Windows Analysis Report
SecuriteInfo.com.FileRepMalware.5727.29935.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.5727.29935.exe
Analysis ID: 1436361
MD5: ce813b7759c9293c3fec90106ce0e647
SHA1: 8a8f39fc451f89174d4c01927b0539e762eec399
SHA256: 1ab6d36d906e439da8469ebfa4d3c6384f4dae213701a527d719aeeb19827792
Tags: exe

Detection

Score: 34
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to delete services
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis
Sample searches for specific files; try pointing organization-specific fake files to the analysis machine
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters like "-", "/", "--")
  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: http://smallsrv.com/webmail.exe | Virustotal: Detection: 6%
Source: http://smallsrv.com/sendmail.exe | Virustotal: Detection: 5%
Source: C:\shttps\http.exe | Virustotal: Detection: 39%
Source: C:\shttps\uninst.exe | Virustotal: Detection: 15%
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | Virustotal: Detection: 59%
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Window detected: &Uninstall Small HTTP server ver 3.06 End User License Agreement The "Small HTTP server" is free software. This means: 1. All copyrights to "Small HTTP server" are exclusively owned by the author - Max Feoktistov (AKA Maksim Feoktistov). This software may including the librarry "MD5 Message-Digest Algorithm" that owned by "RSA Data Security Inc." 2. Anyone may use this software ulimited time. 3. The "Small HTTP server" may be freely distributed. 4. "Small HTTP server" IS DISTRIBUTED "AS IS". NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED. YOU USE AT YOUR OWN RISK. THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS DAMAGES LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING OR MISUSING THIS SOFTWARE. 5. The source code of this software and any clones may be distributed under term of GNU General Public License version 3. 6. All rights not expressly granted here are reserved by Max Feoktistov. 7. Installing and using "Small HTTP server" signifies acceptance of these terms and conditions of the license. 8. If you do not agree with the terms of this license you must remove "Small HTTP server" files from your storage devices and cease to use the product. Max Feoktistov GNU GENERAL PUBLIC LICENSE Version 3 29 June 2007 Copyright (C) 2007 Free Software Foundation Inc. <https://fsf.org/> Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed. Preamble The GNU General Public License is a free copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We the Free Software Foundation use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs too. When we speak of free software we are referring to freedom not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish) that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things. To protect your rights we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore you have certain responsibilities if you distribute copies of the software or if you modify it: responsibilities to respect the freedom of others. For example if you distribute copies of such a progr
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File created: C:\shttps\license.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: http://127.0.0
Source: desc.htm.0.dr | String found in binary or memory: http://127.0.0.1/
Source: desc.htm.0.dr | String found in binary or memory: http://127.0.0.1/$_admin_$conf
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr, desc.htm.0.dr | String found in binary or memory: http://127.0.0.1/$_admin_$host
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | String found in binary or memory: http://127.0.0.1/$_admin_$stat
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://127.0.0.1/$_admin_$state
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://127.0.0.1/My/
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://127.0.0.1/My/index.htm.
Source: desc.htm.0.dr | String found in binary or memory: http://Web.Golux.Com/coar/cgi/
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://Your_IP_address/IMAGES/bgr.gif.
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://Your_IP_address_here/test.html
Source: http.exe.0.dr, shs_lang.cfg.0.dr, shs_lang.cfg0.0.dr | String found in binary or memory: http://other.host
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr, desc.htm.0.dr | String found in binary or memory: http://smallsrv.com/donation.shtml
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr, desc.htm.0.dr | String found in binary or memory: http://smallsrv.com/index.htm#new
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | String found in binary or memory: http://smallsrv.com/index.htm#newhttp://smallsrv.com/news.htmdesc.htmhttp://smallsrv.com/donation.sh
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://smallsrv.com/ipbase.zip
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://smallsrv.com/libsec111.zip
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | String found in binary or memory: http://smallsrv.com/news.htm
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://smallsrv.com/seclibgnutls.zip
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://smallsrv.com/sendmail.exe
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://smallsrv.com/webmail.exe
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://www.OpenSSL.org
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://www.delorie.com/djgpp/
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://www.gnu.org/
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://www.gnutls.org
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: http://www.php.net
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | String found in binary or memory: https://%.9s:%u%s
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | String found in binary or memory: https://%.9s:%u%s%.16s:%u%sopen
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: https://build.openvpn.net/downloads/releases/
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741660063.0000000000139000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000003.1741383828.0000000000139000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000003.1741520038.0000000000139000.00000004.00000020.00020000.00000000.sdmp, license.txt.0.dr | String found in binary or memory: https://fsf.org/
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: https://gnutls.org/manual/html_node/Priority-Strings.html
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: https://hostname.etc/$_vpn_$/
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: https://openvpn.net/
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | String found in binary or memory: https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Code function: 0_2_004011D6 PostQuitMessage,GetDlgItem,EnableWindow,SHBrowseForFolder,SHGetPathFromIDList,SetDlgItemTextA,ControlService,DeleteService,DeleteFileA,wsprintfA,DeleteFileA,wsprintfA,RemoveDirectoryA,RemoveDirectoryA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,DeleteFileA,RemoveDirectoryA,ControlService,GetDlgItemTextA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,wsprintfA,MessageBoxA,_lcreat,_hwrite,_lclose,GlobalAlloc,GlobalFix,wsprintfA,GlobalUnWire,GlobalFree,RegDeleteValueA,wsprintfA,RegSetValueExA,RegCloseKey,_lopen,_lcreat,_llseek,GetDlgItemTextA,GetDlgItemTextA,GetDlgItemTextA,wsprintfA,wsprintfA,_hwrite,CreateServiceA,GetLastError,wsprintfA,MessageBoxA,ChangeServiceConfigA,DeleteService,_lclose,MessageBoxA,KiUserCallbackDispatcher,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Code function: 0_2_0042B4E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Code function: String function: 00406A3A appears 78 times
