DAC6407BE0BE496A57711E2CAB27330003BFA02F10E0CE3A00148B2D

Function 004012D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 004012EA
GetProcAddress.KERNEL32(00000000), ref: 004012F1

Strings

kernel32.dll, xrefs: 004012E5
SizeofResource, xrefs: 004012E0

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SizeofResource$kernel32.dll
API String ID: 2574300362-1445693867
Opcode ID: 4b093c2f19e2f6703a235c920fd83a05b68be8ff96e2aabb20befe6985bddcc5
Instruction ID: 95eb9911caf4fa21a6ef5e617abe4a02a41252af43e6d184f25434936a232e00
Opcode Fuzzy Hash: 4b093c2f19e2f6703a235c920fd83a05b68be8ff96e2aabb20befe6985bddcc5
Instruction Fuzzy Hash: 48C09B70581300DBC7407BE07F0D60637555645B41312407F7C47F11F0CEB910155B1D

Function 00402970 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 151sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00402A2D
Sleep.KERNEL32(000001F4), ref: 00402A80
Sleep.KERNEL32(000001F4), ref: 00402AD4

Strings

H9@, xrefs: 00402993

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: H9@
API String ID: 3472027048-4187015488
Opcode ID: e1895029d93275b0449bae78078f8bc4f68a4563e2c20b19454be42c37018b9e
Instruction ID: ed3428e1d1f1db40b83d8743f65f7dc7aa56edce5a66b806c87c14721956b620
Opcode Fuzzy Hash: e1895029d93275b0449bae78078f8bc4f68a4563e2c20b19454be42c37018b9e
Instruction Fuzzy Hash: 0F21C9B22802259BD300DF95EF08B567BA9E754759F20807EE684F62E1CEFA50449FDC

Function 006710CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(03E5F97C), ref: 0067113D
GetProcAddress.KERNEL32(00000000,006711D6), ref: 00671148

Strings

.DLL, xrefs: 00671133

Memory Dump Source

Source File: 00000006.00000002.2050972089.0000000000670000.00000040.10000000.00040000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_670000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
Instruction ID: 1e052ee506a7e669b4a93951546a789fcd28c83ced4bbab1421192bc98a56967
Opcode Fuzzy Hash: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
Instruction Fuzzy Hash: 04012630215006FACB659F2CC8096EA37AEEF06341F80C106EA1D8F216C770DF91C695

Function 00401A00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00401A20

Strings

hra%u.dll, xrefs: 00401A0C
,8@, xrefs: 00401A12

Memory Dump Source

Source File: 00000006.00000002.2049939943.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2049899874.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2049979890.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050050665.0000000000408000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050091522.0000000000419000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050321266.000000000041F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050425295.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050468907.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050504265.000000000042A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050545876.0000000000430000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050587934.0000000000432000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050631729.0000000000438000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050668797.000000000043A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.2050704877.0000000000440000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrlBCB3.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ,8@$hra%u.dll
API String ID: 1029625771-1682502944
Opcode ID: 35d89bcc790b1656c578160c71392fb5b744eb91aab05cf506bcb9e0b22284b5
Instruction ID: d94e0402731fb128af6b950281fe7e8085e8897a8f6bb0695ae2b7902bddec47
Opcode Fuzzy Hash: 35d89bcc790b1656c578160c71392fb5b744eb91aab05cf506bcb9e0b22284b5
Instruction Fuzzy Hash: C3D0A77059020567C710A770ED4AEA633646B50700F444A3D7686D10D0EABD815CC689

Analysis Process: rundll32.exePID: 7600, Parent PID: 7300COMMON

Execution Graph

Execution Coverage:	32%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	138
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001193 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 104
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 10001265
RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

Strings

hrl, xrefs: 10001218
D, xrefs: 10001294

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$CloseFileHandle$CreateTemp$FindLoadLockMemoryNamePathProcessSizeofWriteZero
String ID: D$hrl
API String ID: 3860286866-1539874146
Opcode ID: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction ID: 7e218033b22d9d8325d54e1b04e0e1002b9ec3418c8ade03e82d96821e86f301
Opcode Fuzzy Hash: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction Fuzzy Hash: 0A31E8B1D01228ABEB11EFA0CC8CEEE7BBDEB49791F104566F605E2165D7344A54CB60

Function 10001A32 Relevance: 10.6, APIs: 7, Instructions: 55
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000001,10003018,00000104), ref: 10001A4F
DisableThreadLibraryCalls.KERNEL32(00000001), ref: 10001A56

Part of subcall function 10001134: FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
Part of subcall function 10001134: SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
Part of subcall function 10001134: LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
Part of subcall function 10001134: LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
Part of subcall function 10001134: lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Part of subcall function 10001338: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
Part of subcall function 10001338: PathFindFileNameW.SHLWAPI(?), ref: 1000135C
Part of subcall function 10001338: PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
Part of subcall function 10001338: lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10001A8E

Part of subcall function 100012BD: CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7

Part of subcall function 10001193: FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
Part of subcall function 10001193: SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
Part of subcall function 10001193: LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
Part of subcall function 10001193: LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
Part of subcall function 10001193: GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
Part of subcall function 10001193: GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
Part of subcall function 10001193: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
Part of subcall function 10001193: WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
Part of subcall function 10001193: CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 10001265
Part of subcall function 10001193: RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
Part of subcall function 10001193: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

SetEvent.KERNEL32(?), ref: 10001ABA
WaitForSingleObject.KERNEL32(000000FF), ref: 10001AC8
CloseHandle.KERNEL32 ref: 10001ADA
CloseHandle.KERNEL32 ref: 10001AE2

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$File$CloseHandle$CreateFindName$Path$EventLoadLockModuleSizeofTemp$CallsDisableExtensionLibraryMemoryMutexObjectProcessSingleThreadWaitWriteZerolstrcmpilstrcpyn
String ID:
API String ID: 3535865480-0
Opcode ID: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction ID: ffd36879a7497b368e77efcd0eb173f2275a3137c17b7fd903d544f692c8100a
Opcode Fuzzy Hash: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction Fuzzy Hash: 78115B34606332AAF612EBA18C89BCF3BACEF023E5F118116F554D10ADDB609950CA63

Function 100010CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 100010E3
lstrcatW.KERNEL32(?,\lpk), ref: 100010F5
LoadLibraryW.KERNELBASE(?), ref: 10001102

Part of subcall function 1000101F: RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

\lpk, xrefs: 100010E9

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: DirectoryLibraryLoadMemoryMoveSystemlstrcat
String ID: \lpk
API String ID: 3372298440-336436324
Opcode ID: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction ID: be4007e3f20e417fa77d5d5c324e07ec6705456ad939ec99c1b7038da3bba866
Opcode Fuzzy Hash: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction Fuzzy Hash: B2E0127480032A9BFB50EBB08C8EAC777BCE704381F000562E755D206AEF74D585CB50

Function 100012F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00000104), ref: 10001311
PathFindFileNameW.SHLWAPI(?), ref: 1000131E
lstrcmpiW.KERNELBASE(00000000,lpk.dll), ref: 1000132A

Strings

lpk.dll, xrefs: 10001324

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: FileName$FindModulePathlstrcmpi
String ID: lpk.dll
API String ID: 1239673384-3066363995
Opcode ID: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction ID: 2c49bb99bc8642171fc9961312980d4ab0a4eef97db440158d685f58edb63067
Opcode Fuzzy Hash: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction Fuzzy Hash: 35E0127554032D6BEB116B70CC8DDD7376CA700745F004251F65AD20BADA74958DCF50

Function 100019E6 Relevance: 6.0, APIs: 4, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,100018D3,00000000,00000004,00000000), ref: 100019F4
SetThreadPriority.KERNELBASE(00000000,000000F1), ref: 10001A02
ResumeThread.KERNELBASE ref: 10001A12
TerminateThread.KERNEL32(00000000), ref: 10001A24

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$CreatePriorityResumeTerminate
String ID:
API String ID: 2154424394-0
Opcode ID: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction ID: e961737a7aae76fd0c4580525259ff7f5de2b8d71232f79ea42e210bb63285d4
Opcode Fuzzy Hash: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction Fuzzy Hash: AFE07570502230BAFA119B769C8CB873F6AEB076F1B554316F62E915BAC7204581CBA1

Function 100012BD Relevance: 4.5, APIs: 3, Instructions: 24
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7
GetLastError.KERNEL32(00000001,?,10001A74), ref: 100012D7
CloseHandle.KERNEL32(00000000,?,10001A74), ref: 100012EB

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction ID: 226164d0f01b805de613a55782abc57cedde5fe5c7c82aa8690d380dee59acf0
Opcode Fuzzy Hash: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction Fuzzy Hash: 1BD05E3660873067F212937CBC0CB8F2A35EBC5BF2F128265FE4AD229CCB24490685D5

Function 10001000 Relevance: 3.0, APIs: 2, Instructions: 8
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
ExitProcess.KERNEL32 ref: 10001016

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: AddressExitProcProcess
String ID:
API String ID: 2796388413-0
Opcode ID: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction ID: 5188076986118a0aee3e910be33b50d7ca781def4220dbbbf73b176a37f9c490
Opcode Fuzzy Hash: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction Fuzzy Hash: F6C04C35104261ABFA11AB618E8CB067B66AB547D1B114215E255800BED6318450EA15

Non-executed Functions

Function 10001677 Relevance: 54.4, APIs: 26, Strings: 5, Instructions: 172
stringfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 1000168F
lstrcpyW.KERNEL32(?,A:\,0000EA60,75BF73E0), ref: 100016C2
lstrcpyW.KERNEL32(?,?), ref: 100016DF
PathAppendW.SHLWAPI(?,10002374), ref: 100016F3
FindFirstFileW.KERNEL32(?,?), ref: 10001703
PathFindExtensionW.SHLWAPI(?), ref: 100017CA
lstrcmpiW.KERNEL32(00000000,.EXE), ref: 100017E1
lstrcpyW.KERNEL32(?,?), ref: 100017F5
PathAppendW.SHLWAPI(?,lpk.dll), ref: 10001803
GetFileAttributesW.KERNEL32(?), ref: 1000180C
CopyFileW.KERNEL32(10003018,?,00000001), ref: 10001829
SetFileAttributesW.KERNEL32(?,00000007), ref: 10001838
lstrcmpiW.KERNEL32(100015A2,.RAR), ref: 10001846
lstrcmpiW.KERNEL32(100015A2,.ZIP), ref: 10001854
lstrcpyW.KERNEL32(?,?), ref: 1000187D
PathAppendW.SHLWAPI(?,?), ref: 1000188D
WaitForSingleObject.KERNEL32(00000014), ref: 100018A4
FindNextFileW.KERNEL32(100015A2,?), ref: 100018BF

Strings

lpk.dll, xrefs: 100017F7
.RAR, xrefs: 1000183E
.ZIP, xrefs: 1000184C
A:\, xrefs: 100016BC
.EXE, xrefs: 100017DB

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: File$Pathlstrcpy$AppendFindlstrcmpi$AttributesObjectSingleWait$CopyExtensionFirstNext
String ID: .EXE$.RAR$.ZIP$A:\$lpk.dll
API String ID: 3771388200-3932496361
Opcode ID: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction ID: 14b84c573bc6bfc0103a48903cae28372ea9a580d345985b263a6e171d24a783
Opcode Fuzzy Hash: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction Fuzzy Hash: 5651DDB290022DAAEB10DBA4CC88BDE77BDEB44390F1445A6E605E2055DB75DB84CFA0

Function 1000142B Relevance: 38.6, APIs: 14, Strings: 8, Instructions: 129
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHRegGetValueW.SHLWAPI(80000000,WinRAR\shell\open\command,00000000,00000002,00000000,?,?), ref: 10001456
lstrcpyW.KERNEL32(00000022,?), ref: 10001485
StrStrIW.SHLWAPI(00000022,1000230C), ref: 10001498
PathRemoveFileSpecW.SHLWAPI(00000022), ref: 100014B2
PathAppendW.SHLWAPI(00000022,rar.exe), ref: 100014C4
GetFileAttributesW.KERNEL32(00000022), ref: 100014D1
PathGetShortPath.SHELL32(00000022), ref: 100014E9
GetTempPathW.KERNEL32(00000104,?), ref: 100014FB
GetCurrentThreadId.KERNEL32 ref: 10001508
GetTempFileNameW.KERNEL32(?,IRAR,00000000), ref: 1000151B
wsprintfW.USER32 ref: 10001544

Part of subcall function 10001398: RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
Part of subcall function 10001398: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
Part of subcall function 10001398: GetLastError.KERNEL32 ref: 100013DB

wsprintfW.USER32 ref: 10001580

Part of subcall function 10001398: WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
Part of subcall function 10001398: TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
Part of subcall function 10001398: GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 1000141E
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 10001423

