Edit tour

Windows Analysis Report
9JQ3JboYdz.exe

Overview

General Information

Sample name:	9JQ3JboYdz.exe renamed because original name is a hash value
Original sample name:	fb714d59bcb67c0910c8f4ee0c5f0e62.exe
Analysis ID:	1520443
MD5:	fb714d59bcb67c0910c8f4ee0c5f0e62
SHA1:	f22ffe25d693ccf771b5ae60b373f4c74551b317
SHA256:	25ad9ca13dc1ee44d8c3a3d0fba9365d9e9fd65db1411a0f720dd036d11911f3
Tags:	exeuser-abuse_ch
Infos:

Detection

RunningRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RunningRAT

AI detected suspicious sample

Checks if browser processes are running

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Self deletion via cmd or bat file

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the program root directory (C:\Program Files)

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

9JQ3JboYdz.exe (PID: 4364 cmdline: "C:\Users\user\Desktop\9JQ3JboYdz.exe" MD5: FB714D59BCB67C0910C8F4EE0C5F0E62)

cmd.exe (PID: 4568 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 2792 cmdline: ping 127.0.0.1 -n 1 MD5: B3624DD758CCECF93A1226CEF252CA12)

svchost.exe (PID: 6208 cmdline: C:\Windows\SysWOW64\svchost.exe -k "SySe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

svchost.exe (PID: 7084 cmdline: C:\Windows\SysWOW64\svchost.exe -k "SySe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

SySe.exe (PID: 1612 cmdline: C:\Windows\system32\SySe.exe "c:\program files (x86)\4293750.dll",MainThread MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Running RAT	NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server to change the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system and driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-bugging techniques.	No Attribution	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/	https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
9JQ3JboYdz.exe	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
9JQ3JboYdz.exe	GoldDragon_RunningRAT	Detects Running RAT from Gold Dragon report	Florian Roth	0x402f:$a1: emanybtsohteg 0x405d:$a2: tekcosesolc 0x4089:$a3: emankcosteg 0x4095:$a4: emantsohteg 0x406a:$a5: tpokcostes 0x400e:$a6: putratSASW
9JQ3JboYdz.exe	MALWARE_Win_RunningRAT	Detects RunningRAT	ditekSHen	0x9bb0:$s1: %s%d.dll 0x9cbc:$s2: /c ping 127.0.0.1 -n 0x9cd6:$s3: del /f/q "%s" 0x9ac8:$s4: GUpdate 0x9c8c:$s5: %s\%d.bak 0x9bc5:$s6: "%s",MainThread 0x9bd8:$s7: rundll32.exe 0x4089:$rev1: emankcosteg 0x42ae:$rev3: daerhTniaM,"s%" s% 0x4602:$rev4: s% etadpUllD,"s%" 23lldnuR 0x472f:$rev5: ---DNE yromeMmorFdaoL 0x4724:$rev6: eMnigulP 0x429f:$rev7: exe.23lldnuR\ 0x45a8:$rev8: dnammoc\nepo\llehs\ 0x45df:$rev8: dnammoc\nepo\llehs\ 0x4789:$rev9: "s%" k- exe.tsohcvs\23metsyS\%%tooRmetsyS% 0x402f:$rev10: emanybtsohteg 0x405d:$rev11: tekcosesolc 0x406a:$rev12: tpokcostes 0x4095:$rev13: emantsohteg

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\4293750.dll	MALWARE_Win_RunningRAT	Detects RunningRAT	ditekSHen	0x5534:$s4: GUpdate 0x514c:$s5: %s\%d.bak 0x55e3:$s6: "%s",MainThread 0x50ec:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s" 0x515c:$v2_2: LoadFromMemory END--- 0x51d0:$v2_3: hmProxy!= NULL 0x5284:$v2_4: Rundll32 "%s",DllUpdate %s 0x5610:$v2_6: %d*%sMHz

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2138500502.0000000000403000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
Process Memory Space: 9JQ3JboYdz.exe PID: 4364	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.svchost.exe.10000000.0.unpack	MALWARE_Win_RunningRAT	Detects RunningRAT	ditekSHen	0x5534:$s4: GUpdate 0x514c:$s5: %s\%d.bak 0x55e3:$s6: "%s",MainThread 0x50ec:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s" 0x515c:$v2_2: LoadFromMemory END--- 0x51d0:$v2_3: hmProxy!= NULL 0x5284:$v2_4: Rundll32 "%s",DllUpdate %s 0x5610:$v2_6: %d*%sMHz
0.2.9JQ3JboYdz.exe.4032a0.1.unpack	MALWARE_Win_RunningRAT	Detects RunningRAT	ditekSHen	0x5910:$s1: %s%d.dll 0x5a1c:$s2: /c ping 127.0.0.1 -n 0x5a36:$s3: del /f/q "%s" 0x4934:$s4: GUpdate 0x5828:$s4: GUpdate 0x454c:$s5: %s\%d.bak 0x59ec:$s5: %s\%d.bak 0x49e3:$s6: "%s",MainThread 0x5925:$s6: "%s",MainThread 0x5938:$s7: rundll32.exe 0x44ec:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s" 0x455c:$v2_2: LoadFromMemory END--- 0x45d0:$v2_3: hmProxy!= NULL 0x4684:$v2_4: Rundll32 "%s",DllUpdate %s 0x4a10:$v2_6: %d*%sMHz
7.2.SySe.exe.10000000.1.unpack	MALWARE_Win_RunningRAT	Detects RunningRAT	ditekSHen	0x5534:$s4: GUpdate 0x514c:$s5: %s\%d.bak 0x55e3:$s6: "%s",MainThread 0x50ec:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s" 0x515c:$v2_2: LoadFromMemory END--- 0x51d0:$v2_3: hmProxy!= NULL 0x5284:$v2_4: Rundll32 "%s",DllUpdate %s 0x5610:$v2_6: %d*%sMHz
0.2.9JQ3JboYdz.exe.4032a0.1.raw.unpack	MALWARE_Win_RunningRAT	Detects RunningRAT	ditekSHen	0x6910:$s1: %s%d.dll 0x6a1c:$s2: /c ping 127.0.0.1 -n 0x6a36:$s3: del /f/q "%s" 0x5534:$s4: GUpdate 0x6828:$s4: GUpdate 0x514c:$s5: %s\%d.bak 0x69ec:$s5: %s\%d.bak 0x55e3:$s6: "%s",MainThread 0x6925:$s6: "%s",MainThread 0x6938:$s7: rundll32.exe 0x50ec:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s" 0x515c:$v2_2: LoadFromMemory END--- 0x51d0:$v2_3: hmProxy!= NULL 0x5284:$v2_4: Rundll32 "%s",DllUpdate %s 0x5610:$v2_6: %d*%sMHz
0.0.9JQ3JboYdz.exe.400000.0.unpack	JoeSecurity_RunningRAT	Yara detected RunningRAT	Joe Security
0.0.9JQ3JboYdz.exe.400000.0.unpack	GoldDragon_RunningRAT	Detects Running RAT from Gold Dragon report	Florian Roth	0x402f:$a1: emanybtsohteg 0x405d:$a2: tekcosesolc 0x4089:$a3: emankcosteg 0x4095:$a4: emantsohteg 0x406a:$a5: tpokcostes 0x400e:$a6: putratSASW
0.0.9JQ3JboYdz.exe.400000.0.unpack	MALWARE_Win_RunningRAT	Detects RunningRAT	ditekSHen	0x9bb0:$s1: %s%d.dll 0x9cbc:$s2: /c ping 127.0.0.1 -n 0x9cd6:$s3: del /f/q "%s" 0x9ac8:$s4: GUpdate 0x9c8c:$s5: %s\%d.bak 0x9bc5:$s6: "%s",MainThread 0x9bd8:$s7: rundll32.exe 0x4089:$rev1: emankcosteg 0x42ae:$rev3: daerhTniaM,"s%" s% 0x4602:$rev4: s% etadpUllD,"s%" 23lldnuR 0x472f:$rev5: ---DNE yromeMmorFdaoL 0x4724:$rev6: eMnigulP 0x429f:$rev7: exe.23lldnuR\ 0x45a8:$rev8: dnammoc\nepo\llehs\ 0x45df:$rev8: dnammoc\nepo\llehs\ 0x4789:$rev9: "s%" k- exe.tsohcvs\23metsyS\%%tooRmetsyS% 0x402f:$rev10: emanybtsohteg 0x405d:$rev11: tekcosesolc 0x406a:$rev12: tpokcostes 0x4095:$rev13: emantsohteg
0.2.9JQ3JboYdz.exe.400000.0.unpack	MALWARE_Win_RunningRAT	Detects RunningRAT	ditekSHen	0x9bb0:$s1: %s%d.dll 0x9cbc:$s2: /c ping 127.0.0.1 -n 0x9cd6:$s3: del /f/q "%s" 0x87d4:$s4: GUpdate 0x9ac8:$s4: GUpdate 0x83ec:$s5: %s\%d.bak 0x9c8c:$s5: %s\%d.bak 0x8883:$s6: "%s",MainThread 0x9bc5:$s6: "%s",MainThread 0x9bd8:$s7: rundll32.exe 0x838c:$v2_1: %%SystemRoot%%\System32\svchost.exe -k "%s" 0x83fc:$v2_2: LoadFromMemory END--- 0x8470:$v2_3: hmProxy!= NULL 0x8524:$v2_4: Rundll32 "%s",DllUpdate %s 0x88b0:$v2_6: %d*%sMHz
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe -k "SySe", CommandLine: C:\Windows\SysWOW64\svchost.exe -k "SySe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe -k "SySe", ProcessId: 6208, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE W32.YoungLotus Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:11:24.709461+0200	2814897	1	Malware Command and Control Activity Detected	192.168.2.6	49711	124.221.255.145	8506	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 9JQ3JboYdz.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\4293750.dll

Avira: detection malicious, Label: BDS/Backdoor.Gen7

Multi AV Scanner detection for submitted file

Source: 9JQ3JboYdz.exe

ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\4293750.dll

Joe Sandbox ML: detected

Source: 9JQ3JboYdz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: rundll32.pdb source: svchost.exe, 00000003.00000003.2140658085.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, SySe.exe, SySe.exe, 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, SySe.exe.3.dr
Source:	Binary string: rundll32.pdbGCTL source: svchost.exe, 00000003.00000003.2140658085.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, SySe.exe, 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, SySe.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2814897 - Severity 1 - ETPRO MALWARE W32.YoungLotus Checkin : 192.168.2.6:49711 -> 124.221.255.145:8506

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 124.221.255.145:8506

Source: Joe Sandbox View

ASN Name: JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_1000152B select,memset,recv,

3_2_1000152B

Source: global traffic

DNS traffic detected: DNS query: www.sf2110.com

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\SysWOW64\svchost.exe

Code function: strlen,memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command

3_2_10002BC3

System Summary

Malicious sample detected (through community Yara rule)

Source: 9JQ3JboYdz.exe, type: SAMPLE	Matched rule: Detects Running RAT from Gold Dragon report Author: Florian Roth
Source: 9JQ3JboYdz.exe, type: SAMPLE	Matched rule: Detects RunningRAT Author: ditekSHen
Source: 3.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RunningRAT Author: ditekSHen
Source: 0.2.9JQ3JboYdz.exe.4032a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects RunningRAT Author: ditekSHen
Source: 7.2.SySe.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RunningRAT Author: ditekSHen
Source: 0.2.9JQ3JboYdz.exe.4032a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RunningRAT Author: ditekSHen
Source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Running RAT from Gold Dragon report Author: Florian Roth
Source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RunningRAT Author: ditekSHen
Source: 0.2.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RunningRAT Author: ditekSHen
Source: C:\Program Files (x86)\4293750.dll, type: DROPPED	Matched rule: Detects RunningRAT Author: ditekSHen

Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B640B1 NtQuerySystemInformation,	7_2_00B640B1
Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B65CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	7_2_00B65CF1
Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B64136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	7_2_00B64136
Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B65911 PathIsRelativeW,RtlSetSearchPathMode,SearchPathW,GetFileAttributesW,CreateActCtxW,CreateActCtxWWorker,CreateActCtxWWorker,CreateActCtxWWorker,GetModuleHandleW,CreateActCtxWWorker,ActivateActCtx,SetWindowLongW,GetWindowLongW,GetWindow,memset,GetClassNameW,CompareStringW,GetWindow,GetWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	7_2_00B65911
Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B65D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	7_2_00B65D6A

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_10001F48 strlen,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,

3_2_10001F48

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_10001FBD LoadLibraryA,GetProcAddress,memset,memset,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,WTSGetActiveConsoleSessionId,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,FreeLibrary,

3_2_10001FBD

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_100025A2 ExitWindowsEx,

3_2_100025A2

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Windows\SysWOW64\SySe.exe

Jump to behavior

Source: 9JQ3JboYdz.exe, 00000000.00000000.2138518349.000000000040B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs 9JQ3JboYdz.exe
Source: 9JQ3JboYdz.exe, 00000000.00000002.2165981379.00000000006BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 9JQ3JboYdz.exe
Source: 9JQ3JboYdz.exe	Binary or memory string: OriginalFilename vs 9JQ3JboYdz.exe

Source: 9JQ3JboYdz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 9JQ3JboYdz.exe, type: SAMPLE	Matched rule: GoldDragon_RunningRAT date = 2018-02-03, hash3 = 7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51, hash2 = 2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863, hash1 = 0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88, author = Florian Roth, description = Detects Running RAT from Gold Dragon report, reference = https://goo.gl/rW1yvZ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9JQ3JboYdz.exe, type: SAMPLE	Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 3.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 0.2.9JQ3JboYdz.exe.4032a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 7.2.SySe.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 0.2.9JQ3JboYdz.exe.4032a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: GoldDragon_RunningRAT date = 2018-02-03, hash3 = 7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51, hash2 = 2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863, hash1 = 0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88, author = Florian Roth, description = Detects Running RAT from Gold Dragon report, reference = https://goo.gl/rW1yvZ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 0.2.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: C:\Program Files (x86)\4293750.dll, type: DROPPED	Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@10/2@1/2

Source: C:\Windows\SysWOW64\SySe.exe

Code function: 7_2_00B63C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

7_2_00B63C66

Source: C:\Windows\SysWOW64\svchost.exe

Code function: OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,strlen,StartServiceA,

3_2_10001B5B

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Code function: 0_2_00401794 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,Process32First,Process32Next,lstrcmpiA,CloseHandle,FreeLibrary,

0_2_00401794

Source: C:\Windows\SysWOW64\SySe.exe

Code function: 7_2_00B6205A CoCreateInstance,

7_2_00B6205A

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_10001A43 OpenSCManagerA,OpenServiceA,StartServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle,

3_2_10001A43

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

File created: C:\Program Files (x86)\4293750.dll

Jump to behavior

Source: C:\Windows\SysWOW64\SySe.exe	Mutant created: \Sessions\1\BaseNamedObjects\www.sf2110.com:8506:SySe
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03

Source: C:\Windows\SysWOW64\SySe.exe	Command line argument: WLDP.DLL		7_2_00B64136
Source: C:\Windows\SysWOW64\SySe.exe	Command line argument: localserver		7_2_00B64136

Source: 9JQ3JboYdz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9JQ3JboYdz.exe

ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\9JQ3JboYdz.exe "C:\Users\user\Desktop\9JQ3JboYdz.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "SySe"
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "SySe"
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\SySe.exe C:\Windows\system32\SySe.exe "c:\program files (x86)\4293750.dll",MainThread
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\SySe.exe C:\Windows\system32\SySe.exe "c:\program files (x86)\4293750.dll",MainThread	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1	Jump to behavior

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: mfc42.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source:	Binary string: rundll32.pdb source: svchost.exe, 00000003.00000003.2140658085.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, SySe.exe, SySe.exe, 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, SySe.exe.3.dr
Source:	Binary string: rundll32.pdbGCTL source: svchost.exe, 00000003.00000003.2140658085.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, SySe.exe, 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, SySe.exe.3.dr

Source: SySe.exe.3.dr

Static PE information: 0x6A8F1B39 [Wed Aug 26 16:58:33 2026 UTC]

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Code function: 0_2_00401B6B LoadLibraryA,GetProcAddress,__p__pgmptr,sprintf,GetCurrentProcess,SetPriorityClass,GetCurrentThread,SetThreadPriority,ShellExecuteA,

0_2_00401B6B

Source: SySe.exe.3.dr

Static PE information: section name: .didat

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_10004C68 push eax; ret	3_2_10004C86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_10004CA0 push eax; ret	3_2_10004CCE
Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B66883 push ecx; ret	7_2_00B66896
Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B6682D push ecx; ret	7_2_00B66840

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\svchost.exe

Executable created and started: C:\Windows\SysWOW64\SySe.exe

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Windows\SysWOW64\SySe.exe			Jump to dropped file
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	File created: C:\Program Files (x86)\4293750.dll			Jump to dropped file

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

File created: C:\Program Files (x86)\4293750.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Windows\SysWOW64\SySe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SySe

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_10001A43 OpenSCManagerA,OpenServiceA,StartServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle,

3_2_10001A43

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process created: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe"
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process created: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe"			Jump to behavior

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Code function: 0_2_00402400 IsIconic,

0_2_00402400

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_1000265E OpenEventLogA,ClearEventLogA,CloseEventLog,

3_2_1000265E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_10003E6B LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,

3_2_10003E6B

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-373

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 2720	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 7277	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe	Window / User API: threadDelayed 1386	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-1603

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Dropped PE file which has not been started: C:\Program Files (x86)\4293750.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\svchost.exe TID: 3924	Thread sleep count: 2720 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3924	Thread sleep time: -2720000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3924	Thread sleep count: 7277 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 3924	Thread sleep time: -7277000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe TID: 5004	Thread sleep count: 1386 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe TID: 5004	Thread sleep time: -693000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe TID: 5004	Thread sleep count: 105 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\SySe.exe TID: 5004	Thread sleep time: -52500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SySe.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SySe.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_1000358C GetSystemInfo,wsprintfA,

3_2_1000358C

Source: 9JQ3JboYdz.exe, 00000000.00000002.2165981379.00000000006BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\YVRO
Source: SySe.exe, 00000007.00000002.4610196471.0000000000787000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\SySe.exe

API call chain: ExitProcess graph end node

graph_7-2033

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\SySe.exe

Code function: 7_2_00B65E4F LdrResolveDelayLoadedAPI,

7_2_00B65E4F

Source: C:\Windows\SysWOW64\SySe.exe

Code function: 7_2_00B625B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

7_2_00B625B2

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe

Code function: 0_2_00401B6B LoadLibraryA,GetProcAddress,__p__pgmptr,sprintf,GetCurrentProcess,SetPriorityClass,GetCurrentThread,SetThreadPriority,ShellExecuteA,

0_2_00401B6B

Source: C:\Windows\SysWOW64\SySe.exe

Code function: 7_2_00B63F6B mov esi, dword ptr fs:[00000030h]

7_2_00B63F6B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_10003D5D FreeLibrary,free,VirtualFree,GetProcessHeap,HeapFree,

3_2_10003D5D

Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B661C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_00B661C0
Source: C:\Windows\SysWOW64\SySe.exe	Code function: 7_2_00B66510 SetUnhandledExceptionFilter,		7_2_00B66510

Source: C:\Users\user\Desktop\9JQ3JboYdz.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_1000304F wsprintfA,strlen,strlen,strlen,GetLocalTime,wsprintfA,strlen,

3_2_1000304F

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_1000336E ServiceMain,strncpy,wcstombs,RegisterServiceCtrlHandlerA,FreeConsole,GetVersionExA,MainThread,GetCurrentDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetSystemDirectoryA,lstrcatA,CopyFileA,GetFileAttributesA,GetLastError,wsprintfA,GetModuleFileNameA,wsprintfA,Sleep,GetExitCodeProcess,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,

3_2_1000336E

Source: 9JQ3JboYdz.exe

Binary or memory string: 360tray.exe

Stealing of Sensitive Information

Yara detected RunningRAT

Source: Yara match	File source: 9JQ3JboYdz.exe, type: SAMPLE
Source: Yara match	File source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2138500502.0000000000403000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9JQ3JboYdz.exe PID: 4364, type: MEMORYSTR

Remote Access Functionality

Yara detected RunningRAT

Source: Yara match	File source: 9JQ3JboYdz.exe, type: SAMPLE
Source: Yara match	File source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2138500502.0000000000403000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9JQ3JboYdz.exe PID: 4364, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Timestomp	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Service Execution	22 Windows Service	1 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	4 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	22 Windows Service	1 File Deletion	NTDS	31 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	131 Masquerading	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Valid Accounts	Cached Domain Credentials	12 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Indicator Removal	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9JQ3JboYdz.exe	95%	ReversingLabs	Win32.Backdoor.Venik
9JQ3JboYdz.exe	100%	Avira	TR/AD.Farfli.qqkhu

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\4293750.dll	100%	Avira	BDS/Backdoor.Gen7
C:\Program Files (x86)\4293750.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\SySe.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.sf2110.com	124.221.255.145	true	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
124.221.255.145	www.sf2110.com	China		45361	JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520443
Start date and time:	2024-09-27 11:10:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9JQ3JboYdz.exe renamed because original name is a hash value
Original Sample Name:	fb714d59bcb67c0910c8f4ee0c5f0e62.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@10/2@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 84
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 9JQ3JboYdz.exe

Simulations

Behavior and APIs

Time	Type	Description
05:12:04	API Interceptor	8342554x Sleep call for process: svchost.exe modified
05:12:12	API Interceptor	1431x Sleep call for process: SySe.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR	http://www.dh91l.icu/	Get hash	malicious	Unknown	Browse	124.221.80.91
	https://qwehikd-asdu.xyz/	Get hash	malicious	Unknown	Browse	124.222.174.117
	https://geminishdw-dws.top/	Get hash	malicious	Unknown	Browse	124.221.80.91
	https://geminiqwc-sw.top/	Get hash	malicious	Unknown	Browse	124.221.80.91
	https://qwekorqw-eqo.top/	Get hash	malicious	Unknown	Browse	124.222.174.117
	https://qwoms-dei3.top/	Get hash	malicious	Unknown	Browse	124.220.205.65
	https://saihdqq-yadq.xyz/	Get hash	malicious	Unknown	Browse	124.220.205.65
	https://soqmd-gm.top/	Get hash	malicious	Unknown	Browse	124.221.80.91
	https://sklqms-dp3.top/	Get hash	malicious	Unknown	Browse	124.221.80.91
	https://dsldiqos-erqs.xyz/	Get hash	malicious	Unknown	Browse	124.220.203.60