Source: http.exe.0.dr | Binary string: VPN client: connection closed. \\.\Global\\Device\\DosDevices\Global\vpn_if_client_down.batvpn_if_up.batvpn_if_client_up.bat192.168.111.1, 8.8.8.8, 4.4.4.4192.168.112.1, 8.8.8.8, 4.4.4.4192.168.111.20192.168.112.20255.255.255.0192.168.111.1192.168.112.1tap0901>>%.256s VPN in:%u out:%u time: %us %s
Source: http.exe.0.dr | Binary string: \Device\
Source: classification engine | Classification label: sus34.winEXE@1/12@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: nds) that the resource record may be cached before it should be discarded.<br> $SLAVE <i>&lt;domain-name&gt; &lt;ip-address-of-master&gt; [&lt;filename&gt;]</i> -- Work as slave DNS server for this domain. Download full domain from master<br> the time interva
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: C recomendation you must direct class "IN" for each line with RR format. <i>&lt;type&gt;</i> may be: <li> A <i>&lt;IP-address&gt;</i> - a host address <li> AAAA <i>&lt;IPv6-address&gt;</i> - a host IPv6 address <li> NS <i>&lt;full-name&gt;</i> - an authorit
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: 250-STARTTLS
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: ached before it should be discarded.<br> $SLAVE <i>&lt;domain-name&gt; &lt;ip-address-of-master&gt; [&lt;filename&gt;]</i> -- Work as slave DNS server for this domain. Download full domain from master<br> $IF_DOWN <i>&lt;host:port&gt; &lt;interval&gt; Old.IP=N
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: veus name will be used. Unlike RFC recomendation you must direct class "IN" for each line with RR format. <i>&lt;type&gt;</i> may be: <li> A <i>&lt;IP-address&gt;</i> - a host IPv4 address <li> AAAA <i>&lt;IPv6-address&gt;</i> - a host IPv6 address <li> NS
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: %u.%u.%u.%u.IN-ADDR.ARPA
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: %u.%u.IN-ADDR.ARPA
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: m 1 to 255. Lower values are preferred. <li> PTR <i>&lt;full-name&gt;</i> - a name. Host at left side must be #.#.#.#.in-addr.arpa <LI> TXT text <LI> SPF text <LI> CAA 0 [issue|issuewild] server <LI> TYPE<i>number \\# length hex hex hex...</i> - for new, un
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: e&gt;</i><br> $TTL <i>&lt;validate-time&gt;</i> -- a 32 bit unsigned integer that specifies the time interval (in seconds) that the resource record may be cached before it should be discarded.<br> $SLAVE <i>&lt;domain-name&gt; &lt;ip-address-of-master&gt;
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: .IN-ADDR.ARPA
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | String found in binary or memory: ll be used. Unlike RFC recomendation you must direct class "IN" for each line with RR format. <i>&lt;type&gt;</i> may be: <li> A <i>&lt;IP-address&gt;</i> - a host address <li> AAAA <i>&lt;IPv6-address&gt;</i> - a host IPv6 address <li> NS <i>&lt;full-
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Automated click: Install
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Window detected: Number of UI elements: 13
Source: uninst.exe.0.dr | Static PE information: real checksum: 0x11309 should be: 0x10219
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe | Static PE information: real checksum: 0x0 should be: 0x3da64
Source: uninst.exe.0.dr | Static PE information: section name: .eh_fram
Source: http.exe.0.dr | Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Code function: 0_2_00408795 pushfd ; ret 0_2_00408796
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File created: C:\shttps\uninst.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | File created: C:\shttps\http.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Dropped PE file which has not been started: C:\shttps\uninst.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Dropped PE file which has not been started: C:\shttps\http.exe
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: FpAGPROGMANshttps\http.exe\%s\Small HTTP server.lnk\Description.lnk\License.lnk\lang_notes.lnklangpackslangpacks\rulangpacks\en%s\Can't create file
Source: SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROGMAN
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe | Code function: 0_2_0040192F GetVersion,OpenSCManagerA,OpenServiceA,QueryServiceConfigA,MessageBoxA,LoadIconA,LoadCursorA,RegisterClassA,SHGetSpecialFolderLocation,SHGetPathFromIDList,wsprintfA,_lopen,GetFileTime,_hread,_lclose,RegOpenKeyA,RegQueryValueA,GetStockObject,ShowWindow
MITRE ATT&CK matrix (techniques listed per tactic; the number shown before a technique in the original matrix is kept in parentheses):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Command and Scripting Interpreter (2), Service Execution (11), At, Cron, Launchd
  • Persistence: Windows Service (12), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
  • Privilege Escalation: Windows Service (12), Process Injection (1), DLL Side-Loading (1), Login Hook, Network Logon Script
  • Defense Evasion: Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (21), Software Packing (1), DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: Security Software Discovery (1), Process Discovery (1), File and Directory Discovery (2), System Information Discovery (2), Internet Connection Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Antivirus detection, submitted file:

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.FileRepMalware.5727.29935.exe | 50% | ReversingLabs | Win32.Trojan.Generic |
SecuriteInfo.com.FileRepMalware.5727.29935.exe | 59% | Virustotal | | Browse
SecuriteInfo.com.FileRepMalware.5727.29935.exe | 100% | Joe Sandbox ML | |

Antivirus detection, dropped files:

Source | Detection | Scanner | Label | Link
C:\shttps\http.exe | 17% | ReversingLabs | |
C:\shttps\http.exe | 39% | Virustotal | | Browse
C:\shttps\uninst.exe | 12% | ReversingLabs | Win32.PUA.Generic |
C:\shttps\uninst.exe | 15% | Virustotal | | Browse

No Antivirus matches
Antivirus detection, URLs:

Source | Detection | Scanner | Label | Link
http://smallsrv.com/donation.shtml | 0% | Avira URL Cloud | safe |
http://smallsrv.com/news.htm | 0% | Avira URL Cloud | safe |
https://gnutls.org/manual/html_node/Priority-Strings.html | 0% | Avira URL Cloud | safe |
https://%.9s:%u%s | 0% | Avira URL Cloud | safe |
http://smallsrv.com/webmail.exe | 0% | Avira URL Cloud | safe |
http://127.0.0.1/$_admin_$host | 0% | Avira URL Cloud | safe |
http://127.0.0.1/$_admin_$conf | 0% | Avira URL Cloud | safe |
https://hostname.etc/$_vpn_$/ | 0% | Avira URL Cloud | safe |
http://smallsrv.com/news.htm | 1% | Virustotal | | Browse
https://%.9s:%u%s%.16s:%u%sopen | 0% | Avira URL Cloud | safe |
http://smallsrv.com/donation.shtml | 1% | Virustotal | | Browse
http://127.0.0.1/$_admin_$stat | 0% | Avira URL Cloud | safe |
http://127.0.0.1/$_admin_$host | 0% | Virustotal | | Browse
http://Web.Golux.Com/coar/cgi/ | 0% | Avira URL Cloud | safe |
http://smallsrv.com/webmail.exe | 7% | Virustotal | | Browse
http://other.host | 0% | Avira URL Cloud | safe |
http://smallsrv.com/index.htm#new | 0% | Avira URL Cloud | safe |
http://127.0.0.1/$_admin_$stat | 0% | Virustotal | | Browse
http://127.0.0.1/My/index.htm. | 0% | Avira URL Cloud | safe |
https://gnutls.org/manual/html_node/Priority-Strings.html | 0% | Virustotal | | Browse
http://smallsrv.com/libsec111.zip | 0% | Avira URL Cloud | safe |
http://127.0.0.1/$_admin_$conf | 0% | Virustotal | | Browse
http://other.host | 0% | Virustotal | | Browse
http://Web.Golux.Com/coar/cgi/ | 0% | Virustotal | | Browse
http://127.0.0.1/My/index.htm. | 0% | Virustotal | | Browse
http://smallsrv.com/ipbase.zip | 0% | Avira URL Cloud | safe |
http://www.gnutls.org | 0% | Avira URL Cloud | safe |
http://127.0.0.1/ | 0% | Avira URL Cloud | safe |
http://smallsrv.com/libsec111.zip | 0% | Virustotal | | Browse
http://smallsrv.com/index.htm#new | 3% | Virustotal | | Browse
http://127.0.0.1/$_admin_$state | 0% | Avira URL Cloud | safe |
http://Your_IP_address/IMAGES/bgr.gif. | 0% | Avira URL Cloud | safe |