Part of subcall function 10001677: WaitForSingleObject.KERNEL32(00000000), ref: 1000168F

wsprintfW.USER32 ref: 100015C0
wsprintfW.USER32 ref: 100015E6

Strings

rar.exe, xrefs: 100014B8
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll", xrefs: 100015BA
"%s" x "%s" *.exe "%s\", xrefs: 1000157A
", xrefs: 10001464
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll", xrefs: 1000153E
IRAR, xrefs: 1000150F
cmd /c RD /s /q "%s", xrefs: 100015E0
WinRAR\shell\open\command, xrefs: 10001445

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Path$wsprintf$FileProcess$CloseHandleObjectSingleTempWait$AppendAttributesCodeCreateCurrentErrorExitLastMemoryNameRemoveShortSpecTerminateThreadValueZerolstrcpy
String ID: "$"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"$"%s" x "%s" *.exe "%s\"$IRAR$WinRAR\shell\open\command$cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"$cmd /c RD /s /q "%s"$rar.exe
API String ID: 2025278562-176847598
Opcode ID: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction ID: 53c986b37aabe2969284ac0dd55f15aa40eaa0efec7de0ac8071c71bfebae4df
Opcode Fuzzy Hash: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction Fuzzy Hash: 1041C4B690021DAAEF10DB90CD48EDA77BCEB44340F1045A2B619D6055E674EB85CFB1

Function 1000101F Relevance: 21.0, APIs: 1, Strings: 11, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001000: GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
Part of subcall function 10001000: ExitProcess.KERNEL32 ref: 10001016

RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

LpkEditControl, xrefs: 10001049
LpkPSMTextOut, xrefs: 1000109B
LpkInitialize, xrefs: 1000108C
LpkTabbedTextOut, xrefs: 1000101F
LpkGetCharacterPlacement, xrefs: 1000106E
LpkGetTextExtentExPoint, xrefs: 1000107D
LpkExtTextOut, xrefs: 10001064
LpkUseGDIWidthCache, xrefs: 100010AA
LpkDllInitialize, xrefs: 10001029
LpkDrawTextEx, xrefs: 10001038
ftsWordBreak, xrefs: 100010B9

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: AddressExitMemoryMoveProcProcess
String ID: LpkDllInitialize$LpkDrawTextEx$LpkEditControl$LpkExtTextOut$LpkGetCharacterPlacement$LpkGetTextExtentExPoint$LpkInitialize$LpkPSMTextOut$LpkTabbedTextOut$LpkUseGDIWidthCache$ftsWordBreak
API String ID: 598812106-3128392633
Opcode ID: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction ID: aa075801c4fef1efc4910219ef897301fe87f4caca160f87edb01903a9b0afcb
Opcode Fuzzy Hash: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction Fuzzy Hash: 48015474C0239065FB27EFB14D95BCA3B54E7196C1F10C515F3446712EDBB470849B59

Function 100018D3 Relevance: 16.6, APIs: 11, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000060), ref: 100018E6
DriveType.SHELL32(00000002), ref: 10001902
CreateThread.KERNEL32(00000000,00000000,10001677,00000002,00000004,00000000), ref: 1000191D
SetThreadPriority.KERNEL32(00000000,000000F1), ref: 10001930
ResumeThread.KERNEL32(?), ref: 1000193D
TerminateThread.KERNEL32(?,00000000), ref: 10001956
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,00000000), ref: 10001975
RtlZeroMemory.KERNEL32(?,00000060), ref: 10001989
CloseHandle.KERNEL32(?), ref: 10001997
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 100019C0
CloseHandle.KERNEL32(?), ref: 100019D0

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$CloseHandleMemoryMultipleObjectsWaitZero$CreateDrivePriorityResumeTerminateType
String ID:
API String ID: 1898017378-0
Opcode ID: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction ID: a0013d5da517d4d5a33f6e42946cb667d24e2e6983c8dbf7389f749baf9380a9
Opcode Fuzzy Hash: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction Fuzzy Hash: A631B671540721ABF712EB20CC98BAB7BEEEF807D0F500615F6A6D10A9C772C945C762

Function 10001398 Relevance: 12.1, APIs: 8, Instructions: 54
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
GetLastError.KERNEL32 ref: 100013DB
WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
CloseHandle.KERNEL32(?), ref: 1000141E
CloseHandle.KERNEL32(?), ref: 10001423

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CloseHandle$CodeCreateErrorExitLastMemoryObjectSingleTerminateWaitZero
String ID:
API String ID: 479851863-0
Opcode ID: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction ID: 7f4f93b674e2ec955674b2195e50ebeabb8675a41d593902dc04bf7fa736d272
Opcode Fuzzy Hash: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction Fuzzy Hash: 4411E271900229EBEB01EFE1CD88ADE7FB9EF08791F104011EA05A6169D6319A54DBA1

Function 10001606 Relevance: 9.0, APIs: 6, Instructions: 43
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 1000160C
GetTickCount.KERNEL32 ref: 1000161C
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001634
GetTickCount.KERNEL32 ref: 1000163D
GetLogicalDrives.KERNEL32 ref: 10001650
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001663

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: CountDrivesLogicalObjectSingleTickWait
String ID:
API String ID: 42545375-0
Opcode ID: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction ID: 3f6e6b7f54fa11ca4b0782ed1666a21edfd725203009cfb413e51542acf73e8d
Opcode Fuzzy Hash: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction Fuzzy Hash: 56F0F6319083259FF700EF30ECC886FBBEDEB802D5B25492FF500C2158C632AC049A61

Function 10001338 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
PathFindFileNameW.SHLWAPI(?), ref: 1000135C
PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

Strings

.TMP, xrefs: 10001381

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: FileFindNamePath$ExtensionModulelstrcmpi
String ID: .TMP
API String ID: 597247504-614523329
Opcode ID: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction ID: 1fd35f4ed13ad4ccd143400fde8a975121882a3ba8c08806c051296bf98cdfa8
Opcode Fuzzy Hash: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction Fuzzy Hash: 43F03760A003159AFB50AF608D4DED737FCEB003C5F028555E559D74AAEBF4CAC9CA60

Function 10001134 Relevance: 7.5, APIs: 5, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Memory Dump Source

Source File: 0000000E.00000002.1862349599.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000E.00000002.1862322787.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862377372.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000E.00000002.1862408208.0000000010032000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindLoadLockSizeoflstrcpyn
String ID:
API String ID: 3315616855-0
Opcode ID: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction ID: 8471c72c1caef8166e4ab4b94a4b144f79c53e762d3decfbeebc5ecea59f4515
Opcode Fuzzy Hash: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction Fuzzy Hash: 99F01C35A01334BBFB261BA59CCCF973FADEB497D5F01C126FA05D21A9DA21C815C660

Analysis Process: hrlC86B.tmpPID: 7616, Parent PID: 7600COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	920
Total number of Limit Nodes:	2

Executed Functions

Function 0043A12D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 288
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0043A1BE
GetVersion.KERNEL32 ref: 0043A200
VirtualAlloc.KERNEL32(00000000,00007700,08001000,00000040), ref: 0043A228
CloseHandle.KERNEL32(?), ref: 0043A2AD

Strings

\BaseNamedObjects\efdtVt, xrefs: 0043A408
\BaseNamedObjects\efdtVt, xrefs: 0043A409, 0043A42C, 0043A43A
csrs, xrefs: 0043A52C

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\efdtVt$\BaseNamedObjects\efdtVt$csrs
API String ID: 3017432202-3386149195
Opcode ID: 22d3e82089374ac7a237ea7e7317fc585ff863e214d8247a786dd423991af1dd
Instruction ID: 4187f11468114e6316a54af968f4e5266a5e2a818104814e1d3eb392c5f2ad24
Opcode Fuzzy Hash: 22d3e82089374ac7a237ea7e7317fc585ff863e214d8247a786dd423991af1dd
Instruction Fuzzy Hash: 34B1E131544209FFEB219F21C80ABEA3BA9EF48314F10111AED499E181C7F99F65DB5A

Function 0077042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 288
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 007704BE
GetVersion.KERNEL32 ref: 00770500
VirtualAlloc.KERNEL32(00000000,00007700,08001000,00000040), ref: 00770528
CloseHandle.KERNELBASE(?), ref: 007705AD

Strings

csrs, xrefs: 0077082C
\BaseNamedObjects\efdtVt, xrefs: 00770709, 0077072C, 0077073A
\BaseNamedObjects\efdtVt, xrefs: 00770708

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\efdtVt$\BaseNamedObjects\efdtVt$csrs
API String ID: 3017432202-3386149195
Opcode ID: 22d3e82089374ac7a237ea7e7317fc585ff863e214d8247a786dd423991af1dd
Instruction ID: 4160d38961329fb6e86b5968237cd46cf5f319c8a446f393f5209874883a3951
Opcode Fuzzy Hash: 22d3e82089374ac7a237ea7e7317fc585ff863e214d8247a786dd423991af1dd
Instruction Fuzzy Hash: CAB1AD71604249FFEF219F20CC09BAA3BA9EF44751F108128E90D9E181D7F89F65CB99

Function 0043A2F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(?), ref: 0043A2AD
GetModuleHandleA.KERNEL32(0043A2EC), ref: 0043A2F2
lstrcpyW.KERNEL32(\BaseNamedObjects\efdtVt,\BaseNamedObjects\efdtVt,?,?,?,?), ref: 0043A40A
lstrcpyW.KERNEL32(\BaseNamedObjects\efdtVt,?), ref: 0043A42D
lstrcatW.KERNEL32(\BaseNamedObjects\efdtVt,\efdtVt), ref: 0043A43B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00007700,00000000,?,00000002,00000000,00000040), ref: 0043A46B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 0043A486
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 0043A4C9
Process32First.KERNEL32 ref: 0043A4DC
Process32Next.KERNEL32 ref: 0043A4ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0043A505
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 0043A542
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0043A55D
CloseHandle.KERNEL32 ref: 0043A56C

Strings

\BaseNamedObjects\efdtVt, xrefs: 0043A408
\BaseNamedObjects\efdtVt, xrefs: 0043A409, 0043A42C, 0043A43A
csrs, xrefs: 0043A52C

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\efdtVt$\BaseNamedObjects\efdtVt$csrs
API String ID: 1545766225-3386149195
Opcode ID: b80840481bd6fa648c05abe5e70a58048cd08bfd6fe9004e40a44a992f3d704a
Instruction ID: 160871b153d0c7b58bcf956f1b3bd5d25be170d186cc29c7235f6c04d49bf4de
Opcode Fuzzy Hash: b80840481bd6fa648c05abe5e70a58048cd08bfd6fe9004e40a44a992f3d704a
Instruction Fuzzy Hash: 5F71DE31180205FFDB209F52C849BAE3B6DEF48315F10202AEC498E191C7B99F25DB5E

Function 007705F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 007705AD
GetModuleHandleA.KERNEL32(007705EC), ref: 007705F2
lstrcpyW.KERNEL32(\BaseNamedObjects\efdtVt,\BaseNamedObjects\efdtVt,?,?,?,?), ref: 0077070A
lstrcpyW.KERNEL32(\BaseNamedObjects\efdtVt,?), ref: 0077072D
lstrcatW.KERNEL32(\BaseNamedObjects\efdtVt,\efdtVt), ref: 0077073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00007700,00000000,?,00000002,00000000,00000040), ref: 0077076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00770786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 007707C9
Process32First.KERNEL32 ref: 007707DC
Process32Next.KERNEL32 ref: 007707ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00770805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00770842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0077085D
CloseHandle.KERNEL32 ref: 0077086C

Strings

csrs, xrefs: 0077082C
\BaseNamedObjects\efdtVt, xrefs: 00770709, 0077072C, 0077073A
\BaseNamedObjects\efdtVt, xrefs: 00770708

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\efdtVt$\BaseNamedObjects\efdtVt$csrs
API String ID: 1545766225-3386149195
Opcode ID: b80840481bd6fa648c05abe5e70a58048cd08bfd6fe9004e40a44a992f3d704a
Instruction ID: a1dfc28b9d0a3a642b7bfd43967887f720debc5181bdbb3d4f8ad81e71380390
Opcode Fuzzy Hash: b80840481bd6fa648c05abe5e70a58048cd08bfd6fe9004e40a44a992f3d704a
Instruction Fuzzy Hash: EF719871200209FFDF219F10C849BAE3BADEF44791F148128ED0D9E191C7B8AF659B99

Function 0043C1AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
stringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\efdtVt), ref: 0043C1BA
lstrlenW.KERNEL32(?), ref: 0043C1C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 0043C216

Strings

\BaseNamedObjects\efdtVt, xrefs: 0043C1B8

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\efdtVt
API String ID: 2597515329-1229419330
Opcode ID: f1bad5ccbbd6d7462f27998acb1e7a99e32c5000d9e2d29f5668c81a6c7e7ee2
Instruction ID: b6b617a7670358c3591343260a5f2e89dffb7588324772433f9655870b0b696f
Opcode Fuzzy Hash: f1bad5ccbbd6d7462f27998acb1e7a99e32c5000d9e2d29f5668c81a6c7e7ee2
Instruction Fuzzy Hash: DC0181B0790304BAF7305B29CC4BF5B7969DF81B50F548158F718AE1C4DAB89A0483A9