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SysWOW64\SySe.exe	2Syx0ZLsgo.exe	Get hash	malicious	RunningRAT	Browse
	I6A09pYeTA.exe	Get hash	malicious	RunningRAT	Browse
	ExeFile (24).exe	Get hash	malicious	RunningRAT	Browse
	ExeFile (119).exe	Get hash	malicious	RunningRAT	Browse
	ExeFile (118).exe	Get hash	malicious	RunningRAT	Browse
	ExeFile (20).exe	Get hash	malicious	Gh0stCringe, RunningRAT	Browse
	LisectAVT_2403002A_160.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT, XRed	Browse
	dPs664opQr.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT	Browse
	SraTIeD668.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT	Browse
	S6FxbFJNYp.exe	Get hash	malicious	Gh0stCringe, GhostRat, Mimikatz, RunningRAT	Browse

Created / dropped Files

C:\Program Files (x86)\4293750.dll

Download File

Process:	C:\Users\user\Desktop\9JQ3JboYdz.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	6.0728598875843725
Encrypted:	false
SSDEEP:	384:8T9IWqIwt10zr6lXYhCRdkyurLmC2S1xJrQcWrH/RUAMO0MY0holUxHdlkq4tKDV:8ht+Izr6pqRrLuS1vzWpaGZHdqYDG
MD5:	CB0426D467A62C8DC63180E84FE2FDD2
SHA1:	15BF72ABB1C002DD3B67200BAC22310AAFAB6D9C
SHA-256:	73B2AC758264A2822AE0C61A414648F37FA1FEC0C2EF125C51D7B1AD975220C8
SHA-512:	24199C817521D24441B86957D9860407D47DBD3B6D0FFEDF602A9D6D1039ACE784AB01E4491785861929D7BC4BF633B90FD06C77B7201E238C4368C1307AB980
Malicious:	true
Yara Hits:	Rule: MALWARE_Win_RunningRAT, Description: Detects RunningRAT, Source: C:\Program Files (x86)\4293750.dll, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........d...d...d..#G...d..x...d..{...d..zx...d..{...d..{...d...d...d...d..d..:k...d...B...d...D...d..Rich.d..........PE..L....w.T...........!.....@...$.......N.......P......................................................................pZ.......T..d............................p.......................................................P..$............................text....?.......@.................. ..`.rdata.......P.......D..............@..@.data........`.......P..............@....reloc..d....p.......^..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\SySe.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	6.199746098562656
Encrypted:	false
SSDEEP:	1536:H9ykYCTdiHQKrFXmw2RQln5IUmDjoX6+:HlMHprF2nRQln5I
MD5:	889B99C52A60DD49227C5E485A016679
SHA1:	8FA889E456AA646A4D0A4349977430CE5FA5E2D7
SHA-256:	6CBE0E1F046B13B29BFA26F8B368281D2DDA7EB9B718651D5856F22CC3E02910
SHA-512:	08933106EAF338DD119C45CBF1F83E723AFF77CC0F8D3FC84E36253B1EB31557A54211D1D5D1CB58958188E32064D451F6C66A24B3963CCCD3DE07299AB90641
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2Syx0ZLsgo.exe, Detection: malicious, Browse Filename: I6A09pYeTA.exe, Detection: malicious, Browse Filename: ExeFile (24).exe, Detection: malicious, Browse Filename: ExeFile (119).exe, Detection: malicious, Browse Filename: ExeFile (118).exe, Detection: malicious, Browse Filename: ExeFile (20).exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_160.exe, Detection: malicious, Browse Filename: dPs664opQr.exe, Detection: malicious, Browse Filename: SraTIeD668.exe, Detection: malicious, Browse Filename: S6FxbFJNYp.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.....^...^...^.pb^...^.c._...^.c._...^...^c..^.c._...^.c._...^.c._...^.c.^...^.c._...^Rich...^........PE..L...9..j.................b...........a............@..........................@............@.............................................hg...................0..........T........................... ........................m..`....................text...La.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat...............~..............@....rsrc...hg.......h..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.246733903202193
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9JQ3JboYdz.exe
File size:	49'152 bytes
MD5:	fb714d59bcb67c0910c8f4ee0c5f0e62
SHA1:	f22ffe25d693ccf771b5ae60b373f4c74551b317
SHA256:	25ad9ca13dc1ee44d8c3a3d0fba9365d9e9fd65db1411a0f720dd036d11911f3
SHA512:	24dac934a89ab30379331251749947af7817ed4c661a5b247a12177d1c3c04593da274eeea9ebfb7c6f7329916f03eb2c6c0a2d18b99358d8d14b6de48a33393
SSDEEP:	768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67GhPC:Ub1MsHz3JDwhyWr+N95OTga69
TLSH:	6E236D01730470A6D75693726AFB922F84593EB20BB824CBF7D44D0E19F49D5B93A42B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9..tW..tW..tW..h[..tW..{...tW.DhY..tW..k]..tW..kS..tW..RS..tW..tV.[tW..R\..tW..rQ..tW.Rich.tW.........PE..L....w.T...........

File Icon


Icon Hash:	71b018dccec77331

Static PE Info

General

Entrypoint:	0x4028d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x54FD77CC [Mon Mar 9 10:37:00 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	24ffff844f7eed74e1f1064cc9840ba9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040A070h
push 004028CCh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004031FCh]
pop ecx
or dword ptr [0040A298h], FFFFFFFFh
or dword ptr [0040A29Ch], FFFFFFFFh
call dword ptr [00403200h]
mov ecx, dword ptr [0040A28Ch]
mov dword ptr [eax], ecx
call dword ptr [00403204h]
mov ecx, dword ptr [0040A288h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00403208h]
mov eax, dword ptr [eax]
mov dword ptr [0040A294h], eax
call 00007F589CBCA83Bh
cmp dword ptr [00409D60h], ebx
jne 00007F589CBCA72Eh
push 00402A54h
call dword ptr [0040320Ch]
pop ecx
call 00007F589CBCA80Dh
push 00403294h
push 00403290h
call 00007F589CBCA7F8h
mov eax, dword ptr [0040A284h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0040A280h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00403214h]
push 0040328Ch
push 00403280h
call 00007F589CBCA7C5h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa2a0	0x64	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb000	0xa98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0x280	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b83	0x2000	af004437d972dc872368f31fffd6aaa6	False	0.4327392578125	data	5.330045711780258	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x78b6	0x8000	925d51730b9cce1ad4e9c44bb9cd6285	False	0.495697021484375	data	5.749651963507455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb000	0xa98	0x1000	c41cc8dcf2debdfbcfbd52158b76ca73	False	0.26123046875	data	2.5169812284194717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb160	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.33064516129032256
RT_ICON	0xb448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.4391891891891892
RT_DIALOG	0xb598	0x1c6	data	Chinese	China	0.5682819383259912
RT_GROUP_ICON	0xb570	0x22	data	Chinese	China	1.0
RT_VERSION	0xb760	0x338	data	French	France	0.45024271844660196

Imports

DLL	Import
MFC42.DLL
MSVCRT.dll	_controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, _except_handler3, memset, __p__pgmptr, sprintf, memcpy, _access, __CxxFrameHandler, strstr, _setmbcp, _mkdir
KERNEL32.dll	CloseHandle, CreateFileA, FreeLibrary, GetTickCount, GetFileAttributesA, ExpandEnvironmentStringsA, GetLastError, GetProcAddress, LoadLibraryA, lstrcpyA, GetCommandLineA, Sleep, lstrcmpiA, SetThreadPriority, GetCurrentThread, SetPriorityClass, GetCurrentProcess, GetModuleHandleA, GetStartupInfoA, WriteFile
USER32.dll	SendMessageA, IsIconic, GetClientRect, EnableWindow, LoadIconA, GetSystemMetrics, wsprintfA, DrawIcon

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
French	France

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T11:11:24.709461+0200	2814897	ETPRO MALWARE W32.YoungLotus Checkin	1	192.168.2.6	49711	124.221.255.145	8506	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 11:11:33.295403957 CEST	49711	8506	192.168.2.6	124.221.255.145
Sep 27, 2024 11:11:33.300436974 CEST	8506	49711	124.221.255.145	192.168.2.6
Sep 27, 2024 11:11:33.300549984 CEST	49711	8506	192.168.2.6	124.221.255.145
Sep 27, 2024 11:11:34.042504072 CEST	49711	8506	192.168.2.6	124.221.255.145
Sep 27, 2024 11:11:34.047379971 CEST	8506	49711	124.221.255.145	192.168.2.6
Sep 27, 2024 11:11:48.026493073 CEST	8506	49711	124.221.255.145	192.168.2.6
Sep 27, 2024 11:11:48.068775892 CEST	49711	8506	192.168.2.6	124.221.255.145
Sep 27, 2024 11:12:48.895733118 CEST	8506	49711	124.221.255.145	192.168.2.6
Sep 27, 2024 11:12:48.959527016 CEST	49711	8506	192.168.2.6	124.221.255.145
Sep 27, 2024 11:13:49.696609974 CEST	8506	49711	124.221.255.145	192.168.2.6
Sep 27, 2024 11:13:49.772106886 CEST	49711	8506	192.168.2.6	124.221.255.145
Sep 27, 2024 11:14:50.545175076 CEST	8506	49711	124.221.255.145	192.168.2.6
Sep 27, 2024 11:14:50.663079977 CEST	49711	8506	192.168.2.6	124.221.255.145

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 11:11:32.741568089 CEST	62537	53	192.168.2.6	1.1.1.1
Sep 27, 2024 11:11:33.288966894 CEST	53	62537	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 11:11:32.741568089 CEST	192.168.2.6	1.1.1.1	0xa90b	Standard query (0)	www.sf2110.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 11:11:33.288966894 CEST	1.1.1.1	192.168.2.6	0xa90b	No error (0)	www.sf2110.com		124.221.255.145	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:11:27
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\9JQ3JboYdz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9JQ3JboYdz.exe"
Imagebase:	0x400000
File size:	49'152 bytes
MD5 hash:	FB714D59BCB67C0910C8F4EE0C5F0E62
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RunningRAT, Description: Yara detected RunningRAT, Source: 00000000.00000000.2138500502.0000000000403000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:11:27
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe -k "SySe"
Imagebase:	0x860000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:11:28
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe -k "SySe"
Imagebase:	0x860000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:11:30
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:11:30
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:11:30
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 1
Imagebase:	0xa30000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:11:32
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\SySe.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\SySe.exe "c:\program files (x86)\4293750.dll",MainThread
Imagebase:	0xb60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.3%
Total number of Nodes:	179
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401794 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 67
libraryloaderprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 004017A8
GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 004017BA
GetProcAddress.KERNEL32(?,Process32First), ref: 004017CF
GetProcAddress.KERNEL32(?,Process32Next), ref: 004017E1
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004017F5
Process32First.KERNEL32(00000000,00000128), ref: 00401819
Process32Next.KERNEL32(00000000,00000128), ref: 0040182C
lstrcmpiA.KERNEL32(00000000,?), ref: 00401843
CloseHandle.KERNELBASE(00000000), ref: 0040185C
FreeLibrary.KERNEL32(00000000), ref: 0040186C

Strings

CreateToolhelp32Snapshot, xrefs: 004017B1
Process32First, xrefs: 004017C6
Process32Next, xrefs: 004017D8
kernel32.dll, xrefs: 004017A3

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: AddressProc$LibraryProcess32$CloseCreateFirstFreeHandleLoadNextSnapshotToolhelp32lstrcmpi
String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
API String ID: 653906424-4285911020
Opcode ID: 1fd417c11413756bd4715d1432974552d424e7ffcafe747e360662e6f791f9bc
Instruction ID: e698cd54efef0762fd02a762dd22e0b3df5000b7872fc78e3db917c3bca36737
Opcode Fuzzy Hash: 1fd417c11413756bd4715d1432974552d424e7ffcafe747e360662e6f791f9bc
Instruction Fuzzy Hash: 39210E75D41218EFDB10EFA0D949BEEBBB8FB48301F10846AE505B2290D7749B80CF54

Function 00401B6B Relevance: 24.5, APIs: 9, Strings: 5, Instructions: 48
librarythreadloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(shell32.dll,?), ref: 00401B80
GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 00401B98
__p__pgmptr.MSVCRT ref: 00401BBA
sprintf.MSVCRT ref: 00401BCF
GetCurrentProcess.KERNEL32(00000100), ref: 00401BDD
SetPriorityClass.KERNELBASE(00000000), ref: 00401BE4
GetCurrentThread.KERNEL32 ref: 00401BEC
SetThreadPriority.KERNELBASE(00000000), ref: 00401BF3
ShellExecuteA.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00401C10

Strings

shell32.dll, xrefs: 00401B7B
ShellExecuteA, xrefs: 00401B8C
open, xrefs: 00401C09
/c ping 127.0.0.1 -n 1 && del /f/q "%s", xrefs: 00401BC3
cmd.exe, xrefs: 00401C04

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: CurrentPriorityThread$AddressClassExecuteLibraryLoadProcProcessShell__p__pgmptrsprintf
String ID: /c ping 127.0.0.1 -n 1 && del /f/q "%s"$ShellExecuteA$cmd.exe$open$shell32.dll
API String ID: 239697722-3584563708
Opcode ID: 7249951d3074dcb4a7fe4bb46aef8e51ce1700dc43be1304f4320e222d999fe6
Instruction ID: 03b7caf6ff0ed763f8f9b181b84943af9cfe637eb8e7dbc85a8f0fb9157acd93
Opcode Fuzzy Hash: 7249951d3074dcb4a7fe4bb46aef8e51ce1700dc43be1304f4320e222d999fe6
Instruction Fuzzy Hash: 5A11A171E44208ABEB109FA4DD0ABD9BB7CAB08702F0000B5F645F61D1CBF45A848F69

Function 00401134 Relevance: 115.8, APIs: 42, Strings: 24, Instructions: 337
sleeplibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#2621.MFC42 ref: 00401162
Sleep.KERNELBASE(00000000), ref: 0040116A
GetCommandLineA.KERNEL32 ref: 00401170
strstr.MSVCRT ref: 00401188
Sleep.KERNELBASE(00000000), ref: 004011AF
wsprintfA.USER32 ref: 004011DE

Part of subcall function 00401C18: memset.MSVCRT ref: 00401C59
Part of subcall function 00401C18: memset.MSVCRT ref: 00401C69
Part of subcall function 00401C18: LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 00401C76
Part of subcall function 00401C18: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 00401C8E
Part of subcall function 00401C18: GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 00401CA3
Part of subcall function 00401C18: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 00401CB8
Part of subcall function 00401C18: FreeLibrary.KERNEL32(00000000), ref: 00401D62

lstrcpyA.KERNEL32(SySe,?,80000002,?,DisplayName,00000001,System Rete Da mula), ref: 0040121E

Part of subcall function 00401C18: lstrcpyA.KERNEL32(?,?), ref: 00401D1F

wsprintfA.USER32 ref: 0040125A
Sleep.KERNEL32(00000000), ref: 00401307
LoadLibraryA.KERNELBASE(shell32.dll), ref: 00401312
GetProcAddress.KERNEL32(?,ShellExecuteA), ref: 0040132A
Sleep.KERNELBASE(00000000), ref: 00401338
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00401343
GetProcAddress.KERNEL32(?,CreateMutexA), ref: 0040135B
Sleep.KERNELBASE(00000001), ref: 00401369
GetProcAddress.KERNEL32(?,ReleaseMutex), ref: 0040137B
wsprintfA.USER32 ref: 004013A4
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 004013B8
GetLastError.KERNEL32 ref: 004013CD
CloseHandle.KERNEL32(00000000), ref: 004013F6
Sleep.KERNEL32(00000000), ref: 004013FE
GetProcAddress.KERNEL32(?,GetVersionExA), ref: 00401410
Sleep.KERNEL32(00000000), ref: 0040142F
ExpandEnvironmentStringsA.KERNEL32(%ProgramFiles%\,?,00000104), ref: 00401446
Sleep.KERNEL32(00000000), ref: 0040144E
GetFileAttributesA.KERNELBASE(?), ref: 0040145B
ExpandEnvironmentStringsA.KERNEL32(%Temp%\,?,00000104), ref: 00401489
#537.MFC42(?), ref: 0040149E

Part of subcall function 004016EB: _access.MSVCRT ref: 00401714

#800.MFC42(?,?), ref: 004014C9
GetFileAttributesA.KERNEL32(?,?,?), ref: 004014D5
GetTickCount.KERNEL32 ref: 004014E2
wsprintfA.USER32 ref: 004014FC
Sleep.KERNEL32(00000000), ref: 00401507
Sleep.KERNEL32(00000000,00000000), ref: 00401546
LoadLibraryA.KERNELBASE(00000000,360tray.exe), ref: 004015C7
Sleep.KERNELBASE(00000000), ref: 004015E2
GetProcAddress.KERNEL32(00000000,Install), ref: 004015F4
wsprintfA.USER32 ref: 00401662
FreeLibrary.KERNEL32(00000000), ref: 00401698
Sleep.KERNEL32(00000000), ref: 004016A0
FreeLibrary.KERNELBASE(00000000), ref: 004016AD
Sleep.KERNELBASE(00000000), ref: 004016D2

Strings

SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 0040124E
GUpdate, xrefs: 0040117C
SYSTEM\CurrentControlSet\Services\%s, xrefs: 004011D2
Description, xrefs: 0040122B
open, xrefs: 0040167B
360tray.exe, xrefs: 004015A0, 004015A6
DisplayName, xrefs: 004011EE
%s:%d:%s, xrefs: 00401398
%Temp%\, xrefs: 00401484
shell32.dll, xrefs: 0040130D
ServiceDll, xrefs: 004012B9, 004012BF
www.sf2110.com, xrefs: 00401393
%ProgramFiles%\, xrefs: 00401441
ReleaseMutex, xrefs: 0040136F
"%s",MainThread, xrefs: 00401656
kernel32.dll, xrefs: 0040133E
rundll32.exe, xrefs: 00401676
GetVersionExA, xrefs: 00401404
System Rete Da mula, xrefs: 004011E7
Install, xrefs: 004015E8
ShellExecuteA, xrefs: 0040131E
SySe, xrefs: 00401219, 00401387
%s%d.dll, xrefs: 004014F0
CreateMutexA, xrefs: 0040134F

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: Sleep$AddressProc$Library$wsprintf$Load$Free$AttributesEnvironmentExpandFileStringslstrcpymemset$#2621#537#800CloseCommandCountCreateErrorHandleLastLineMutexTick_accessstrstr
String ID: "%s",MainThread$%ProgramFiles%\$%Temp%\$%s%d.dll$%s:%d:%s$360tray.exe$CreateMutexA$Description$DisplayName$GUpdate$GetVersionExA$Install$ReleaseMutex$SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll$ShellExecuteA$SySe$System Rete Da mula$kernel32.dll$open$rundll32.exe$shell32.dll$www.sf2110.com
API String ID: 2440389195-460911923
Opcode ID: 33c2655f0df4c5bdb74095cc6ef8f893952d5ebb8828a241915ac991c88762e1
Instruction ID: 3e4d9021d073eed2ebaccca2140894c21fcc0a3ec56120faac2ae3b4723efbfb
Opcode Fuzzy Hash: 33c2655f0df4c5bdb74095cc6ef8f893952d5ebb8828a241915ac991c88762e1
Instruction Fuzzy Hash: 68E17E70945258DFEB20DB64CD49BDEBB79AB44306F0041EAE109B62E1CB795F84CF29

Function 004028D2 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 004028FF
__p__fmode.MSVCRT ref: 00402914
__p__commode.MSVCRT ref: 00402922
__setusermatherr.MSVCRT ref: 0040294E
_initterm.MSVCRT ref: 00402964
__getmainargs.MSVCRT ref: 00402987
_initterm.MSVCRT ref: 00402997
GetStartupInfoA.KERNEL32(?), ref: 004029D6
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004029FA
exit.KERNELBASE ref: 00402A0A
_XcptFilter.MSVCRT ref: 00402A1C

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: c6672fdfefc484d33459fe495202c256ca6675a5ab502eee85e92a4fdfc38f08
Instruction ID: 41b20fb36615245da369ed675267998572c4bc05a5f1d3210e4b8a6eebd3b03a
Opcode Fuzzy Hash: c6672fdfefc484d33459fe495202c256ca6675a5ab502eee85e92a4fdfc38f08
Instruction Fuzzy Hash: 1C415DB1A40308AFDB209FA4DA49A5ABFA8AB09711F20017FF451B73E1D7B84941CB59

Function 00401000 Relevance: 4.5, APIs: 3, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0040101D
WriteFile.KERNELBASE(000000FF,004032A0,00006600,?,00000000), ref: 00401044
CloseHandle.KERNELBASE(000000FF), ref: 00401056

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 503e30a7f5baba76d2006de02f8aabc9fecde34cd01d4e51a3acff696a7f97a2
Instruction ID: 0b57e97574c49083c60be4e0953d33bf3402ecf870afa031020ca03fe4ac14e9
Opcode Fuzzy Hash: 503e30a7f5baba76d2006de02f8aabc9fecde34cd01d4e51a3acff696a7f97a2
Instruction Fuzzy Hash: 36F06234E41348FBEB10DFA49D0AF9E7F785B04705F2081A4F6507B2C1C6B96B008B58

Function 00401AEE Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(-004032A0,www.sf2110.com,00000228,?,?,?,?,?,?,0040151F), ref: 00401B42

Strings

www.sf2110.com, xrefs: 00401B34

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: memcpy
String ID: www.sf2110.com
API String ID: 3510742995-1396719888
Opcode ID: 1d9d4e6a103436fa6d4a87c3801ee709b09ed6f15207dc39c5cfe36b8e263f2a
Instruction ID: 35b040e23320f7c57e1bee8842fc800d469dc723e7eedb9ee6c7bb718427654e
Opcode Fuzzy Hash: 1d9d4e6a103436fa6d4a87c3801ee709b09ed6f15207dc39c5cfe36b8e263f2a
Instruction Fuzzy Hash: CDF09671E80304B7EB10AE609D47B6A36685B21745F2040BBF904772D2F67E7725529D