http://smallsrv.com/ipbase.zip | 4% | Virustotal | | Browse
http://smallsrv.com/index.htm#newhttp://smallsrv.com/news.htmdesc.htmhttp://smallsrv.com/donation.sh | 0% | Avira URL Cloud | safe |
http://127.0.0 | 0% | Avira URL Cloud | safe |
http://www.gnutls.org | 0% | Virustotal | | Browse
http://Your_IP_address_here/test.html | 0% | Avira URL Cloud | safe |
http://127.0.0.1/$_admin_$state | 0% | Virustotal | | Browse
http://smallsrv.com/seclibgnutls.zip | 0% | Avira URL Cloud | safe |
http://smallsrv.com/sendmail.exe | 0% | Avira URL Cloud | safe |
http://127.0.0.1/My/ | 0% | Avira URL Cloud | safe |
http://127.0.0.1/ | 2% | Virustotal | | Browse
http://smallsrv.com/index.htm#newhttp://smallsrv.com/news.htmdesc.htmhttp://smallsrv.com/donation.sh | 3% | Virustotal | | Browse
http://smallsrv.com/seclibgnutls.zip | 4% | Virustotal | | Browse
http://smallsrv.com/sendmail.exe | 5% | Virustotal | | Browse
http://127.0.0.1/My/ | 0% | Virustotal | | Browse
http://127.0.0 | 0% | Virustotal | | Browse
No contacted domains info
URLs found in memory and dropped files:

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.gnu.org/ | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | | high
http://www.delorie.com/djgpp/ | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | | high
https://%.9s:%u%s | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | false | Avira URL Cloud: safe | low
https://openvpn.net/ | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | | high
http://smallsrv.com/donation.shtml | SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr, desc.htm.0.dr | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://smallsrv.com/webmail.exe | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://smallsrv.com/news.htm | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://gnutls.org/manual/html_node/Priority-Strings.html | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://127.0.0.1/$_admin_$host | SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr, desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://127.0.0.1/$_admin_$conf | desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.php.net | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | | high
https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | | high
https://hostname.etc/$_vpn_$/ | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | Avira URL Cloud: safe | unknown
https://%.9s:%u%s%.16s:%u%sopen | SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | false | Avira URL Cloud: safe | low
http://127.0.0.1/$_admin_$stat | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://Web.Golux.Com/coar/cgi/ | desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://other.host | http.exe.0.dr, shs_lang.cfg.0.dr, shs_lang.cfg0.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://smallsrv.com/index.htm#new | SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr, desc.htm.0.dr | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://127.0.0.1/My/index.htm. | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://smallsrv.com/libsec111.zip | SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://build.openvpn.net/downloads/releases/ | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | | high
http://smallsrv.com/ipbase.zip | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.gnutls.org | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://127.0.0.1/ | desc.htm.0.dr | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://127.0.0.1/$_admin_$state | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://Your_IP_address/IMAGES/bgr.gif. | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | Avira URL Cloud: safe | low
http://smallsrv.com/index.htm#newhttp://smallsrv.com/news.htmdesc.htmhttp://smallsrv.com/donation.sh | SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, http.exe.0.dr | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://fsf.org/ | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741660063.0000000000139000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000003.1741383828.0000000000139000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000003.1741520038.0000000000139000.00000004.00000020.00020000.00000000.sdmp, license.txt.0.dr | false | | high
http://127.0.0 | SecuriteInfo.com.FileRepMalware.5727.29935.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | low
http://Your_IP_address_here/test.html | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | Avira URL Cloud: safe | low
http://smallsrv.com/seclibgnutls.zip | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://smallsrv.com/sendmail.exe | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 5%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.OpenSSL.org | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | | high
http://127.0.0.1/My/ | SecuriteInfo.com.FileRepMalware.5727.29935.exe, SecuriteInfo.com.FileRepMalware.5727.29935.exe, 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, desc.htm.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                  No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1436361
Start date and time: 2024-05-04 16:24:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.FileRepMalware.5727.29935.exe
Detection: SUS
Classification: sus34.winEXE@1/12@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 5
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com
                  No simulations
                  No context
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:HTML document, ASCII text
                  Category:dropped
                  Size (bytes):89232
                  Entropy (8bit):5.060228397971653
                  Encrypted:false
                  SSDEEP:1536:Q2MlQ0+lFuc8302G0J5LXp7n7ZbuOPXaB:Q2oGmJlX91bpPXi
                  MD5:A0EA01DFC9375131655453B5370DD214
                  SHA1:23B7C8FB73C4EECA0816D5374034F2CC82D27C8E
                  SHA-256:8E8B2AB9C56B769B08CFFA1BF064BF35B3C45C64A7896DC7A960FBDD66262A89
                  SHA-512:327E3864514B8A49B24F9D871254500CDB792477384D92BADA3E3062FBD13E7BA0AD71175E6C0686CB102CD817944F7B7AB4036481AC2149E7CF5CF3532F6E5D
                  Malicious:false
                  Reputation:low
                  Preview:<html><head>.<style>.font.h{font-size:9pt; line-height:10pt}.font.f4a{font-size:6pt; line-height:8pt }.font.f5{font-size:16pt; line-height:18pt }.font.f {font-size:9pt; line-height:10pt }..</style>.<meta name="keywords" content="VPN,HTTPS VPN,smtp,dns,web,server,cgi,ssi,isapi,http server,smtp server,dns server,web server,server,ftp server,pop3 server,DHCP server, mail server">.<meta name="description" content="Description for the program Small HTTP server. About HTTP, FTP, DNS, DHCP, Mail, proxy and VPN servers.">..<script type="text/javascript"> ..var ism=0;.var ovp=0;..function mhide().{if( ism ). {if( !ovp ). {ism = 0;. ovp = 0;. document.getElementById('mn').style.display = "none" ;. return true ;. }. return true ;. }. return false;.}.function mshow().{document.getElementById('mn').style.display = "";. ism = 1;. return false ;.}..function E(s,a,b,c).{var x,z,l,t;. x=a + c + b +"64" + h + e;. z=c+b; l="<"; t="a";. document.write('<b>'+s+'</b>: '+l+t+" href=m"+t+"ilto"+
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:ASCII text
                  Category:dropped
                  Size (bytes):37
                  Entropy (8bit):4.222174311224063
                  Encrypted:false
                  SSDEEP:3:vcnei38rFU:/CaU
                  MD5:2472582290B4B2EFA9AB56C99FAABCC5
                  SHA1:7CF42D8FA364D6C6238EDF7CBAF144EB7DC2EA80
                  SHA-256:25A7693031BCC2BB860F765FB5E43A83451ED82E4CDAE70E9DD2B7FEAAC00849
                  SHA-512:98C5A5801D4E3544BFCC39CA45DBB8BF3ED1C5A84A649AA152CC08D8F23F0318E117DA233B3FEC0A44B5909DFD51F5CAC7977988A345F86FB9A77D40F73A237A
                  Malicious:false
                  Reputation:low
                  Preview: . user=admin;;c:\shttps;A. norunhtm.