Function 0077116F Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 275
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00771162,00770796,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 0077116F

Part of subcall function 00771196: GetProcAddress.KERNEL32(00000000,00771180), ref: 00771197

Strings

\efdtVt, xrefs: 007711C6

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: \efdtVt
API String ID: 2574300362-1801957270
Opcode ID: e73e629452e6669cffb749185899648472d8ec9f8d424b90bf8abee80f8f6073
Instruction ID: 482911f7ced62ee26f058ea1ad19ec8fa6e44874b5e05b9c75c53c5f3663b96c
Opcode Fuzzy Hash: e73e629452e6669cffb749185899648472d8ec9f8d424b90bf8abee80f8f6073
Instruction Fuzzy Hash: D791CE62E581D18BCF33CB7C4465AD5BF61AA033907CD89CFC1855F4B3CA1AD91A830A

Function 0077252F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 0077255E

Strings

\BaseNamedObjects\efdtVt, xrefs: 0077254B

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\efdtVt
API String ID: 1950954290-1229419330
Opcode ID: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
Instruction ID: be79e926c7ba3cdd2c7dd474d1815d54d5159c487d34c6ebacd093897ac0aaf8
Opcode Fuzzy Hash: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
Instruction Fuzzy Hash: 75E09AF17402063AFB288A29CC17FA7228DCB80602F0C8604F918DA080E5B4AB108268

Function 00772574 Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0077252F: NtOpenSection.NTDLL(?,0000000E), ref: 0077255E

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B700,00000000,?,00000002,00100000,00000040), ref: 007725A4
CloseHandle.KERNELBASE(00000000,0000B700,00000000,?,00000002,00100000,00000040,00000000,0000B700,00000000,?,00770815), ref: 007725AC

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
Instruction ID: c0fc48932364244cc006778cce0d7e7e77f284fd433a252cdda6ada2135199ae
Opcode Fuzzy Hash: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
Instruction Fuzzy Hash: FE214170300645FBDF24EE25CC56FA97369BF807C4F404118F42D8E296DBB5AE26C618

Function 00771422 Relevance: 3.0, APIs: 2, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 0077145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0077146A

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
Instruction ID: d6f38f481fcad269b120698a2c1356ff37e0dff7a02be2eff211d383f83c851a
Opcode Fuzzy Hash: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
Instruction Fuzzy Hash: F8F0E932542010BBD6201B42CC8EED73E28EF533A0F040455F4484E151C2624BA1D3F4

Function 00772477 Relevance: 3.0, APIs: 2, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 0077249B
NtWriteVirtualMemory.NTDLL ref: 007724A4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A

Function 0077144A Relevance: 3.0, APIs: 2, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 0077145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0077146A

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
Instruction ID: 47fd2fdfef69c01f2383a78087d1294dd7e4f4bd71475d1ca0affc6c0d2f20e2
Opcode Fuzzy Hash: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
Instruction Fuzzy Hash: 1BD06771643034BBD6312A568C0EEE77D1DEF577A0F015441F9089A1A1C5A28EA1C6F5

Function 007707AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62
processthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0077144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 0077145A
Part of subcall function 0077144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0077146A

CloseHandle.KERNELBASE(?), ref: 007705AD
FreeLibrary.KERNELBASE(75A70000,?,0077079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 007707B8
CloseHandle.KERNELBASE(?,?,0077079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 007707BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 007707C9
Process32First.KERNEL32 ref: 007707DC
Process32Next.KERNEL32 ref: 007707ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00770805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00770842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0077085D
CloseHandle.KERNEL32 ref: 0077086C

Strings

csrs, xrefs: 0077082C

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
Instruction ID: 8e4b922132b0bede063b84f0d326b0bc1b3e89ce6544eda6767255f51ed2aa71
Opcode Fuzzy Hash: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
Instruction Fuzzy Hash: C5112E31606205FBEF256E21CC49FBF3A6DEF44741F00412DFD4A99051D6B89A019AAA

Function 007705BA Relevance: 1.3, APIs: 1, Instructions: 7
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000000A,0077085C,?,00000000,00000000,-00003BD0,00000002,00000000,?,00000000), ref: 007705C1

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction ID: 21910e19a88f3ad15fec06206bfa6c778578457ab20bde61ee79dfa8db7cfedf
Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction Fuzzy Hash: 29B01228240301D5DE140910440DF0516247F01B91FE04059E20E4C0C007EC07101C99

Non-executed Functions

Function 00403160 Relevance: 64.9, APIs: 14, Strings: 23, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,74DEF550,74DF0BD0,00000072), ref: 0040317B
GetComputerNameA.KERNEL32 ref: 00403192
lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 004031AB
strstr.MSVCRT ref: 00403214
strstr.MSVCRT ref: 00403242
strstr.MSVCRT ref: 00403265
lstrcpyA.KERNEL32(?,Windows NT), ref: 00403304
lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040332D
GlobalMemoryStatusEx.KERNEL32(?), ref: 004033B5
lstrcpyA.KERNEL32(?,20108K), ref: 004033F1
GetTickCount.KERNEL32 ref: 004033FC

Strings

%u MHz, xrefs: 0040339D
69@, xrefs: 004031C7, 00403347
Windows NT, xrefs: 004032F8
%u MB, xrefs: 004033DA
Vista, xrefs: 0040328A
@, xrefs: 0040318A
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00403326
~MHz, xrefs: 00403365
ProductName, xrefs: 004031E5
Windows 2003, xrefs: 00403274
Windows 7, xrefs: 004032F0
Windows XP, xrefs: 00403251
,8@, xrefs: 00403390
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004031A5
Windows 2000, xrefs: 00403223
Windows 2008, xrefs: 004032CA
2008, xrefs: 004032B1
20108K, xrefs: 004033EB
Windows Vista, xrefs: 0040329F
$9@, xrefs: 004031F3, 0040337B
2003, xrefs: 0040325F
2000, xrefs: 0040320E
@, xrefs: 004033AC

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: lstrcpy$strstr$ComputerCountGlobalInfoLocaleMemoryNameStatusTick
String ID: $9@$%u MB$%u MHz$,8@$2000$2003$2008$20108K$69@$@$@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 2000$Windows 2003$Windows 2008$Windows 7$Windows NT$Windows Vista$Windows XP$~MHz
API String ID: 13981014-3249776645
Opcode ID: b890d30ee0b0790192ef3d330c4cc97dd10b39269747d7349394549379db7efe
Instruction ID: 796351ffad0513cd72b75cf0597ba2326a6d71879f4fa0a8f8748fb66bcde97c
Opcode Fuzzy Hash: b890d30ee0b0790192ef3d330c4cc97dd10b39269747d7349394549379db7efe
Instruction Fuzzy Hash: EC617570144305AFD310DF60DE85FAB7BACAB88745F10493EF685B21D0EA78A609CB6D

Function 00773BD5 Relevance: 33.7, APIs: 16, Strings: 3, Instructions: 472libraryloaderCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(007769E2,00000104), ref: 00773C39
GetProcAddress.KERNEL32(00000000,00000002), ref: 00773C6C
GetProcAddress.KERNEL32(00000000,00773CD9), ref: 00773CE4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00773CF7
GetTickCount.KERNEL32 ref: 00773D2B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00776E36,00000000,00000000,00000000,00000000), ref: 00773DFD

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157
ADVAPI32.DLL, xrefs: 00773CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00773EA4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
String ID: ADVAPI32.DLL$C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3969011833-1059168852
Opcode ID: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
Instruction ID: b0360265198ffa01a6366c5499de1f4a7cf691613eec2891ed29141d83634cfc
Opcode Fuzzy Hash: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
Instruction Fuzzy Hash: D2F10471519248FEDF25AF24CC4ABEA3BACEF42340F008519E8599F082D7F85F4597A6

Function 00773C5A Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 417libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00773C52), ref: 00773C5A
GetProcAddress.KERNEL32(00000000,00000002), ref: 00773C6C
GetProcAddress.KERNEL32(00000000,00773CD9), ref: 00773CE4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00773CF7
GetTickCount.KERNEL32 ref: 00773D2B

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157
ADVAPI32.DLL, xrefs: 00773CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00773EA4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: ADVAPI32.DLL$C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2837544101-1059168852
Opcode ID: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
Instruction ID: 813e6e0d6f1c118d3b55fb5c0c3b28932c3acbf65886c8afd3c860f883790474
Opcode Fuzzy Hash: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
Instruction Fuzzy Hash: 03E11671519248FEDF25AF24CC4ABEA3BACEF42340F004519E8599E082D7F85F4597A6

Function 00773C88 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 394COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00773C7D), ref: 00773C88
GetSystemDirectoryA.KERNEL32(007769E2,00000104), ref: 00773C9F

Part of subcall function 00773CB7: lstrcat.KERNEL32(007769E2,00773CAA), ref: 00773CB8
Part of subcall function 00773CB7: GetProcAddress.KERNEL32(00000000,00773CD9), ref: 00773CE4
Part of subcall function 00773CB7: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00773CF7
Part of subcall function 00773CB7: GetTickCount.KERNEL32 ref: 00773D2B
Part of subcall function 00773CB7: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00776E36,00000000,00000000,00000000,00000000), ref: 00773DFD

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157
ADVAPI32.DLL, xrefs: 00773CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00773EA4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: ADVAPI32.DLL$C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 215653160-1059168852
Opcode ID: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
Instruction ID: 791747efae0b63b1f76ea27eba097f1c829b7a69bf21dcddd07d5522be31d888
Opcode Fuzzy Hash: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
Instruction Fuzzy Hash: 67D1F471519248FEDF25AF24CC0ABEA3BACEF42340F008559E85D9E082D7F85F4587A6

Function 00773CB7 Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 374stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(007769E2,00773CAA), ref: 00773CB8

Part of subcall function 00773CCE: LoadLibraryA.KERNEL32(00773CC3), ref: 00773CCE
Part of subcall function 00773CCE: GetProcAddress.KERNEL32(00000000,00773CD9), ref: 00773CE4
Part of subcall function 00773CCE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00773CF7
Part of subcall function 00773CCE: GetTickCount.KERNEL32 ref: 00773D2B
Part of subcall function 00773CCE: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00776E36,00000000,00000000,00000000,00000000), ref: 00773DFD

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157
ADVAPI32.DLL, xrefs: 00773CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00773EA4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: ADVAPI32.DLL$C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2038497427-1059168852
Opcode ID: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
Instruction ID: e3067aa8f1cdbb6eda7034aa4e6be770926bdc7422d138c7fbfbaeec6479532b
Opcode Fuzzy Hash: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
Instruction Fuzzy Hash: B7D1E171519248FEDF25AF24CC0ABEA3BACEF42340F008559E85D9E082D7F85F4597A6

Function 00773CCE Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 364libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00773CC3), ref: 00773CCE

Part of subcall function 00773CE3: GetProcAddress.KERNEL32(00000000,00773CD9), ref: 00773CE4
Part of subcall function 00773CE3: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00773CF7
Part of subcall function 00773CE3: GetTickCount.KERNEL32 ref: 00773D2B
Part of subcall function 00773CE3: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00776E36,00000000,00000000,00000000,00000000), ref: 00773DFD

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157
ADVAPI32.DLL, xrefs: 00773CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00773EA4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: ADVAPI32.DLL$C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3734769084-1059168852
Opcode ID: 2493f2ca0a9d17d60b0ae92595658eb790e1a8e0bd0394b2349fd16cbfe48cab
Instruction ID: 1449aa15796e5920b069b057eddbe7d2d690017b17a25f4ddb7cf716cf2193d2
Opcode Fuzzy Hash: 2493f2ca0a9d17d60b0ae92595658eb790e1a8e0bd0394b2349fd16cbfe48cab
Instruction Fuzzy Hash: F6D1D171515248FEEF25AF24CC0ABEA3BACEF41340F008659E85D9E082D7F85F4597A6

Function 00773CE3 Relevance: 28.4, APIs: 13, Strings: 3, Instructions: 371librarythreadsleepCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00773CD9), ref: 00773CE4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00773CF7
GetTickCount.KERNEL32 ref: 00773D2B
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00776E36,00000000,00000000,00000000,00000000), ref: 00773DFD
CreateThread.KERNEL32(00000000,00000000,00773629,00000000,00000000), ref: 00773ED8
CloseHandle.KERNEL32(?,987AB7B1), ref: 00773EE1
CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00773F81
CloseHandle.KERNEL32(?,00000000), ref: 00773F8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00773F97
GetVersionExA.KERNEL32(?,?,00000000), ref: 0077408C
wsprintfA.USER32 ref: 0077410A
SetEvent.KERNEL32(000002D8,?,00000000), ref: 00774225
Sleep.KERNEL32(00007530,?,00000000), ref: 00774236
ResetEvent.KERNEL32(000002D8,?,00000000), ref: 00774249