Function 00402A60 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#1576.MFC42(00402A06,00402A06,00402A06,00402A06,00402A06,00000000,?,0000000A), ref: 00402A70

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction ID: 2e8f5fa0b2b7dc8462a5570c84725da21d48d42b60ee068d54710228b117be70
Opcode Fuzzy Hash: 371cf650558777b7497c1cc85ae61873b6a5021e63d3067b0ccf166c38b5e6e7
Instruction Fuzzy Hash: BFB00836118386ABCB12EE95890592ABAA6BB98304F484C1DB2A1500A287668428EB16

Non-executed Functions

Function 00402400 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(E8844D8D), ref: 0040240E

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 1ee85660d1dedbebd5f403de0e96ef1f5b119a627276ba2acc2b378afb4465c5
Instruction ID: 5de610e982ba27cc53666b937cb18e62fe31540b2012b128af7b5849c0221d0a
Opcode Fuzzy Hash: 1ee85660d1dedbebd5f403de0e96ef1f5b119a627276ba2acc2b378afb4465c5
Instruction Fuzzy Hash: 09C012B090820CAB8708CF98EA00C29BBACEB09301B0002DCF808933008A32AE009A98

Function 0040187B Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040188F
GetProcAddress.KERNEL32(?,GetModuleFileNameA), ref: 004018A7
GetProcAddress.KERNEL32(?,GetSystemDirectoryA), ref: 004018BF
GetProcAddress.KERNEL32(?,MoveFileA), ref: 004018D7
GetProcAddress.KERNEL32(?,MoveFileExA), ref: 004018EF
GetTickCount.KERNEL32 ref: 00401921
wsprintfA.USER32 ref: 0040193B
FreeLibrary.KERNEL32(00000000), ref: 00401979

Strings

GetModuleFileNameA, xrefs: 0040189B
kernel32.dll, xrefs: 0040188A
GetSystemDirectoryA, xrefs: 004018B3
MoveFileA, xrefs: 004018CB
MoveFileExA, xrefs: 004018E3
%s\%d.bak, xrefs: 0040192F

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: AddressProc$Library$CountFreeLoadTickwsprintf
String ID: %s\%d.bak$GetModuleFileNameA$GetSystemDirectoryA$MoveFileA$MoveFileExA$kernel32.dll
API String ID: 2704705959-706646508
Opcode ID: 439d6103ebf8e8c0a2e54ea9977356cebfa60b531f2e9e129bb2cebecea63de2
Instruction ID: 278943a665a34f5de4912a77712433a3c03d867667eba4ba3f010f6a07107de3
Opcode Fuzzy Hash: 439d6103ebf8e8c0a2e54ea9977356cebfa60b531f2e9e129bb2cebecea63de2
Instruction Fuzzy Hash: B12151B5D85218ABEB20DF60CC8DBE9BB78EB54701F1041E5A649B2191DBB49FC0CF64

Function 00401C18 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 95
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401C59
memset.MSVCRT ref: 00401C69
LoadLibraryA.KERNEL32(ADVAPI32.dll), ref: 00401C76
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 00401C8E
GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 00401CA3
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 00401CB8
lstrcpyA.KERNEL32(?,?), ref: 00401D1F
FreeLibrary.KERNEL32(00000000), ref: 00401D62

Strings

ADVAPI32.dll, xrefs: 00401C71
RegQueryValueExA, xrefs: 00401C97
RegCloseKey, xrefs: 00401CAC
RegOpenKeyExA, xrefs: 00401C82

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: AddressProc$Librarymemset$FreeLoadlstrcpy
String ID: ADVAPI32.dll$RegCloseKey$RegOpenKeyExA$RegQueryValueExA
API String ID: 3313493744-123098875
Opcode ID: 6cfc459c3633b96d3d6a7f6576698e4911ea3d3d1c7daab3c8c40142335194e9
Instruction ID: ee5ed84a35279ae09bc0a5aec9c8e8049356c5a81716acae3ba6bb287f67954d
Opcode Fuzzy Hash: 6cfc459c3633b96d3d6a7f6576698e4911ea3d3d1c7daab3c8c40142335194e9
Instruction Fuzzy Hash: 93314FB5940218ABDB10DF90DD85FDEBBB8AF48710F10416AF605B62D0D778AE44CF64

Function 004020F5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#355.MFC42(00000000,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 00402133
#2515.MFC42(00000000,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 00402145
#540.MFC42(00000000,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 0040217A
#2818.MFC42(?,00409D58,?,00000000,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 00402190
#3499.MFC42(?,?,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 004021C5
#6907.MFC42(?,00000001,00000000,?,?,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 004021FB
#800.MFC42(?,00000001,00000000,?,?,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 0040220A
#800.MFC42(?,00000001,00000000,?,?,00000000,00000000,00000004,All Files (*.*)|*.*||,?), ref: 00402216

Part of subcall function 004022C0: #800.MFC42(?,00000000,00402B79,000000FF,?,0040222D,?,00000001,00000000,?,?,00000000), ref: 004022EC

Strings

All Files (*.*)|*.*||, xrefs: 00402120

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: #800$#2515#2818#3499#355#540#6907
String ID: All Files (*.*)|*.*||
API String ID: 1584807323-1256402831
Opcode ID: 4922d2615448acd3483173aa7a39ffc0c03dd6e8f39ba40f8db02418d57e1958
Instruction ID: c5d4932d0e26176f48f047347bf5286b918a9edaf58949088f637132c46f74e5
Opcode Fuzzy Hash: 4922d2615448acd3483173aa7a39ffc0c03dd6e8f39ba40f8db02418d57e1958
Instruction Fuzzy Hash: D0316D7198011CABCB14EB94CE5ABEDB774BB10304F1042AEE115772C1DAB41E44CB69

Function 004016EB Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_access.MSVCRT ref: 00401714
#5683.MFC42(0000005C,?,?,?,?,?,?), ref: 00401735
#4129.MFC42(?,00000000,0000005C,?,?,?,?,?,?), ref: 00401742
#800.MFC42(?,00000000,0000005C,?,?,?,?,?), ref: 0040176D
_mkdir.MSVCRT ref: 0040177B

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: #4129#5683#800_access_mkdir
String ID:
API String ID: 2252135049-0
Opcode ID: fe9398ada3c2d6f7717ef24858e2bc8e3691a59763239764df60b612b1b35ab5
Instruction ID: e64eea6ac71e0944d3c5090b23e1d4b3a6541fea866ff8cfdbd13ca0f40ae5ed
Opcode Fuzzy Hash: fe9398ada3c2d6f7717ef24858e2bc8e3691a59763239764df60b612b1b35ab5
Instruction Fuzzy Hash: A71160709001099BCB00EFA5CD45BAEBB79EB00354F10423EF826B72D0DB385A01CB99

Function 00401FC6 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402400: IsIconic.USER32(E8844D8D), ref: 0040240E

#470.MFC42(?), ref: 00402004

Part of subcall function 004023D0: SendMessageA.USER32(?,00000000,00000000,00000027), ref: 004023EA

GetSystemMetrics.USER32(0000000B), ref: 0040202A
GetSystemMetrics.USER32(0000000C), ref: 00402035

Part of subcall function 00402420: GetClientRect.USER32(?,U @), ref: 00402432

Part of subcall function 004023A0: DrawIcon.USER32(00000000,?,?,?), ref: 004023BA

#755.MFC42(?,?,?,?), ref: 004020A8

Memory Dump Source

Source File: 00000000.00000002.2165709493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2165685716.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165733449.0000000000403000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2165760094.000000000040B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_9JQ3JboYdz.jbxd

Similarity

API ID: MetricsSystem$#470#755ClientDrawIconIconicMessageRectSend
String ID:
API String ID: 2506822835-0
Opcode ID: 1c9899e63e8db84197f4d426d0ee9b49cb4c862dee0a21bfd3b4b5b287d3fdbe
Instruction ID: 4f4a8c447454e0b861ef3f698e30a861443d70d21ee0d95d9e798c61fe4189de
Opcode Fuzzy Hash: 1c9899e63e8db84197f4d426d0ee9b49cb4c862dee0a21bfd3b4b5b287d3fdbe
Instruction Fuzzy Hash: 15212D719001099BCB14EFB4DE4ABEDB774BB08304F14826EE515B32D1DF786904CB58

Analysis Process: svchost.exePID: 7084, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.8%
Total number of Nodes:	641
Total number of Limit Nodes:	4

Executed Functions

Function 10003E6B Relevance: 248.8, APIs: 71, Strings: 71, Instructions: 296
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,1000383C,10004E5A,?,?,?,?,?,?), ref: 10003E85
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 10003E96
GetProcAddress.KERNEL32(76210000,GetModuleFileNameA), ref: 10003EA3
GetProcAddress.KERNEL32(76210000,CreateMutexA), ref: 10003EB0
GetProcAddress.KERNEL32(76210000,ReleaseMutex), ref: 10003EBD
GetProcAddress.KERNEL32(76210000,GetLastError), ref: 10003ECA
GetProcAddress.KERNEL32(76210000,CloseHandle), ref: 10003ED7
GetProcAddress.KERNEL32(76210000,Sleep), ref: 10003EE4
GetProcAddress.KERNEL32(76210000,lstrcatA), ref: 10003EF1
GetProcAddress.KERNEL32(76210000,GetTickCount), ref: 10003EFE
GetProcAddress.KERNEL32(76210000,WaitForSingleObject), ref: 10003F0B
GetProcAddress.KERNEL32(76210000,GetFileAttributesA), ref: 10003F18
GetProcAddress.KERNEL32(76210000,CreateEventA), ref: 10003F25
GetProcAddress.KERNEL32(76210000,ResetEvent), ref: 10003F32
GetProcAddress.KERNEL32(76210000,CancelIo), ref: 10003F3F
GetProcAddress.KERNEL32(76210000,SetEvent), ref: 10003F4C
GetProcAddress.KERNEL32(76210000,TerminateThread), ref: 10003F59
GetProcAddress.KERNEL32(76210000,GetVersionExA), ref: 10003F66
GetProcAddress.KERNEL32(76210000,GetExitCodeProcess), ref: 10003F73
GetProcAddress.KERNEL32(76210000,ExpandEnvironmentStringsA), ref: 10003F80
GetProcAddress.KERNEL32(76210000,GetSystemInfo), ref: 10003F8D
GetProcAddress.KERNEL32(76210000,GetSystemDirectoryA), ref: 10003F9A
GetProcAddress.KERNEL32(76210000,MoveFileA), ref: 10003FA7
GetProcAddress.KERNEL32(76210000,MoveFileExA), ref: 10003FB4

Strings

TerminateThread, xrefs: 10003F4E
CreateEventA, xrefs: 10003F1A
MoveFileA, xrefs: 10003F9C
SetTokenInformation, xrefs: 10004250
getsockname, xrefs: 10004158
EnumWindows, xrefs: 10004028
ChangeServiceConfig2A, xrefs: 10004210
WSACleanup, xrefs: 100040A8
SendMessageA, xrefs: 10004018
MessageBoxA, xrefs: 10003FF8
IsWindowVisible, xrefs: 10004008
GetExitCodeProcess, xrefs: 10003F68
recv, xrefs: 10004108
closesocket, xrefs: 10004118
ExpandEnvironmentStringsA, xrefs: 10003F75
GetVersionExA, xrefs: 10003F5B
strstr, xrefs: 10004080
wininet.dll, xrefs: 10004270
ADVAPI32.dll, xrefs: 10004178
send, xrefs: 100040F8
WaitForSingleObject, xrefs: 10003F00
strcmp, xrefs: 10004045
memset, xrefs: 10004070
wsprintfA, xrefs: 10003FDD
ExitWindowsEx, xrefs: 10003FE8
CreateMutexA, xrefs: 10003EA5
ResetEvent, xrefs: 10003F27
User32.dll, xrefs: 10003FD0
OpenProcessToken, xrefs: 10004230
SetServiceStatus, xrefs: 10004185
WSAStartup, xrefs: 1000409D
lstrcatA, xrefs: 10003EE6
GetCurrentProcess, xrefs: 10003FC3
GetSystemInfo, xrefs: 10003F82
WTSGetActiveConsoleSessionId, xrefs: 10003FB6
GetSystemDirectoryA, xrefs: 10003F8F
SetEvent, xrefs: 10003F41
Sleep, xrefs: 10003ED9
MoveFileExA, xrefs: 10003FA9
GetModuleFileNameA, xrefs: 10003E98
QueryServiceStatus, xrefs: 100041E6
CreateServiceA, xrefs: 10004200
ws2_32.dll, xrefs: 10004090
kernel32.dll, xrefs: 10003E80
OpenSCManagerA, xrefs: 100041A0
socket, xrefs: 100040B8
GetTickCount, xrefs: 10003EF3
DeleteService, xrefs: 10004220
CloseServiceHandle, xrefs: 100041D0
strlen, xrefs: 10004050
DuplicateTokenEx, xrefs: 10004240
connect, xrefs: 100040E8
ControlService, xrefs: 100041F0
memcpy, xrefs: 10004060
gethostname, xrefs: 10004168
CancelIo, xrefs: 10003F34
CloseHandle, xrefs: 10003ECC
GetFileAttributesA, xrefs: 10003F0D
GetLastError, xrefs: 10003EBF
RegisterServiceCtrlHandlerA, xrefs: 10004190
StartServiceA, xrefs: 100041C0
setsockopt, xrefs: 10004128
CreateProcessA, xrefs: 10003E8D
MSVCRT.dll, xrefs: 10004038
WSAIoctl, xrefs: 10004138
htons, xrefs: 100040D8
select, xrefs: 10004148
gethostbyname, xrefs: 100040C8
ReleaseMutex, xrefs: 10003EB2
OpenServiceA, xrefs: 100041B0
CreateProcessAsUserA, xrefs: 10004260

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: ADVAPI32.dll$CancelIo$ChangeServiceConfig2A$CloseHandle$CloseServiceHandle$ControlService$CreateEventA$CreateMutexA$CreateProcessA$CreateProcessAsUserA$CreateServiceA$DeleteService$DuplicateTokenEx$EnumWindows$ExitWindowsEx$ExpandEnvironmentStringsA$GetCurrentProcess$GetExitCodeProcess$GetFileAttributesA$GetLastError$GetModuleFileNameA$GetSystemDirectoryA$GetSystemInfo$GetTickCount$GetVersionExA$IsWindowVisible$MSVCRT.dll$MessageBoxA$MoveFileA$MoveFileExA$OpenProcessToken$OpenSCManagerA$OpenServiceA$QueryServiceStatus$RegisterServiceCtrlHandlerA$ReleaseMutex$ResetEvent$SendMessageA$SetEvent$SetServiceStatus$SetTokenInformation$Sleep$StartServiceA$TerminateThread$User32.dll$WSACleanup$WSAIoctl$WSAStartup$WTSGetActiveConsoleSessionId$WaitForSingleObject$closesocket$connect$gethostbyname$gethostname$getsockname$htons$kernel32.dll$lstrcatA$memcpy$memset$recv$select$send$setsockopt$socket$strcmp$strlen$strstr$wininet.dll$ws2_32.dll$wsprintfA
API String ID: 2238633743-2593546367
Opcode ID: c0ece4e7efd5b4c6edabd0fb5669f7d958223cf09bcca4ca1208277cbc57487f
Instruction ID: 1d4e4a84f7054c9bea1b663399dca5a43fab5260fb22e9cb011038ddc9d5f956
Opcode Fuzzy Hash: c0ece4e7efd5b4c6edabd0fb5669f7d958223cf09bcca4ca1208277cbc57487f
Instruction Fuzzy Hash: F5B16970800B45AEE731AF32CD04EA7BEF6FF84340B118D2DE5AA56924DB32A855DF51

Function 1000336E Relevance: 52.6, APIs: 25, Strings: 5, Instructions: 150
stringsleepregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strncpy.MSVCRT ref: 1000338C
wcstombs.MSVCRT ref: 1000339C
RegisterServiceCtrlHandlerA.ADVAPI32(?,100032F7), ref: 100033B1
FreeConsole.KERNEL32 ref: 100033C6

Part of subcall function 1000318A: SetServiceStatus.SECHOST(00000010), ref: 100031CA

GetVersionExA.KERNEL32(?), ref: 100033F3
MainThread.4293750 ref: 1000340F

Part of subcall function 1000315D: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10003178
Part of subcall function 1000315D: CloseHandle.KERNEL32(00000000), ref: 1000317F

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 10003426
lstrcatA.KERNEL32(?,1000660C), ref: 10003438
lstrcatA.KERNEL32(?,SySe), ref: 1000344A
lstrcatA.KERNEL32(?,.exe), ref: 1000345C
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000346A
lstrcatA.KERNEL32(?,\Rundll32.exe), ref: 1000347C
CopyFileA.KERNEL32(?,?,00000001), ref: 10003492
GetFileAttributesA.KERNELBASE(?), ref: 1000349F
GetLastError.KERNEL32 ref: 100034AA
wsprintfA.USER32 ref: 100034C3
GetModuleFileNameA.KERNEL32(?,00000104), ref: 100034DE
wsprintfA.USER32 ref: 100034FE
Sleep.KERNELBASE(000003E8), ref: 1000350C
GetExitCodeProcess.KERNELBASE(00000000,?), ref: 10003517
CloseHandle.KERNELBASE(00000000), ref: 10003527
Sleep.KERNELBASE(00000BB8), ref: 10003532
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10003559
CloseHandle.KERNEL32(00000000), ref: 10003560
Sleep.KERNEL32(00000064), ref: 10003568

Strings

SySe, xrefs: 10003444
.#v, xrefs: 10003527, 10003560
.exe, xrefs: 10003456
%s "%s",MainThread, xrefs: 100034F8
\Rundll32.exe, xrefs: 10003476

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: lstrcat$CloseFileHandleSleep$DirectoryObjectServiceSingleWaitwsprintf$AttributesCodeConsoleCopyCtrlCurrentErrorExitFreeHandlerLastMainModuleNameProcessRegisterStatusSystemThreadVersionstrncpywcstombs
String ID: %s "%s",MainThread$.exe$SySe$\Rundll32.exe$.#v
API String ID: 2268562214-2619658641
Opcode ID: edc6bb86fa15e14382b8bf422a5a5e13054f2286661d091575d839084948f042
Instruction ID: 41d25408302aabc459f6968b7f59f59ff79b25a4c4978eb5c8748b31ff7b5c46
Opcode Fuzzy Hash: edc6bb86fa15e14382b8bf422a5a5e13054f2286661d091575d839084948f042
Instruction Fuzzy Hash: 06515275800269AFEB11DBA0CCC99DF77BEEB09395F604465F209D2058DB719A84CF61

Function 10001FBD Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 98
libraryprocessloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(userenv.dll,00000000,00000104,00000000), ref: 10001FCB
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 10001FDA
memset.MSVCRT ref: 10001FF9
memset.MSVCRT ref: 10002005
GetCurrentProcess.KERNEL32 ref: 10002023
OpenProcessToken.ADVAPI32(00000000,000F01FF,10003544), ref: 10002033
DuplicateTokenEx.ADVAPI32(10003544,02000000,00000000,00000001,00000001,?), ref: 1000204A
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 10002069
CreateProcessAsUserA.KERNELBASE(?,00000000,10003544,00000000,00000000,00000000,00000430,?,00000000,?,?), ref: 10002094
CloseHandle.KERNEL32(?), ref: 100020A0
CloseHandle.KERNEL32(10003544), ref: 100020A9
FreeLibrary.KERNELBASE(?), ref: 100020BB

Strings

WinSta0\Default, xrefs: 1000201C
.#v, xrefs: 100020A0, 100020A9
userenv.dll, xrefs: 10001FC6
CreateEnvironmentBlock, xrefs: 10001FD1

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: ProcessToken$CloseHandleLibrarymemset$AddressCreateCurrentDuplicateFreeInformationLoadOpenProcUser
String ID: CreateEnvironmentBlock$WinSta0\Default$userenv.dll$.#v
API String ID: 389336417-1936089592
Opcode ID: b17ba00ba64db28f18bd6f450c5a4aff0af55f28d04f5de357443b33628a04c7
Instruction ID: 393253a686a726e0e40b90c7e54b6c9b8ea898aa750e1207ba5c491074f34e4f
Opcode Fuzzy Hash: b17ba00ba64db28f18bd6f450c5a4aff0af55f28d04f5de357443b33628a04c7
Instruction Fuzzy Hash: E13104B2D11229BBEB11DFD5CD89DDEBFBAEF08781F200056F605A2154C7B15A00DBA0

Function 1000318A Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetServiceStatus.SECHOST(00000010), ref: 100031CA

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: ServiceStatus
String ID:
API String ID: 3969395364-0
Opcode ID: 27465d0ccf9c2ca7f2eb77ed8655f8ffd3fcd3240fb6f93fded1e015b92d134b
Instruction ID: 42df913d68a79b1f62ab0f840a1365e4bfcb694bfd220718bb7b564d1378dfbb
Opcode Fuzzy Hash: 27465d0ccf9c2ca7f2eb77ed8655f8ffd3fcd3240fb6f93fded1e015b92d134b
Instruction Fuzzy Hash: 24F0A5B0D0021EDFDB40DF99D8857AEBBF4BB08348F108069E818A7244D7B496048F90

Non-executed Functions

Function 1000304F Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 85
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 1000306C
strlen.MSVCRT ref: 10003078
strlen.MSVCRT ref: 1000308E

Part of subcall function 10004A93: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,00000000,?), ref: 10004AC0
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10004AD7
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10004AE2
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10004AED
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10004AF8
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10004B03
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10004B0E
Part of subcall function 10004A93: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 10004C02

strlen.MSVCRT ref: 100030B4
GetLocalTime.KERNEL32(?), ref: 100030D7
wsprintfA.USER32 ref: 100030FF
strlen.MSVCRT ref: 1000310D

Strings

Remark, xrefs: 1000309E
Group, xrefs: 100030C4
SySe, xrefs: 1000305B
InstallTime, xrefs: 10003120
SYSTEM\CurrentControlSet\Services\%s, xrefs: 10003066
%4d-%.2d-%.2d %.2d:%.2d, xrefs: 100030F9
1000, xrefs: 100030AD, 100030B3, 100030BC