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Category:dropped
                  Size (bytes):331264
                  Entropy (8bit):6.602839268715394
                  Encrypted:false
                  SSDEEP:6144:MtEqVR9V3QDesq+pFtE75bdRDSBciGR7V6jrAeZqK9IKjjsxzYX6mGI:CEWV3QDeetE7NDDSiiGX7eZqK9IKjjso
                  MD5:E4852476C159D37B1768C8AC7D7B1A3B
                  SHA1:88A0FA9FA656BD07425DE360F47283D035A5CFEE
                  SHA-256:017E4BC48B84792FFF31C0C879EB4A420E0C14590905F62BACA1AE216A233FB2
                  SHA-512:84744276BD28178B7EBEA60AF0980597A6683B04C0536AFD3746C0BC32BD0FD1E0B66379F2146732BB112629773BD5F51B135C32221289E18DF59AE340C0841A
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 17%
                  • Antivirus: Virustotal, Detection: 39%, Browse
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ve.e...............#..........................@..................................~........ ........ ............................................................................................................P................................text...............................`.0`.data... ...........................@.`..rdata..............................@.`@.eh_framdd.......f..................@.0@.bss....@.... ........................`..idata..............................@.0..rsrc...............................@.0.........................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1030
                  Entropy (8bit):5.140215479522065
                  Encrypted:false
                  SSDEEP:12:TM3iSnRuVov1U7FysyGp3DyiU22Xpl3kQtfgcGkVtvXlaMN2U5Nci26J2xA5NE/v:qPnRuV+EGH3p4ciMPgiPJW
                  MD5:7B8EF5A845CFC027F687018CA9C7B2C3
                  SHA1:8052A649454EABF2F849EA5AB97D8BBAEF3B98A0
                  SHA-256:1B67993E811F676452815F714EF365A45CD44414E97FEC7E2A325E2325DAF0DC
                  SHA-512:B5C461EE70EC23BD1388DEC629584A91271EA0D1C28155FD6B599B7F53F353BFFA075393C903129A304852F7FAAA953631E759C5A6480A291A8BF8A2380F2EA6
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version='1.0' encoding='UTF-8' standalone='yes'?>..<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. Windows 10 -->.. <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>.. Windows 8.1 -->.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. Windows 8 -->.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. Windows 7 -->.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.. Windows Vista -->.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. </application>.. </compatibility>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level='highestAvailable' uiAccess='false' />.. </requestedPrivileges>.. </security>..
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1948
                  Entropy (8bit):4.529439466668669
                  Encrypted:false
                  SSDEEP:48:5lByB7fIWAkKNAHTd85Bz45Pf6BlApTGgO52:5lByUKZCtMn6BasgS2
                  MD5:0343D8AF7C4D427649C8FFE6C1612CD6
                  SHA1:8CCA40020728DF4AF62234A33BA2B369DE0ED4B3
                  SHA-256:B7720BB2248F52FD2FC04EC8F5B6037A8E1AA8E23F094F85B1F39C6DB5137CC0
                  SHA-512:8D74A3019983E37CE183A25D75EEB3AF221B540FC1441E0009C1492B8A485C12CD1D3EA78A42B666D6657CCBAD54E45DD113FB1D9479DEA59E98516443F3B773
                  Malicious:false
                  Reputation:low
                  Preview:...... Notes for multi languages support.... The Small HTTP server ver 3.06 support separate language file. This..give possibility to make any localisation of the program. The language file..named 'shs_lang.cfg'. The file is the same for Windows and for Linux..versions. If this file is placed in the same directory where placed..configuration file, the program load strings from this file. Localisation..files that are already available, placed into 'langpacks' directory... If the file for your language is not precent there, then you can make..it yourself, just translate the file from some other language. If you do it,..then you may send me the result, it will be including in the next packages..and it will be a vailable for download on the site.....shs_lang.cfg file format:.... It is text file. The file including the records for strings constant..that using the program. Each record it is:....MNEMOTIC_NAME=some text<LF><LF>....
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:ASCII text, with very long lines (311)
                  Category:dropped
                  Size (bytes):41693
                  Entropy (8bit):5.450799967788996
                  Encrypted:false
                  SSDEEP:384:84FNtLIrfru/wsscsUTIcMILeFHIAY0QIyk8G+4oSqzNzEzL3eY7hrINiyGcDy1U:/FNtsGH+UbL8Y0Ln8FHZ43BcDSH7MDeI
                  MD5:246A8F91C571ACFAFBE058AED6744AE9
                  SHA1:C245B23F009B27C9AF72EE75D1831A496FFD47E4
                  SHA-256:173D84383867A95E5C06826A07FC798B5B49E90B4355AB7FDD11DDBAF81A55AD
                  SHA-512:5CADFA126E0CD30482083D3188DA84A4888941F44D2FAFABE1ED285F11806EA8FDED49705674DE1F63317ED5C11810AB47051EB19E7D205130740B823FC2144B
                  Malicious:false
                  Reputation:low
                  Preview:charset=; charset=windows-1251..S1t2T_4362878=Bind to all addapters..S1t2T_4197922=IPs and IPv6 to bind, through coma. (0.0.0.0. - bind to all IP; ::0 bind to all IPv6)..S1t2T_1259448=Also work through IPv6..S1t2T_1727805=No limitation for %s..S1t2T_3322121=Time per that will calculating limits (in seconds)..S1t2T_5543034=Limit per IP (Kb)..S1t2T_6151093=Limit per network (Kb)..S1t2T_3979193=Total limit for server (Kb)..S1t2T_4199171=Don't restrict speed of outgoing transfer..S1t2T_3759240=Limit for summary speed of outgoing transfer. for all connections from the same IP (KBytes/minute)..S1t2T_4406032=How many another connections must have activity,. to check on speed limitation..S1t2T_3105507=Don't save uncrypted passwords in config file..S1t2T_2188250=Remove passwords from the log..S1t2T_2190235=Save passwords as MD5 Digest (RFC2069/RFC2617)..S1t2T_2154049=Realm - string for MD5 Digest (RFC2069/RFC2617)..S1t2T_2847174=Using MD5 Digest for authorization if posible. (RFC2069/RFC261