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157
ADVAPI32.DLL, xrefs: 00773CF6
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00773EA4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepTickVersionVolumewsprintf
String ID: ADVAPI32.DLL$C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4085262208-1059168852
Opcode ID: 947b9679796d591e9ada89db576f74309ff53d0a5c4f8047994469cffe21920d
Instruction ID: 2f68f3dacb2a2b17e9bfa749e6148f6c2c51684f88deead7a6cde463d0ee29ce
Opcode Fuzzy Hash: 947b9679796d591e9ada89db576f74309ff53d0a5c4f8047994469cffe21920d
Instruction Fuzzy Hash: 97D1E171519248FEDF25AF24CC0ABEA3BACEF41340F008619E95D9E082D7F85F4597A6

Function 0043D8D5 Relevance: 18.0, APIs: 8, Strings: 2, Instructions: 472libraryloaderCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(004406E2,00000104), ref: 0043D939
GetProcAddress.KERNEL32(00000000,00000002), ref: 0043D96C
GetProcAddress.KERNEL32(00000000,0043D9D9), ref: 0043D9E4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0043D9F7
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DAFD

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043DBA4
ADVAPI32.DLL, xrefs: 0043D9F6

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: AddressProc$DirectoryInformationLibraryLoadVolumeWindows
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1176489311-2287716718
Opcode ID: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
Instruction ID: 5483a4cca7fa6dda94b9a6e8dc3b3dda59e7c0296e28ec901ac7a2c4e12ddd12
Opcode Fuzzy Hash: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
Instruction Fuzzy Hash: 77F11671918248BFDB25AF24DC4ABEB7BACEF45304F04151EE8459F082D6F85F05C6AA

Function 0043D95A Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 417libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0043D952), ref: 0043D95A
GetProcAddress.KERNEL32(00000000,00000002), ref: 0043D96C
GetProcAddress.KERNEL32(00000000,0043D9D9), ref: 0043D9E4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0043D9F7

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043DBA4
ADVAPI32.DLL, xrefs: 0043D9F6

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 384173800-2287716718
Opcode ID: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
Instruction ID: d5aeb79681732c52da032c4c8d33eafc2de116ab4e307484684b17d29cda3543
Opcode Fuzzy Hash: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
Instruction Fuzzy Hash: F7E11671918248BFEB25AF24DC5ABEB7B6CEF45300F04151EE8459E082D6F85F05C6AA

Function 0043D988 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 394COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0043D97D), ref: 0043D988
GetSystemDirectoryA.KERNEL32(004406E2,00000104), ref: 0043D99F

Part of subcall function 0043D9B7: lstrcatA.KERNEL32(004406E2,0043D9AA), ref: 0043D9B8
Part of subcall function 0043D9B7: GetProcAddress.KERNEL32(00000000,0043D9D9), ref: 0043D9E4
Part of subcall function 0043D9B7: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0043D9F7
Part of subcall function 0043D9B7: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DAFD

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043DBA4
ADVAPI32.DLL, xrefs: 0043D9F6

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: AddressDirectoryHandleInformationLibraryLoadModuleProcSystemVolumelstrcat
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4132523617-2287716718
Opcode ID: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
Instruction ID: e469237d22ea40d14a6c21688543344d14d8b3862419d6cb576c78d552971018
Opcode Fuzzy Hash: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
Instruction Fuzzy Hash: B3D10771919248BFDB25AF20DC5ABEB7B6CEF45300F04151EEC499E082D6F85F0587AA

Function 0043D9B7 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 374stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(004406E2,0043D9AA), ref: 0043D9B8

Part of subcall function 0043D9CE: LoadLibraryA.KERNEL32(0043D9C3), ref: 0043D9CE
Part of subcall function 0043D9CE: GetProcAddress.KERNEL32(00000000,0043D9D9), ref: 0043D9E4
Part of subcall function 0043D9CE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0043D9F7
Part of subcall function 0043D9CE: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DAFD

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043DBA4
ADVAPI32.DLL, xrefs: 0043D9F6

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: LibraryLoad$AddressInformationProcVolumelstrcat
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 653688714-2287716718
Opcode ID: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
Instruction ID: 506ef3d5f07e69169af31f654003bf0a550be58d401d3d6fb280936054199ced
Opcode Fuzzy Hash: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
Instruction Fuzzy Hash: 17D10571914248BFDB25AF24DC5ABEB7B6CEF45300F04151EE8499F082D6F86F05C6AA

Function 0043D9CE Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 364libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0043D9C3), ref: 0043D9CE

Part of subcall function 0043D9E3: GetProcAddress.KERNEL32(00000000,0043D9D9), ref: 0043D9E4
Part of subcall function 0043D9E3: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0043D9F7
Part of subcall function 0043D9E3: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DAFD

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043DBA4
ADVAPI32.DLL, xrefs: 0043D9F6

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: LibraryLoad$AddressInformationProcVolume
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 333550838-2287716718
Opcode ID: 2493f2ca0a9d17d60b0ae92595658eb790e1a8e0bd0394b2349fd16cbfe48cab
Instruction ID: cb8bb0cb82d729d4bfa5a6b979dd1c69d94d0a0853c6dbc1712e32f9ed8330f8
Opcode Fuzzy Hash: 2493f2ca0a9d17d60b0ae92595658eb790e1a8e0bd0394b2349fd16cbfe48cab
Instruction Fuzzy Hash: 5CD11571914248BEDB25AF20DC5ABEB7B6CEF45300F00151EE8499E182D6F86F05C6AA

Function 0043D9E3 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 371libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,0043D9D9), ref: 0043D9E4
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0043D9F7
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DAFD
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,?,?), ref: 0043DBD8
CloseHandle.KERNEL32(?,?), ref: 0043DBE1

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043DBA4
ADVAPI32.DLL, xrefs: 0043D9F6

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: AddressCloseCreateHandleInformationLibraryLoadProcThreadVolume
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 266462827-2287716718
Opcode ID: 947b9679796d591e9ada89db576f74309ff53d0a5c4f8047994469cffe21920d
Instruction ID: df05783730ebd91ef218ce15d98a574c278806d0b45e4482b3bc0a850952a140
Opcode Fuzzy Hash: 947b9679796d591e9ada89db576f74309ff53d0a5c4f8047994469cffe21920d
Instruction Fuzzy Hash: 36D10471919248BEDB25AF24DC5ABEB7B6CEF45300F00151EEC499F082D6F86F05C6A9

Function 00773378 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 007733E2
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00773401
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0077342B
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00773438
UnmapViewOfFile.KERNEL32(?), ref: 00773450

Strings

\Device\PhysicalMemory, xrefs: 00773378

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: \Device\PhysicalMemory
API String ID: 2985292042-2007344781
Opcode ID: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
Instruction ID: cfa86485efc9657f8302dd4c49911ad1b8f5ba70ff1a8850ddb9ac593b73c1e0
Opcode Fuzzy Hash: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
Instruction Fuzzy Hash: A6819B71500208FFEF249F14CC89ABA37ACEF48711F108618ED199B291D7F4AF55DAA9

Function 0077339D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 007733E2
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00773401
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0077342B
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00773438
UnmapViewOfFile.KERNEL32(?), ref: 00773450

Strings

ysic, xrefs: 007733E8, 007733FE

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: ysic
API String ID: 2985292042-20973071
Opcode ID: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
Instruction ID: 12cfca9b036c6423384264633975293fc100c4ec589523defb3d5d3282f24e65
Opcode Fuzzy Hash: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
Instruction Fuzzy Hash: 77118271540609FBEB349F14CC56FAB367CEF88B50F104518EA199B2D0D7F46F148669

Function 007724AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\efdtVt), ref: 007724BA
lstrlenW.KERNEL32(?), ref: 007724C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00772516

Strings

\BaseNamedObjects\efdtVt, xrefs: 007724B8

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\efdtVt
API String ID: 2597515329-1229419330
Opcode ID: f1bad5ccbbd6d7462f27998acb1e7a99e32c5000d9e2d29f5668c81a6c7e7ee2
Instruction ID: d43795e0cef972627ba6369f16488440b719261296f5a06187064983ddf217f1
Opcode Fuzzy Hash: f1bad5ccbbd6d7462f27998acb1e7a99e32c5000d9e2d29f5668c81a6c7e7ee2
Instruction Fuzzy Hash: F90181B0790304BAF7305B29CC4BF5B7969DF81B50F948154F618AE1C5DAB89A0483A9

Function 00401A40 Relevance: 154.4, APIs: 29, Strings: 59, Instructions: 421libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00401A9E
GetProcAddress.KERNEL32(00000000), ref: 00401AA7
LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 00401AB7
GetProcAddress.KERNEL32(00000000), ref: 00401ABA

Part of subcall function 004016C0: strstr.MSVCRT ref: 00401730
Part of subcall function 004016C0: strcspn.MSVCRT ref: 0040174D
Part of subcall function 004016C0: strncpy.MSVCRT ref: 0040175C
Part of subcall function 004016C0: strcspn.MSVCRT ref: 0040176C
Part of subcall function 004016C0: atoi.MSVCRT(00000000), ref: 004017A8

Part of subcall function 00403160: GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,74DEF550,74DF0BD0,00000072), ref: 0040317B
Part of subcall function 00403160: GetComputerNameA.KERNEL32 ref: 00403192
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 004031AB
Part of subcall function 00403160: strstr.MSVCRT ref: 00403214
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,Windows NT), ref: 00403304
Part of subcall function 00403160: lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040332D

Part of subcall function 00401A00: LoadLibraryA.KERNEL32 ref: 00401A20

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2

Strings

8@, xrefs: 00401FEA
e, xrefs: 00401A99
i, xrefs: 00402033
., xrefs: 00401B82
e, xrefs: 00401BEA
t, xrefs: 00401A80
Distribuoeq, xrefs: 00401FA5, 00401FE4
W, xrefs: 00401A72
l, xrefs: 00401BE5
l, xrefs: 00402038
e, xrefs: 00402051
D, xrefs: 00401BAA
F, xrefs: 00401BDB
e, xrefs: 00402006
R, xrefs: 00401BA0
l, xrefs: 00401B91
i, xrefs: 00401A7B
u, xrefs: 00401B66
i, xrefs: 00401BE0
m, xrefs: 0040204C
M, xrefs: 00402010
l, xrefs: 00401BBD
T, xrefs: 00401BD1
o, xrefs: 00401BD6
,8@, xrefs: 004020E8
d, xrefs: 00401B87
d, xrefs: 0040201A
t, xrefs: 0040200B
w, xrefs: 00401B35
kernel32.dll, xrefs: 00401A65, 00401AAE, 00401F84, 00401F99, 00402001
m, xrefs: 00401B74
A, xrefs: 00401BEF
w, xrefs: 00401BB4
GetTempPathA, xrefs: 00401AA9
l, xrefs: 00401B6F
L, xrefs: 00401BA5
e, xrefs: 00402029
d, xrefs: 00401BCC
a, xrefs: 00402047
o, xrefs: 00401BC2
ExitProcess, xrefs: 00401F94
A, xrefs: 00402056
N, xrefs: 00402042
G, xrefs: 00401FFB
l, xrefs: 00401B8C
i, xrefs: 00401A8F
a, xrefs: 00401BC7
SetFileAttributesA, xrefs: 00401F7F
F, xrefs: 00401A8A
U, xrefs: 00401B9B
l, xrefs: 00401A94
e, xrefs: 0040203D
F, xrefs: 0040202E
o, xrefs: 00402015
o, xrefs: 00401BAF
u, xrefs: 0040201F
o, xrefs: 00401B79
PlusCtrl.dll, xrefs: 00401CC5
l, xrefs: 00402024

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: LibraryLoad$lstrcpy$AddressCloseHandleProcstrcspnstrstr$ComputerInfoLocaleNameatoistrncpy
String ID: ,8@$.$A$A$D$Distribuoeq$ExitProcess$F$F$F$G$GetTempPathA$L$M$N$PlusCtrl.dll$R$SetFileAttributesA$T$U$W$a$a$d$d$d$e$e$e$e$e$e$i$i$i$i$kernel32.dll$l$l$l$l$l$l$l$l$m$m$o$o$o$o$o$t$t$u$u$w$w$8@
API String ID: 3864303722-4133879002
Opcode ID: 8fad84325013aa2872d693e4a5823aaf4a1b65688ad2ea7df792892cca219c5c
Instruction ID: 3c3143e3e5472c0825c52dd3c823dc81544a2ddb207d74fe6334a4c7ffd002c2
Opcode Fuzzy Hash: 8fad84325013aa2872d693e4a5823aaf4a1b65688ad2ea7df792892cca219c5c
Instruction Fuzzy Hash: 0502C270548380DEE310CB64DD48B5BBBE5AB95704F04492DF6C5A72D2DBBAD808CB6B