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$strlen$Librarywsprintf$FreeLoadLocalTime
String ID: %4d-%.2d-%.2d %.2d:%.2d$1000$Group$InstallTime$Remark$SYSTEM\CurrentControlSet\Services\%s$SySe
API String ID: 124699875-1081287659
Opcode ID: 01154ca105bfda5f078472489b81bc39b1063e4cdbc4f1aa553d48ab01563500
Instruction ID: 2672780922b42b35e2a89e682ca47f3d516b1e1a70e82393c56e9bdbe1b2b31e
Opcode Fuzzy Hash: 01154ca105bfda5f078472489b81bc39b1063e4cdbc4f1aa553d48ab01563500
Instruction Fuzzy Hash: CE211DA28001287BF710E794DC89DFF76BDEB4D695F5400A6FA01E1049EB39AE418775

Function 10001B5B Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 176
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,00000000), ref: 10001B96
_local_unwind2.MSVCRT ref: 10001BA9
CreateServiceA.ADVAPI32(00000000,00000000,00000000,000F01FF,?,10001E9B,00000000,?,00000000,00000000,?,00000000,00000000,?,00000000), ref: 10001BE6
GetLastError.KERNEL32(?,00000000), ref: 10001BF5
OpenServiceA.ADVAPI32(10001E9B,00000000,000F01FF,?,00000000), ref: 10001C09
StartServiceA.ADVAPI32(00000000,00000000,00000000,?,00000000), ref: 10001C1F
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?,?,00000000), ref: 10001C43
ChangeServiceConfig2A.ADVAPI32(00000000,00000002,?), ref: 10001CA3

Strings

SYSTEM\CurrentControlSet\Services\%s, xrefs: 10001DAE, 10001DB4
Description, xrefs: 10001DD4

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Service$ChangeConfig2Open$CreateErrorLastManagerStart_local_unwind2
String ID: Description$SYSTEM\CurrentControlSet\Services\%s
API String ID: 1109860625-2908613140
Opcode ID: ae27365f3abc695d381728d134456e741ffe8850672492339ff11c7de2e79d22
Instruction ID: 34160cdb049149ef51204cb724d21122ba78e6005a4a2cbc3d1f025aef1d8869
Opcode Fuzzy Hash: ae27365f3abc695d381728d134456e741ffe8850672492339ff11c7de2e79d22
Instruction Fuzzy Hash: E6813270C086A8DEEB21CB64CC88BDEBFB5AB19344F0401D9E55C66291C77A0F94CF65

Function 10001A43 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 53servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,SySe,?,?,?,?,?,?,?,10003043,SySe), ref: 10001A54
OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,?,?,10003043,SySe), ref: 10001A69
StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,?,?,10003043,SySe), ref: 10001A7A
GetLastError.KERNEL32(?,?,?,?,?,?,?,10003043,SySe), ref: 10001A84
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySe), ref: 10001A92
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,10003043,SySe), ref: 10001AA0
Sleep.KERNEL32(00000064), ref: 10001AB2
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySe), ref: 10001ABB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySe), ref: 10001AC2

Strings

SySe, xrefs: 10001A4A

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Service$CloseHandle$Open$ErrorLastManagerQuerySleepStartStatus
String ID: SySe
API String ID: 191932718-261273551
Opcode ID: 014086cccfa01bbc5a08c9c9583791d5995df2f921ac7ee13cb4fdb749c4e3c5
Instruction ID: 9ee7ec8bb55b1ac22ac6ce330aaae550d3e81ab1b6a3f2d0b0f6497ceb73b83b
Opcode Fuzzy Hash: 014086cccfa01bbc5a08c9c9583791d5995df2f921ac7ee13cb4fdb749c4e3c5
Instruction Fuzzy Hash: 33012531746327EBF711ABA05CC9FEF36A9EB0A7C1F200420F602D9099DB65884186E6

Function 10002BC3 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 77stringprocessCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10002BD1
memset.MSVCRT ref: 10002BEF

Part of subcall function 10004822: memset.MSVCRT ref: 10004857
Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
Part of subcall function 10004822: memset.MSVCRT ref: 10004878
Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004885
Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004A63

lstrlenA.KERNEL32(?), ref: 10002C1E
strstr.MSVCRT ref: 10002C34
lstrcpyA.KERNEL32(00000000,?), ref: 10002C44
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10002C8A

Strings

WinSta0\Default, xrefs: 10002C60
Applications\iexplore.exe\shell\open\command, xrefs: 10002C01
D, xrefs: 10002C57

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$memset$Library$CreateFreeLoadProcesslstrcpylstrlenstrlenstrstr
String ID: Applications\iexplore.exe\shell\open\command$D$WinSta0\Default
API String ID: 2952214944-490771695
Opcode ID: 7fd2577a0a9b6326ac895a1fa05e515703ef0ef4a7097cdaa6f8a03547f7ada4
Instruction ID: 41262b3153465784fb7137690828f40fbae5b7cfa485d5802afb8d228550aeb8
Opcode Fuzzy Hash: 7fd2577a0a9b6326ac895a1fa05e515703ef0ef4a7097cdaa6f8a03547f7ada4
Instruction Fuzzy Hash: 46216A72900128AAFF60CBE1CD48EDF7BBCEF453D2F100015BA09E6048DA719A84CBA0

Function 1000265E Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 50COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000,Application), ref: 100026B8
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 100026C7
CloseEventLog.ADVAPI32(00000000), ref: 100026CE

Strings

Security, xrefs: 10002670
System, xrefs: 10002677
(b, xrefs: 10002669
Application, xrefs: 100026B4

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: (b$Application$Security$System
API String ID: 1391105993-346596376
Opcode ID: 979e5dc6c9d061fd1560a2a7781cfa77c6718ec7c1a2c36edda2fbc21b44326a
Instruction ID: bc44e267b22650a43e45f5af2b99767b5e3e23e3035c63c9d4cfe444952d6dd8
Opcode Fuzzy Hash: 979e5dc6c9d061fd1560a2a7781cfa77c6718ec7c1a2c36edda2fbc21b44326a
Instruction Fuzzy Hash: 5D018F71E00A99BBFB00DF94984479DBFB4EB097C9FA04095E506EB248D73A8E408F95

Function 10001F48 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47servicestringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10001F4E

Part of subcall function 10001ACF: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10001ADF
Part of subcall function 10001ACF: OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10001AF5
Part of subcall function 10001ACF: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B06
Part of subcall function 10001ACF: ControlService.ADVAPI32(00000000,00000001,?), ref: 10001B1D
Part of subcall function 10001ACF: Sleep.KERNEL32(0000000A), ref: 10001B2F
Part of subcall function 10001ACF: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B3A
Part of subcall function 10001ACF: CloseServiceHandle.ADVAPI32(00000000), ref: 10001B43
Part of subcall function 10001ACF: CloseServiceHandle.ADVAPI32(00000000), ref: 10001B4A

OpenSCManagerA.ADVAPI32(00000000,00000000,?,?,?,?,10002F76,SySe), ref: 10001F6B
OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,?,10002F76,SySe), ref: 10001F7F
DeleteService.ADVAPI32(00000000,?,?,?,?,10002F76,SySe), ref: 10001F8C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,10002F76,SySe), ref: 10001F93
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,10002F76,SySe), ref: 10001F9A

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 10001FA7

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Service$CloseHandleOpen$ManagerQueryStatus$ControlDeleteSleepstrlen
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
API String ID: 625463800-1784019800
Opcode ID: 02807cd9fc2c2d172a8d2777ce926d73bc9f3961fff41b6754e738332fe71101
Instruction ID: 320e00f64ca60edd69a113f9dbbd44adb98dc69d7bce9bbf9f1d19ab5e200103
Opcode Fuzzy Hash: 02807cd9fc2c2d172a8d2777ce926d73bc9f3961fff41b6754e738332fe71101
Instruction Fuzzy Hash: 39F096B610912A7FF1106771ECCCDBF7E6DDB4E2D6B120428F5055600ECF2658418571

Function 1000358C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 10004822: memset.MSVCRT ref: 10004857
Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
Part of subcall function 10004822: memset.MSVCRT ref: 10004878
Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004885
Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004A63

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 100035C9
wsprintfA.USER32 ref: 100035DE

Strings

~MHz, xrefs: 100035AE
%d*%sMHz, xrefs: 100035D6
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 100035B3

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$memset$Library$FreeInfoLoadSystemwsprintf
String ID: %d*%sMHz$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 86330591-2169120903
Opcode ID: dc211f4c5e3334b9a75a581acafed69773f2644d7a1948e9a9c8f06f08de0db5
Instruction ID: e0e52339f3a0edf701dd4b0822ed73eda2d577ef34cae91861143d544cce4ff8
Opcode Fuzzy Hash: dc211f4c5e3334b9a75a581acafed69773f2644d7a1948e9a9c8f06f08de0db5
Instruction Fuzzy Hash: 93F054B1900149BFFB04DBE8CD05DEEBB6DDB1C144F200464FB01F5055E6629A148766

Function 10003D5D Relevance: 7.6, APIs: 5, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,?,100039AB,00000000), ref: 10003D99
free.MSVCRT ref: 10003DA8
VirtualFree.KERNEL32(?,00000000,00008000,?,?,100039AB,00000000), ref: 10003DBE
GetProcessHeap.KERNEL32(00000000,?,?,?,100039AB,00000000), ref: 10003DC6
HeapFree.KERNEL32(00000000), ref: 10003DCD

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Free$Heap$LibraryProcessVirtualfree
String ID:
API String ID: 831075735-0
Opcode ID: 667178307696715c23ee8a0b861fe9ca313d72f521eb66f714d6403ad810cf37
Instruction ID: 71511c0ad6a298159b0eec715adc94005effd13d7d75cd72595928e5cffca51a
Opcode Fuzzy Hash: 667178307696715c23ee8a0b861fe9ca313d72f521eb66f714d6403ad810cf37
Instruction Fuzzy Hash: DC01ED72500611AFE7219FA5DCC895BB7EDFB443A1311892EF19A93554C731BC45CB50

Function 1000152B Relevance: 4.6, APIs: 3, Instructions: 72networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10001581
memset.MSVCRT ref: 10001599
recv.WS2_32(?,?,00002000,00000000), ref: 100015B0

Part of subcall function 10001603: __EH_prolog.LIBCMT ref: 10001608
Part of subcall function 10001603: memcmp.MSVCRT(?,?,00000003,00000000,00000000,00002000), ref: 10001635

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: H_prologmemcmpmemsetrecvselect
String ID:
API String ID: 845096623-0
Opcode ID: 75ccf4472247f99d1fc82cf152b3949a0f6c798424c0c4ef67da7dbc52851d33
Instruction ID: b249bad086b58afcbe69b5c97c14a2d47d410cce536c228878a31608307147f8
Opcode Fuzzy Hash: 75ccf4472247f99d1fc82cf152b3949a0f6c798424c0c4ef67da7dbc52851d33
Instruction Fuzzy Hash: E3216376500128ABEB20CBA5DC88DCF7BADEF853E1F100565F51A9B195DB30AE85CA90

Function 100025A2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 10004666: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,SeShutdownPrivilege), ref: 1000467E
Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000468E
Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 10004699
Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 100046A4
Part of subcall function 10004666: LoadLibraryA.KERNEL32(kernel32.dll,?,SeShutdownPrivilege), ref: 100046AE
Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 100046B9
Part of subcall function 10004666: LoadLibraryA.KERNEL32(KERNEL32.dll,?,SeShutdownPrivilege), ref: 10004701
Part of subcall function 10004666: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 10004709
Part of subcall function 10004666: CloseHandle.KERNEL32(?,?,SeShutdownPrivilege), ref: 10004718
Part of subcall function 10004666: FreeLibrary.KERNEL32(00000000,?,SeShutdownPrivilege), ref: 10004729
Part of subcall function 10004666: FreeLibrary.KERNEL32(00000000,?,SeShutdownPrivilege), ref: 10004734

ExitWindowsEx.USER32(?,00000000), ref: 100025B8

Strings

SeShutdownPrivilege, xrefs: 100025A3, 100025AA, 100025C0

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
String ID: SeShutdownPrivilege
API String ID: 3789203340-3733053543
Opcode ID: e4fba66ba179fd9c90d11779b271753c7a602678899a700a7ffa0e43bc127d12
Instruction ID: 24361d1f74b491916104d0b65e9654eb6268adfd09238d66ad51a9c89c1c7c7a
Opcode Fuzzy Hash: e4fba66ba179fd9c90d11779b271753c7a602678899a700a7ffa0e43bc127d12
Instruction Fuzzy Hash: 55D0C93614D7203AF6259310FC07F891386DB46A60F32005AF100281D9EE97394101DE

Function 10004822 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 183
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 10004857
memset.MSVCRT ref: 1000486A
memset.MSVCRT ref: 10004878
LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004885
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
strchr.MSVCRT ref: 10004991
lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004A3F
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004A63

Strings

RegEnumKeyExA, xrefs: 100048BF
RegEnumValueA, xrefs: 100048B2
RegQueryValueExA, xrefs: 10004891
RegCloseKey, xrefs: 100048CC
RegOpenKeyExA, xrefs: 100048A2
%08X, xrefs: 100049FF
ADVAPI32.dll, xrefs: 10004880

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$memset$Library$FreeLoadlstrcpystrchr
String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 3659255042-2913591164
Opcode ID: 7424f0aa0fc5f41e5269731e09dcfb498a038a30a4bf35bef428207efb807e24
Instruction ID: 7827c6d97ea14ff7f97f876e2ede93deda3ff4f1abfb71c7f8a3dc5e2b71a7d8
Opcode Fuzzy Hash: 7424f0aa0fc5f41e5269731e09dcfb498a038a30a4bf35bef428207efb807e24
Instruction Fuzzy Hash: 3761F9B190111DABEF21DFA0CD84EEFBBB9FB49390F1101A6F609A2114DB319E548F65

Function 100027BC Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 180
stringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 100027D8
strrchr.MSVCRT ref: 100027E2
strrchr.MSVCRT ref: 10002811
strlen.MSVCRT ref: 10002821
strncpy.MSVCRT ref: 1000283B
strcpy.MSVCRT(?,00000005), ref: 10002850
memset.MSVCRT ref: 10002889
wsprintfA.USER32 ref: 100028A4
memset.MSVCRT ref: 100028B3
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 10002909
strstr.MSVCRT ref: 10002921
strstr.MSVCRT ref: 10002935
lstrcatA.KERNEL32(?,100062A0), ref: 1000294F
lstrcatA.KERNEL32(?,?), ref: 1000295B
lstrcpyA.KERNEL32(00000000,?), ref: 10002963
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 100029A9

Strings

WinSta0\Default, xrefs: 1000297F
D, xrefs: 10002976
%s\shell\open\command, xrefs: 1000289E
"%1, xrefs: 1000291B

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: memset$lstrcatstrrchrstrstr$CreateEnvironmentExpandProcessStringslstrcpystrcpystrlenstrncpywsprintf
String ID: "%1$%s\shell\open\command$D$WinSta0\Default
API String ID: 4079107157-33419044
Opcode ID: 04d3fabc052defb42953b4d487a01b0e0a3a75e7128b93fa4fdb2158ee315547
Instruction ID: 1dae266835ad86fc393f082bb566385ae5bfce16840cf251a65e311cd9e83007
Opcode Fuzzy Hash: 04d3fabc052defb42953b4d487a01b0e0a3a75e7128b93fa4fdb2158ee315547
Instruction Fuzzy Hash: 86514FB690062DBFFB10CBE0CD89EDF777CEB05395F1044A6F604E6144DA719A498BA0

Function 10004529 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 115
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(wininet.dll,?,00000001,00000000), ref: 1000454D
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 10004564
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 1000457E
FreeLibrary.KERNEL32(00000000,?,00000001,00000000), ref: 1000459C
CreateFileA.KERNEL32(10002CDC,40000000,00000000,00000000,00000002,00000000,00000000,?,00000001,00000000), ref: 100045B7
memset.MSVCRT ref: 100045D3
GetProcAddress.KERNEL32(10002CDC,InternetReadFile), ref: 100045E3
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,00000001,00000000), ref: 1000461B
CloseHandle.KERNEL32(00000000,?,00000001,00000000), ref: 1000462E
Sleep.KERNEL32(00000001,?,00000001,00000000), ref: 10004639
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 10004645
FreeLibrary.KERNEL32(00000000,?,00000001,00000000), ref: 10004658

Strings

InternetReadFile, xrefs: 100045DB
InternetCloseHandle, xrefs: 1000463F
InternetOpenA, xrefs: 1000455B
01#v, xrefs: 100045B7
MZ, xrefs: 100045FB
MSIE 6.0, xrefs: 1000456A
InternetOpenUrlA, xrefs: 10004578
wininet.dll, xrefs: 10004537

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWritememset
String ID: 01#v$InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$MZ$wininet.dll
API String ID: 2364563185-1782425846
Opcode ID: 4ccd4711cf4494772635a2f590ae23fe1c53700288b07bfeed38bb136e3ef3db
Instruction ID: cfdd7e431f84bb68211a12104eaec753c658bf1fa5ec063c49e3443a626c7788
Opcode Fuzzy Hash: 4ccd4711cf4494772635a2f590ae23fe1c53700288b07bfeed38bb136e3ef3db
Instruction Fuzzy Hash: 0E3149B180011CBEEB109FA0CC84EEFBFB9EB483D5F118069F605A2154DB365E858AA5

Function 10004666 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,?,SeShutdownPrivilege), ref: 1000467E
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 1000468E
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 10004699
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 100046A4
LoadLibraryA.KERNEL32(kernel32.dll,?,SeShutdownPrivilege), ref: 100046AE
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 100046B9
LoadLibraryA.KERNEL32(KERNEL32.dll,?,SeShutdownPrivilege), ref: 10004701
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 10004709
CloseHandle.KERNEL32(?,?,SeShutdownPrivilege), ref: 10004718
FreeLibrary.KERNEL32(00000000,?,SeShutdownPrivilege), ref: 10004729
FreeLibrary.KERNEL32(00000000,?,SeShutdownPrivilege), ref: 10004734

Strings

LookupPrivilegeValueA, xrefs: 1000469B
kernel32.dll, xrefs: 100046A6
AdjustTokenPrivileges, xrefs: 10004690
GetLastError, xrefs: 10004703
KERNEL32.dll, xrefs: 100046FC
OpenProcessToken, xrefs: 10004688
GetCurrentProcess, xrefs: 100046B0
ADVAPI32.dll, xrefs: 10004675
SeShutdownPrivilege, xrefs: 1000466D

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressLibraryProc$Load$Free$CloseHandle
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$SeShutdownPrivilege$kernel32.dll
API String ID: 2887716753-2040270271
Opcode ID: 2c02e0a2dce957ed4b170e4857a5501a8461009b11209441a4d50c6b9b6a2af3
Instruction ID: 8d4d7167a0abf61afb389703d9ccc16411aa1da686c4766c6b67e9c280f51853
Opcode Fuzzy Hash: 2c02e0a2dce957ed4b170e4857a5501a8461009b11209441a4d50c6b9b6a2af3
Instruction Fuzzy Hash: DD2148B1D04218BAEB01EBF58C48FEFBFB8EF48391F114465E605E2144DB759A448BA0

Function 10002D9E Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 136
synchronizationsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10002DA3
wsprintfA.USER32 ref: 10002DD0
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 10002DE4
GetLastError.KERNEL32 ref: 10002DF0
ReleaseMutex.KERNEL32(00000000), ref: 10002DFE
CloseHandle.KERNEL32(00000000), ref: 10002E05
rand.MSVCRT ref: 10002E28
Sleep.KERNEL32 ref: 10002E37
lstrcatA.KERNEL32(00000000,www.sf2110.com), ref: 10002E60
strcmp.MSVCRT ref: 10002E72
GetTickCount.KERNEL32 ref: 10002E8A
GetTickCount.KERNEL32 ref: 10002EA6
WaitForSingleObject.KERNEL32(?,00000064,?,?,?,0000213A), ref: 10002F0F
Sleep.KERNEL32(000001F4), ref: 10002F1C

Strings

www.sf2110.com, xrefs: 10002DC5, 10002E4F
SySe, xrefs: 10002DB4
.#v, xrefs: 10002E05
%s:%d:%s, xrefs: 10002DCA

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: CountMutexSleepTick$CloseCreateErrorH_prologHandleLastObjectReleaseSingleWaitlstrcatrandstrcmpwsprintf
String ID: %s:%d:%s$SySe$www.sf2110.com$.#v
API String ID: 4065721159-3036444230
Opcode ID: a5af5a3d6a9359322f04e457a363fbda1204055e8f71d46e8cb9e8ff8e7e396c
Instruction ID: 0aef3fa4da984b37d72cd036fbc76a84f9d8f20caef5abb9300e459f48f97b0e
Opcode Fuzzy Hash: a5af5a3d6a9359322f04e457a363fbda1204055e8f71d46e8cb9e8ff8e7e396c
Instruction Fuzzy Hash: 4F41A8358042A5ABFB15DBB4CC88BDE7BB9EF093C0F1040A5E509E3199DF716A44CB51

Function 10004A93 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 144
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,?,00000000,?), ref: 10004AC0
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10004AD7
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10004AE2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10004AED
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10004AF8
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10004B03
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10004B0E
FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 10004C02

Strings

RegDeleteValueA, xrefs: 10004AF2
RegDeleteKeyA, xrefs: 10004AE7
RegSetValueExA, xrefs: 10004ADC
RegCreateKeyExA, xrefs: 10004ACB
RegCloseKey, xrefs: 10004B08
RegOpenKeyExA, xrefs: 10004AFD
ADVAPI32.dll, xrefs: 10004ABB

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
API String ID: 2449869053-3188892968
Opcode ID: b9fec3eb9a562a6a9266f8090f520ea499f34599839294b39172511a198aaae8
Instruction ID: 2058804bda021c861d2603192b8c2d3dc199326d0aa42d29f4cfa0892e9c0375
Opcode Fuzzy Hash: b9fec3eb9a562a6a9266f8090f520ea499f34599839294b39172511a198aaae8
Instruction Fuzzy Hash: E741E3B1900259BFFF11DF94DC84EEEBAB9FB08695F114026FA24A2168DB318C159B64