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:Non-ISO extended-ASCII text, with very long lines (311)
                  Category:dropped
                  Size (bytes):49665
                  Entropy (8bit):6.1262982306514715
                  Encrypted:false
                  SSDEEP:768:kcFNmBCzXSSNsSLCD3yU3+vz8xFnk2Ub8Q2QcRH7MsjBWK9CYdEh:kctuS1OD3yk+gDnk2a8BQcR7nXdk
                  MD5:B21A667A495D420D6B921D3CDD8ACF6A
                  SHA1:3E58576BE78633D0972045AC066B62893D58D817
                  SHA-256:98091294F27EFED73AB43B0799ACDA723503DFDC6CD4440445AAFA849A016BB1
                  SHA-512:B519D29B2C1FECA57A3F9BD630577594F9903173A65C177F18E1FE7F867F6CE5ADF0E0DC5A1C3C37866C984E5FB1202FF4CF835C935899EF81A6ABD522C210B5
                  Malicious:false
                  Preview:charset=; charset=windows-1251..S2sGENERAL_S=..... ...........S2sDON_T_OUT=.. ........ ... . ..........S2sSTART_AS_=........... ..........S2sDISABLE_I=.. .......... ...... . ...........S2sMINIMIZE_=............. ... .........S2sDETAIL_LO=......... ..... ... POP/SMTP/FTP. ..... ............ ...... ........ ..........S2sDISABLE_S=.. ......... ......S2sSTORE_LOG=......... .... ........ ... ...-........S2sNEW_LOG_F=..... ... .... ...... ..... ... ....., ...... ........ .......... .. .......S2sDISABLE_T=.. ............ .......... .............. ........... . ...... ........S2sUSERS_FRO=............ .......... ............. ............ . ...... . .... .. ......... ...... ........... ..... ............. 0. ........... ................ .. ... TCP .......... (HTTP,FTP,POP,SMTP,Proxy)..S2sENABLE_TO=......... ......... ....................S2sHTTP_SERV=HTTP ........S2sDISABLE_H=......... HTTP .........S2sHOW_MANY_=... ..... HTTP ........ ..... ............... ............. ..... 20Kb ......
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):34455
                  Entropy (8bit):4.628285571178764
                  Encrypted:false
                  SSDEEP:384:rrHtjJRuZ7vytNQ0Lf8KnYz3ZlqXstCTyVqtGJEuzFrb3CNHroNjOK1gxCLfW:vt7Y+tNdSz3ZlqXOWoInuzx3Y8N3Wiu
                  MD5:67A6EA9846E3B7A4169E6E523E234932
                  SHA1:245CBBA889EBB7CE8BDF7AB48FE80FF5B2634A43
                  SHA-256:BD649DC7C808457239F906AEDE37E988E860D9B8EBD4D15C1BC5334C9D3B21B2
                  SHA-512:DBA48F6940B81903D84C45EE8C986B62813E5EC23A62F466CAF2F76AF176CF2AF59FF21644E986B029FF5B176F5CD3E75A1F811C102A1D8A3C08B5DDF631C25E
                  Malicious:false
                  Preview:.. Small HTTP server ver 3.06.. End User License Agreement...... The "Small HTTP server" is free software. This means:.... 1. All copyrights to "Small HTTP server" are exclusively owned by the author - Max Feoktistov (AKA Maksim Feoktistov)... This software may including the librarry "MD5 Message-Digest Algorithm" that owned by "RSA Data Security, Inc." .... 2. Anyone may use this software ulimited time. .... 3. The "Small HTTP server", may be freely distributed..... 4. "Small HTTP server" IS DISTRIBUTED "AS IS". NO WARRANTY OF ANY KIND IS EXPRESSED OR IMPLIED. YOU USE AT YOUR OWN RISK. THE AUTHOR WILL NOT BE LIABLE FOR DATA LOSS, DAMAGES, LOSS OF PROFITS OR ANY OTHER KIND OF LOSS WHILE USING OR MISUSING THIS SOFTWARE..... 5. The source code of this software and any clones may be distributed under term of GNU General Public License version 3... .. 6. All rights not expressly gran
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                  Category:dropped
                  Size (bytes):5120
                  Entropy (8bit):2.9158528066839318
                  Encrypted:false
                  SSDEEP:24:etGS9dwDElOz8CIIhgKW2+3aW9GA9EuJnfVMFZtLwH8Nv08Nvx1TKZUAtBBC/UU9:6zwDElOzACsEu1ixLwwAUAtB0/w
                  MD5:21EAC4EB717B77220B315A069DD02197
                  SHA1:F9B524070D9C8D09E137C4B60A1B412B923059C9
                  SHA-256:F62C8723C8A57E841DDC50464208099209073438041D826E4537EB58CA5782AD
                  SHA-512:AC39B26CFDCF320887DF0F58663EE150CB6D412DE3675196E5FD752A30679DB8BA5F7C7D19430CD00576BAFAC06D0172C8DF782F3F262205426BDC99B6E90E45
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 12%
                  • Antivirus: Virustotal, Detection: 15%, Browse
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a.#e...............#............)........ ....@..........................p................ ..............................`.......................................................................................`..`............................text...l........................... .0`.data... .... ......................@.`..rdata.......0......................@.0@.eh_fram.....@......................@.0@.bss....`....P........................`..idata.......`......................@.0.................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):359
                  Entropy (8bit):4.98233486013166
                  Encrypted:false
                  SSDEEP:6:TOwjvkqviBTBhsXjjhKhBF0JIDKWP+EzlWtuFs0QGI8ItLxQLnscOwv:6xqSsTjhqDKmnzDUGaIOa
                  MD5:84BE01E5CCCE78E905FF6DB9185E33DB
                  SHA1:D3DBA249D1AB348D074B4D01D76E19FCDD57D609
                  SHA-256:05FA7F3582BA35E41E7EC9C896B2674C193620B30450EAFD6E20561DB42CAF88
                  SHA-512:4563AB1D852F72423E955B15BCDE9EFDE2744A627F0E640B28128314EA01FBC1111A257A4B8D2D344735B9A84939FE79090B63DD7D825EC956584A4439645B22
                  Malicious:false
                  Preview:rem Example of script that server call when VPN connection closed..rem Arguments:..rem <interface> <ip>....echo ON....rem Drect yuor original gateway in next line:..set ORIGINAL_GW=10.0.0.1....echo if:%1 ip:%2....rem Uncomment next 2 lines to direct all IP4 trafic to original GW..rem route DELETE 0.0.0.0..rem route ADD 0.0.0.0 MASK 0.0.0.0 %ORIGINAL_GW%....