Function 00402D30 Relevance: 52.7, APIs: 12, Strings: 18, Instructions: 217stringlibraryfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000047,00000000,0000009C), ref: 00402DE5
GetProcAddress.KERNEL32(00000000), ref: 00402DEC
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402E0F
strncmp.MSVCRT ref: 00402E34
lstrcatA.KERNEL32(?,004084CC), ref: 00402EC0
lstrcatA.KERNEL32(?,?), ref: 00402ED0
CopyFileA.KERNEL32(?,?,00000000), ref: 00402EE1
lstrcpyA.KERNEL32(?,?), ref: 00402F04
GetLastError.KERNEL32 ref: 00402F7F
lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402FD1
lstrcatA.KERNEL32(?,?), ref: 00402FDF
lstrlenA.KERNEL32(00000000), ref: 00402FFE

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Strings

N, xrefs: 00402DB0
8@, xrefs: 00402F99
%c%c%c%c%c%c.exe, xrefs: 00402E99
kernel32.dll, xrefs: 00402DE0
u, xrefs: 00402D81
M, xrefs: 00402D6C
A, xrefs: 00402DCB
i, xrefs: 00402D9D
t, xrefs: 00402D65
,8@, xrefs: 00402EA5
a, xrefs: 00402DB7
d, xrefs: 00402D7A
F, xrefs: 00402D96
Description, xrefs: 0040300A
m, xrefs: 00402DBE
G, xrefs: 00402D56
o, xrefs: 00402D73
SYSTEM\CurrentControlSet\Services\, xrefs: 00402FC5

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: lstrcat$lstrcpy$AddressCopyCountDirectoryErrorFileLastLibraryLoadProcSystemTicklstrlenrandstrncmp
String ID: %c%c%c%c%c%c.exe$,8@$A$Description$F$G$M$N$SYSTEM\CurrentControlSet\Services\$a$d$i$kernel32.dll$m$o$t$u$8@
API String ID: 2930506891-1316125334
Opcode ID: 4cad2e7bd832c944ab44e5aa06c1b8362982bd4035659bc22fff8856b8ad885a
Instruction ID: 0e0e6dca43d9b0313fe333de96fee7407300e1d87e337aa7371e7680423aad75
Opcode Fuzzy Hash: 4cad2e7bd832c944ab44e5aa06c1b8362982bd4035659bc22fff8856b8ad885a
Instruction Fuzzy Hash: 478119B2900258ABD722DB60DD89FDA7B7CAF55700F0401E9F609B61C1DA789F44CF65

Function 00402600 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 196stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402613
lstrcatA.KERNEL32(?,Distribuoeq), ref: 00402623

Strings

69@, xrefs: 0040263F
ImagePath, xrefs: 0040267A
$9@, xrefs: 00402680
Distribuoeq, xrefs: 0040261D, 004027B9, 004027C6
SYSTEM\CurrentControlSet\Services\, xrefs: 0040260D

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: lstrcatlstrcpy
String ID: $9@$69@$Distribuoeq$ImagePath$SYSTEM\CurrentControlSet\Services\
API String ID: 3905823039-738438224
Opcode ID: 4993b40f7886f15423b6108ea60fa8a6cb83f6d371995b2a9da2af4ffd17cede
Instruction ID: cff8f841e93e58ab4234d6d93627b2c916986187481524a3f77962f8d504dc07
Opcode Fuzzy Hash: 4993b40f7886f15423b6108ea60fa8a6cb83f6d371995b2a9da2af4ffd17cede
Instruction Fuzzy Hash: 1551D4357407056BE320DB34ED49FEB37A8EB84721F404839FA06F11D0E6BD95194669

Function 004023B0 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 114librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 00402438
GetProcAddress.KERNEL32(00000000), ref: 0040243F
GetTempPathA.KERNEL32(00000104,?), ref: 0040247C
lstrcatA.KERNEL32(?,SOFTWARE.LOG), ref: 0040248E
MoveFileExA.KERNEL32(00000000,?,00000003(MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED)), ref: 004024AA
MoveFileExA.KERNEL32(?,00000000,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004024BB

Strings

t, xrefs: 00402402
d, xrefs: 0040240E
o, xrefs: 0040240A
m, xrefs: 0040242C
a, xrefs: 00402428
kernel32.dll, xrefs: 004023FD
G, xrefs: 004023F8
M, xrefs: 00402406
i, xrefs: 0040241D
F, xrefs: 00402419
N, xrefs: 00402424
SOFTWARE.LOG, xrefs: 00402488
u, xrefs: 00402412
A, xrefs: 00402430

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: FileMove$AddressLibraryLoadPathProcTemplstrcat
String ID: A$F$G$M$N$SOFTWARE.LOG$a$d$i$kernel32.dll$m$o$t$u
API String ID: 20907805-1765106238
Opcode ID: 3574a8691a983e4fb58ac25ab56cb1c955f97815db305d7cfbd3ec60fc5b3c7d
Instruction ID: f0613c91973a543e40f7bda577bceb9edfdbe02e48fb26baed1209212c166b8f
Opcode Fuzzy Hash: 3574a8691a983e4fb58ac25ab56cb1c955f97815db305d7cfbd3ec60fc5b3c7d
Instruction Fuzzy Hash: 43219171D482CCEEEB11C7A8CD09BDEBFB45B22704F0480D9964477282D6B91B48CBB6

Function 00773F27 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 205threadlibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00773F1B), ref: 00773F27
CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00773F81
CloseHandle.KERNEL32(?,00000000), ref: 00773F8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00773F97
lstrlen.KERNEL32(yu.timid.pl,?,00000000), ref: 00773FE8
GetVersionExA.KERNEL32(?,?,00000000), ref: 0077408C
wsprintfA.USER32 ref: 0077410A
CreateThread.KERNEL32(?,?,Function_000037B1,2E757905), ref: 00774138
CloseHandle.KERNEL32(?,?,Function_000037B1,2E757905,?,?,00000023,00776E36,00000073,2E757905,2E757905,00773AEA,00000014,00000000), ref: 00774141
RtlExitUserThread.NTDLL(00000000), ref: 00774261

Strings

yu.timid.pl, xrefs: 00773FE7, 00773FF6
C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: CreateThread$CloseHandle$EventExitLibraryLoadUserVersionlstrlenwsprintf
String ID: C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$yu.timid.pl
API String ID: 485685433-1132917862
Opcode ID: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
Instruction ID: 1adf68a763729d83cbc9c413a2cee78551fb9cd7e9e3c8377542a280391d17b0
Opcode Fuzzy Hash: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
Instruction Fuzzy Hash: EF81DF71509249FEDF21AF24C819BEE7BACAF41340F044548F86D9E092C7F89F458B69

Function 00773E64 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 246threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00773E58), ref: 00773E65
GetModuleFileNameA.KERNEL32(00000000,007769E2,000000C8), ref: 00773E7A
wsprintfA.USER32 ref: 00773E8F
CreateThread.KERNEL32(00000000,00000000,00773629,00000000,00000000), ref: 00773ED8
CloseHandle.KERNEL32(?,987AB7B1), ref: 00773EE1
CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00773F81
CloseHandle.KERNEL32(?,00000000), ref: 00773F8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00773F97

Part of subcall function 0077339D: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 007733E2
Part of subcall function 0077339D: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00773401
Part of subcall function 0077339D: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0077342B
Part of subcall function 0077339D: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00773438
Part of subcall function 0077339D: UnmapViewOfFile.KERNEL32(?), ref: 00773450

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00773EA4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 541178049-2858843470
Opcode ID: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
Instruction ID: 916b0afc2e7b295be33e4711951c7895b757c19a2cee5c69dc1c405247d0ea03
Opcode Fuzzy Hash: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
Instruction Fuzzy Hash: C391CF71509249FEDF21AF24CC0EBEA7B6CEF42340F004649F8599E082D6F85F4587A6

Function 00773E4D Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 262librarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00773E41), ref: 00773E4D

Part of subcall function 00773E64: GetProcAddress.KERNEL32(00000000,00773E58), ref: 00773E65
Part of subcall function 00773E64: GetModuleFileNameA.KERNEL32(00000000,007769E2,000000C8), ref: 00773E7A
Part of subcall function 00773E64: wsprintfA.USER32 ref: 00773E8F
Part of subcall function 00773E64: CreateThread.KERNEL32(00000000,00000000,00773629,00000000,00000000), ref: 00773ED8
Part of subcall function 00773E64: CloseHandle.KERNEL32(?,987AB7B1), ref: 00773EE1

CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00773F81
CloseHandle.KERNEL32(?,00000000), ref: 00773F8A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00773F97
GetVersionExA.KERNEL32(?,?,00000000), ref: 0077408C
wsprintfA.USER32 ref: 0077410A

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00773EA4

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersion
String ID: C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 62832863-2858843470
Opcode ID: 87f197dd41939147b2960925833c34f02f8e43997e3fe373c143eff21418308d
Instruction ID: 61aef0840838a67af8b383a5ffe58a110032b44e9a51c7e70003e9637460e8de
Opcode Fuzzy Hash: 87f197dd41939147b2960925833c34f02f8e43997e3fe373c143eff21418308d
Instruction Fuzzy Hash: 8191F471119248BEDF21AF24CC1EBEA7BACEF41340F044659F8599E082D6F85F05C7A6

Function 00404905 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 203sleepprocessthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403E00: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
Part of subcall function 00403E00: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
Part of subcall function 00403E00: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00404A1E
Sleep.KERNEL32(00001388), ref: 00404A2D
Sleep.KERNEL32(0000000A,?,00000000), ref: 00404B7D
ExitThread.KERNEL32 ref: 00404B87

Strings

,8@, xrefs: 0040496F
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#, xrefs: 004049D0
GET %s HTTP/1.1Host: %s:%d, xrefs: 00404A92
D, xrefs: 004049A4
GET %s HTTP/1.1Host: %s, xrefs: 00404A6D
%s %s%s, xrefs: 00404991
GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00404B1A
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00404AD7

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: Sleep$CreateDirectoryExitProcessSystemThreadlstrcatlstrcpy
String ID: %s %s%s$,8@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#
API String ID: 2825703556-2499878509
Opcode ID: df2cad709f29754dcafc4a0d25050df2d5ba39f326bf680629eab38fb005b706
Instruction ID: da6923137c11df0d7ab68030686ac7cd269fa33bd206a37efab997621938c878
Opcode Fuzzy Hash: df2cad709f29754dcafc4a0d25050df2d5ba39f326bf680629eab38fb005b706
Instruction Fuzzy Hash: 2551A8B15443456BD324DB64CD41FEB77A9AFC4304F00493EF64AA72C1EA79AA04CB9B

Function 004024D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 129libraryfileloaderCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 00402504
LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 00402516
GetProcAddress.KERNEL32(00000000), ref: 0040251D
LoadResource.KERNEL32(?,00000000), ref: 00402533
LockResource.KERNEL32(00000000), ref: 0040254A
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004025A1
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004025BE
CloseHandle.KERNEL32(00000000), ref: 004025C5

Strings

,8@, xrefs: 00402566
kernel32.dll, xrefs: 0040250F
hra%u.dll, xrefs: 00402560
SizeofResource, xrefs: 0040250A

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: Resource$FileLoad$AddressCloseCreateFindHandleLibraryLockProcWrite
String ID: ,8@$SizeofResource$hra%u.dll$kernel32.dll
API String ID: 2921964263-4168475015
Opcode ID: a79a88351d4ee55d91fec4b12707c34b880592affa0a33c76b31672086c36472
Instruction ID: 05619c64b77a0a6437fb081d8a4bc4abd72332ae768d0b043ea742f75d8c896d
Opcode Fuzzy Hash: a79a88351d4ee55d91fec4b12707c34b880592affa0a33c76b31672086c36472
Instruction Fuzzy Hash: 1F11D2716402047BD7209F649E4DFAB376CEB85B24F114529FE06B72C0DBB498148ABC

Function 00402810 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 83sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00402888
CreateMutexA.KERNEL32(00000000,00000000,Distribuoeq), ref: 004028A8
GetLastError.KERNEL32 ref: 004028AE
ExitProcess.KERNEL32 ref: 004028BC
WaitForSingleObject.KERNEL32(00000000,000000FF,Function_00001A40,00000000), ref: 00402944
CloseHandle.KERNEL32(?), ref: 0040294D
Sleep.KERNEL32(0000012C), ref: 00402967

Strings

,8@, xrefs: 004028D7
hra%u.dll, xrefs: 004028D1
Z9@, xrefs: 00402824
Distribuoeq, xrefs: 0040281F, 004028A1
H9@, xrefs: 0040282A

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: Sleep$CloseCreateErrorExitHandleLastMutexObjectProcessSingleWait
String ID: ,8@$Distribuoeq$H9@$Z9@$hra%u.dll
API String ID: 482528292-2211841438
Opcode ID: 735153542032c615ee15675859b1d42246c009a904f63fe55f3969934729beb0
Instruction ID: 9e342082198d0c0f17f09a8a404d76bdda1f71cbb84061cebe59b1f914c361f5
Opcode Fuzzy Hash: 735153542032c615ee15675859b1d42246c009a904f63fe55f3969934729beb0
Instruction Fuzzy Hash: 2A314DB0540305AFD310EB61EF4AF5A3AA8EB54718F21413EB655B61E2CFF958048FAD