Function 10001603 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10001608
memcmp.MSVCRT(?,?,00000003,00000000,00000000,00002000), ref: 10001635
memcpy.MSVCRT(00000003,00000000,00000003,00000000,?,00000003,00000000,00000000,00002000), ref: 1000169E
memcmp.MSVCRT(00000003,00000003,00000003,00000003,00000000,00000003,00000000,?,00000003,00000000,00000000,00002000), ref: 100016AD
_CxxThrowException.MSVCRT(?,10005370), ref: 100016C9
memcpy.MSVCRT(?,00000000,00000004,00000003,00000000,?,00000003,00000000,00000000,00002000), ref: 100016E1
??2@YAPAXI@Z.MSVCRT(?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?,00000003,00000000), ref: 10001743
??2@YAPAXI@Z.MSVCRT(?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?,00000003,00000000), ref: 1000174F
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 100017A7
??3@YAXPAX@Z.MSVCRT(?,00000000,?,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 100017B0
_CxxThrowException.MSVCRT(?,10005370), ref: 100017CD
??3@YAXPAX@Z.MSVCRT(00000000,?,10005370,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 100017DC
??3@YAXPAX@Z.MSVCRT(?,?,10005370,?,00000004,?,00000004,?,00000004,00000003,00000003,?,?,00000003,00000000,?), ref: 100017EA

Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001884
Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 1000189C
Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018F3
Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018FB
Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,00000001,00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?), ref: 1000190A
Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000000,00000144,00000001,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 10001932

Strings

P`, xrefs: 100017C6
``, xrefs: 100016C2

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: ??3@$??2@memcpy$ExceptionThrowmemcmp$H_prolog
String ID: P`$``
API String ID: 1493374972-3525061398
Opcode ID: 10262e34717a2dc6bb8153166a79431bc9c49f8163c052bb3b4c512cb2356511
Instruction ID: 8fe5d1832865b8ccca8e0fc317077c96d8ecfcaf39360939d2f87a7bcfb0ed6c
Opcode Fuzzy Hash: 10262e34717a2dc6bb8153166a79431bc9c49f8163c052bb3b4c512cb2356511
Instruction Fuzzy Hash: 1E51B4B5A00109ABFF44DFA4CD82EEEB7BAFF48680F004019F605A7185DF75AA50CB95

Function 100031D2 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 120
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Ole32.dll,?,00000144,00000000), ref: 100031E6
GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 100031F6
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 10003201
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 1000320C
LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,100037D5), ref: 10003216
GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 10003221
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,100037D5), ref: 100032E3
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,100037D5), ref: 100032ED

Strings

Ole32.dll, xrefs: 100031E1
CoUninitialize, xrefs: 100031F8
CoCreateInstance, xrefs: 10003203
FriendlyName, xrefs: 100032AC
CoInitialize, xrefs: 100031F0
Oleaut32.dll, xrefs: 1000320E
SysFreeString, xrefs: 10003218

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
API String ID: 2256533930-3340630095
Opcode ID: f1eadba59b2ebd071f72d2f7cbb709308b938fb940b81a85d55ffd123040d419
Instruction ID: 1885695b6b8551886770f00f979ae30a25f1f1d427a69892d216d7985a67bda5
Opcode Fuzzy Hash: f1eadba59b2ebd071f72d2f7cbb709308b938fb940b81a85d55ffd123040d419
Instruction Fuzzy Hash: 1641EA70A00219AFEB01DBA5CC88DEFBBBDFF89795B208459F505E7258D7719901CBA0

Function 10004369 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 75
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 1000439A
GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 100043AD
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 100043B8
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 100043C3
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 100043D1
LoadLibraryA.KERNEL32(kernel32.dll), ref: 100043DB
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 100043E6

Strings

kernel32.dll, xrefs: 100043D6
GetThreadDesktop, xrefs: 100043A1
SetThreadDesktop, xrefs: 100043BD
GetUserObjectInformationA, xrefs: 100043B2
CloseDesktop, xrefs: 100043CB
user32.dll, xrefs: 1000438F
GetCurrentThreadId, xrefs: 100043E0

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$user32.dll
API String ID: 2238633743-588083535
Opcode ID: 4c1376e7f27bce54e3710619517fe6f641db0fdfb4de06b67931ee9d63f56ed5
Instruction ID: 67ebd5df9d46fa76e82372fdf0c3b5a8e4a25dc64441a3b0318b74b919e85c2a
Opcode Fuzzy Hash: 4c1376e7f27bce54e3710619517fe6f641db0fdfb4de06b67931ee9d63f56ed5
Instruction Fuzzy Hash: 212107B1D00228BBEB10EFA5DC44BEEBAFDEB48391F114126F911F2254DB7459408F64

Function 100036BA Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 108stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 100036D4
wsprintfA.USER32 ref: 100036F4
lstrlenA.KERNEL32(?,00000000), ref: 10003706

Part of subcall function 10004822: memset.MSVCRT ref: 10004857
Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
Part of subcall function 10004822: memset.MSVCRT ref: 10004878
Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004885
Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004A63

memset.MSVCRT ref: 10003738
getsockname.WS2_32(?,?,?), ref: 10003751
memcpy.MSVCRT(?,?,00000004), ref: 10003764

Part of subcall function 100035EA: lstrlenA.KERNEL32(?,?,1000377E,?,00000032,?,?,?,00000004), ref: 10003611
Part of subcall function 100035EA: gethostname.WS2_32(?,?), ref: 10003621

GetVersionExA.KERNEL32(?), ref: 10003792

Part of subcall function 1000358C: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 100035C9
Part of subcall function 1000358C: wsprintfA.USER32 ref: 100035DE

GlobalMemoryStatusEx.KERNEL32(?), ref: 100037B0

Part of subcall function 100031D2: LoadLibraryA.KERNEL32(Ole32.dll,?,00000144,00000000), ref: 100031E6
Part of subcall function 100031D2: GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 100031F6
Part of subcall function 100031D2: GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 10003201
Part of subcall function 100031D2: GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 1000320C
Part of subcall function 100031D2: LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,100037D5), ref: 10003216
Part of subcall function 100031D2: GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 10003221

Part of subcall function 1000366A: LoadLibraryA.KERNEL32(kernel32.dll,?,00000144,00000000,?,?,100037E0), ref: 10003676
Part of subcall function 1000366A: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1000368E
Part of subcall function 1000366A: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 10003698
Part of subcall function 1000366A: FreeLibrary.KERNEL32(00000000), ref: 100036AC

Part of subcall function 10003629: lstrlenA.KERNEL32(00000014,?,?,?,?,100037FD,?,00000014,?), ref: 10003650
Part of subcall function 10003629: lstrcpyA.KERNEL32(00000014,Error,?,?,?,?,100037FD,?,00000014,?), ref: 10003662

lstrcpyA.KERNEL32(?,10006514), ref: 10003809

Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001884
Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 1000189C
Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018F3
Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018FB
Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,00000001,00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?), ref: 1000190A
Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000000,00000144,00000001,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 10001932

Strings

Group, xrefs: 1000371E
SySe, xrefs: 100036E9
@, xrefs: 100037A9
SYSTEM\CurrentControlSet\Services\%s, xrefs: 100036EE

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$Library$memset$Load$lstrlenmemcpy$??2@??3@Freelstrcpywsprintf$GlobalInfoMemoryStatusSystemVersiongethostnamegetsockname
String ID: @$Group$SYSTEM\CurrentControlSet\Services\%s$SySe
API String ID: 1875266911-3168783696
Opcode ID: 955314d3c9f2b6115b712ce9295eb8f3d277e00088749fc94f886e12991fb5ce
Instruction ID: 3133a6343b416fd9d4de8abc7d75c938e5c6614370202d51db2fcbf0203c4673
Opcode Fuzzy Hash: 955314d3c9f2b6115b712ce9295eb8f3d277e00088749fc94f886e12991fb5ce
Instruction Fuzzy Hash: 2C41FDB690121CAAEB10DBA4CC49FCEB7BCEB08340F104496F609E7195DB74AB448FA1

Function 100024AC Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 100024B8
printf.MSVCRT ref: 100024C9
memset.MSVCRT ref: 100024FC
memcpy.MSVCRT(10006CF0,00000000,00000063,10006CF0,00000000,00000063,00000001), ref: 10002505
??2@YAPAXI@Z.MSVCRT(-00000064,10006CF0,00000000,00000063,10006CF0,00000000,00000063,00000001), ref: 1000250E
memcpy.MSVCRT(00000000,00000000,-00000064,-00000064,10006CF0,00000000,00000063,10006CF0,00000000,00000063,00000001), ref: 1000251B
printf.MSVCRT ref: 10002537
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002561
printf.MSVCRT ref: 10002573

Strings

hmProxy!= NULL, xrefs: 100024C4
Can't load library from memory., xrefs: 10002532
Loop_Proxy, xrefs: 100024B3
OpenProxy, xrefs: 10002540

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: printf$memcpy$??2@??3@memset
String ID: Can't load library from memory.$Loop_Proxy$OpenProxy$hmProxy!= NULL
API String ID: 60333908-620223428
Opcode ID: 1d0c7509cf9b4937be937c3ffef0e8e5e866c158fea0c4347d35d9917c06a107
Instruction ID: 34426b20c795a1564e6a7497d8f5fa3a22278249d6d1bd148d0ebd3529ec88d4
Opcode Fuzzy Hash: 1d0c7509cf9b4937be937c3ffef0e8e5e866c158fea0c4347d35d9917c06a107
Instruction Fuzzy Hash: 07112B76A045247FF200E7B0AD45FAF339ECB087D6F210026FA009605EEE756D0043A9

Function 10001E37 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10001E3C
wsprintfA.USER32 ref: 10001E7B

Part of subcall function 10001B5B: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,?,00000000), ref: 10001B96
Part of subcall function 10001B5B: _local_unwind2.MSVCRT ref: 10001BA9

wsprintfA.USER32 ref: 10001EAE
strlen.MSVCRT ref: 10001EBB

Part of subcall function 10004A93: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,00000000,?), ref: 10004AC0
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10004AD7
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10004AE2
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10004AED
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10004AF8
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10004B03
Part of subcall function 10004A93: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10004B0E
Part of subcall function 10004A93: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 10004C02

memset.MSVCRT ref: 10001EEE
lstrcpyA.KERNEL32(?,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost), ref: 10001F02
lstrlenA.KERNEL32(?,00000001), ref: 10001F0B

Part of subcall function 10001A43: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,SySe,?,?,?,?,?,?,?,10003043,SySe), ref: 10001A54
Part of subcall function 10001A43: OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,?,?,10003043,SySe), ref: 10001A69
Part of subcall function 10001A43: StartServiceA.ADVAPI32(00000000,00000000,00000000,?,?,?,?,?,?,?,10003043,SySe), ref: 10001A7A
Part of subcall function 10001A43: GetLastError.KERNEL32(?,?,?,?,?,?,?,10003043,SySe), ref: 10001A84
Part of subcall function 10001A43: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySe), ref: 10001A92
Part of subcall function 10001A43: CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,10003043,SySe), ref: 10001AC2

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, xrefs: 10001EFC
ServiceDll, xrefs: 10001ED2
SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 10001EA8
%%SystemRoot%%\System32\svchost.exe -k "%s", xrefs: 10001E6F

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$Service$Open$CloseHandleLibraryManagerwsprintf$ErrorFreeH_prologLastLoadStart_local_unwind2lstrcpylstrlenmemsetstrlen
String ID: %%SystemRoot%%\System32\svchost.exe -k "%s"$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s\Parameters$ServiceDll
API String ID: 1573142492-3522277913
Opcode ID: 0128ef592e1c99bbe64aa5232a117bdd0909c69419edbc971054f239723094cd
Instruction ID: b0e3a08bed4d5a752cfc5ae4754fd9917613b9386cafdbad90e7966b10716f67
Opcode Fuzzy Hash: 0128ef592e1c99bbe64aa5232a117bdd0909c69419edbc971054f239723094cd
Instruction Fuzzy Hash: D9217EB290011CBBEB10DF94DC86EEF7B7DEB48780F104069FA08A2145EB715F558BA6

Function 10002F7B Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69sleepprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 10001ACF: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10001ADF
Part of subcall function 10001ACF: OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10001AF5
Part of subcall function 10001ACF: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B06
Part of subcall function 10001ACF: ControlService.ADVAPI32(00000000,00000001,?), ref: 10001B1D
Part of subcall function 10001ACF: Sleep.KERNEL32(0000000A), ref: 10001B2F
Part of subcall function 10001ACF: QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B3A
Part of subcall function 10001ACF: CloseServiceHandle.ADVAPI32(00000000), ref: 10001B43
Part of subcall function 10001ACF: CloseServiceHandle.ADVAPI32(00000000), ref: 10001B4A

Part of subcall function 100020C8: GetModuleFileNameA.KERNEL32(?,00000104), ref: 100020E5
Part of subcall function 100020C8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100020F3
Part of subcall function 100020C8: GetTickCount.KERNEL32 ref: 100020F9
Part of subcall function 100020C8: wsprintfA.USER32 ref: 10002113
Part of subcall function 100020C8: MoveFileA.KERNEL32(?,?), ref: 1000212A
Part of subcall function 100020C8: MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 1000213B

wsprintfA.USER32 ref: 10002FC4
CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10002FE7
GetModuleFileNameA.KERNEL32(?,00000104), ref: 10002FFF
GetFileAttributesA.KERNEL32(?), ref: 1000300C
GetLastError.KERNEL32 ref: 10003018
Sleep.KERNEL32(000003E8), ref: 10003028
GetFileAttributesA.KERNEL32(?), ref: 10003035

Strings

GUpdate%s, xrefs: 10002FB0
WinSta0\Default, xrefs: 10002FBD
D, xrefs: 10002FB6
SySe, xrefs: 10002F85, 10002F8A, 10002FA9, 1000303D

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: FileService$AttributesCloseHandleModuleMoveNameOpenQuerySleepStatuswsprintf$ControlCountCreateDirectoryErrorLastManagerProcessSystemTick
String ID: D$GUpdate%s$SySe$WinSta0\Default
API String ID: 3185690247-240907611
Opcode ID: 677340bbb3e7d3deb07a041f04dc4ca50ceeb01c397db1cab97bb9b2955d953d
Instruction ID: ebf8a919204883b3cf295611002b4e487a781f5c3db184b4aeea1269bd5b3cbf
Opcode Fuzzy Hash: 677340bbb3e7d3deb07a041f04dc4ca50ceeb01c397db1cab97bb9b2955d953d
Instruction Fuzzy Hash: EB11B672401269AFFB11DBA0CC45EDF37BEFF09381F204051F506E2098DBB49A088BA1

Function 1000473F Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 10004750
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10004764
GetProcAddress.KERNEL32(00000000,Process32First), ref: 1000476E
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 10004779
lstrcmpiA.KERNEL32(?,?), ref: 100047B1
CloseHandle.KERNEL32(00000000), ref: 100047D0
FreeLibrary.KERNEL32(00000000), ref: 100047DB

Strings

CreateToolhelp32Snapshot, xrefs: 1000475E
kernel32.dll, xrefs: 1000474B
Process32Next, xrefs: 10004770
Process32First, xrefs: 10004766

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
API String ID: 1314729832-4285911020
Opcode ID: edd1cf7752d3c0a317ed2cc814c912f2b541baf62ab1e742b5b3ac3e1cc50ead
Instruction ID: 62e2a4d820bdf17ee503cc2422b7b88c1aaff87933f8729642c2e5364a3b347a
Opcode Fuzzy Hash: edd1cf7752d3c0a317ed2cc814c912f2b541baf62ab1e742b5b3ac3e1cc50ead
Instruction Fuzzy Hash: F3115E71D01228ABFB10DB618C88FEEBBF8EF497C1F110095E904E2144DB75AA408AA4

Function 100029B6 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 98filestringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000170), ref: 100029D2
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 10002A05
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 10002A28
CloseHandle.KERNEL32(00000000), ref: 10002A3A
strlen.MSVCRT ref: 10002A47
wsprintfA.USER32 ref: 10002A6B
lstrcpyA.KERNEL32(?,?), ref: 10002A84

Part of subcall function 100027BC: memset.MSVCRT ref: 100027D8
Part of subcall function 100027BC: strrchr.MSVCRT ref: 100027E2
Part of subcall function 100027BC: strrchr.MSVCRT ref: 10002811
Part of subcall function 100027BC: strlen.MSVCRT ref: 10002821
Part of subcall function 100027BC: strncpy.MSVCRT ref: 1000283B
Part of subcall function 100027BC: memset.MSVCRT ref: 10002889
Part of subcall function 100027BC: wsprintfA.USER32 ref: 100028A4
Part of subcall function 100027BC: memset.MSVCRT ref: 100028B3

Strings

01#v, xrefs: 10002A05
.#v, xrefs: 10002A3A
%s %s, xrefs: 10002A65

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: memset$Filestrlenstrrchrwsprintf$CloseCreateHandleWritelstrcpymemcpystrncpy
String ID: %s %s$01#v$.#v
API String ID: 3641787489-3526099317
Opcode ID: 5a089fb692a77de50dca985f2a1d46a33a195534b01f1893c6a9a2dd3832bb26
Instruction ID: 17f6a9bfa48d753ffad60fceaecdc7a51846e01dcf90a102910361a13764abaa
Opcode Fuzzy Hash: 5a089fb692a77de50dca985f2a1d46a33a195534b01f1893c6a9a2dd3832bb26
Instruction Fuzzy Hash: B5318972A001196FFB60DBA4CC89FDB73ACDB05395F104562F608E2085EF71AE44CB61

Function 10003B9E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,?,?,?,?,?,1000397D), ref: 10003BC4
GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 10003BD3
LoadLibraryA.KERNEL32(?,?,?,?,1000397D), ref: 10003C0D
realloc.MSVCRT ref: 10003C2C
GetProcAddress.KERNEL32(?,?), ref: 10003C85
FreeLibrary.KERNEL32(?,1000397D), ref: 10003CC7

Strings

kernel32.dll, xrefs: 10003BAA
IsBadReadPtr, xrefs: 10003BCA

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Library$AddressLoadProc$Freerealloc
String ID: IsBadReadPtr$kernel32.dll
API String ID: 343009874-2271619998
Opcode ID: 449202d9bcd9b40c7640628575b91c895d67466b70a0093317474b01c75d12b5
Instruction ID: afc84e2e1f51588ee312ba66ad041d110bb41dc23133337ce681a0c6c223f4ac
Opcode Fuzzy Hash: 449202d9bcd9b40c7640628575b91c895d67466b70a0093317474b01c75d12b5
Instruction Fuzzy Hash: 45410571A0021AABFB51CF64C889B9EBBF8FF04395F118069E905E7259D735EE44CB90

Function 10002C96 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 72stringprocessCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 10002C9F
??2@YAPAXI@Z.MSVCRT(00000001), ref: 10002CB3
memcpy.MSVCRT(00000000,?,00000001,00000001), ref: 10002CBF
strrchr.MSVCRT ref: 10002CC7
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002D27

Part of subcall function 10004529: LoadLibraryA.KERNEL32(wininet.dll,?,00000001,00000000), ref: 1000454D
Part of subcall function 10004529: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 10004564
Part of subcall function 10004529: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 1000457E
Part of subcall function 10004529: FreeLibrary.KERNEL32(00000000,?,00000001,00000000), ref: 1000459C

Part of subcall function 1000248B: GetFileAttributesA.KERNEL32(00000001,10002CE8,00000001), ref: 1000248F
Part of subcall function 1000248B: GetLastError.KERNEL32 ref: 1000249A

CreateProcessA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10002D18

Strings

WinSta0\Default, xrefs: 10002D11
D, xrefs: 10002CFB

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressLibraryProc$??2@??3@AttributesCreateErrorFileFreeLastLoadProcessmemcpystrlenstrrchr
String ID: D$WinSta0\Default
API String ID: 1737965409-1101385590
Opcode ID: fdc65b0dcff99aff6c43371ba455fda07db6a1f497c56a226c9a0abe83cfdb15
Instruction ID: 4c329e371b8b631c085a2e87808acd0a5feba54148e937fde04f6f1ec7f3be4b
Opcode Fuzzy Hash: fdc65b0dcff99aff6c43371ba455fda07db6a1f497c56a226c9a0abe83cfdb15
Instruction Fuzzy Hash: 6F01E1B75012286AFB01DBE49C45EDF77ACDF093D5F114422FE05E604ADEB49D0582E4

Function 10004467 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,?,00000000,?,00000000,Function_00004CE2,10005170,000000FF,?,100042CA,00000000), ref: 1000448F
GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 100044A4
GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 100044B0
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 100044BC

Strings

OpenInputDesktop, xrefs: 10004498
OpenDesktopA, xrefs: 100044A8
CloseDesktop, xrefs: 100044B4
user32.dll, xrefs: 1000448A

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: c36e72de9a328b3aed83568275539afdfd72128828bb5f39de00532976b64ac8
Instruction ID: 34d8331da3f18528c44290a267cf2e76cab1e846e39b69c6303802ebf673ca42
Opcode Fuzzy Hash: c36e72de9a328b3aed83568275539afdfd72128828bb5f39de00532976b64ac8
Instruction Fuzzy Hash: A3116DB5D00229ABEB11DFA9CC44FDDBAF8FB0C790F214125F511F2254CB7158008BA4

Function 100023FA Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 1000240A

Part of subcall function 1000389D: VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038D8
Part of subcall function 1000389D: VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038E8
Part of subcall function 1000389D: GetProcessHeap.KERNEL32(00000000,00000014,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C), ref: 100038F9
Part of subcall function 1000389D: HeapAlloc.KERNEL32(00000000,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C,?), ref: 10003900
Part of subcall function 1000389D: VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003924
Part of subcall function 1000389D: VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003933
Part of subcall function 1000389D: memcpy.MSVCRT(00000000,?,?,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?), ref: 10003944

OutputDebugStringA.KERNEL32(Can't load library from memory.,?,?,1000234E,?,10006E5C,?,00000000,00000000,?,?), ref: 10002421
printf.MSVCRT ref: 1000244D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 10002462

Strings

Can't load library from memory., xrefs: 1000241C
LoadFromMemory , xrefs: 10002405
PluginMe, xrefs: 10002429
LoadFromMemory END---, xrefs: 10002448