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):570
                  Entropy (8bit):5.167932692097142
                  Encrypted:false
                  SSDEEP:12:6YOpZwhpAsTjhqDKlNdGyN0xu7ofo5p4GUG41T7hOFYjOv:6lwpEDKlRou7PZ4zOFwOv
                  MD5:BEA278E63E2E43A363C5210947D3FB26
                  SHA1:C96D3C64E562AD021D352FDF04826590AEA327E0
                  SHA-256:329DA10143F6A1BCCD712D72651A527638EC69D54DC627AF5C38D354571AEBB0
                  SHA-512:8D2A9D856507A0F0CC503DE641E59012440F7F177BDF834545697AB0210FC3CE1AEADC2B1FE13635DEF1147091BCF18A8289066175F66349289009D9A97D7C6A
                  Malicious:false
                  Preview:rem Example of script that server call when connection estabilished..rem Arguments:..rem <interface> <ip> <netmask> <gw> "<dns servers>" <ip_of_remote_vpn_server>....echo ON....rem Drect yuor original gateway in next line:..set ORIGINAL_GW=10.0.0.1....netsh interface ipv4 set address name=%1 static %2 %3 %4....echo if:%1 ip:%2 mask:%3 gw:%4 dns:%5 remote:%6....rem Uncomment next 3 lines to redirect all IP4 trafic to VPN..rem route ADD %6 MASK 255.255.255.255 %ORIGINAL_GW%..rem route ADD 0.0.0.0 MASK 0.0.0.0 %3..rem route DELETE 0.0.0.0 MASK 0.0.0.0 %ORIGINAL_GW%..
                  Process:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):403
                  Entropy (8bit):4.84282055411228
                  Encrypted:false
                  SSDEEP:6:TOwxOpvi+AHhoagxGF33WYiSWfriGF33WYZBDqSOfXrAR7i9z4QAhtI6Fn:6YOpZwhDdGxBpdGeFqnfXrARRHx
                  MD5:42936425ADFCD065D22499483EE462EE
                  SHA1:D7FA5205678FA6F311CA024C15B7D0DB77180C83
                  SHA-256:0294C9BBFED6785F2FAAB428C6DE53833E3FA486B3BD2543E0395CC9B18A603B
                  SHA-512:904E281B0A7E1E99D29ED49CA4FF912B30924D4BA2FFE2229FEA44C1A2DB0F4F9F4F2DF79AFED35F564997DE227706C1CD88EE16B90083379961A69216865995
                  Malicious:false
                  Preview:rem Example of script that server call when connection estabilished..rem Arguments:..rem <interface> <ip> <netmask> <gw> '<dns servers>'....echo ON..netsh interface ipv4 set address name="%1" static %2 %3 %4..rem netsh interface ipv4 set address name="Local Area Connection 4" static 192.168.111.1 255.255.255.0 192.168.111.1....rem netsh interface ipv4 add dnsservers %1 address=192.168.x.x index=1....
                  File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                  Entropy (8bit):7.898948904627537
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.66%
                  • UPX compressed Win32 Executable (30571/9) 0.30%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • VXD Driver (31/22) 0.00%
                  File name:SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  File size:222'208 bytes
                  MD5:ce813b7759c9293c3fec90106ce0e647
                  SHA1:8a8f39fc451f89174d4c01927b0539e762eec399
                  SHA256:1ab6d36d906e439da8469ebfa4d3c6384f4dae213701a527d719aeeb19827792
                  SHA512:1454ee8db5bba12973aa718f77ce79e3316f3a8acb93ec10a51cbe17d5776513e88c89e2d9442c0dfd1b4b7d70874fc7cbcf6615d9398ebbe213ef44cda848bf
                  SSDEEP:6144:OiSOxUDa232VT3mC7Rp5+hmVwEkbf14zoqa:OTOxsaZVTJ7Rpqm2EafA1
                  TLSH:FF24123C442FD7A7DF2FEDFB514ED132CB5C6A4813D6426B09D314822E9A2534A4A993
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ve.e...............#.`........................@.......................... ................ ............................
                  Icon Hash:65399d0dce53b1d9
                  Entrypoint:0x490ac0
                  Entrypoint Section:UPX1
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x65FE6576 [Sat Mar 23 05:15:34 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:d97478089471b95afdd89547cc8a0f96
                  Instruction
                  pushad
                  mov esi, 0045B015h
                  lea edi, dword ptr [esi-0005A015h]
                  push edi
                  or ebp, FFFFFFFFh
                  jmp 00007F7C40B9FF22h
                  nop
                  nop
                  nop
                  nop
                  nop
                  nop
                  mov al, byte ptr [esi]
                  inc esi
                  mov byte ptr [edi], al
                  inc edi
                  add ebx, ebx
                  jne 00007F7C40B9FF19h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F7C40B9FEFFh
                  mov eax, 00000001h
                  add ebx, ebx
                  jne 00007F7C40B9FF19h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc eax, eax
                  add ebx, ebx
                  jnc 00007F7C40B9FF1Dh
                  jne 00007F7C40B9FF3Ah
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F7C40B9FF31h
                  dec eax
                  add ebx, ebx
                  jne 00007F7C40B9FF19h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc eax, eax
                  jmp 00007F7C40B9FEE6h
                  add ebx, ebx
                  jne 00007F7C40B9FF19h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc ecx, ecx
                  jmp 00007F7C40B9FF64h
                  xor ecx, ecx
                  sub eax, 03h
                  jc 00007F7C40B9FF23h
                  shl eax, 08h
                  mov al, byte ptr [esi]
                  inc esi
                  xor eax, FFFFFFFFh
                  je 00007F7C40B9FF87h
                  sar eax, 1
                  mov ebp, eax
                  jmp 00007F7C40B9FF1Dh
                  add ebx, ebx
                  jne 00007F7C40B9FF19h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F7C40B9FEDEh
                  inc ecx
                  add ebx, ebx
                  jne 00007F7C40B9FF19h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jc 00007F7C40B9FED0h
                  add ebx, ebx
                  jne 00007F7C40B9FF19h
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  adc ecx, ecx
                  add ebx, ebx
                  jnc 00007F7C40B9FF01h
                  jne 00007F7C40B9FF1Bh
                  mov ebx, dword ptr [esi]
                  sub esi, FFFFFFFCh
                  adc ebx, ebx
                  jnc 00007F7C40B9FEF6h
                  add ecx, 02h
                  cmp ebp, FFFFFB00h
                  adc ecx, 02h
                  lea edx, dword ptr [eax+eax]
                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x911e4          0x164         .rsrc
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x91000          0x1e4         .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                  Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
                  UPX0   0x1000           0x5a000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  UPX1   0x5b000          0x36000       0x35e00   7dadb53a1cc172b5278a7606d8092c99  False     0.9878008990719258  data       7.906994863104994   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc  0x91000          0x1000        0x400     a92d8e3b2258a64bfbdf4420667f0683  False     0.4140625           data       3.2665778364487696  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Name           RVA      Size   Type                                                             Language  Country        ZLIB Complexity
                  RT_ICON        0x910a4  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192  English   United States  0.47635135135135137
                  RT_GROUP_ICON  0x911d0  0x14   data                                                             English   United States  1.15