Function 00404C83 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 287sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A), ref: 00405087
ExitThread.KERNEL32 ref: 00405093

Strings

,8@, xrefs: 00404F5B
%d.%d.%d.%d, xrefs: 00404F55
P, xrefs: 00404E37
E, xrefs: 00404D93
@, xrefs: 00404DAF
]@, xrefs: 00404E24, 00404FB2
192.168.1.244, xrefs: 00404CC8
`:@, xrefs: 00404D1E
<:@, xrefs: 00404D6A

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$192.168.1.244$<:@$@$E$P$`:@$]@
API String ID: 896407411-2643560063
Opcode ID: d604f48981dc178444f468b20bfd3291236b9bb87fd842ba203fa14314ef6784
Instruction ID: a11e23f07e89fd79917e8136cf8e3326afab1f20c2e29fb6b7df3ea0f310ee3b
Opcode Fuzzy Hash: d604f48981dc178444f468b20bfd3291236b9bb87fd842ba203fa14314ef6784
Instruction Fuzzy Hash: BBB159715083859AE710DF60C845B6BB7E5FFD4308F004D2DFA89A7291DB749A09CB9B

Function 00405320 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 274sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A), ref: 00405717
ExitThread.KERNEL32 ref: 00405723

Strings

,8@, xrefs: 004055EB
%d.%d.%d.%d, xrefs: 004055E5
P, xrefs: 004054C7
]@, xrefs: 004054B4, 00405642
E, xrefs: 00405423
192.168.1.244, xrefs: 00405358
`:@, xrefs: 004053AE
<:@, xrefs: 004053FA
@, xrefs: 0040543F

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$192.168.1.244$<:@$@$E$P$`:@$]@
API String ID: 896407411-2643560063
Opcode ID: fb4a31642ab8506c44b56105cc454ed5c2899b6acfb7622cd7005f80403f0be3
Instruction ID: bee5a320e23260b0ccfa8ee8b9c418d69dfc131687e79230085c79d38b805ed6
Opcode Fuzzy Hash: fb4a31642ab8506c44b56105cc454ed5c2899b6acfb7622cd7005f80403f0be3
Instruction Fuzzy Hash: 90B179715083859AE710DF60C845B6BB7E5FFD4308F004D2DFA89A7291DBB49A09CB9B

Function 00404720 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 142sleepthreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00404817
Sleep.KERNEL32(000007D0), ref: 00404822
Sleep.KERNEL32(0000000A), ref: 00404833
ExitThread.KERNEL32 ref: 00404839
Sleep.KERNEL32(00000032,?,00000000), ref: 004048F4
ExitThread.KERNEL32 ref: 004048FF

Part of subcall function 00403E00: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
Part of subcall function 00403E00: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
Part of subcall function 00403E00: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

Strings

,8@, xrefs: 004047B4, 0040488F
GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache, xrefs: 00404863
D, xrefs: 004047CB
%s %s%s, xrefs: 004047AE
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0, xrefs: 00404882

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: Sleep$ExitThread$CreateDirectoryProcessSystemlstrcatlstrcpy
String ID: %s %s%s$,8@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0$GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache
API String ID: 4106849892-1440346242
Opcode ID: 5eb02f3b8431406fad96daf4aa59b50a38eec1cead9eb88fe7224a995bb05ed2
Instruction ID: 794b02a4c492586d25d224780bf78908b263a50c21f6d464f885ce95802daaf6
Opcode Fuzzy Hash: 5eb02f3b8431406fad96daf4aa59b50a38eec1cead9eb88fe7224a995bb05ed2
Instruction Fuzzy Hash: A1416672144345AFE320DB50CD45BEB77A9AFC4700F004D3EF686A31C1DA7999048BAA

Function 00402153 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 98librarystringloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,Distribuoeq), ref: 0040215F
ReleaseMutex.KERNEL32(00000000), ref: 0040216C
CloseHandle.KERNEL32(00000000), ref: 00402173
lstrcatA.KERNEL32(?,?), ref: 0040222C
GetProcAddress.KERNEL32(00000000,?), ref: 0040223F

Strings

,8@, xrefs: 00402213
8@, xrefs: 004022FF
stf%c%c%c%c%c.exe, xrefs: 0040220D
Distribuoeq, xrefs: 00402153, 004022F9

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: Mutex$AddressCloseHandleOpenProcReleaselstrcat
String ID: ,8@$Distribuoeq$stf%c%c%c%c%c.exe$8@
API String ID: 2376757572-3791897913
Opcode ID: 3fee883449239276f1948b4b83ab1ea6cde5b5cab6033c52ad3544baa1033d71
Instruction ID: 07dd3426e8a5cfa61062460b71f0a3489c34bdea3db5e388aae2d5ac9104c876
Opcode Fuzzy Hash: 3fee883449239276f1948b4b83ab1ea6cde5b5cab6033c52ad3544baa1033d71
Instruction Fuzzy Hash: 6C31F6F26403417BE7209BA0DD0AFAF369CAF44701F00493DF746B61C1EEB896048A6B

Function 00403B10 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00403BB6
GetLastError.KERNEL32 ref: 00403BC2
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00403BF5
InterlockedExchange.KERNEL32(?,00000000), ref: 00403C07
LocalAlloc.KERNEL32(00000040,00000008), ref: 00403C1B
FreeLibrary.KERNEL32(00000000), ref: 00403C38
GetProcAddress.KERNEL32(?,?), ref: 00403C99
GetLastError.KERNEL32 ref: 00403CA5
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00403CD7

Strings

$, xrefs: 00403B2C

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 36fe4dab1de80df83a616e5d2683970340db3ca332fec087ab461386fbccdab3
Instruction ID: 52b406d3f103219c093564718a3b2c2d18ed8ca5132a2492024d70ce187348d6
Opcode Fuzzy Hash: 36fe4dab1de80df83a616e5d2683970340db3ca332fec087ab461386fbccdab3
Instruction Fuzzy Hash: F8613C71600205AFEB15CF99C984AAA7BF9AB48301F11803EE916F7390D774EE04CB64

Function 00774109 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 178sleepthreadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0077410A
CreateThread.KERNEL32(?,?,Function_000037B1,2E757905), ref: 00774138
CloseHandle.KERNEL32(?,?,Function_000037B1,2E757905,?,?,00000023,00776E36,00000073,2E757905,2E757905,00773AEA,00000014,00000000), ref: 00774141
Sleep.KERNEL32(00000064,?,?,?,Function_000037B1,2E757905,?,?,00000023,00776E36,00000073,2E757905,2E757905,00773AEA,00000014,00000000), ref: 007741DA
GetTickCount.KERNEL32 ref: 007741E3
SetEvent.KERNEL32(000002D8,?,00000000), ref: 00774225
Sleep.KERNEL32(00007530,?,00000000), ref: 00774236
ResetEvent.KERNEL32(000002D8,?,00000000), ref: 00774249

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: EventSleep$CloseCountCreateHandleResetThreadTickwsprintf
String ID: C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER
API String ID: 4091134114-1175600431
Opcode ID: fc55b44dffeed9f0fa34af6d0f9333e7e97c5298c09aa9a8cf59fe694ab0a9b6
Instruction ID: 76c67509e4a6111fb44ce12f7f9174ac9c4a8929aba279efd10dbc63cc9d48d1
Opcode Fuzzy Hash: fc55b44dffeed9f0fa34af6d0f9333e7e97c5298c09aa9a8cf59fe694ab0a9b6
Instruction Fuzzy Hash: F2610471118249FADF25AF24C81DBEE7BADAF41380F148548E86D5E092C7F89F418769

Function 0040367F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004036AC
__p__fmode.MSVCRT ref: 004036C1
__p__commode.MSVCRT ref: 004036CF
__setusermatherr.MSVCRT ref: 004036FB
_initterm.MSVCRT ref: 00403711
__getmainargs.MSVCRT ref: 00403734
_initterm.MSVCRT ref: 00403744
GetStartupInfoA.KERNEL32(?), ref: 00403783
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004037A7
exit.MSVCRT ref: 004037B7
_XcptFilter.MSVCRT ref: 004037C9

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: bdb5c9794a0d6897bb365cab6c7c557ce66239c653fb92b30b56ff46a497ed67
Instruction ID: ba1f1da14ff76bb8750f1f60014ed55525f4e47ea4881a3bfc32ef867773b9a2
Opcode Fuzzy Hash: bdb5c9794a0d6897bb365cab6c7c557ce66239c653fb92b30b56ff46a497ed67
Instruction Fuzzy Hash: A1415EF5840304AFDB20AFA4D949A5ABFACEB09711B20453FE452B72D1C7785941CF68

Function 00773EF8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 192libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00773EEC), ref: 00773EF8

Part of subcall function 00773F27: LoadLibraryA.KERNEL32(00773F1B), ref: 00773F27
Part of subcall function 00773F27: CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00773F81
Part of subcall function 00773F27: CloseHandle.KERNEL32(?,00000000), ref: 00773F8A
Part of subcall function 00773F27: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00773F97
Part of subcall function 00773F27: GetVersionExA.KERNEL32(?,?,00000000), ref: 0077408C

Strings

C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER, xrefs: 00774157

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: CreateLibraryLoad$CloseEventHandleThreadVersion
String ID: C:\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_HRLBCA3.TMP_C58139D8BE6D964CE7A827DD4433F8741736607A_FDF12C9F_D1783C8B-CB68-4C51-AD0F-963AA2F39AB8\REPORT.WER
API String ID: 4090826934-1175600431
Opcode ID: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
Instruction ID: ea2f74d078bf3cb5d89c5dc778a78dd97323e747f585f4e605e40368358bb769
Opcode Fuzzy Hash: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
Instruction Fuzzy Hash: 0E61D171119249BEDF21AF24CC1ABEA7BACEF41340F044649F8599E092D3F89F45C7A6

Function 00402B20 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 169COMMON

Download Yara Rule

APIs

#4710.MFC42 ref: 00402B2A
#6197.MFC42(00000000,0000009C,0000009C,00000000,00000000,00000001), ref: 00402B7E

Part of subcall function 00402D30: LoadLibraryA.KERNEL32(kernel32.dll,00000047,00000000,0000009C), ref: 00402DE5
Part of subcall function 00402D30: GetProcAddress.KERNEL32(00000000), ref: 00402DEC
Part of subcall function 00402D30: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402E0F
Part of subcall function 00402D30: strncmp.MSVCRT ref: 00402E34

ExitProcess.KERNEL32 ref: 00402C4B

Strings

P8@, xrefs: 00402B6A
Distribufqy Transaction Coordinator Service, xrefs: 00402C05
Distribucjx Transaction Coordinator Service., xrefs: 00402C00
l9@, xrefs: 00402BCE
Distribuoeq, xrefs: 00402BB1, 00402C0A
b8@, xrefs: 00402B35

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: #4710#6197AddressDirectoryExitLibraryLoadProcProcessSystemstrncmp
String ID: Distribucjx Transaction Coordinator Service.$Distribufqy Transaction Coordinator Service$Distribuoeq$P8@$b8@$l9@
API String ID: 3958467283-4228543752
Opcode ID: 117839834650e7e938ed014b9244ee9cb0d5573d962b4e8f455a6211bd4cceb4
Instruction ID: cf9320a1031b7b380acfe78e02c8ba282f3c83360672a311bdaa638afd64cd46
Opcode Fuzzy Hash: 117839834650e7e938ed014b9244ee9cb0d5573d962b4e8f455a6211bd4cceb4
Instruction Fuzzy Hash: 4311B130640304BBD760AF658E0AF6B77A8AB45B04F10462DFA85B72C1DAF9A904865C

Function 0043A4AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 0043B14A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0043B16A

CloseHandle.KERNEL32(?), ref: 0043A2AD
FreeLibrary.KERNEL32(513BFD18,?,0043A49B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 0043A4B8
CloseHandle.KERNEL32(?,?,0043A49B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 0043A4BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 0043A4C9
Process32First.KERNEL32 ref: 0043A4DC
Process32Next.KERNEL32 ref: 0043A4ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0043A505
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 0043A542
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 0043A55D
CloseHandle.KERNEL32 ref: 0043A56C

Strings

csrs, xrefs: 0043A52C

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryNextOpenPrivilegesProcessRemoteSnapshotThreadTokenToolhelp32
String ID: csrs
API String ID: 931541398-2321902090
Opcode ID: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
Instruction ID: 1ca685fec0534cffdddb52ec38ac997523233cb662d6ec19fee6d13979072624
Opcode Fuzzy Hash: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
Instruction Fuzzy Hash: E9115E30146104FBEB256E21CD4DBBF3A6DEF48701F00102EFD8A99151C6B89E119A6E

Function 00405810 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 178sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00405A85

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000028), ref: 00405A77

Strings

,8@, xrefs: 004059A6
AAAA, xrefs: 00405854
%d.%d.%d.%d, xrefs: 004059A0
E, xrefs: 00405934
`:@, xrefs: 004058C6
<:@, xrefs: 0040588D