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AllocVirtual$Heapprintf$DebugFreeOutputProcessStringmemcpy
String ID: Can't load library from memory.$LoadFromMemory $LoadFromMemory END---$PluginMe
API String ID: 2530445704-2282109540
Opcode ID: f0778e8a1c44c2343f6cf091ec4a36fe4ce25287fc1b95e6eb17d6c0cbbf42cd
Instruction ID: 01af0e0ac1652a7321e0a293c3daa08a0af86dfdeaa3eab1b942b575fdefc638
Opcode Fuzzy Hash: f0778e8a1c44c2343f6cf091ec4a36fe4ce25287fc1b95e6eb17d6c0cbbf42cd
Instruction Fuzzy Hash: C3F09636100114BBFF02AF90DC05FDE3B75EB897E2F348015FA0455069CF72581597A1

Function 100020C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000104), ref: 100020E5
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 100020F3
GetTickCount.KERNEL32 ref: 100020F9
wsprintfA.USER32 ref: 10002113
MoveFileA.KERNEL32(?,?), ref: 1000212A
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 1000213B

Strings

%s\%d.bak, xrefs: 1000210D

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
String ID: %s\%d.bak
API String ID: 830686190-2116986511
Opcode ID: c8f7a2f9335d496cf424573f89800cf957bdb9276c51bc95e16fdfb109c3bf7e
Instruction ID: c4293e3e21d6716b8372ba05ce181a3280e6ef40116a7aaffd0535516b57a778
Opcode Fuzzy Hash: c8f7a2f9335d496cf424573f89800cf957bdb9276c51bc95e16fdfb109c3bf7e
Instruction Fuzzy Hash: BEF0A4BA800278ABEB10EB94CDCDECB777DEB18785F100191F755D2065DAB59684CFA0

Function 1000366A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00000144,00000000,?,?,100037E0), ref: 10003676
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1000368E
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 10003698
FreeLibrary.KERNEL32(00000000), ref: 100036AC

Strings

kernel32.dll, xrefs: 10003671
GetCurrentProcess, xrefs: 10003690
IsWow64Process, xrefs: 10003688

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: GetCurrentProcess$IsWow64Process$kernel32.dll
API String ID: 2256533930-2522683910
Opcode ID: 34a6eaa16ec599896768d47b9751df638f2169115c1a8e10c5d2607526b1ef77
Instruction ID: ef67112214a51d6d1f3e9f06108ff16868adfdb602b3d8d3b658392e0a076cbe
Opcode Fuzzy Hash: 34a6eaa16ec599896768d47b9751df638f2169115c1a8e10c5d2607526b1ef77
Instruction Fuzzy Hash: CBF0A072A00314BBF701D7E58C98DAF7BBCDB886D1B104019FA00A3208DB739D0189B5

Function 100021FF Relevance: 12.2, APIs: 5, Strings: 3, Instructions: 161memorysleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 10002279
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 10002323
memcpy.MSVCRT(00000000,?,?), ref: 10002336
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 10002371
memcpy.MSVCRT(00000000,?,?), ref: 10002384

Strings

SPh\n, xrefs: 1000233F
SGSWh5-, xrefs: 100022C4
GW2, xrefs: 1000228A

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AllocVirtualmemcpy$Sleep
String ID: GW2$SGSWh5-$SPh\n
API String ID: 1263862976-685354651
Opcode ID: 3d25bdad23a031e0b48f737afd54ec3eb76eea0dcd6b60b485997711385254f5
Instruction ID: 2f54f0f1129bbba38d4c41c0db51b56afb961a9339435d6967ffbe2678c67ccd
Opcode Fuzzy Hash: 3d25bdad23a031e0b48f737afd54ec3eb76eea0dcd6b60b485997711385254f5
Instruction Fuzzy Hash: E241F3B5104244BEF720DFA18CC6F7F7A6CEB457C4F10842AFA894548DCB76AE40A622

Function 10001ACF Relevance: 12.1, APIs: 8, Instructions: 55servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 10001ADF
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 10001AF5
QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B06
ControlService.ADVAPI32(00000000,00000001,?), ref: 10001B1D
Sleep.KERNEL32(0000000A), ref: 10001B2F
QueryServiceStatus.ADVAPI32(00000000,?), ref: 10001B3A
CloseServiceHandle.ADVAPI32(00000000), ref: 10001B43
CloseServiceHandle.ADVAPI32(00000000), ref: 10001B4A

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Service$CloseHandleOpenQueryStatus$ControlManagerSleep
String ID:
API String ID: 2359367111-0
Opcode ID: 5fba824a85b92acc79a789ef028bf042a0167ae6a51034b94a07b5d3b0519e81
Instruction ID: 13eb0d6c039a265936ccbdc891ea19e15248044979c42994c6487f454c48f15c
Opcode Fuzzy Hash: 5fba824a85b92acc79a789ef028bf042a0167ae6a51034b94a07b5d3b0519e81
Instruction Fuzzy Hash: 87017531644627ABF7119BA09C89FFF7BBAEF0A7C1F204060FA01D509DEB648542D6A1

Function 10001445 Relevance: 10.6, APIs: 7, Instructions: 85networkCOMMON

Download Yara Rule

APIs

Part of subcall function 1000180A: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 1000182F
Part of subcall function 1000180A: CancelIo.KERNEL32(?,?,10001455,0000213A,00000000), ref: 10001838
Part of subcall function 1000180A: InterlockedExchange.KERNEL32(?,00000000), ref: 10001844
Part of subcall function 1000180A: closesocket.WS2_32(?), ref: 1000184D
Part of subcall function 1000180A: SetEvent.KERNEL32(?,?,10001455,0000213A,00000000), ref: 10001856

ResetEvent.KERNEL32(?,0000213A,00000000,00000000), ref: 10001458
socket.WS2_32(00000002,00000001,00000006), ref: 10001469
gethostbyname.WS2_32(?), ref: 1000147A
htons.WS2_32(?), ref: 1000148F
connect.WS2_32(?,00000002,00000010), ref: 100014AC
setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 100014D1
WSAIoctl.WS2_32(?,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 10001502

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
String ID:
API String ID: 4281462294-0
Opcode ID: 3bd37e16282c1c1f21b19040e991c0c37f16a42726fa5d42d22308dc76884aca
Instruction ID: 8d33707021d861f585806a6466cff3f66270e93c65c897c0ed9a4eea2b4cd3d2
Opcode Fuzzy Hash: 3bd37e16282c1c1f21b19040e991c0c37f16a42726fa5d42d22308dc76884aca
Instruction Fuzzy Hash: 9421BD71500719BFE7109FA4CC84EEBBBF9EF09394F104529F602A62A4C7B29D449B20

Function 100012D4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100012D9
_CxxThrowException.MSVCRT(?,10005258), ref: 10001332
WSAStartup.WS2_32(00000202,?), ref: 10001343
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10001350
memcpy.MSVCRT(?,00000068,00000003), ref: 10001379

Strings

hx , xrefs: 1000136D

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: CreateEventExceptionH_prologStartupThrowmemcpy
String ID: hx
API String ID: 80965288-1695387836
Opcode ID: 77854b9b63fc0fb3e868ca2b5d078d50e29d64ea9dc30742ffd87570b9eaf05b
Instruction ID: e29fc32a716e33b2e16fee5429824c3098a31f8f694cb1b228e84ed99c9fd0ff
Opcode Fuzzy Hash: 77854b9b63fc0fb3e868ca2b5d078d50e29d64ea9dc30742ffd87570b9eaf05b
Instruction Fuzzy Hash: 8211B4748013849EF710DBA8CD89BEEBBB8DF09384F50005DF141A7286DFB56A08CB62

Function 100013B6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38synchronizationnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100013BB
WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,10002F56), ref: 100013DD
CloseHandle.KERNEL32(?,?,10002F56), ref: 100013F3
CloseHandle.KERNEL32(?,?,10002F56), ref: 100013FC
WSACleanup.WS2_32 ref: 10001402

Part of subcall function 1000180A: setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 1000182F
Part of subcall function 1000180A: CancelIo.KERNEL32(?,?,10001455,0000213A,00000000), ref: 10001838
Part of subcall function 1000180A: InterlockedExchange.KERNEL32(?,00000000), ref: 10001844
Part of subcall function 1000180A: closesocket.WS2_32(?), ref: 1000184D
Part of subcall function 1000180A: SetEvent.KERNEL32(?,?,10001455,0000213A,00000000), ref: 10001856

Strings

.#v, xrefs: 100013F3, 100013FC

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandle$CancelCleanupEventExchangeH_prologInterlockedObjectSingleWaitclosesocketsetsockopt
String ID: .#v
API String ID: 1476891362-507759092
Opcode ID: 22c76b733420cd5322f8b44b49fa99b01b9ed644fac333f7b406b2753b621805
Instruction ID: 3d7d7f28339fdf93618245a95348ecc54ac045937f8d7f2223a7296bdd3ad800
Opcode Fuzzy Hash: 22c76b733420cd5322f8b44b49fa99b01b9ed644fac333f7b406b2753b621805
Instruction Fuzzy Hash: C801A934812BA1DFE725DB64CA4979EBBF5EF047D0F20465CE0A3525EACBB16A04CB11

Function 1000273D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33processCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000104), ref: 10002758
wsprintfA.USER32 ref: 1000277A
wsprintfA.USER32 ref: 10002798
WinExec.KERNEL32(?,00000000), ref: 100027AA

Strings

Rundll32 "%s",Uninstall, xrefs: 10002792
Rundll32 "%s",DllUpdate %s, xrefs: 10002774

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: wsprintf$ExecFileModuleName
String ID: Rundll32 "%s",DllUpdate %s$Rundll32 "%s",Uninstall
API String ID: 4265364758-3622515909
Opcode ID: 2fae55858e382da93d8a6581f30ac6264c287b13e5b54571d9062f30e9afb438
Instruction ID: 96afaeef2140f7acea31c6041c278450ca2d3413692d0236748e955fccce9fd0
Opcode Fuzzy Hash: 2fae55858e382da93d8a6581f30ac6264c287b13e5b54571d9062f30e9afb438
Instruction Fuzzy Hash: 0FF01875400228AFFB10DB50CC8DFCA777DEB08384F604191F659D2065DBB19698CF91

Function 1000260E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26sleepmemoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000229,?,100022D7,?), ref: 10002616
memcpy.MSVCRT(00000001,www.sf2110.com,00000228,?,100022D7,?), ref: 10002633
LocalSize.KERNEL32(00000000), ref: 1000263C

Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001884
Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 1000189C
Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018F3
Part of subcall function 10001863: ??2@YAPAXI@Z.MSVCRT(00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018FB
Part of subcall function 10001863: memcpy.MSVCRT(00000000,000000C8,00000001,00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?), ref: 1000190A
Part of subcall function 10001863: ??3@YAXPAX@Z.MSVCRT(00000000,00000144,00000001,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 10001932

Sleep.KERNEL32(00000001,00000000,00000000), ref: 1000264F
LocalFree.KERNEL32(00000000), ref: 10002656

Strings

www.sf2110.com, xrefs: 1000262A

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Localmemcpy$??2@??3@$AllocFreeSizeSleep
String ID: www.sf2110.com
API String ID: 3084024409-1396719888
Opcode ID: 2ebc1bcf665d22d67c7a361327471c09cc11f5b44399916a7679a62a2e06e5b5
Instruction ID: 6c6233c5ed4335591c5831c53d58df47d942e828471bf6846fd26331ce1e1182
Opcode Fuzzy Hash: 2ebc1bcf665d22d67c7a361327471c09cc11f5b44399916a7679a62a2e06e5b5
Instruction Fuzzy Hash: 1BE092750036317BF341ABA09C4DFCF3A6DEF097D1F044104FB49A5199CB51564187E6

Function 10001863 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 100012A4: VirtualFree.KERNEL32(?,00000000,00008000,?,10001878,?,00000144,00000000,1000381E,000000C8,00000144), ref: 100012B6

??2@YAPAXI@Z.MSVCRT(1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001884
??3@YAXPAX@Z.MSVCRT(00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018F3
??2@YAPAXI@Z.MSVCRT(00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 100018FB
memcpy.MSVCRT(00000000,000000C8,00000001,00000001,00000144,00000144,1000381E,1000381E,00000004,1000381E,00000004,000000C8,00000004,?,00000003,?), ref: 1000190A
??3@YAXPAX@Z.MSVCRT(00000000,00000144,00000001,00000004,000000C8,00000004,?,00000003,?,00000144,00000000), ref: 10001932
memcpy.MSVCRT(00000000,000000C8,1000381E,?,00000144,00000000,1000381E,000000C8,00000144), ref: 1000189C

Part of subcall function 1000104C: memcpy.MSVCRT(?,00000003,00000003,00000000,?,?,10001947,?,00000003,?,00000144,00000000,1000381E,000000C8,00000144), ref: 10001074

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: memcpy$??2@??3@$FreeVirtual
String ID:
API String ID: 494799333-0
Opcode ID: 4ee7b13994a7bebae5ea71dd6d5e065c25e5d167394b36d5181ca15b21c419c8
Instruction ID: a26a835bd5f016d956b68753e1f5501337bc07bd69db5d8cf19c0b84b9b19e4d
Opcode Fuzzy Hash: 4ee7b13994a7bebae5ea71dd6d5e065c25e5d167394b36d5181ca15b21c419c8
Instruction Fuzzy Hash: B631CBB9601204BBFF01EB64DD92FEE77AAEF44380F004019F605A6186DFB4BB149751

Function 10002AC4 Relevance: 9.1, APIs: 6, Instructions: 51stringwindowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10002AD0
SendMessageA.USER32(?,0000000D,00000400,00000000), ref: 10002B05
lstrlenA.KERNEL32(00000000), ref: 10002B12
_strupr.MSVCRT ref: 10002B27
_strupr.MSVCRT ref: 10002B32
strstr.MSVCRT ref: 10002B36

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: _strupr$MessageSendVisibleWindowlstrlenstrstr
String ID:
API String ID: 850376632-0
Opcode ID: 863bd39a3c954a72feaba740ccb092445ef11d91041d151f256abd7524e25783
Instruction ID: f84e90a798d893893a4456b5c45592e19e504f04fdea282cdc153707e49d09ee
Opcode Fuzzy Hash: 863bd39a3c954a72feaba740ccb092445ef11d91041d151f256abd7524e25783
Instruction Fuzzy Hash: 3001B9726002296FFF109F64DC49F9A7BBCEB04385F204076E705E6094DB71E9468BA4

Function 10003E12 Relevance: 9.0, APIs: 6, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 10003E2A
FreeLibrary.KERNEL32(?), ref: 10003E34
FreeLibrary.KERNEL32(?), ref: 10003E3E
FreeLibrary.KERNEL32(?), ref: 10003E48
FreeLibrary.KERNEL32(?), ref: 10003E52
FreeLibrary.KERNEL32(?), ref: 10003E5C

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f0b267456437bb5650b3bd9d655f830ec4ec3bf790c62446a31930fdfe0cb4b5
Instruction ID: d8b8667a67b2f2557cad44f9379b5e8f255c0c6237c58758e20748922239760e
Opcode Fuzzy Hash: f0b267456437bb5650b3bd9d655f830ec4ec3bf790c62446a31930fdfe0cb4b5
Instruction Fuzzy Hash: A6F0EC706007459AEA61EE7ACC44B17F3ECEF90AD1B028929A451D3694DA74EC458960

Function 100026DF Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100026FA
strlen.MSVCRT ref: 10002718

Strings

Remark, xrefs: 10002707
Group, xrefs: 1000270E, 1000272B
SySe, xrefs: 100026E9
SYSTEM\CurrentControlSet\Services\%s, xrefs: 100026F4

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: strlenwsprintf
String ID: Group$Remark$SYSTEM\CurrentControlSet\Services\%s$SySe
API String ID: 350797232-3298372318
Opcode ID: b298f06eb582685539f31f60401fdbef796c9698157982a35a7a39406c1ee736
Instruction ID: a3fc7b85e27bf4a01dcc346c82e5e7340bd10ea751e75b0120d021e994437014
Opcode Fuzzy Hash: b298f06eb582685539f31f60401fdbef796c9698157982a35a7a39406c1ee736
Instruction Fuzzy Hash: CCF065B6800124B7FF10AB54DC4AFDA3B6DDB083D4F1040E1FE0966158EBB55A94CBD1

Function 1000389D Relevance: 8.9, APIs: 7, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038D8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038E8
GetProcessHeap.KERNEL32(00000000,00000014,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C), ref: 100038F9
HeapAlloc.KERNEL32(00000000,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C,?), ref: 10003900
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003924
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003933
memcpy.MSVCRT(00000000,?,?,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?), ref: 10003944

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Alloc$Virtual$Heap$Processmemcpy
String ID:
API String ID: 2335822491-0
Opcode ID: e49d25e9bb0d4a180f47fe763da8cbfb8d19a32eb96c44da1c7ada0cf7328320
Instruction ID: eacb235572be496481c28daf470fd61b07f9ecf460b9dfe0afcc7509c1ddb230
Opcode Fuzzy Hash: e49d25e9bb0d4a180f47fe763da8cbfb8d19a32eb96c44da1c7ada0cf7328320
Instruction Fuzzy Hash: 88314A71600701AFE715CFA9CD85E6BBBECEF49794F118029F644DB285D7B0E9408BA4

Function 1000389C Relevance: 8.9, APIs: 7, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038D8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 100038E8
GetProcessHeap.KERNEL32(00000000,00000014,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C), ref: 100038F9
HeapAlloc.KERNEL32(00000000,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?,10006E5C,?), ref: 10003900
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003924
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E), ref: 10003933
memcpy.MSVCRT(00000000,?,?,?,75C24CB0,00000000,?,?,?,10002414,?,?,?,?,1000234E,?), ref: 10003944

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Alloc$Virtual$Heap$Processmemcpy
String ID:
API String ID: 2335822491-0
Opcode ID: 9aa3b273a59eb2c0b2545a37afc38cd619bd195e7d1346904624c1b6da4ac45c
Instruction ID: 10317215f663cfab710d715b633d7b0dbc04a231647ffe3f91967b0172577e13
Opcode Fuzzy Hash: 9aa3b273a59eb2c0b2545a37afc38cd619bd195e7d1346904624c1b6da4ac45c
Instruction Fuzzy Hash: 69317A71600701AFEB15CBA8CD85F6BBBECEF49794F108029F645DB285D7B0E8008B64

Function 100011FB Relevance: 7.6, APIs: 5, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 10001226
_ftol.MSVCRT ref: 1000122E
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,?,?,10001712,00000003), ref: 10001251
memcpy.MSVCRT(00000000,?,00000000,?,?,10001712,00000003), ref: 10001275
VirtualFree.KERNEL32(?,00000000,00008000,?,?,10001712,00000003), ref: 10001287

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: Virtual$AllocFree_ftolceilmemcpy
String ID:
API String ID: 3927456183-0
Opcode ID: f94edee6810ba8cea6bfb4746a43b2bc9bf2551bc4d63573e388d815a9760473
Instruction ID: ff1c2b162e375ad2b81c3d4b25a5517a05f38efa8821d55832f31a3c03b13b4e
Opcode Fuzzy Hash: f94edee6810ba8cea6bfb4746a43b2bc9bf2551bc4d63573e388d815a9760473
Instruction Fuzzy Hash: 3A11C1B1700304ABF7549F65CC86B9FBBE9EB447D1F108429F655C6284DA71A8008760

Function 10001155 Relevance: 7.6, APIs: 5, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

ceil.MSVCRT ref: 10001187
_ftol.MSVCRT ref: 1000118F
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,?,?,10001947,?,00000003,?,00000144), ref: 100011A3

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AllocVirtual_ftolceil
String ID:
API String ID: 3317677364-0
Opcode ID: 7f57421f4e8a0dbe28e4ec1d2025382d16bc9b97be7dafbce8d036dedad50421
Instruction ID: 1b5d6cedb6f753cdbab920be1aa23ddc9916300482f626f48fbf4534a1b153b9
Opcode Fuzzy Hash: 7f57421f4e8a0dbe28e4ec1d2025382d16bc9b97be7dafbce8d036dedad50421
Instruction Fuzzy Hash: 29119EB1700700ABF7189F65CC85BDFBAE8EB447D1F10842DFB4AC6694EAB5E8008764

Function 1000180A Relevance: 7.5, APIs: 5, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 1000182F
CancelIo.KERNEL32(?,?,10001455,0000213A,00000000), ref: 10001838
InterlockedExchange.KERNEL32(?,00000000), ref: 10001844
closesocket.WS2_32(?), ref: 1000184D
SetEvent.KERNEL32(?,?,10001455,0000213A,00000000), ref: 10001856

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 1871585578dca608de80bf68f21ac6b78937bcf90260c740f92b3d4c82ad3011
Instruction ID: db2c71347286e861532d4f6efb444a5e96e0316710033133ccac3d22043cdb64
Opcode Fuzzy Hash: 1871585578dca608de80bf68f21ac6b78937bcf90260c740f92b3d4c82ad3011
Instruction Fuzzy Hash: 12F05E31000729EFEB209B95CC4EE9A7BB9FF08364F204528F382915F4DBB3A9449B50

Function 1000219E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100021A3
TerminateThread.KERNEL32(?,000000FF,0000213A,00000000,00000000,?,10002F05), ref: 100021CB
CloseHandle.KERNEL32(?,?,10002F05), ref: 100021D3

Strings

.#v, xrefs: 100021D3

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: CloseH_prologHandleTerminateThread
String ID: .#v
API String ID: 977738144-507759092
Opcode ID: f942fbd0e499d4cf21b5ec8bbe2cbe5843c9e0da49b9e854954a717c2909fbbe
Instruction ID: a8522333981b9843ad3281970ac5822235ad3633b8ee82379763b10bff34d37e
Opcode Fuzzy Hash: f942fbd0e499d4cf21b5ec8bbe2cbe5843c9e0da49b9e854954a717c2909fbbe
Instruction Fuzzy Hash: C9F09079A00751DFEB24DF58DC805DEB7B5FB483A1B21822EE17A92198CBB52901DF50

Function 100042EE Relevance: 6.0, APIs: 4, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10004307
_beginthreadex.MSVCRT ref: 10004325
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10004335
CloseHandle.KERNEL32(?), ref: 1000433E