                  DLL           Import
                  ADVAPI32.dll  RegCloseKey
                  GDI32.dll     GetStockObject
                  KERNEL32.DLL  LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                  SHELL32.dll   SHBrowseForFolderA
                  USER32.dll    LoadIconA
                  Language of compilation system  Country where language is spoken
                  English                         United States
                  No network behavior found

                  Target ID:0
                  Start time:16:24:49
                  Start date:04/05/2024
                  Path:C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.5727.29935.exe"
                  Imagebase:0x400000
                  File size:222'208 bytes
                  MD5 hash:CE813B7759C9293C3FEC90106CE0E647
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true


                    Execution Graph

                    Execution Coverage:1.5%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:81.1%
                    Total number of Nodes:111
                    Total number of Limit Nodes:3

                    Control-flow Graph

                    APIs
                    • PostQuitMessage.USER32(00000000), ref: 00401212
                    • NtdllDefWindowProc_A.NTDLL(?,00000111,?,?), ref: 0040191F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1741785601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741799050.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741851712.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741862945.0000000000491000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageNtdllPostProc_QuitWindow
                    • String ID: user=%s;%s;%s;A norunhtm$ user=admin;;c:\shttps;A norunhtm$%s\$%s\http.exe$.bat$.cfg$.manifest$.txt$C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Small HTTP server\Small HTTP server.lnk$Can't create fileMay be preveus version now using?Close it and try again.$Can't setup server as service %X %X %d$Error$FFFF$Installation complete.$MMMM$Setup Small HTTP server 3.0$\%s$\Description.lnk$\License.lnk$\Small HTTP server.lnk$\http.exe$\http.exe service$\lang_notes.lnk$\shttps$admin$c:\shttps$http.cfg$http.exe$langpacks$langpacks\en$langpacks\ru$shttps
                    • API String ID: 4264772764-677475529
                    • Opcode ID: 4fa891964e1b53b47bea7c3725069e4d9f2c0916a5d9bf33ce57ae0c13ce698c
                    • Instruction ID: ad77f33f009af696028507b52b66b4365f063811db5eedcb52ffa2d8f5253592
                    • Opcode Fuzzy Hash: 4fa891964e1b53b47bea7c3725069e4d9f2c0916a5d9bf33ce57ae0c13ce698c
                    • Instruction Fuzzy Hash: 2F02A371A40200BBE7203BA4AC4AF7F3B68DB41705F244C7BF905B51E2D6B99950DB6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • GetVersion.KERNEL32 ref: 0040196D
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004019CF
                    • OpenServiceA.ADVAPI32(00000000,shttps,000F01FF), ref: 004019EB
                    • QueryServiceConfigA.ADVAPI32(00000000,0048C020,00000024,?), ref: 00401A0A
                    • MessageBoxA.USER32(00000000,Can't open SCM,Error,00000000), ref: 00401A65
                    • LoadIconA.USER32(000001F6,00000000), ref: 00401A78
                    • LoadCursorA.USER32(00000000,00007F00), ref: 00401A8B
                    • RegisterClassA.USER32(00000003), ref: 00401ABD
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000002,?,00000000), ref: 00401AED
                    • SHGetPathFromIDList.SHELL32(?,?), ref: 00401B0B
                    • wsprintfA.USER32 ref: 00401B1F
                    • _lopen.KERNEL32(C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Small HTTP server\Small HTTP server.lnk,00000000), ref: 00401B2F
                    • GetFileTime.KERNEL32(00000000,0048C000,00000000,00000000), ref: 00401B4D
                    • _hread.KERNEL32(?,?,00000200), ref: 00401B60
                    • _lclose.KERNEL32(?), ref: 00401B74
                    • RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,0048C018), ref: 00401C22
                    • RegQueryValueA.ADVAPI32(00000268,http.exe,c:\shttps,?), ref: 00401C4D
                    • GetStockObject.GDI32(00000011), ref: 00401C7E
                    • ShowWindow.USER32(00000000,00000001), ref: 00401C9E
                    Strings
                    • user=admin;;c:\shttps;A norunhtm, xrefs: 00401975, 0040198C, 00401AA7
                    • FMform, xrefs: 00401AB2
                    • http.exe, xrefs: 00401C47
                    • Error, xrefs: 00401A59
                    • %s\Small HTTP server\Small HTTP server.lnk, xrefs: 00401B15
                    • c:\shttps, xrefs: 00401A1C, 00401A2D, 00401BDE, 00401C42, 00401C5B
                    • \, xrefs: 00401BAC
                    • \http.exe, xrefs: 00401BBB
                    • shttps, xrefs: 004019E5
                    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00401C18
                    • <html><head><style>font.h{font-size:9pt; line-height:10pt}font.f4a{font-size:6pt; line-height:8pt }font.f5{font-size:16pt; line-height:18pt }font.f {font-size:9pt; line-height:10pt }</style><meta name="keywords" content="VPN,HTTPS VPN,smtp,dns,web,serv, xrefs: 00401993
                    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Small HTTP server\Small HTTP server.lnk, xrefs: 00401B1A, 00401B2A
                    • Can't open SCM, xrefs: 00401A5E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1741785601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741799050.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741851712.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741862945.0000000000491000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Open$LoadQueryService$ClassConfigCursorFileFolderFromIconListLocationManagerMessageObjectPathRegisterShowSpecialStockTimeValueVersionWindow_hread_lclose_lopenwsprintf
                    • String ID: user=admin;;c:\shttps;A norunhtm$%s\Small HTTP server\Small HTTP server.lnk$<html><head><style>font.h{font-size:9pt; line-height:10pt}font.f4a{font-size:6pt; line-height:8pt }font.f5{font-size:16pt; line-height:18pt }font.f {font-size:9pt; line-height:10pt }</style><meta name="keywords" content="VPN,HTTPS VPN,smtp,dns,web,serv$C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Small HTTP server\Small HTTP server.lnk$Can't open SCM$Error$FMform$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$\$\http.exe$c:\shttps$http.exe$shttps
                    • API String ID: 2375409431-4104254710
                    • Opcode ID: 1418981021b9c427e1f7c1582747d5b7edc8ca378df5453c7ba555c5ea995266
                    • Instruction ID: bdf7e1f42d158288ca00e50e0a9017894697840eced92667bff104173aa914e7
                    • Opcode Fuzzy Hash: 1418981021b9c427e1f7c1582747d5b7edc8ca378df5453c7ba555c5ea995266
                    • Instruction Fuzzy Hash: 2891C270A40305ABE7206B649C4DFAF3BB8EB41705F2449BAF505B62E1D7B89940CF6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040192F: GetVersion.KERNEL32 ref: 0040196D
                      • Part of subcall function 0040192F: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004019CF
                      • Part of subcall function 0040192F: OpenServiceA.ADVAPI32(00000000,shttps,000F01FF), ref: 004019EB
                      • Part of subcall function 0040192F: QueryServiceConfigA.ADVAPI32(00000000,0048C020,00000024,?), ref: 00401A0A