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$,8@$<:@$AAAA$E$`:@
API String ID: 896407411-2836906244
Opcode ID: ea2dd581bac7c8cef9c5bdfd95272e9f0afcf65b51e7e46ad9891951b0c6bac6
Instruction ID: e9a3f02c22eb15b260bf825b8ca02d5a946cb04ee5495d7803f8191399606438
Opcode Fuzzy Hash: ea2dd581bac7c8cef9c5bdfd95272e9f0afcf65b51e7e46ad9891951b0c6bac6
Instruction Fuzzy Hash: 1F51D2B0548381AAE320DF64CC45B6BB7E8EFD4304F004D2DF695A72D1E7B585098BAB

Function 004050B0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 172sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(0000000A,?,?,?,00000200), ref: 004052FF
ExitThread.KERNEL32 ref: 00405308

Strings

]@, xrefs: 00405206
@, xrefs: 00405197
`:@, xrefs: 00405106
<:@, xrefs: 00405152
E, xrefs: 0040517B
P, xrefs: 00405219

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: <:@$@$E$P$`:@$]@
API String ID: 896407411-2684562160
Opcode ID: 69fcc90e96dea77de8cc62438d1ff4d5379d368cbce85fec8dadd9f28f38ca4b
Instruction ID: 39b009766a04849488636733dbf50ff139f1285f39767be3529f9717fe43e04f
Opcode Fuzzy Hash: 69fcc90e96dea77de8cc62438d1ff4d5379d368cbce85fec8dadd9f28f38ca4b
Instruction Fuzzy Hash: 13614C71548344AAD710DF648C45B5FBBE9FF88304F40092EF689A72E1DBB49909CB9B

Function 004043BF Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 159threadCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040443F
ExitThread.KERNEL32 ref: 004045AB

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

sprintf.MSVCRT ref: 00404507
sprintf.MSVCRT ref: 00404538

Strings

%s/%s, xrefs: 00404501
<:@, xrefs: 0040441E
*:@, xrefs: 004043F5
#0%s!, xrefs: 00404532

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: sprintf$CountExitThreadTickmallocrand
String ID: #0%s!$%s/%s$*:@$<:@
API String ID: 3712263441-3613801517
Opcode ID: 00b75b3de8d93dc31a74d50db6e5e73740eefd36b768d78ccac709e30f348c81
Instruction ID: 19c619330cfb283f4556bae5eafdd7ef04c8a47010b92698e7a8e45263eab30c
Opcode Fuzzy Hash: 00b75b3de8d93dc31a74d50db6e5e73740eefd36b768d78ccac709e30f348c81
Instruction Fuzzy Hash: 1651B1B1104340ABE310DF748D45B9BB6E4EFC4704F004E3EF69AA72D1E7789A058B6A

Function 004016C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 134stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00401730
strcspn.MSVCRT ref: 0040174D
strncpy.MSVCRT ref: 0040175C
strcspn.MSVCRT ref: 0040176C
atoi.MSVCRT(00000000), ref: 004017A8

Strings

<:@, xrefs: 004017B2
*:@, xrefs: 004017D4

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: strcspn$atoistrncpystrstr
String ID: *:@$<:@
API String ID: 896909712-1525120602
Opcode ID: 70288e223b217b753ca0d46052b630638dcf25dcd2a199c3146b493787b399b8
Instruction ID: f8a19cff3734ad80dd224e4d4fa567c6fc112c9a2d060b15b6745f6d38997baa
Opcode Fuzzy Hash: 70288e223b217b753ca0d46052b630638dcf25dcd2a199c3146b493787b399b8
Instruction Fuzzy Hash: DD215C31E002186BC710A778DD06BEA7765BF48710F0006BEFA59F32D1DEB44A448B9D

Function 00401D35 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110libraryfileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2
CreateFileA.KERNEL32(PlusCtrl.dll,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401D79
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00401DB7

Strings

PlusCtrl.dll, xrefs: 00401CC5, 00401D74

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CloseHandle$CreateFileLibraryLoad
String ID: PlusCtrl.dll
API String ID: 4073770061-3813448905
Opcode ID: 276a740126fdbb8642ac7236fc26bc1fb47062cc569460620264d7a81443eeee
Instruction ID: 678e4eeabf8f2deab5107e84c4a66d22c971bafb6cfac5e257f318dcc26d0ccf
Opcode Fuzzy Hash: 276a740126fdbb8642ac7236fc26bc1fb47062cc569460620264d7a81443eeee
Instruction Fuzzy Hash: 3241A4315443029BE320CF64DD44B6B7BE4AF84754F140A2EF961B22E0E778E8458B9A

Function 00402C60 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,SYSTEM\CurrentControlSet\Services\,00403862), ref: 00402CCF
lstrcatA.KERNEL32(00000000,Distribuoeq), ref: 00402CE1

Strings

69@, xrefs: 00402D1A
Distribuoeq, xrefs: 00402CDB
SYSTEM\CurrentControlSet\Services\, xrefs: 00402CC9

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: lstrcatlstrcpy
String ID: 69@$Distribuoeq$SYSTEM\CurrentControlSet\Services\
API String ID: 3905823039-1248136302
Opcode ID: e66b1be437945f124023d56c1bdd6389618300147cf61839c5c59340b3a33dba
Instruction ID: c16f20cbba010059dd829025b88d8e0ac7ec225dfd2f823269786c1a3f48f5c0
Opcode Fuzzy Hash: e66b1be437945f124023d56c1bdd6389618300147cf61839c5c59340b3a33dba
Instruction Fuzzy Hash: 1CF0B43164820CBBDB60C774DD05FE577B8E755701F1005B9A7C9F20C0DDB46A988A54

Function 004045B1 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032,?,00000000), ref: 004046DC
ExitThread.KERNEL32 ref: 004046E6

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Strings

,8@, xrefs: 00404639, 0040467B
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404633
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404675

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: ,8@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 896407411-2728580657
Opcode ID: 03551809c68347d44f03a8e8098e885f0497282a7a7c0524782b2bd92df2901a
Instruction ID: ed96877d601846c175f9a107851c42ea53cf3a02b77a1f13df8ed6ecda56d954
Opcode Fuzzy Hash: 03551809c68347d44f03a8e8098e885f0497282a7a7c0524782b2bd92df2901a
Instruction Fuzzy Hash: 8B31A4B15142446BE220DB60DD46FFB73ACEF95305F050D3DF645A21C1FA796A08866B

Function 00403F5B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00404073

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000005), ref: 0040405D

Strings

`:@, xrefs: 00403FF0
<:@, xrefs: 00403FB7
*:@, xrefs: 00403FCE

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: *:@$<:@$`:@
API String ID: 896407411-1978189025
Opcode ID: 67827bdd94f09c8e4a8428c72f103af8ad3767357eff487082fd3e5c6fe3f275
Instruction ID: b9c020bd257d16025c789386b94bafe435fe5cc7bb509be09224f6c53715fa15
Opcode Fuzzy Hash: 67827bdd94f09c8e4a8428c72f103af8ad3767357eff487082fd3e5c6fe3f275
Instruction Fuzzy Hash: E82105312443016BE3209B15DD45BAB77E9AFC4705F00483DF789B72D0DAB459088BAB

Function 00401F1C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84librarystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C82
CloseHandle.KERNEL32(?), ref: 00401CBF
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401CD2
lstrlenA.KERNEL32(?), ref: 00401F31

Strings

PlusCtrl.dll, xrefs: 00401CC5

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CloseHandle$LibraryLoadlstrlen
String ID: PlusCtrl.dll
API String ID: 1302537757-3813448905
Opcode ID: 8b81bdb92c0fb83030933092d185a2b517c2c3c20cc09dc9aafab582fb3a248c
Instruction ID: 354abdcd05cd2bf0f73582f64dd16865d1a564750717cbbe5506fc225f074c98
Opcode Fuzzy Hash: 8b81bdb92c0fb83030933092d185a2b517c2c3c20cc09dc9aafab582fb3a248c
Instruction Fuzzy Hash: 673172715483019BE720CF64DD44B6B77E8AB84754F144A3EF991A32E0E738E845CF5A

Function 00403E50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403D30: GetTickCount.KERNEL32 ref: 00403D31
Part of subcall function 00403D30: rand.MSVCRT ref: 00403D39

Sleep.KERNEL32(00000014), ref: 00403F43
ExitThread.KERNEL32 ref: 00403F55

Strings

`:@, xrefs: 00403F0E
<:@, xrefs: 00403EDB
*:@, xrefs: 00403EEC

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: *:@$<:@$`:@
API String ID: 896407411-1978189025
Opcode ID: 58e52e15e8708b750c7b593d4532e1dc8ecc44a5eaeeec1c10d20306b6376e07
Instruction ID: 1aa1a50a868dfdc426b5470280aee9243670915e3d1e7e507b5142f6f6797285
Opcode Fuzzy Hash: 58e52e15e8708b750c7b593d4532e1dc8ecc44a5eaeeec1c10d20306b6376e07
Instruction Fuzzy Hash: BC21D131644300AFE7249B14DD06BAB77E9EF84704F00493DF289A72D0CBB59E088B9A

Function 00401890 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessTrans), ref: 004018BA

Strings

,8@, xrefs: 00401914
ProcessTrans, xrefs: 004018B4
%u.%u.%u.%u, xrefs: 0040190E
r:@, xrefs: 00401927

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: AddressProc
String ID: %u.%u.%u.%u$,8@$ProcessTrans$r:@
API String ID: 190572456-3036480515
Opcode ID: 0d9dd16706f6b930d6d57109fc15d559f869456c61a1f1dd963bc1d5b8d49efc
Instruction ID: a057d568f8cbf7d36185e8a16d9019903c22752d08b1d8e26d53945e98208902
Opcode Fuzzy Hash: 0d9dd16706f6b930d6d57109fc15d559f869456c61a1f1dd963bc1d5b8d49efc
Instruction Fuzzy Hash: 35118EB195020AABDB14DB94CE45EBFB379EF84704F108279BC41B72D5DA389D049BA8

Function 00403070 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

#470.MFC42 ref: 0040308F
#755.MFC42 ref: 0040310B
#2379.MFC42 ref: 00403119

Strings

t8@, xrefs: 00403101
b8@, xrefs: 004030AB

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: #2379#470#755
String ID: b8@$t8@
API String ID: 3024983488-745822901
Opcode ID: bd1fef225f27e3e765584d2d1b50f287eb6c34b8cefa70481d492fc26062ce55
Instruction ID: 23b8168f71ff80b0920836344aa8155c5e6477b8b6503ddd266453aefce758f2
Opcode Fuzzy Hash: bd1fef225f27e3e765584d2d1b50f287eb6c34b8cefa70481d492fc26062ce55
Instruction Fuzzy Hash: 72116D712143019FC214DF39DE49D6B77E9FFC8204F084A2DB5CAD3290DA34E9058A55

Function 00405B70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000F), ref: 00405C26
ExitThread.KERNEL32 ref: 00405C30

Strings

`:@, xrefs: 00405BF2
<:@, xrefs: 00405BBF
*:@, xrefs: 00405BD0

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: ExitSleepThread
String ID: *:@$<:@$`:@
API String ID: 2532117645-1978189025
Opcode ID: 0b160bee8590a9feaa90095d80f7b6cabd1019267ee4be1ece85caba017e34c7
Instruction ID: 4104fc32b431a330129af2c8e51cee684ef8fc9b11a9caa93217bf55ecdcdacd
Opcode Fuzzy Hash: 0b160bee8590a9feaa90095d80f7b6cabd1019267ee4be1ece85caba017e34c7
Instruction Fuzzy Hash: D9116070248301ABE324DB50DE4AF6B77E9EF95704F00092DF689B61D1DBB49D088B5B

Function 004028C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004025E0: EnumResourceNamesA.KERNEL32(00000000,0000000A,Function_000024D0,00000000), ref: 004025EB

Part of subcall function 00402600: lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402613
Part of subcall function 00402600: lstrcatA.KERNEL32(?,Distribuoeq), ref: 00402623

Part of subcall function 00401A00: LoadLibraryA.KERNEL32 ref: 00401A20

Part of subcall function 004012B0: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004012C2

WaitForSingleObject.KERNEL32(00000000,000000FF,Function_00001A40,00000000), ref: 00402944
CloseHandle.KERNEL32(?), ref: 0040294D
Sleep.KERNEL32(0000012C), ref: 00402967

Strings

,8@, xrefs: 004028D7
hra%u.dll, xrefs: 004028D1

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CloseCreateEnumHandleLibraryLoadNamesObjectResourceSingleSleepThreadWaitlstrcatlstrcpy
String ID: ,8@$hra%u.dll
API String ID: 3019664125-1682502944
Opcode ID: 5ccd0519ab355be5024abd0711c82a46054f02262ec7dfd481542cb7669b5a23
Instruction ID: 46b2761210bd7351e1acdc70686b2ba36b0e2774d37aa7cde017ba267fd11447
Opcode Fuzzy Hash: 5ccd0519ab355be5024abd0711c82a46054f02262ec7dfd481542cb7669b5a23
Instruction Fuzzy Hash: 4401F5712403006BD204EBB0AF4AFAA3364EB88724F10063EF611721E3DEF8A8045B6D