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
String ID:
API String ID: 92035984-0
Opcode ID: 4f24713aeb18b6c8055081ae489e524b02219a3e0fa4e6869f4180a6eb22546b
Instruction ID: faf95892778ea6415a1c54bed7ea38c560d5af97f962d2801ede21c28746a2bf
Opcode Fuzzy Hash: 4f24713aeb18b6c8055081ae489e524b02219a3e0fa4e6869f4180a6eb22546b
Instruction Fuzzy Hash: 93F097B1900119FFEF019FA8CC498AE7BB9FB08351B504565FD25E2264D7329A209B90

Function 10003629 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 21stringCOMMON

Download Yara Rule

APIs

Part of subcall function 10004822: memset.MSVCRT ref: 10004857
Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
Part of subcall function 10004822: memset.MSVCRT ref: 10004878
Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004885
Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004A63

lstrlenA.KERNEL32(00000014,?,?,?,?,100037FD,?,00000014,?), ref: 10003650
lstrcpyA.KERNEL32(00000014,Error,?,?,?,?,100037FD,?,00000014,?), ref: 10003662

Strings

InstallTime, xrefs: 10003638
Error, xrefs: 1000365A

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$memset$Library$FreeLoadlstrcpylstrlen
String ID: Error$InstallTime
API String ID: 2132864188-3993312925
Opcode ID: 05b9f159da249184b1e3b095e130b72a17f690af3a1cf10b62a6d9e74dba2db9
Instruction ID: e8fad5b45eeb662e546af45f25a3999bf1724c4d36ffe5c36dea95d3d4dec653
Opcode Fuzzy Hash: 05b9f159da249184b1e3b095e130b72a17f690af3a1cf10b62a6d9e74dba2db9
Instruction Fuzzy Hash: 9DE0BF31140648B7FF115F51CC46F9D3B5AEB187D6F108054FB08680A4DB7396A09789

Function 1000315D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 100042EE: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10004307
Part of subcall function 100042EE: _beginthreadex.MSVCRT ref: 10004325
Part of subcall function 100042EE: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10004335
Part of subcall function 100042EE: CloseHandle.KERNEL32(?), ref: 1000433E

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 10003178
CloseHandle.KERNEL32(00000000), ref: 1000317F

Strings

.#v, xrefs: 1000317F

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$CreateEvent_beginthreadex
String ID: .#v
API String ID: 1089044457-507759092
Opcode ID: 17d721387280f4c257e3238cd49efe249aff979b7a5e37610df1753b44f01f7e
Instruction ID: a1c9179e9ff13284b8660bf147a9eaea9a9923efbfad9c52f921b306abf4fa18
Opcode Fuzzy Hash: 17d721387280f4c257e3238cd49efe249aff979b7a5e37610df1753b44f01f7e
Instruction Fuzzy Hash: C8D022F64052303EFA0063B0EC08CFB360CCF052B0B310201FD14D10C8DA411C4103B9

Function 100035EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 10004822: memset.MSVCRT ref: 10004857
Part of subcall function 10004822: memset.MSVCRT ref: 1000486A
Part of subcall function 10004822: memset.MSVCRT ref: 10004878
Part of subcall function 10004822: LoadLibraryA.KERNEL32(ADVAPI32.dll,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004885
Part of subcall function 10004822: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 1000489D
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 100048AD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumValueA), ref: 100048BD
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegEnumKeyExA), ref: 100048CA
Part of subcall function 10004822: GetProcAddress.KERNEL32(?,RegCloseKey), ref: 100048D7
Part of subcall function 10004822: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,0000213A,00000144,00000000), ref: 10004A63

lstrlenA.KERNEL32(?,?,1000377E,?,00000032,?,?,?,00000004), ref: 10003611
gethostname.WS2_32(?,?), ref: 10003621

Strings

Remark, xrefs: 100035F9

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AddressProc$memset$Library$FreeLoadgethostnamelstrlen
String ID: Remark
API String ID: 619171837-3865500943
Opcode ID: 83dbbab8dfa45e9539ae4d59c493a246dad8b5cf60af1f24285e8dd54035da6b
Instruction ID: 39b077b3adc2da00c1cb4508d3157ec8a6411d10b118cb0f162994d28e94cfda
Opcode Fuzzy Hash: 83dbbab8dfa45e9539ae4d59c493a246dad8b5cf60af1f24285e8dd54035da6b
Instruction Fuzzy Hash: BDE0B635240219BBEF125F91CC46F9E3F2AEB087D1F108014FB18681A5DB739660AB89

Function 100039BA Relevance: 5.1, APIs: 4, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,?), ref: 10003A10
memset.MSVCRT ref: 10003A1B
VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000000,?,?), ref: 10003A31
memcpy.MSVCRT(00000000,?,?), ref: 10003A40

Memory Dump Source

Source File: 00000003.00000002.4610411485.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.4610385881.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610438233.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610463850.0000000010006000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000003.00000002.4610490577.0000000010007000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_svchost.jbxd

Similarity

API ID: AllocVirtual$memcpymemset
String ID:
API String ID: 2542864682-0
Opcode ID: a05ca4ebf277b10faf3ccce4336dd2b651ae8b873c4573ed6e3e9fab059df227
Instruction ID: 4a5287acb012e3640f8314301f41164344c56cf0a301795e67bafcb82fb77477
Opcode Fuzzy Hash: a05ca4ebf277b10faf3ccce4336dd2b651ae8b873c4573ed6e3e9fab059df227
Instruction Fuzzy Hash: 82213871A00208AFEB11CF59CC81F9AB7F8FF44344F118459E9809B251D770AA50CB54

Analysis Process: SySe.exePID: 1612, Parent PID: 7084COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	678
Total number of Limit Nodes:	13

Executed Functions

Function 00B65911 Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 258
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathIsRelativeW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0(?,00000000,00000000,00000000), ref: 00B65932
RtlSetSearchPathMode.NTDLL ref: 00B65945
SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,00000104,?,?), ref: 00B65961
GetFileAttributesW.KERNEL32(?,?,?), ref: 00B659BF
CreateActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000020,?,?), ref: 00B659D1
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 00B65A17
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 00B65A38
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 00B65A59
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?), ref: 00B65A98
CreateActCtxWWorker.KERNEL32(?,?,?), ref: 00B65AB5
ActivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?,00000000,?,?), ref: 00B65AF3
SetWindowLongW.USER32(?,00000000,00000001), ref: 00B65B67
GetWindowLongW.USER32(?,00000000), ref: 00B65B77
GetWindow.USER32(?,00000003), ref: 00B65B89
memset.MSVCRT ref: 00B65BA7
GetClassNameW.USER32(00000000,?,00000050), ref: 00B65BB9
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(0000007F,00000001,?,000000FF,IME,000000FF), ref: 00B65BD7
GetWindow.USER32(00000000,00000003), ref: 00B65BE5
GetWindow.USER32(00000000,00000004), ref: 00B65BF0
GetWindowLongW.USER32(00000000,000000EC), ref: 00B65BFD
SetWindowLongW.USER32(00000000,000000EC,?), ref: 00B65C37
NtdllDefWindowProc_W.NTDLL(?,0000001C,?,?), ref: 00B65C56

Strings

IME, xrefs: 00B65BC5
, xrefs: 00B6597D
N, xrefs: 00B65B39
.manifest, xrefs: 00B659A8
|, xrefs: 00B65A2D
, xrefs: 00B65AAB

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Window$Create$LongWorker$Path$Search$ActivateAttributesClassCompareFileHandleModeModuleNameNtdllProc_RelativeStringmemset
String ID: $ $.manifest$IME$N$|
API String ID: 1028207903-3161873098
Opcode ID: 11cd33071b0b83cae35265a0cfe4d5847570e2bce5e5daca4b7583fad156cb66
Instruction ID: 03d24f540de58f68acdc522bf45da43ecb641c0e2d1158f14333ff50a0cb9218
Opcode Fuzzy Hash: 11cd33071b0b83cae35265a0cfe4d5847570e2bce5e5daca4b7583fad156cb66
Instruction Fuzzy Hash: 57916371900619AFDB30AF64DC88F9A7BF8EB45321F1442A5F519E31D0EBBC99848F61

Function 00B64136 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 193
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00B6414D
NtSetInformationProcess.NTDLL ref: 00B64162
AttachConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0(000000FF), ref: 00B64199
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00B641B1
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(WLDP.DLL,00000000,00000800,?,?,?), ref: 00B6420E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,WldpIsAllowedEntryPoint), ref: 00B64220
SetErrorMode.KERNEL32(00008001), ref: 00B6428A
DestroyWindow.USER32(?), ref: 00B6433B
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00B64345
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00B6434F
DeactivateActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(00000000,00000000), ref: 00B64386
ReleaseActCtx.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(?), ref: 00B6438D

Part of subcall function 00B637C3: CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 00B637D4
Part of subcall function 00B637C3: CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(00B619CC,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 00B637F0
Part of subcall function 00B637C3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 00B63808
Part of subcall function 00B637C3: GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B6381D
Part of subcall function 00B637C3: CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 00B63866
Part of subcall function 00B637C3: SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B63873
Part of subcall function 00B637C3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00B6387A
Part of subcall function 00B637C3: CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,00B68420,?), ref: 00B63897
Part of subcall function 00B637C3: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00B638D9
Part of subcall function 00B637C3: CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00B638E7

FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00B64398
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00B643A1
FreeConsole.API-MS-WIN-CORE-CONSOLE-L1-2-0 ref: 00B643B0
ExitProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B643B7

Strings

WldpIsAllowedEntryPoint, xrefs: 00B6421A
WLDP.DLL, xrefs: 00B64209
requestedRunLevel, xrefs: 00B64362
localserver, xrefs: 00B64261

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Free$EventLibraryLocal$CloseConsoleCreateHandleInformationInitializeProcess$AddressAllocAttachCurrentDeactivateDestroyErrorExitHandlesHeapLoadModeMultipleProcReleaseSecurityThreadUninitializeWaitWindow
String ID: WLDP.DLL$WldpIsAllowedEntryPoint$localserver$requestedRunLevel
API String ID: 3009286836-3890604504
Opcode ID: de01af1a0375f4cbe2719739d4fdbb7a2cd9c3f9e74e317e796d8449221e8504
Instruction ID: 90048634af703054fb493404c0d0d6f2adefb6e4d486360ad72c324928382413
Opcode Fuzzy Hash: de01af1a0375f4cbe2719739d4fdbb7a2cd9c3f9e74e317e796d8449221e8504
Instruction Fuzzy Hash: DF61AB71108701AFC710EF24DC49A6F7BEAEF88714F044A68F996932E1DB78C949CB52

Function 00B65D6A Relevance: 10.6, APIs: 7, Instructions: 87
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenProcessToken.NTDLL ref: 00B65D8E
RtlNtStatusToDosError.NTDLL ref: 00B65D95
NtClose.NTDLL ref: 00B65DBE
QueryActCtxW.API-MS-WIN-CORE-SIDEBYSIDE-L1-1-0(80000000,00000000,00000000,00000005,?,0000000C,00000000), ref: 00B65DED
NtOpenProcessToken.NTDLL ref: 00B65E13
NtSetInformationToken.NTDLL(?,00000018,00000000,00000004), ref: 00B65E2F
NtClose.NTDLL ref: 00B65E38

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Token$CloseOpenProcess$ErrorInformationQueryStatus
String ID:
API String ID: 3674487995-0
Opcode ID: 2e4b23918191f44cd0f11502a2bb251dbf320869da31cda0eeb2aa0293b9c8ff
Instruction ID: 9db9c191e38600dd6b67f922f2904a4e68a18bf94db56a6336432ac7a8d9c544
Opcode Fuzzy Hash: 2e4b23918191f44cd0f11502a2bb251dbf320869da31cda0eeb2aa0293b9c8ff
Instruction Fuzzy Hash: A9218532A0061AABDF309B948D49FAF7BB8EB45721F110264E915B71E0DA789D14C6A0

Function 00B63C66 Relevance: 7.6, APIs: 5, Instructions: 84
librarywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000008), ref: 00B63C87
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 00B63C93
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,00000000,00000000,?,00000104,00000000,?,00000000,00000008), ref: 00B63CF2

Part of subcall function 00B63B09: GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00B63B39
Part of subcall function 00B63B09: IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 00B63B40
Part of subcall function 00B63B09: GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 00B63B6C
Part of subcall function 00B63B09: PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 00B63B87

RtlImageNtHeader.NTDLL(00000000), ref: 00B63D13
SetProcessMitigationPolicy.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1(00000000,?,00000008,?,00000000,00000008), ref: 00B63D4B

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Process$AppendCurrentDirectoryErrorFormatHeaderImageLastLibraryLoadMessageMitigationPathPolicyProcess2SystemWow64
String ID:
API String ID: 4162338769-0
Opcode ID: a0890ceb9cdc6ddcf238ed2f5c81ecf2e80980ee6a85777ac6f5c4e89b64bde4
Instruction ID: f54fa9fc636deeb0af5788ea23518fb328af8890408d8220dcff7b7533693619
Opcode Fuzzy Hash: a0890ceb9cdc6ddcf238ed2f5c81ecf2e80980ee6a85777ac6f5c4e89b64bde4
Instruction Fuzzy Hash: 8B2174706402186EFB14DB258C89FFA76FDEBD4B10F1440A9F509E71D0DEB88F848A61

Function 00B65CF1 Relevance: 4.6, APIs: 3, Instructions: 53
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationToken.NTDLL ref: 00B65D17
NtQueryInformationToken.NTDLL ref: 00B65D3C
RtlNtStatusToDosError.NTDLL ref: 00B65D4D

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: InformationQueryToken$ErrorStatus
String ID:
API String ID: 1049779487-0
Opcode ID: 1567091156206c34e7006831e4544113b232e851810fdae50a6fea7fbee987c1
Instruction ID: 4d593e119840a13f8216bb79578d69b56e90b5c7e3e6b18a9723c5a4a638a757
Opcode Fuzzy Hash: 1567091156206c34e7006831e4544113b232e851810fdae50a6fea7fbee987c1
Instruction Fuzzy Hash: 06017571600219BBEF309AA19D4DFAE7BFCEB44755F1040B1AA01DB0D1D778D919CB60

Function 00B640B1 Relevance: 1.5, APIs: 1, Instructions: 27
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00B640D2

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d2d3eabac46f2ffeb825f3389a8caa5c35c3ca7bac8076fe60b033bb454da186
Instruction ID: eb5f3a554d52b9d4950273443e4d6e456bd8f29c792fa61382a9d1bc8b9c83d0
Opcode Fuzzy Hash: d2d3eabac46f2ffeb825f3389a8caa5c35c3ca7bac8076fe60b033bb454da186
Instruction Fuzzy Hash: B0E092347003087BE710DBA49A85BAEBBEC9B45708F141066EA41A71C1DAB4E8089621

Function 00B65E4F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrResolveDelayLoadedAPI.NTDLL(00B60000,?,?), ref: 00B65E71

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: DelayLoadedResolve
String ID:
API String ID: 841769287-0
Opcode ID: b629aa93f9f5644c7fa9d538bd3a67ace5fc13b5eb6f6f7ecfd2e04b521ee427
Instruction ID: 495a067760b35b07de89b2a29a0d6e752c28f2153ce6bfe6b63912d50627c5c1
Opcode Fuzzy Hash: b629aa93f9f5644c7fa9d538bd3a67ace5fc13b5eb6f6f7ecfd2e04b521ee427
Instruction Fuzzy Hash: CAD0CA3B006248FF8F022FC6EC24C863F2AE788320B048002F608020B0CBBA8021EB60

Function 00B65F25 Relevance: 10.6, APIs: 7, Instructions: 138
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00B66C20,00000058), ref: 00B65F3A
Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8), ref: 00B65F6F
_amsg_exit.MSVCRT ref: 00B65F84
_initterm.MSVCRT ref: 00B65FD8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B66004
exit.MSVCRT ref: 00B66087

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
String ID:
API String ID: 2849151604-0
Opcode ID: 1d17bd6dfc8268ad39ba6fe95045ec91a46a1aeaadd2d4abb1294593656e74d1
Instruction ID: 9e332b36ac2cfd71e88fcd4bf00ac324fb146b69075dafb03a15c439b924ab8c
Opcode Fuzzy Hash: 1d17bd6dfc8268ad39ba6fe95045ec91a46a1aeaadd2d4abb1294593656e74d1
Instruction Fuzzy Hash: 8F41EE71A447129FDB359F58D88576A77E4EB44760F2006BEE806AB2D0DFBC8C40CB64

Function 00B65C6C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconW.USER32(?,00000064), ref: 00B65C95
LoadCursorW.USER32(00000000,00007F00), ref: 00B65CA4
RegisterClassW.USER32(?), ref: 00B65CC7
CreateWindowExW.USER32(00000080,RunDLL,00B619A0,00000000,80000000,80000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00B65CE6

Strings

RunDLL, xrefs: 00B65CAD, 00B65CE0

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Load$ClassCreateCursorIconRegisterWindow
String ID: RunDLL
API String ID: 1446224504-1316671358
Opcode ID: aeef00a3e24e09ae41023767c7798a04338b6d29dbd94041d4273a2f89d8c6cb
Instruction ID: fde179ba3449ec18b445298f3fa1bf780b8ae5e17bd8ecaec2b7bbe39fc993b4
Opcode Fuzzy Hash: aeef00a3e24e09ae41023767c7798a04338b6d29dbd94041d4273a2f89d8c6cb
Instruction Fuzzy Hash: 6C01E5B1D00208AFEB109F9A9C88EAFBEBCFB48754F504019F514E3280C7B859058BB4

Function 00B63E5B Relevance: 6.1, APIs: 4, Instructions: 108
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B63C66: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,00000008), ref: 00B63C87
Part of subcall function 00B63C66: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000008), ref: 00B63C93

Part of subcall function 00B63D62: _wtoi.MSVCRT(?), ref: 00B63D94
Part of subcall function 00B63D62: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 00B63DA0

WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 00B63EF5
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000), ref: 00B63F00
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,00000000,00000000,00000000), ref: 00B63F1E
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?), ref: 00B63F5C

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ByteCharLibraryMultiWide$AddressAllocErrorFreeLastLoadLocalProc_wtoi
String ID:
API String ID: 1343397253-0
Opcode ID: 40d80763ff67ec0a4627a74b94fdee3eafcfa160007b23a8409d9ef9c19200ec
Instruction ID: 3e39ab6f75595c284e6e3569a61621131dba019c9be271a9a16740d0f06cf02b
Opcode Fuzzy Hash: 40d80763ff67ec0a4627a74b94fdee3eafcfa160007b23a8409d9ef9c19200ec
Instruction Fuzzy Hash: B5313EB5A00205ABCB04CFA9C8549AFBBF9FF89B04F1440A9F905A7350DA759E01CB60

Function 00B65EF0 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 00B65F14

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: e0cfff25eaf25411ed16128dbece1e0f73c8f060a228638c07f0bb6b3d217316
Instruction ID: 34bac7492b620ac14df60928c5068dbbb53b77545b058cbb5a0170bb45c95ea0
Opcode Fuzzy Hash: e0cfff25eaf25411ed16128dbece1e0f73c8f060a228638c07f0bb6b3d217316
Instruction Fuzzy Hash: ECD0C9726C1201EB87609F24AD0A8013AE0A200B407000B94F408A32F2DEFD941C8B1D

Non-executed Functions

Function 00B661C0 Relevance: 6.0, APIs: 4, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00B662F6,00B61000), ref: 00B661C7
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00B662F6,?,00B662F6,00B61000), ref: 00B661D0
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00B662F6,00B61000), ref: 00B661DB
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00B662F6,00B61000), ref: 00B661E2

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: bfb45eb396fd2d3cdf2627ced4fb86f1cc2736db9ea3ecf02cea753a51ac2443
Instruction ID: 84f7a4a4e5216a2b6b500ed2542391b379a55116639dd5d9eb87d26507c7a8c1
Opcode Fuzzy Hash: bfb45eb396fd2d3cdf2627ced4fb86f1cc2736db9ea3ecf02cea753a51ac2443
Instruction Fuzzy Hash: 1FD0E972444105BBDF002BE1EC0DA593E2DFB45656F154410F71A974A1DFBA5412CB65

Function 00B625B2 Relevance: 4.7, APIs: 3, Instructions: 187threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00000000), ref: 00B6265E
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00B62737
OutputDebugStringW.API-MS-WIN-CORE-DEBUG-L1-1-0(?), ref: 00B627A1

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThread
String ID:
API String ID: 4268342597-0
Opcode ID: eb68979f4f89b941fe21ce01eb1ec7856118ea5829c9d244f8b5daf6abe2004b
Instruction ID: 3d7e2bcf317df2ca0ce37075ce662dbc52cb8fb48dbc543e0e3a6f5cc8b3d452
Opcode Fuzzy Hash: eb68979f4f89b941fe21ce01eb1ec7856118ea5829c9d244f8b5daf6abe2004b
Instruction Fuzzy Hash: 59618D35600A099FEB219F39D844A6A7BE6FF84710B1585A9E80AD73A0DF7CEC01CB50

Function 00B63F6B Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

RtlImageNtHeader.NTDLL ref: 00B63F7A
ImageDirectoryEntryToData.IMAGEHLP(?,00000001,0000000A,?), ref: 00B63FCA

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Image$DataDirectoryEntryHeader
String ID:
API String ID: 3478907836-0
Opcode ID: e31f195a5dd92d32aba28f35ddc4dff9387f126d9fb585de16bb40c6b9d6c6a0
Instruction ID: 21a256cf2a46cb397e29830032c3b63ce3eb148a0f643ced1a76ad0e9f687383
Opcode Fuzzy Hash: e31f195a5dd92d32aba28f35ddc4dff9387f126d9fb585de16bb40c6b9d6c6a0
Instruction Fuzzy Hash: AF018F75610351AAD7209F21C804BA3B7F8FF05B00F04059DF596DB291E779EA80CBA1

Function 00B6205A Relevance: 1.5, APIs: 1, Instructions: 33comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00B6161C,00000000,00000001,00B61940,?), ref: 00B62072

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: d118f3006d1886c95597b4cf4641fe918766c438f3de1a579a295bee1de05906
Instruction ID: b61b32d4ada636a65fc24293cdf43528ef5d720c7dde4efe28b9ff6814b85a2d
Opcode Fuzzy Hash: d118f3006d1886c95597b4cf4641fe918766c438f3de1a579a295bee1de05906
Instruction Fuzzy Hash: 35F08235740218BFDB00DB99CC55F8D77ADEB88750F140095FA06E72D0CAB5AE01CB90