                      • Part of subcall function 0040192F: LoadIconA.USER32(000001F6,00000000), ref: 00401A78
                      • Part of subcall function 0040192F: LoadCursorA.USER32(00000000,00007F00), ref: 00401A8B
                      • Part of subcall function 0040192F: RegisterClassA.USER32(00000003), ref: 00401ABD
                    • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00401CD4
                    • IsDialogMessage.USER32(?,00000000), ref: 00401CE7
                    • TranslateMessage.USER32(?), ref: 00401CF7
                    • DispatchMessageA.USER32(?), ref: 00401CFE
                    • CloseServiceHandle.ADVAPI32(00000000), ref: 00401D16
                    • ExitProcess.KERNEL32 ref: 00401D24
                    Memory Dump Source
                    • Source File: 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1741785601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741799050.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741851712.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741862945.0000000000491000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: MessageService$LoadOpen$CallbackClassCloseConfigCursorDialogDispatchDispatcherExitHandleIconManagerProcessQueryRegisterTranslateUserVersion
                    • String ID:
                    • API String ID: 3218121258-0
                    • Opcode ID: a511a6a22b10b7d4f71c0babda07e334c77ccdf14bd456d01fb9dae28049f7ee
                    • Instruction ID: 88b03b42188ecb4679e48b37e956e386189280f96473d3571298f1d449e4952c
                    • Opcode Fuzzy Hash: a511a6a22b10b7d4f71c0babda07e334c77ccdf14bd456d01fb9dae28049f7ee
                    • Instruction Fuzzy Hash: B5F031B0A05205ABEB107B75BD8DB1F3B6C9F04395F104839F905E61E2E634D958877D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 188 401005-40104a CreateWindowExA 189 4010a8-4010b1 188->189 190 40104c-401059 188->190 191 40105c-401066 SendMessageA 190->191 191->189 192 401068-4010a6 CreateWindowExA 191->192 192->191
                    APIs
                    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401044
                    • SendMessageA.USER32(00000000,00000030,?,00000000), ref: 0040105C
                    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00401099
                    Memory Dump Source
                    • Source File: 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1741785601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741799050.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741851712.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741862945.0000000000491000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: CreateWindow$MessageSend
                    • String ID:
                    • API String ID: 694543389-0
                    • Opcode ID: e476ae35bb9de5b7e20cd84b74d5ed3523fec7de9c0da29d2d442d9de08d16d0
                    • Instruction ID: 013e1d8283d70ba185c0d84172e7daa8c33a1d1213cf6e584b977faf54519835
                    • Opcode Fuzzy Hash: e476ae35bb9de5b7e20cd84b74d5ed3523fec7de9c0da29d2d442d9de08d16d0
                    • Instruction Fuzzy Hash: 3F210472600110BFDF258F89DC81F7B7BA9EB08751F0440A6FE04D91A6D239D860EB68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 193 401d2a-401d4b GetCommandLineA GetModuleHandleA call 401cb2
                    APIs
                    • GetCommandLineA.KERNEL32 ref: 00401D2F
                    • GetModuleHandleA.KERNEL32(00000000), ref: 00401D3C
                      • Part of subcall function 00401CB2: KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00401CD4
                      • Part of subcall function 00401CB2: IsDialogMessage.USER32(?,00000000), ref: 00401CE7
                      • Part of subcall function 00401CB2: TranslateMessage.USER32(?), ref: 00401CF7
                      • Part of subcall function 00401CB2: DispatchMessageA.USER32(?), ref: 00401CFE
                      • Part of subcall function 00401CB2: CloseServiceHandle.ADVAPI32(00000000), ref: 00401D16
                      • Part of subcall function 00401CB2: ExitProcess.KERNEL32 ref: 00401D24
                    Memory Dump Source
                    • Source File: 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1741785601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741799050.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741851712.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741862945.0000000000491000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: Message$Handle$CallbackCloseCommandDialogDispatchDispatcherExitLineModuleProcessServiceTranslateUser
                    • String ID:
                    • API String ID: 3571228673-0
                    • Opcode ID: fff666ef60e92346b41963b5030b90aecf46d68ea704bc1e0473bf1de2b8f5d3
                    • Instruction ID: f1cb8cdefddc9d1c58b65790ab8eea70dcf06e3ea0d9b66c49c9a3b664ea9285
                    • Opcode Fuzzy Hash: fff666ef60e92346b41963b5030b90aecf46d68ea704bc1e0473bf1de2b8f5d3
                    • Instruction Fuzzy Hash: 5ED012B0E843083BE50033B56C8FF0B3B1C9B00B89F000834FA00A62D2E8A4A91802AE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1741785601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741799050.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741851712.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741862945.0000000000491000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0f00f92e646f6d6443de7fab33e2e83e788cb557e8ea9941dd611c2619865767
                    • Instruction ID: eb1c9b355b539179080e509e46a2257bb9d3d6d4dde2041c59d767f7b07d22e4
                    • Opcode Fuzzy Hash: 0f00f92e646f6d6443de7fab33e2e83e788cb557e8ea9941dd611c2619865767
                    • Instruction Fuzzy Hash: 0F4270367206158BD718CE58CC906E6B363FFCC754F494838D912EB785DA68FA0EDA90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • DdeInitializeA.USER32(?,00401000,003C0010,00000000), ref: 00401160
                    • DdeCreateStringHandleA.USER32(00000000,PROGMAN,00000000), ref: 00401174
                    • DdeConnect.USER32(00000000,00000000,00000000,00000000), ref: 00401185
                    • DdeClientTransaction.USER32(?,00000001,00000000,00000000,00000000,00004050,000000FF,?), ref: 004011AC
                    • Sleep.KERNEL32(?), ref: 004011B8
                    • DdeDisconnect.USER32(00000000), ref: 004011BF
                    • DdeUninitialize.USER32(?), ref: 004011C7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1741799050.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1741785601.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741799050.000000000048F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741851712.0000000000490000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1741862945.0000000000491000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                    Similarity
                    • API ID: ClientConnectCreateDisconnectHandleInitializeSleepStringTransactionUninitialize
                    • String ID: PROGMAN
                    • API String ID: 532732372-601570409
                    • Opcode ID: df3534c660d0f51f632db640770731d9ec140e9d250e32698ead5a2d9e2d0d34
                    • Instruction ID: 9fe984f5f76234e692d1fad102eef6593fc30ae901094038cc9b185eb3b288d1
                    • Opcode Fuzzy Hash: df3534c660d0f51f632db640770731d9ec140e9d250e32698ead5a2d9e2d0d34
                    • Instruction Fuzzy Hash: AB0175719402157AEB117AA5DC42FFF776CEF00714F10052ABA20B61E1D7B9691086DD
                    Uniqueness

                    Uniqueness Score: -1.00%