Function 0043C468 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 0043C48C

Part of subcall function 0043C4A7: GetTempFileNameA.KERNEL32(?,0043C4A3,00000000,?), ref: 0043C4A8
Part of subcall function 0043C4A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,0043C4A3,00000000,?), ref: 0043C4C3
Part of subcall function 0043C4A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,0043C4A3,00000000,?), ref: 0043C4F3
Part of subcall function 0043C4A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,0043C4A3,00000000,?), ref: 0043C4FF
Part of subcall function 0043C4A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,0043C4A3), ref: 0043C523

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
Instruction ID: eead497032521727101889923c0b73cca6e1fa18f3801d473e0d642191bda642
Opcode Fuzzy Hash: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
Instruction Fuzzy Hash: 1F21D2B1145305BFE7215A20CC8EFFF3A2CEF99B10F00411AFA4899191D7B5AE05867A

Function 00772768 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 0077278C

Part of subcall function 007727A7: GetTempFileNameA.KERNEL32(?,007727A3,00000000,?), ref: 007727A8
Part of subcall function 007727A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,007727A3,00000000,?), ref: 007727C3
Part of subcall function 007727A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,007727A3,00000000,?), ref: 007727F3
Part of subcall function 007727A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,007727A3,00000000,?), ref: 007727FF
Part of subcall function 007727A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,007727A3), ref: 00772823

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
Instruction ID: 91a547ce5cf3efbeeb4102d8cf4f3a4da015a777ee4014bc1e4d2deef3a39aee
Opcode Fuzzy Hash: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
Instruction Fuzzy Hash: 0F2102B1145345FFEB215A20CC8EFFF3A2CEF85B50F004119FA0889092D7B59E0686B6

Function 0043C4A7 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,0043C4A3,00000000,?), ref: 0043C4A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,0043C4A3,00000000,?), ref: 0043C4C3
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,0043C4A3,00000000,?), ref: 0043C4F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,0043C4A3,00000000,?), ref: 0043C4FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,0043C4A3), ref: 0043C523

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
Instruction ID: cfb145b5a6f0820f53188a34bb09c94998dbbf995a57aa88600f4fff029a2a13
Opcode Fuzzy Hash: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
Instruction Fuzzy Hash: 1A1180B1101605FBEB250F20CC8DFFF7A2DEF98B11F004519FA0999190DBF4AE5096A9

Function 007727A7 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,007727A3,00000000,?), ref: 007727A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,007727A3,00000000,?), ref: 007727C3
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,007727A3,00000000,?), ref: 007727F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,007727A3,00000000,?), ref: 007727FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,007727A3), ref: 00772823

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
Instruction ID: 0d349e04068af304038cfb531d3884221524625929f4255da3579bb97ee34d44
Opcode Fuzzy Hash: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
Instruction Fuzzy Hash: B6116DB1101605FBEB250B20CC49FFB7A2DEF84B50F004519FA1999091DBF99E5196A9

Function 00773826 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127sleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(007774C4), ref: 00773837
Sleep.KERNEL32(0000EA60), ref: 007738A9
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00773959

Strings

bmlegv.com, xrefs: 00773889

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: Sleep$SystemTime
String ID: bmlegv.com
API String ID: 3773743504-2097668362
Opcode ID: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
Instruction ID: 4a9c0f1bfc85e3acc0a035ac789c497dd8aec6af575b655e21d2691f0d6a0d9d
Opcode Fuzzy Hash: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
Instruction Fuzzy Hash: AB41FF71605248BADF349F248C0DBA97B6EAF86350F008429FA0D9E0C1C7F99B01DA65

Function 00404079 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 0040418E
ExitThread.KERNEL32 ref: 0040419B

Strings

<:@, xrefs: 004040CE
*:@, xrefs: 004040F0

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: ExitSleepThread
String ID: *:@$<:@
API String ID: 2532117645-1525120602
Opcode ID: 489a674434dd79bd1cd95d87094fd23d0865ee3d3cf51ba8a6b23f5a7c25bf35
Instruction ID: 67d8ddba5409ffce38fdec036543afa66e7020f410cbc9efe6a496dc460af4ba
Opcode Fuzzy Hash: 489a674434dd79bd1cd95d87094fd23d0865ee3d3cf51ba8a6b23f5a7c25bf35
Instruction Fuzzy Hash: C231F171604300ABE3109F24ED49BEF77A5EFA5311F00853DF68AA73D1CA789949CB5A

Function 00404B8D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,00000000), ref: 00404C70
ExitThread.KERNEL32 ref: 00404C7D

Strings

,8@, xrefs: 00404BD2
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404C1E

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: ExitSleepThread
String ID: ,8@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 2532117645-1548460504
Opcode ID: b4116cea720f3c054be25ad523dc78a633388379998c86f4e6064588cdf672b1
Instruction ID: fcf92245488759253a7268ef054163d6874dfe110737c38e6750fee933bc3a6f
Opcode Fuzzy Hash: b4116cea720f3c054be25ad523dc78a633388379998c86f4e6064588cdf672b1
Instruction Fuzzy Hash: 7821A571104340AFD324DB24DD45FEB73A8EFD6305F014A2DF285A7180EB7566098BAB

Function 00403E00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403E10
lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E25
lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403E38

Strings

\Program Files\Internet Explorer\iexplore.exe, xrefs: 00403E1A

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: DirectorySystemlstrcatlstrcpy
String ID: \Program Files\Internet Explorer\iexplore.exe
API String ID: 2630975639-1907246925
Opcode ID: b65ced3afa1010b117ea438fd43ae358f07f39bee29bead101c46353a56f49ca
Instruction ID: 9106fefdb625428a61e5fc355ea8c8d419b7259a9281d561dea26b2b043bae92
Opcode Fuzzy Hash: b65ced3afa1010b117ea438fd43ae358f07f39bee29bead101c46353a56f49ca
Instruction Fuzzy Hash: 5CE086F454C341ABD710D764DE48FAA77E4BB94305F45492CB6C9D2190D6B89058CB1A

Function 004046EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,TerminateProcess), ref: 0040470A
GetProcAddress.KERNEL32(00000000), ref: 00404711

Strings

TerminateProcess, xrefs: 00404700
kernel32.dll, xrefs: 00404705

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: TerminateProcess$kernel32.dll
API String ID: 2574300362-189552057
Opcode ID: b5eaaf0141d6078d17560b1a0c42e59a086fb3de11d860db1d2ac48d1d58cc35
Instruction ID: 6234211f27a0ee7e56edea027cbfabecb5e332b867d42f8a1c4da6211805d416
Opcode Fuzzy Hash: b5eaaf0141d6078d17560b1a0c42e59a086fb3de11d860db1d2ac48d1d58cc35
Instruction Fuzzy Hash: B8C08CB2781300DAC6407BE0BE496A57711E2CAB27330003BFA02F10E0CE3A00148B2D

Function 004012D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 004012EA
GetProcAddress.KERNEL32(00000000), ref: 004012F1

Strings

kernel32.dll, xrefs: 004012E5
SizeofResource, xrefs: 004012E0

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SizeofResource$kernel32.dll
API String ID: 2574300362-1445693867
Opcode ID: 4b093c2f19e2f6703a235c920fd83a05b68be8ff96e2aabb20befe6985bddcc5
Instruction ID: 95eb9911caf4fa21a6ef5e617abe4a02a41252af43e6d184f25434936a232e00
Opcode Fuzzy Hash: 4b093c2f19e2f6703a235c920fd83a05b68be8ff96e2aabb20befe6985bddcc5
Instruction Fuzzy Hash: 48C09B70581300DBC7407BE07F0D60637555645B41312407F7C47F11F0CEB910155B1D

Function 00402970 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 151sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00402A2D
Sleep.KERNEL32(000001F4), ref: 00402A80
Sleep.KERNEL32(000001F4), ref: 00402AD4

Strings

H9@, xrefs: 00402993

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: Sleep
String ID: H9@
API String ID: 3472027048-4187015488
Opcode ID: e1895029d93275b0449bae78078f8bc4f68a4563e2c20b19454be42c37018b9e
Instruction ID: ed3428e1d1f1db40b83d8743f65f7dc7aa56edce5a66b806c87c14721956b620
Opcode Fuzzy Hash: e1895029d93275b0449bae78078f8bc4f68a4563e2c20b19454be42c37018b9e
Instruction Fuzzy Hash: 0F21C9B22802259BD300DF95EF08B567BA9E754759F20807EE684F62E1CEFA50449FDC

Function 0043DB4D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043DBA4

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3032276028-621207024
Opcode ID: 87f197dd41939147b2960925833c34f02f8e43997e3fe373c143eff21418308d
Instruction ID: dce9f84e757b9975d0fb10439ed1db45e8e271f2206ffc939513cdec834887ea
Opcode Fuzzy Hash: 87f197dd41939147b2960925833c34f02f8e43997e3fe373c143eff21418308d
Instruction Fuzzy Hash: 0D911471919244BFDB21AF24CC5ABEB7B6CEF45300F04155AE8495F182C6F8AF05C7AA

Function 0043DB64 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 246threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,?,?), ref: 0043DBD8
CloseHandle.KERNEL32(?,?), ref: 0043DBE1

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 0043DBA4

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3032276028-621207024
Opcode ID: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
Instruction ID: 5af344805ba2772d6342f3969649d82690e290198620cd4628cc3548786ed8a2
Opcode Fuzzy Hash: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
Instruction Fuzzy Hash: F091C271509204BFDB21AF24CC5ABEB7B6CEF45304F04154AE8595F081D6F86F05C7AA

Function 0043ADCE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0019FF0C), ref: 0043AE3D
GetProcAddress.KERNEL32(00000000,0043AED6), ref: 0043AE48

Strings

.DLL, xrefs: 0043AE33

Memory Dump Source

Source File: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 43ccb803021d9cfd7693e2714fab7b3bfa06ff211f52309e9f9144216690baaa
Instruction ID: 8f55d028b36de38a6e506a596eba3baa784fd7a0bb537c1508a25c4d0b69d54c
Opcode Fuzzy Hash: 43ccb803021d9cfd7693e2714fab7b3bfa06ff211f52309e9f9144216690baaa
Instruction Fuzzy Hash: 840126301C2006EACB659F2CC40ABFA3769EF0D342F002016E85A8B651C778DE61CA9F

Function 007710CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(02D6FC44), ref: 0077113D
GetProcAddress.KERNEL32(00000000,007711D6), ref: 00771148

Strings

.DLL, xrefs: 00771133

Memory Dump Source

Source File: 0000000F.00000002.2156079069.0000000000770000.00000040.10000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_770000_hrlC86B.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
Instruction ID: 9f24af38fdc26b0a96e9f22f785c07957ec83affd5888f869503e9f9b454993b
Opcode Fuzzy Hash: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
Instruction Fuzzy Hash: DA01C03021610EEA8F659E2CC849AEA3BACAF043C1FD0C114EA1E8F156D6789E80D795

Function 00401A00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00401A20

Strings

,8@, xrefs: 00401A12
hra%u.dll, xrefs: 00401A0C

Memory Dump Source

Source File: 0000000F.00000002.2154540533.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2154477309.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154598780.0000000000406000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154660412.0000000000408000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.000000000040A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154723608.0000000000419000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154927781.000000000041F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2154974810.0000000000422000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155013972.0000000000428000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155088118.000000000042A000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155170920.0000000000430000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155320274.0000000000432000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155403846.0000000000438000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155499823.000000000043A000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155579021.0000000000441000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000F.00000002.2155640067.0000000000447000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_hrlC86B.jbxd

Similarity

API ID: LibraryLoad
String ID: ,8@$hra%u.dll
API String ID: 1029625771-1682502944
Opcode ID: 35d89bcc790b1656c578160c71392fb5b744eb91aab05cf506bcb9e0b22284b5
Instruction ID: d94e0402731fb128af6b950281fe7e8085e8897a8f6bb0695ae2b7902bddec47
Opcode Fuzzy Hash: 35d89bcc790b1656c578160c71392fb5b744eb91aab05cf506bcb9e0b22284b5
Instruction Fuzzy Hash: C3D0A77059020567C710A770ED4AEA633646B50700F444A3D7686D10D0EABD815CC689

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UV0zBp62hW.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hrlBCA3.tmp_c58139d8be6d964ce7a827dd4433f8741736607a_fdf12c9f_d1783c8b-cb68-4c51-ad0f-963aa2f39ab8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hrlD452.tmp_385e217972a215e311fc37a4ee20ba5f24b17c_085fd521_67a6bf32-e823-49a6-ad0c-97c778b97c1d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hrlDFFA.tmp_21de373451925dcec6af935bf02dc4dddb2532_bf421634_9b6cbb7c-826e-49da-b94b-e0bfc1631c3a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF91.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0BB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0DC.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5C9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD666.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD696.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE21D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE27C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2BB.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Windows Analysis Report
UV0zBp62hW.dll