Function 00B66510 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000064C0), ref: 00B66515

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2a6860c8f1c6108f577e4a8f62716b4a051cec6fe6cdf9e56d98572543fb8f87
Instruction ID: 2aaf922523fbc7e093d97187ea8f13fd48ea191748c7b4bf36dd901c1bf21890
Opcode Fuzzy Hash: 2a6860c8f1c6108f577e4a8f62716b4a051cec6fe6cdf9e56d98572543fb8f87
Instruction Fuzzy Hash: 009002A02565004646002B706C0D50526E46E48A1A7420590E006C92A4EEAA41059551

Function 00B62100 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 165windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000), ref: 00B621D8
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00B6223F

Strings

CallContext:[%hs] , xrefs: 00B622A3
LogHr, xrefs: 00B62192
(caller: %p) , xrefs: 00B62224
%hs!%p: , xrefs: 00B6220A
, xrefs: 00B62273
ReturnHr, xrefs: 00B6219E
%hs(%d) tid(%x) %08X %ws, xrefs: 00B6224F
Msg:[%ws] , xrefs: 00B6228B
[%hs], xrefs: 00B622D8
[%hs(%hs)], xrefs: 00B622BE
FailFast, xrefs: 00B62186
Exception, xrefs: 00B621AA
%hs(%u)\%hs!%p: , xrefs: 00B621F9

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-3173542853
Opcode ID: d2039f94eda327ac9bf246204ea82270a6bec6cf4d1e370f5d5859a5deae5083
Instruction ID: 4dab67fa5d6b05f9202320dd3560b9742f3a04cc3e65b4efce480f3c02228ea3
Opcode Fuzzy Hash: d2039f94eda327ac9bf246204ea82270a6bec6cf4d1e370f5d5859a5deae5083
Instruction Fuzzy Hash: BE5124B1900B00ABFB345F69CC49F67B7F9EB55700F084ADDF106A21A2DA7D9940CB62

Function 00B63B09 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 107processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63A51: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00B63A7B
Part of subcall function 00B63A51: memset.MSVCRT ref: 00B63A8F
Part of subcall function 00B63A51: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000040,?,00000000,00000000), ref: 00B63AA6
Part of subcall function 00B63A51: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 00B63AC1
Part of subcall function 00B63A51: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 00B63AE1
Part of subcall function 00B63A51: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00B63AF3

GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00B63B39
IsWow64Process2.API-MS-WIN-CORE-WOW64-L1-1-1(00000000), ref: 00B63B40
GetSystemDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,000000F6), ref: 00B63B6C
PathCchAppend.API-MS-WIN-CORE-PATH-L1-1-0(?,00000105,rundll32.exe), ref: 00B63B87
RtlWow64IsWowGuestMachineSupported.NTDLL ref: 00B63BA9
GetSystemWow64Directory2W.API-MS-WIN-CORE-WOW64-L1-1-1(?,000000F6,?), ref: 00B63BC9
Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000000), ref: 00B63BD4
memset.MSVCRT ref: 00B63BE6
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B63C08
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000), ref: 00B63C16
Wow64EnableWow64FsRedirection.API-MS-WIN-CORE-KERNEL32-PRIVATE-L1-1-0(00000001), ref: 00B63C20
WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF), ref: 00B63C36
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00B63C44
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00B63C50

Strings

rundll32.exe, xrefs: 00B63B76

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Wow64$File$CloseHandle$CreateEnableProcessReadRedirectionSystemmemset$AppendCommandCurrentDirectoryDirectory2GuestLineMachineObjectPathPointerProcess2SingleSupportedWait
String ID: rundll32.exe
API String ID: 1294557600-3034741169
Opcode ID: 4aa6bd05c84ecbf09d9b789b0f4f6c005060dcc81debdbf3be524e17f6c1bfc1
Instruction ID: 3257f07885a4316de4ca85b6c16254fed6a4b9a82bae15c6920543cde7e0ca33
Opcode Fuzzy Hash: 4aa6bd05c84ecbf09d9b789b0f4f6c005060dcc81debdbf3be524e17f6c1bfc1
Instruction Fuzzy Hash: AF313272901129ABDF619B609C8DFEA77FCEB05B00F0801E5E609E3090DF789B85DB50

Function 00B637C3 Relevance: 15.1, APIs: 10, Instructions: 102threadCOMMON

Download Yara Rule

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000002), ref: 00B637D4
CoInitializeSecurity.API-MS-WIN-CORE-COM-L1-1-0(00B619CC,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000000), ref: 00B637F0
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0 ref: 00B638E7

Part of subcall function 00B6205A: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(00B6161C,00000000,00000001,00B61940,?), ref: 00B62072

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000001,00000000,00000000), ref: 00B63808
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B6381D

Part of subcall function 00B653AD: InitOnceExecuteOnce.API-MS-WIN-CORE-SYNCH-L1-2-0(00B684A4,00B653D0,00000000,00000000,00B6382A), ref: 00B653BB

CreateEventW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?), ref: 00B63866
SetEvent.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B63873
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00B6387A
CoWaitForMultipleHandles.API-MS-WIN-CORE-COM-L1-1-0(00000000,00007530,00000001,00B68420,?), ref: 00B63897
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00B638D9

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: CreateEvent$CloseHandleInitializeOnce$CurrentExecuteHandlesInitInstanceMultipleSecurityThreadUninitializeWait
String ID:
API String ID: 2536006573-0
Opcode ID: 093d2fe9608a75e09d7cd524a75fd2b5048d34d1e5e87207422bcb0a857b3f5d
Instruction ID: 5685411ae467e94a65dbd774d8ec6ce05916e9be6fa9c16f063412910fbf44e5
Opcode Fuzzy Hash: 093d2fe9608a75e09d7cd524a75fd2b5048d34d1e5e87207422bcb0a857b3f5d
Instruction Fuzzy Hash: 07314171600306AFEB115BB09C8DEAA7AECFB44B45B0445A9F506E32A1DFFCD9448B20

Function 00B638F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,000000C8), ref: 00B6391E
LoadStringW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000402,?,000000C8,?,000000C8), ref: 00B63963
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(CONOUT$,C0000000,00000003,00000000,00000003,00000000,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00B63992
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00B639D0
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,00B61844,00000002,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00B639E6
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000001,?,?,?,00000000,?,00000402,?,000000C8,?,000000C8), ref: 00B63A15
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000001,?,00000402,?,000000C8,?,000000C8), ref: 00B63A1C

Strings

CONOUT$, xrefs: 00B6398D

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ConsoleWrite$LoadString$CloseCreateFileHandle
String ID: CONOUT$
API String ID: 258192622-3130406586
Opcode ID: 204118bde5bc50f77aef7650df38682d5a5d748fc2b585e7cb13a2a367653975
Instruction ID: aaa11e3aed5d3e1cc6cbe380c733ee3eb8456202768c7dd6d321b9d0b5692c19
Opcode Fuzzy Hash: 204118bde5bc50f77aef7650df38682d5a5d748fc2b585e7cb13a2a367653975
Instruction Fuzzy Hash: 0931A232500119ABEB20DB64CC49FEB77FCEB45B00F044195FA0AE7181EA74AB49CE64

Function 00B633F9 Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B63431
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00B63443
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B6346A
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B6347C
AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B634CF
EncodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00B634E1
DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(00000000), ref: 00B634EF
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(?), ref: 00B6350F

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Lock$PointerReleaseShared$AcquireDecodeExclusive$Encode
String ID:
API String ID: 3770696666-0
Opcode ID: 33c9df0035957b0e1a8d457afa4084edb8bb35f7406988a56556d9aca4cd66b1
Instruction ID: 64dd6b6bf5bd855b7c758cd4bdbdbe3f6aa862f3b3997ffba26545fd43f72ef0
Opcode Fuzzy Hash: 33c9df0035957b0e1a8d457afa4084edb8bb35f7406988a56556d9aca4cd66b1
Instruction Fuzzy Hash: B9413A75A00219EFCB05DF65D89896DBBF9FF49B107144099E906EB3A0CB79AE01CF90

Function 00B62B5A Relevance: 12.1, APIs: 8, Instructions: 100synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?), ref: 00B62B6D

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 58584c2af3e9970e34ef36aec9694d84718c31129a41919be2af313e1f394de6
Instruction ID: b8414d77680e54b252c6108f9cc611986e49ce88e289703895a6f776a3e7071c
Opcode Fuzzy Hash: 58584c2af3e9970e34ef36aec9694d84718c31129a41919be2af313e1f394de6
Instruction Fuzzy Hash: A4316D70600A06ABFB245B619CC8BAF36EDEF51350F3480B6F506E62D0DB7CCD429692

Function 00B63D62 Relevance: 12.1, APIs: 8, Instructions: 98libraryloadermemoryCOMMON

Download Yara Rule

APIs

_wtoi.MSVCRT(?), ref: 00B63D94
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?), ref: 00B63DA0
LocalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?), ref: 00B63DD3
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000400,?,?,00000000,?,00000000,00000000), ref: 00B63DF1
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00B63E13
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00B63E30
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,00000000,?,?,00000000,?,00000000,00000000), ref: 00B63E43
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,00000000,?,00000000,00000000), ref: 00B63E4C

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: AddressProc$Local$AllocByteCharFreeMultiWide_wtoi
String ID:
API String ID: 3528786098-0
Opcode ID: 7dd1cea7406f4637bc96d43970fc98c66f69dd4bb2023b6c1189fd4f51a146fb
Instruction ID: 4887967de71ab9fbb997ab7304f5a27b9b41547cc3fb87397f0d83eba50c2bad
Opcode Fuzzy Hash: 7dd1cea7406f4637bc96d43970fc98c66f69dd4bb2023b6c1189fd4f51a146fb
Instruction Fuzzy Hash: E3317F76500212EFCB215F64DC489ABBBF9EF49B1071445AAED46D3250DBBA9E01CAB0

Function 00B63A51 Relevance: 9.1, APIs: 6, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00B63A7B
memset.MSVCRT ref: 00B63A8F
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000040,?,00000000,00000000), ref: 00B63AA6
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000), ref: 00B63AC1
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,000000F8,?,00000000), ref: 00B63AE1
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00B63AF3

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: File$Read$CloseCreateHandlePointermemset
String ID:
API String ID: 3827546496-0
Opcode ID: e62a4d395679897cf0470dee59e9a2f1f5cb59122154715389f147cf474b4992
Instruction ID: 0c889506683756eb474adedec2e3c22be27fae44fce9dc75884ac05dd8c096c1
Opcode Fuzzy Hash: e62a4d395679897cf0470dee59e9a2f1f5cb59122154715389f147cf474b4992
Instruction Fuzzy Hash: 931186716001247BDB209BA59C49FFF7BBCEF45B60F440158FA5CE20D0EAB89A45DBA1

Function 00B66735 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00B66762
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B66771
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00B6677A
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00B66783
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00B66798

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 06b09b1fe3d20a7ada4a4e8af4b3af6d8c6c56fdc9273b198f86e166da6e7e15
Instruction ID: 54b947b39716443b862f1a6af9aa6b6376ee6e895660da23a3ef46e71beea7de
Opcode Fuzzy Hash: 06b09b1fe3d20a7ada4a4e8af4b3af6d8c6c56fdc9273b198f86e166da6e7e15
Instruction Fuzzy Hash: EB110671D01209AFDF20DFB8DA4869EB7F9EF58315F6148A5D802E7290EA789F049B50

Function 00B65695 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 245COMMON

Download Yara Rule

APIs

CharNextW.API-MS-WIN-CORE-STRING-L2-1-0(?,00000000,?,00000000,?), ref: 00B65885

Strings

sta, xrefs: 00B65724
localserver, xrefs: 00B6573A
/, xrefs: 00B656A5

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: CharNext
String ID: /$localserver$sta
API String ID: 3213498283-3694077230
Opcode ID: 346f6e1c155e81b6e9dabf88a6d9b216df12034b569ae4091c0725582bd8dba8
Instruction ID: 4d1199f8ab6fe1308819dbb1b4ed576e26700335937d62e8b355260f8a407bb0
Opcode Fuzzy Hash: 346f6e1c155e81b6e9dabf88a6d9b216df12034b569ae4091c0725582bd8dba8
Instruction Fuzzy Hash: 6E71A279A00626DBCF34DF5984106B9B3F1EFA8750F6444EAE8C5EB280EB788E51D750

Function 00B624E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 00B624EB
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 00B624F7

Strings

kernelbase.dll, xrefs: 00B624E6
RaiseFailFastException, xrefs: 00B624F1

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 6f318f487be221b582321a12a448f1179799b6b06df2e8a6c9c591413735dae0
Instruction ID: c208b720e48df89ced4fad658780e450e368168a3e63ce81a90d313f6c7ee620
Opcode Fuzzy Hash: 6f318f487be221b582321a12a448f1179799b6b06df2e8a6c9c591413735dae0
Instruction Fuzzy Hash: DAE0EC76540229B78F212FA5DC1CC9A7F6DEB447A27044452FE19931A0CE798C10DAA0

Function 00B63306 Relevance: 6.1, APIs: 4, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

AcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B63381
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B6339A

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: db1abf698b784bbed2e48aec9b5c6a3dbe76faca56a56e3bac06f5bf2a88bd44
Instruction ID: cd08dcff5235f697c453f771247fdbd325a4028a8d855bd0f15d5b070bd02e00
Opcode Fuzzy Hash: db1abf698b784bbed2e48aec9b5c6a3dbe76faca56a56e3bac06f5bf2a88bd44
Instruction Fuzzy Hash: 4831C331600124EFCB049B19C898A6DBBE9FF49710B1540D5E906DB3A0CF78AE01CB94

Function 00B63FE7 Relevance: 6.1, APIs: 4, Instructions: 55comCOMMON

Download Yara Rule

APIs

CoInitializeEx.API-MS-WIN-CORE-COM-L1-1-0(00000000,00000006), ref: 00B64003
CLSIDFromString.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 00B64012
CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,00000001,00B61970,?,?,?), ref: 00B6402D
CoUninitialize.API-MS-WIN-CORE-COM-L1-1-0(?,?), ref: 00B6405E

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: CreateFromInitializeInstanceStringUninitialize
String ID:
API String ID: 2575628211-0
Opcode ID: e513fc13412560d387f9dbaab5cdad16b903ff2756abcae6b9c1e63a2bc59c31
Instruction ID: 08ca965dc78659a640aeb0d600ea8308f53f9c86d42097e306386048d127d371
Opcode Fuzzy Hash: e513fc13412560d387f9dbaab5cdad16b903ff2756abcae6b9c1e63a2bc59c31
Instruction Fuzzy Hash: 8C115231700528AFDB14DB65DC55EAE7BBDEF48710F000095E605E7290CFB9A901CBA1

Function 00B65E80 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00B66598: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00B6659F

__set_app_type.MSVCRT ref: 00B65E92
__p__fmode.MSVCRT ref: 00B65EA8
__p__commode.MSVCRT ref: 00B65EB6
__setusermatherr.MSVCRT ref: 00B65ED7

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: 940eb034b63b2b410d1eaa9286d820563d565e8446d0ed950147e028fec05ad2
Instruction ID: 41178791272166d9a6d4a51d5551c11c9833a4bdd01ed1cb225c2d233c54f5ef
Opcode Fuzzy Hash: 940eb034b63b2b410d1eaa9286d820563d565e8446d0ed950147e028fec05ad2
Instruction Fuzzy Hash: CAF0F2B05803099FCB28AF30A84A6083BA4BB15721B104B9AE466932F5DFBD8454CA54

Function 00B65490 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

RoOriginateError.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80040111,?), ref: 00B655D9

Part of subcall function 00B633F9: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B63431
Part of subcall function 00B633F9: DecodePointer.API-MS-WIN-CORE-UTIL-L1-1-0(?), ref: 00B63443
Part of subcall function 00B633F9: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000), ref: 00B6346A

RoOriginateErrorW.API-MS-WIN-CORE-WINRT-ERROR-L1-1-0(80070057,00000012,?), ref: 00B65616

Strings

activatibleClassId, xrefs: 00B655FE

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ErrorLockOriginateShared$AcquireDecodePointerRelease
String ID: activatibleClassId
API String ID: 3068322146-2691401494
Opcode ID: 4e29eec3d366f456f0909d4827ef6f1f3def7b1e1bdcf8d62f4f6079592ca263
Instruction ID: c09d8aaf3c688e49c19cc11f40f35800c6e88307c954586d10a58d89454a5ece
Opcode Fuzzy Hash: 4e29eec3d366f456f0909d4827ef6f1f3def7b1e1bdcf8d62f4f6079592ca263
Instruction Fuzzy Hash: 4941C571A10618EBCB24DF64DC98AAE77FAFF58710F104099E807E7291DB79AD11CB90

Function 00B64751 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040,?,00000000,00000000), ref: 00B64771
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001,?,?,?,?,?,00000000), ref: 00B647A5

Part of subcall function 00B646CA: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,00B62B21,00000000,?,?), ref: 00B646DA
Part of subcall function 00B646CA: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,00B62B21,00000000,?,?), ref: 00B646E9

Strings

Local\SM0:%d:%d:%hs, xrefs: 00B64778

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ErrorLast$CreateCurrentMutexProcess
String ID: Local\SM0:%d:%d:%hs
API String ID: 779401067-4162240545
Opcode ID: d2d3176e4e7c0ad7d4cae938e990d77c154ea02ddff538a1ee9b30c83adb7825
Instruction ID: b37deae25bb95fa5dbe06d358ca97891b582c20a221e8b6e24cfef9f8ff3acdb
Opcode Fuzzy Hash: d2d3176e4e7c0ad7d4cae938e990d77c154ea02ddff538a1ee9b30c83adb7825
Instruction Fuzzy Hash: 3841B471941938ABCB31DB64DC89AEA77F9EB54700F1041E5F809A7281DBB89E80CBD0

Function 00B62C6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 00B62CC6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00B62CD2

Strings

_p0, xrefs: 00B62CAD

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ErrorLastOpenSemaphore
String ID: _p0
API String ID: 1909229842-2437413317
Opcode ID: 7146da838952f1883ea73e492aaf4f10b9bbd9a0a90f595ffd3d5be5cf4348ab
Instruction ID: 0590972d8a0760d59e627e4e27364b129fb2e75cf76193197b749403cabf7891
Opcode Fuzzy Hash: 7146da838952f1883ea73e492aaf4f10b9bbd9a0a90f595ffd3d5be5cf4348ab
Instruction Fuzzy Hash: 1C21F271205A05AFE315EF18D88596BB7E9EBC8310F108A6DF85587394DB38DC058AA2

Function 00B66B60 Relevance: 5.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 00B64925
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 00B64936
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00B6495D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00B64964

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ErrorHeapLast$FreeProcess
String ID:
API String ID: 1234203156-0
Opcode ID: 1c7a475f5dcc4cbf5629df3ddc64301703f216deca13e1c14b7c4e5ec398e1f9
Instruction ID: d14e43e2de76e1b5ad0b24587978c71d90c2aaed57da1903c1e2ff827d97de8c
Opcode Fuzzy Hash: 1c7a475f5dcc4cbf5629df3ddc64301703f216deca13e1c14b7c4e5ec398e1f9
Instruction Fuzzy Hash: CD21AC31500910AFCF15AFA0D985A7EBBE9EF8170930441D4F9069B1A6DFBC9D05DBA0

Function 00B648B7 Relevance: 5.1, APIs: 4, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?), ref: 00B64925
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?), ref: 00B64936
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00B6495D
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,?), ref: 00B64964

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: ErrorHeapLast$FreeProcess
String ID:
API String ID: 1234203156-0
Opcode ID: 6a7a811c7ed11aa79ddd98a09f0729bcd5fc321ec8f2965a8c003cd667f1e84c
Instruction ID: fff98d4f92f2cfa3771420efe426af7b6fdc3de9b797c58f6c1839c4cbd4d60b
Opcode Fuzzy Hash: 6a7a811c7ed11aa79ddd98a09f0729bcd5fc321ec8f2965a8c003cd667f1e84c
Instruction Fuzzy Hash: 1221AC31500820EFCF15AFA0D985AAEBBA9EF8170430441D4F802AB19ADFBC9D01DBA0

Function 00B62E62 Relevance: 5.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,?,00B64B2F,?,00000000,00000000,?,?,?,00000000,?), ref: 00B62E80
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?,?,?,00B648A0,?,?,?,?,00000000), ref: 00B62E87
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00B64B2F,?,00000000,00000000,?,?,?,00000000,?,?,?,00B648A0), ref: 00B62EA5
HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00000000,?,?,?,00B648A0,?,?,?,?,00000000), ref: 00B62EAC

Memory Dump Source

Source File: 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, Offset: 00B60000, based on PE: true

Associated: 00000007.00000002.4610477592.0000000000B60000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4610531810.0000000000B69000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_b60000_SySe.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 93b289103173740ff90fb89894815f4e08b59570d16f298a793d33ac891a73f9
Instruction ID: b61ce8d8c8b1038037229c6cc5df78e20d7c9e8d3903ce455b372ec4cdc72909
Opcode Fuzzy Hash: 93b289103173740ff90fb89894815f4e08b59570d16f298a793d33ac891a73f9
Instruction Fuzzy Hash: E7F04F72610611AFDB188FA1DC88B65BBFCFF48312F110529F141C7490DBB9E995CBA0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9JQ3JboYdz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\4293750.dll

C:\Windows\SysWOW64\SySe.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
9JQ3JboYdz.exe

Function 00401794 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 67
libraryloaderprocessCOMMON

Function 00401B6B Relevance: 24.5, APIs: 9, Strings: 5, Instructions: 48
librarythreadloaderCOMMON

Function 00401134 Relevance: 115.8, APIs: 42, Strings: 24, Instructions: 337
sleeplibraryloaderCOMMON

Function 004028D2 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00401000 Relevance: 4.5, APIs: 3, Instructions: 35
fileCOMMON

Function 00401AEE Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 39
COMMON

Function 00402A60 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 0040187B Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 63
libraryloaderCOMMON

Function 00401C18 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 95
libraryloaderstringCOMMON

Function 004020F5 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 82
COMMON

Function 004016EB Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Function 00401FC6 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre