
Windows Analysis Report
Qi4Mj8hG3t.exe

Overview

General Information

Sample name:Qi4Mj8hG3t.exe
renamed because original name is a hash value
Original sample name:72eec8bbc11e7e184649111b6be19f254b54e1b1f955cf12b7bdcbe7a6c208c0.exe
Analysis ID:1496328
MD5:61c79ecb54722978e1cce297f460ae1c
SHA1:4e71999fe652445c0ce2e14285a8d89d744fa163
SHA256:72eec8bbc11e7e184649111b6be19f254b54e1b1f955cf12b7bdcbe7a6c208c0
Tags: 45-66-231-202, CoinMiner, exe
Infos:

Detection

SmokeLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Qi4Mj8hG3t.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\Qi4Mj8hG3t.exe" MD5: 61C79ECB54722978E1CCE297F460AE1C)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • hehbwci (PID: 2912 cmdline: C:\Users\user\AppData\Roaming\hehbwci MD5: 61C79ECB54722978E1CCE297F460AE1C)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution:
  • SMOKY SPIDER
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"Version": 2022, "C2 list": ["http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}
Source: 00000000.00000002.1830577442.00000000025CF000.00000040.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_RedLineStealer_ed346e4c
Description: unknown
Author: unknown
Strings:
  • 0x31f1:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_SmokeLoader_2
Description: Yara detected SmokeLoader
Author: Joe Security

Source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Smokeloader_4e31426e
Description: unknown
Author: unknown
Strings:
  • 0x2a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_SmokeLoader_2
Description: Yara detected SmokeLoader
Author: Joe Security

Source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Smokeloader_4e31426e
Description: unknown
Author: unknown
Strings:
  • 0x2a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

      System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\hehbwci, CommandLine: C:\Users\user\AppData\Roaming\hehbwci, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hehbwci, NewProcessName: C:\Users\user\AppData\Roaming\hehbwci, OriginalFileName: C:\Users\user\AppData\Roaming\hehbwci, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\hehbwci, ProcessId: 2912, ProcessName: hehbwci
      Timestamp:2024-08-21T07:11:33.779685+0200
      SID:2039103
      Severity:1
      Source Port:49736
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:2024-08-21T07:11:59.918770+0200
      SID:2039103
      Severity:1
      Source Port:49736
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:2024-08-21T07:11:34.420305+0200
      SID:2039103
      Severity:1
      Source Port:49736
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:2024-08-21T07:12:00.295440+0200
      SID:2039103
      Severity:1
      Source Port:49736
      Destination Port:80
      Protocol:TCP
      Classtype:A Network Trojan was detected


      AV Detection

Source: Qi4Mj8hG3t.exe | Avira: detected
Source: http://valarioulinity1.net/index.php | Avira URL Cloud: Label: malware
Source: http://buriatiarutuhuob.net/index.php | Avira URL Cloud: Label: malware
Source: http://selebration17io.io/index.phpl | Avira URL Cloud: Label: phishing
Source: http://cassiosssionunu.me/index.php | Avira URL Cloud: Label: malware
Source: http://selebration17io.io/index.php | Avira URL Cloud: Label: malware
Source: http://selebration17io.io/index.phpy | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Roaming\hehbwci | Avira: detection malicious, Label: TR/AD.SmokeLoader.nbtrk
Source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}
Source: selebration17io.io | Virustotal: Detection: 16%
Source: http://valarioulinity1.net/index.php | Virustotal: Detection: 14%
Source: http://buriatiarutuhuob.net/index.php | Virustotal: Detection: 15%
Source: http://selebration17io.io/index.php | Virustotal: Detection: 14%
Source: http://cassiosssionunu.me/index.php | Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Roaming\hehbwci | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\hehbwci | Virustotal: Detection: 81%
Source: Qi4Mj8hG3t.exe | ReversingLabs: Detection: 65%
Source: Qi4Mj8hG3t.exe | Virustotal: Detection: 81%
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\hehbwci | Joe Sandbox ML: detected
Source: Qi4Mj8hG3t.exe | Joe Sandbox ML: detected
Source: Qi4Mj8hG3t.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 188.40.141.211:80
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: Malware configuration extractor | URLs: http://valarioulinity1.net/index.php
Source: Malware configuration extractor | URLs: http://buriatiarutuhuob.net/index.php
Source: Malware configuration extractor | URLs: http://cassiosssionunu.me/index.php
Source: Joe Sandbox View | IP Address: 188.40.141.211
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: global traffic | HTTP traffic detected:
  POST /index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://nhivofhdrhfmn.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 237
  Host: selebration17io.io
Source: global traffic | HTTP traffic detected:
  POST /index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://rthqivmpffucvlrr.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 142
  Host: selebration17io.io
Source: global traffic | HTTP traffic detected:
  POST /index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://rgfwevugokr.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 341
  Host: selebration17io.io
Source: global traffic | HTTP traffic detected:
  POST /index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://wdxggolynru.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 173
  Host: selebration17io.io
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: selebration17io.io
Source: unknown | HTTP traffic detected:
  POST /index.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://nhivofhdrhfmn.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 237
  Host: selebration17io.io
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.18.0
  Content-Length: 7
  Content-Type: application/octet-stream
  Date: Wed, 21 Aug 2024 05:11:33 GMT
  Data Raw: 03 00 00 00 1f 3d 19
  Data Ascii: =
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.18.0
  Content-Length: 0
  Content-Type: application/octet-stream
  Date: Wed, 21 Aug 2024 05:11:34 GMT
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.18.0
  Content-Length: 7
  Content-Type: application/octet-stream
  Date: Wed, 21 Aug 2024 05:11:59 GMT
  Data Raw: 03 00 00 00 1f 3d 19
  Data Ascii: =
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.18.0
  Content-Length: 0
  Content-Type: application/octet-stream
  Date: Wed, 21 Aug 2024 05:12:00 GMT
      Source: explorer.exe, 00000001.00000002.2958133429.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1818830286.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
      Source: explorer.exe, 00000001.00000002.2958133429.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1818830286.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
      Source: explorer.exe, 00000001.00000002.2958133429.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1818830286.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
      Source: explorer.exe, 00000001.00000002.2958133429.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1818830286.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
      Source: explorer.exe, 00000001.00000002.2958133429.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
      Source: explorer.exe, 00000001.00000002.2966099831.000000000CA7C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://rthqivmpffucvlrr.net/
      Source: explorer.exe, 00000001.00000000.1818126733.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1819606254.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.2959454522.0000000007F40000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
      Source: explorer.exe, 00000001.00000002.2966066593.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2966488393.000000000E730000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2966453902.000000000E660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://selebration17io.io/index.php
      Source: explorer.exe, 00000001.00000002.2966488393.000000000E730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://selebration17io.io/index.phpl
      Source: explorer.exe, 00000001.00000002.2966066593.000000000CA42000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://selebration17io.io/index.phpy
      Source: explorer.exe, 00000001.00000000.1821052424.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2964173446.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
      Source: explorer.exe, 00000001.00000002.2958133429.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
      Source: explorer.exe, 00000001.00000002.2958133429.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
      Source: explorer.exe, 00000001.00000002.2964173446.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1821052424.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
      Source: explorer.exe, 00000001.00000000.1818830286.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
      Source: explorer.exe, 00000001.00000000.1818830286.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
      Source: explorer.exe, 00000001.00000000.1815214466.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2955742050.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2956717549.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1814342240.0000000001248000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
      Source: explorer.exe, 00000001.00000002.2960669138.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1818830286.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
      Source: explorer.exe, 00000001.00000000.1818830286.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
      Source: explorer.exe, 00000001.00000002.2960669138.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1818830286.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
      Source: explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
      Source: explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
      Source: explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
      Source: explorer.exe, 00000001.00000002.2958133429.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
      Source: explorer.exe, 00000001.00000002.2958133429.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
      Source: explorer.exe, 00000001.00000002.2964173446.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1821052424.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
      Source: explorer.exe, 00000001.00000002.2958133429.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
      Source: explorer.exe, 00000001.00000002.2964173446.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1821052424.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
      Source: explorer.exe, 00000001.00000002.2964173446.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1821052424.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
      Source: explorer.exe, 00000001.00000000.1821052424.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2964173446.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
      Source: explorer.exe, 00000001.00000002.2964173446.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1821052424.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
      Source: explorer.exe, 00000001.00000002.2958133429.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
      Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1816269337.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1816269337.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2958133429.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2104950353.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2104992060.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1830761735.0000000003F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1829948690.0000000002460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      System Summary

Source: 00000000.00000002.1830577442.00000000025CF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2104950353.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2104992060.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1830761735.0000000003F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2105350044.00000000026BE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2104904098.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1829948690.0000000002460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1829890745.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00401553 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401553
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00403005 RtlCreateUserThread,NtTerminateProcess,0_2_00403005
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00401561 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401561
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_0040156B NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_0040156B
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_0040156F NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_0040156F
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401729
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_004023E5 NtQuerySystemInformation,0_2_004023E5
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00401583 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401583
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00401587 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401587
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_004026A0 NtEnumerateKey,0_2_004026A0
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00401553 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401553
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00403005 RtlCreateUserThread,NtTerminateProcess,5_2_00403005
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00401561 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401561
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_0040156B NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_0040156B
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_0040156F NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_0040156F
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401729
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_004023E5 NtQuerySystemInformation,5_2_004023E5
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00401583 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401583
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00401587 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401587
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_004026A0 NtEnumerateKey,5_2_004026A0
Source: C:\Windows\explorer.exe | Code function: 1_2_07DC2968
Source: C:\Windows\explorer.exe | Code function: 1_2_08822968
Source: Qi4Mj8hG3t.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1830577442.00000000025CF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2104950353.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2104992060.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1830761735.0000000003F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2105350044.00000000026BE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2104904098.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1829948690.0000000002460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1829890745.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Qi4Mj8hG3t.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hehbwci.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/2@1/1
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_025D221F CreateToolhelp32Snapshot,Module32First,0_2_025D221F
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\hehbwci
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Qi4Mj8hG3t.exe | ReversingLabs: Detection: 65%
Source: Qi4Mj8hG3t.exe | Virustotal: Detection: 81%
Source: unknown | Process created: C:\Users\user\Desktop\Qi4Mj8hG3t.exe "C:\Users\user\Desktop\Qi4Mj8hG3t.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\hehbwci C:\Users\user\AppData\Roaming\hehbwci
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\hehbwci | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\hehbwci | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\hehbwci | Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Data Obfuscation

Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Unpacked PE file: 0.2.Qi4Mj8hG3t.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\hehbwci | Unpacked PE file: 5.2.hehbwci.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00403253 push eax; ret 0_2_0040332D
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00401C64 push es; retf 0_2_00401C83
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_0040332A push eax; ret 0_2_0040332D
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00402F91 push 60B44389h; retf 0_2_00402FAB
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_02451CCB push es; retf 0_2_02451CEA
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_02452FF8 push 60B44389h; retf 0_2_02453012
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_025CF05E push eax; ret 0_2_025CF06D
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_025CF14C push eax; retf 0_2_025CF14D
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00403253 push eax; ret 5_2_0040332D
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00401C64 push es; retf 5_2_00401C83
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_0040332A push eax; ret 5_2_0040332D
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00402F91 push 60B44389h; retf 5_2_00402FAB
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_02451CCB push es; retf 5_2_02451CEA
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_02452FF8 push 60B44389h; retf 5_2_02453012
Source: Qi4Mj8hG3t.exe | Static PE information: section name: .text entropy: 7.299516897254431
Source: hehbwci.1.dr | Static PE information: section name: .text entropy: 7.299516897254431
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\hehbwci (dropped file)

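The section flags and the .text entropy of 7.2995 listed above are static PE facts, and the "Unpacked PE file" entries show the same .text going from execute-read on disk to execute-write at runtime, the classic self-unpacking tell. The script below is an editor's added example, not Joe Sandbox code or anything from the sample: it parses a PE section table, decodes the COFF and IMAGE_SCN_* characteristics using the names the report prints, computes Shannon entropy per section and flags executable sections that are writable on disk or high-entropy. It builds a minimal constructed PE inline so it runs offline; the 7.0 threshold, the section layout and the random sample bytes are assumptions.

```python
"""Static PE triage: section characteristics and per-section entropy (added example)."""
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
# COFF Characteristics bits, named the way the report prints them
FILE_FLAG_NAMES = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                   0x0100: "32BIT_MACHINE", 0x2000: "DLL"}


def decode_flags(value, names):
    return [name for bit, name in names.items() if value & bit]


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe):
    """Read the COFF header and section table of a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (_machine, nsections, _ts, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl,
         flags) = struct.unpack_from("<8sIIIIIIHHI", pe, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "characteristics": flags,
            "flags": decode_flags(flags, SECTION_FLAG_NAMES),
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return {"file_characteristics": decode_flags(characteristics, FILE_FLAG_NAMES),
            "sections": sections}


def triage_pe(pe, entropy_threshold=7.0):
    """Flag executable sections that are writable on disk or look packed (assumed threshold)."""
    info = parse_pe(pe)
    findings = []
    for s in info["sections"]:
        executable = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable on disk")
        if executable and s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, packed or encrypted code likely")
    return info, findings


def build_sample_pe():
    """Constructed minimal PE32 with a high-entropy .text and a low-entropy .rdata."""
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for packed code
    rdata = (b"A" * 64).ljust(512, b"\0")
    text_ptr = 0x200
    rdata_ptr = text_ptr + len(text)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224,
                       0x0001 | 0x0002 | 0x0100)   # RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE
    optional = struct.pack("<H", 0x10B) + b"\0" * 222     # PE32 magic; the rest is unused here
    sections = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_ptr,
                           0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sections += struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata), rdata_ptr,
                            0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew at offset 0x3C
    header = (dos + b"PE\0\0" + coff + optional + sections).ljust(text_ptr, b"\0")
    return header + text + rdata


if __name__ == "__main__":
    info, findings = triage_pe(build_sample_pe())
    print("file:", ", ".join(info["file_characteristics"]))
    for s in info["sections"]:
        print(f"{s['name']:8} entropy={s['entropy']:.3f} {', '.join(s['flags'])}")
    for f in findings:
        print("finding:", f)
```

Point triage_pe at the bytes of a real file to reproduce the report's section lines; a .text section near 7.3 bits per byte, as here, is well above what compiled x86 code normally shows and is the static counterpart of the runtime section-rights change recorded above.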
      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\qi4mj8hg3t.exe
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\hehbwci:Zone.Identifier (read attributes | delete)

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (observed 6 times)
Source: C:\Users\user\AppData\Roaming\hehbwci | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (observed 6 times)
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\hehbwci | API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\hehbwci | API/Special instruction interceptor: Address: 7FFE2220D584
Source: Qi4Mj8hG3t.exe, 00000000.00000002.1830453511.00000000025BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK
Source: hehbwci, 00000005.00000002.2105260691.00000000026AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOKV
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 415
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 524
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 884
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 871
Source: C:\Windows\explorer.exe TID: 6780 | Thread sleep count: 415 > 30
Source: C:\Windows\explorer.exe TID: 1360 | Thread sleep count: 524 > 30
Source: explorer.exe, 00000001.00000000.1819387834.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1818830286.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1816269337.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1816269337.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1819387834.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1814342240.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1816269337.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1819387834.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1816269337.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1818830286.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1818830286.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1818830286.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1819387834.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000002.2958133429.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1816269337.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1818830286.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1814342240.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1814342240.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Process information queried: ProcessInformation

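The repeated enumeration of HKLM\SYSTEM\ControlSet001\Enum\SCSI above is how the loader decides whether it is running in a VM: the instance IDs under that key carry the disk and CD-ROM vendor strings, and the explorer.exe dumps show exactly the VMware IDs such a walk returns in this analysis machine. The Python below is an added example, not from the report or the sample, that performs the same registry walk on a Windows host and classifies instance IDs offline so a sandbox operator can see what the loader sees. The device strings in it are constructed from the shapes shown above plus an invented physical-disk ID for contrast, and the marker list is an assumption built from common hypervisor vendor strings.

```python
"""Classify SCSI device instance IDs the way a VM-aware loader does (added example)."""
import re
import sys

# (pattern, label, strength), matched against IDs such as
# SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
HYPERVISOR_MARKERS = [
    (re.compile(r"ven_vmware|necvmwar|prod_vmware", re.I), "VMware", "strong"),
    (re.compile(r"vbox|virtualbox", re.I), "VirtualBox", "strong"),
    (re.compile(r"qemu", re.I), "QEMU/KVM", "strong"),
    (re.compile(r"prod_virtual_disk", re.I), "generic virtual disk", "strong"),
    # A Msft virtual DVD also appears on bare metal whenever an ISO is mounted,
    # so on its own it is only a weak hint.
    (re.compile(r"ven_msft&prod_virtual", re.I),
     "Microsoft virtual device (Hyper-V or mounted ISO)", "weak"),
]

# Constructed sample: three IDs shaped like the explorer.exe dump strings above,
# plus an invented physical SSD.
SAMPLE_DEVICE_IDS = [
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000",
    r"SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000",
    r"SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
    r"SCSI\Disk&Ven_Samsung&Prod_SSD_870_EVO\5&2a1b3c4d&0&000000",
]


def classify_scsi_ids(device_ids):
    """Return one hit per device whose ID matches a hypervisor marker (first match wins)."""
    hits = []
    for dev in device_ids:
        for pattern, label, strength in HYPERVISOR_MARKERS:
            if pattern.search(dev):
                hits.append({"device": dev, "vendor": label, "strength": strength})
                break
    return hits


def looks_virtual(device_ids):
    """True when at least one strong marker is present; weak hints alone do not count."""
    return any(h["strength"] == "strong" for h in classify_scsi_ids(device_ids))


def _subkeys(key):
    import winreg
    i = 0
    while True:
        try:
            yield winreg.EnumKey(key, i)
        except OSError:       # ERROR_NO_MORE_ITEMS ends the enumeration
            return
        i += 1


def enumerate_scsi_ids(control_set="ControlSet001"):
    """Windows only: walk Enum\\SCSI\\<device>\\<instance>, the key the sample enumerates.
    The report shows ControlSet001 explicitly, hence the parameter rather than CurrentControlSet."""
    if sys.platform != "win32":
        raise OSError("registry enumeration needs Windows")
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"SYSTEM\{control_set}\Enum\SCSI") as scsi:
        for dev in _subkeys(scsi):
            with winreg.OpenKey(scsi, dev) as devkey:
                ids.extend(rf"SCSI\{dev}\{inst}" for inst in _subkeys(devkey))
    return ids


if __name__ == "__main__":
    ids = enumerate_scsi_ids() if sys.platform == "win32" else SAMPLE_DEVICE_IDS
    for hit in classify_scsi_ids(ids):
        print(f"{hit['strength']:6} {hit['vendor']}: {hit['device']}")
    print("virtual machine:", looks_virtual(ids))
```

On an analysis image the fix is not to hide the key but to present vendor and product strings that do not match these markers; the "ASWHOOK" string and the 7FFE... interceptor addresses listed above show the sample also looks for hooking DLLs, so disk IDs are only one of the checks it runs.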
      Anti Debugging

Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\hehbwci | System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\hehbwci | Process queried: DebugPort
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_0245092B mov eax, dword ptr fs:[00000030h] 0_2_0245092B
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_02450D90 mov eax, dword ptr fs:[00000030h] 0_2_02450D90
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_025D1AFC push dword ptr fs:[00000030h] 0_2_025D1AFC
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_0245092B mov eax, dword ptr fs:[00000030h] 5_2_0245092B
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_02450D90 mov eax, dword ptr fs:[00000030h] 5_2_02450D90
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_026C0934 push dword ptr fs:[00000030h] 5_2_026C0934

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: hehbwci.1.dr (dropped file)
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Thread created: C:\Windows\explorer.exe EIP: 7DC1A88
Source: C:\Users\user\AppData\Roaming\hehbwci | Thread created: unknown EIP: 8821A88
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\hehbwci | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\hehbwci | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: explorer.exe, 00000001.00000000.1814832507.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.2960669138.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1818830286.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1814832507.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.2956285661.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000001.00000002.2955742050.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1814342240.0000000001248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1814832507.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.2956285661.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1814832507.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.2956285661.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: InterlockedExchangeAdd,SetActiveWindow,CreateIcon,SetKeyboardState,GetStdHandle,FreeEnvironmentStringsW,AddAtomW,GetCurrentDirectoryW,GetCharWidthW,FatalAppExitA,GetUserDefaultLCID,WideCharToMultiByte,GetTimeZoneInformation,MoveFileExA,GetLocaleInfoA,0_2_0041D740
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: GetModuleFileNameA,GetAce,GetLocaleInfoA,0_2_0041D560
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: InterlockedExchangeAdd,SetActiveWindow,CreateIcon,SetKeyboardState,GetStdHandle,FreeEnvironmentStringsW,AddAtomW,GetCurrentDirectoryW,GetCharWidthW,FatalAppExitA,GetUserDefaultLCID,WideCharToMultiByte,GetTimeZoneInformation,MoveFileExA,GetLocaleInfoA,5_2_0041D740
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: GetModuleFileNameA,GetAce,GetLocaleInfoA,5_2_0041D560
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_0041D6C0 CreateNamedPipeA,SystemTimeToFileTime,0_2_0041D6C0
Source: C:\Windows\explorer.exe | Code function: 1_2_07DC35B8 GetUserNameW,1_2_07DC35B8
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_0041D740 InterlockedExchangeAdd,SetActiveWindow,CreateIcon,SetKeyboardState,GetStdHandle,FreeEnvironmentStringsW,AddAtomW,GetCurrentDirectoryW,GetCharWidthW,FatalAppExitA,GetUserDefaultLCID,WideCharToMultiByte,GetTimeZoneInformation,MoveFileExA,GetLocaleInfoA,0_2_0041D740

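The Code function entries in the System Summary (NtCreateSection and NtMapViewOfSection chains, RtlCreateUserThread) and the HIPS entries above (sections mapped into explorer.exe as read-write and execute-read, then a thread created at EIP 7DC1A88) are the same section-mapping injection primitive seen from two sides: the sample creates a section, maps one view in itself to write the payload and one view in explorer.exe, then starts a thread on the mapped copy. The parser below is an added example, not tooling from Joe Sandbox or the sample: it reads lines in the report's Code function format, tolerates both the spaced form and the run-together "exeCode function:" form the extraction produced, and reports per process index whether the section-mapping plus remote-thread combination is present. The sample lines are constructed to mirror entries above; the API sets that make up the rule are an assumption.

```python
"""Extract API call chains from sandbox 'Code function' lines and flag the
section-mapping injection primitive (added example; not part of the report)."""
import re
from collections import defaultdict

# Constructed sample lines shaped like the report's entries. In this report the
# leading process index is 0 for the submitted sample, 1 for explorer.exe and
# 5 for the dropped hehbwci; the trailing repeat of the function id is the
# report's link text.
SAMPLE_REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00401553 NtDuplicateObject,EntryPoint,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401553
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_00403005 RtlCreateUserThread,NtTerminateProcess,0_2_00403005
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exe | Code function: 0_2_004023E5 NtQuerySystemInformation,0_2_004023E5
Source: C:\Users\user\Desktop\Qi4Mj8hG3t.exeCode function: GetModuleFileNameA,GetAce,GetLocaleInfoA,0_2_0041D560
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,5_2_00401729
Source: C:\Users\user\AppData\Roaming\hehbwci | Code function: 5_2_00403005 RtlCreateUserThread,NtTerminateProcess,5_2_00403005
Source: C:\Windows\explorer.exe | Code function: 1_2_07DC35B8 GetUserNameW,1_2_07DC35B8
"""

LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*Code function:\s*"
    r"(?:(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+)?(?P<calls>.*)$"
)
ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Assumed rule: a section must be created and mapped, and execution must be
# started in the target by some remote-thread or APC primitive.
SECTION_CREATE = {"NtCreateSection", "ZwCreateSection"}
SECTION_MAP = {"NtMapViewOfSection", "ZwMapViewOfSection"}
REMOTE_EXEC = {"RtlCreateUserThread", "NtCreateThreadEx", "ZwCreateThreadEx",
               "NtQueueApcThread", "ZwQueueApcThread", "CreateRemoteThread"}


def parse_code_function_lines(text):
    """One record per line: source path, process index, function id and API list."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tokens = [t.strip() for t in m.group("calls").split(",")]
        ids = [t for t in tokens if ID_RE.match(t)]
        fn = m.group("fn") or (ids[0] if ids else None)
        if fn is None:
            continue
        # Drop the repeated function id and the analyzer's "EntryPoint" label,
        # which marks a call into the unpacked entry point rather than an API.
        calls = [t for t in tokens if t and not ID_RE.match(t) and t != "EntryPoint"]
        records.append({
            "source": m.group("source").rstrip(" |"),
            "process": fn.split("_")[0],
            "function": fn,
            "calls": calls,
        })
    return records


def summarize_by_process(records):
    """Per process index: the union of APIs seen and whether the injection rule fires."""
    grouped = defaultdict(lambda: {"source": None, "apis": set()})
    for r in records:
        grouped[r["process"]]["source"] = r["source"]
        grouped[r["process"]]["apis"].update(r["calls"])
    summary = {}
    for proc, g in grouped.items():
        apis = g["apis"]
        section_mapping = bool(apis & SECTION_CREATE) and bool(apis & SECTION_MAP)
        remote_exec = bool(apis & REMOTE_EXEC)
        summary[proc] = {
            "source": g["source"],
            "apis": sorted(apis),
            "section_mapping": section_mapping,
            "remote_thread": remote_exec,
            "injection_pattern": section_mapping and remote_exec,
        }
    return summary


if __name__ == "__main__":
    summary = summarize_by_process(parse_code_function_lines(SAMPLE_REPORT_LINES))
    for proc, info in sorted(summary.items()):
        verdict = "section-mapping injection" if info["injection_pattern"] else "no injection pattern"
        print(f"process {proc} ({info['source']}): {verdict}")
```

Feed it the whole System Summary and HIPS blocks of a report to get the per-process verdict in one pass; here both the submitted sample (index 0) and the dropped copy (index 5) carry the full primitive, while explorer.exe (index 1) only shows the injected code's own calls.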
      Stealing of Sensitive Information

Source: Yara match | File source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2104950353.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2104992060.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1830761735.0000000003F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1829948690.0000000002460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

Source: Yara match | File source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2104950353.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2104992060.0000000002491000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1830761735.0000000003F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1829948690.0000000002460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix, listed per tactic (figures in parentheses are reproduced as shown on the original matrix; techniques without a figure were not matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Exploitation for Client Execution (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (33); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (12); Process Injection (33); Hidden Files and Directories (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Security Software Discovery (511); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (112)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (113); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection for the submitted sample
Source | Detection | Scanner | Label
Qi4Mj8hG3t.exe | 66% | ReversingLabs | Win32.Trojan.SmokeLoader
Qi4Mj8hG3t.exe | 81% | Virustotal |
Qi4Mj8hG3t.exe | 100% | Avira | TR/AD.SmokeLoader.nbtrk
Qi4Mj8hG3t.exe | 100% | Joe Sandbox ML |

Antivirus detection for the dropped file
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\hehbwci | 100% | Avira | TR/AD.SmokeLoader.nbtrk
C:\Users\user\AppData\Roaming\hehbwci | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\hehbwci | 66% | ReversingLabs | Win32.Trojan.SmokeLoader
C:\Users\user\AppData\Roaming\hehbwci | 81% | Virustotal |

No Antivirus matches

Antivirus detection for the contacted domain
Source | Detection | Scanner | Label
selebration17io.io | 17% | Virustotal |
Contacted domain
Name | IP | Active | Malicious | Antivirus Detection | Reputation
selebration17io.io | 188.40.141.211 | true | true | | unknown

Malicious URLs
Name | Malicious | Antivirus Detection | Reputation
http://valarioulinity1.net/index.php | true | 15% Virustotal; Avira URL Cloud: malware | unknown
http://buriatiarutuhuob.net/index.php | true | 16% Virustotal; Avira URL Cloud: malware | unknown
http://cassiosssionunu.me/index.php | true | 14% Virustotal; Avira URL Cloud: malware | unknown
Contacted IP
IP | Domain | Country | ASN | ASN Name | Malicious
188.40.141.211 | selebration17io.io | Germany | 24940 | HETZNER-ASDE | true
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1496328
      Start date and time:2024-08-21 07:10:08 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 5m 1s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:1
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:Qi4Mj8hG3t.exe
      renamed because original name is a hash value
      Original Sample Name:72eec8bbc11e7e184649111b6be19f254b54e1b1f955cf12b7bdcbe7a6c208c0.exe
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@2/2@1/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 86
      • Number of non-executed functions: 11
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtEnumerateKey calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
01:11:32 | API Interceptor | 579x Sleep call for process: explorer.exe modified
06:11:31 | Task Scheduler | Run new task: Firefox Default Browser Agent 6A0EFD02A3BB95CB path: C:\Users\user\AppData\Roaming\hehbwci
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      188.40.141.211setup.exeGet hashmaliciousBabuk, DjvuBrowse
      • zexeq.com/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4&first=true
      SecuriteInfo.com.Win32.Evo-gen.21074.1738.exeGet hashmaliciousSmokeLoaderBrowse
      • agressivemnaiq.xyz/
      A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exeGet hashmaliciousBdaejec, SmokeLoaderBrowse
      • host-data-coin-11.com/
      be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005_dump.exeGet hashmaliciousSmokeLoaderBrowse
      • host-data-coin-11.com/
      EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exeGet hashmaliciousBdaejec, SmokeLoaderBrowse
      • host-data-coin-11.com/
      LisectAVT_2403002B_303.exeGet hashmaliciousBdaejec, SmokeLoaderBrowse
      • aucmoney.com/upload/
      LisectAVT_2403002C_47.exeGet hashmaliciousSmokeLoaderBrowse
      • trad-einmyus.com/index.php
      EF48AEBC0F1E77208BBCD5206C58678BB1181994507D1084E1D324DCA9D5D3B8.exeGet hashmaliciousBdaejec, SmokeLoaderBrowse
      • host-data-coin-11.com/
      E6D881EA9A11D23E31737469C38C5C74DE54ADC680A662D877C6CAB46E3A34AB.exeGet hashmaliciousBdaejec, SmokeLoaderBrowse
      • host-data-coin-11.com/
      D9B72DA68DB9EB3D54BFD70C71F9A07EF222B7D9662DE35E74BA080B473DF4E2.exeGet hashmaliciousBdaejec, SmokeLoaderBrowse
      • host-data-coin-11.com/
      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
      selebration17io.io | 987123[1].exe | Get hash | malicious | Bdaejec, SmokeLoader | Browse | 188.40.141.211
      Vjt694rffx.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | Browse | 91.215.85.120
      ak55ZgXKwt.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | Browse | 91.215.85.120
      tZksysDKeT.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | Browse | 91.215.85.120
      woM8Z8CFYx.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse | 91.215.85.120
      6t0abj5L0W.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | Browse | 91.215.85.120
      UUVupNLfBb.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | Browse | 91.215.85.120
      FNzQAE7DvU.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | Browse | 91.215.85.120
      Hweat0i2VU.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse | 91.215.85.120
      c2DmniR687.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | Browse | 91.215.85.120
      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
      HETZNER-ASDE | 53QoH91Zg3.exe | Get hash | malicious | Unknown | Browse | 88.99.2.111
      7GfciIf7ys.exe | Get hash | malicious | Unknown | Browse | 213.239.213.220
      2pFytt52ws.exe | Get hash | malicious | Unknown | Browse | 95.216.22.24
      53QoH91Zg3.exe | Get hash | malicious | Unknown | Browse | 195.201.62.78
      http://manga-netflix10737.tinyblogging.com.xx3.kz/ | Get hash | malicious | Unknown | Browse | 138.201.139.144
      https://monogogo.info/JQJMLAWN#em=npaladino@bigge.com | Get hash | malicious | Phisher | Browse | 46.4.15.55
      http://www.lesliehawes.com | Get hash | malicious | Unknown | Browse | 135.181.16.82
      KKveTTgaAAsecNNaaaa.sh4.elf | Get hash | malicious | Unknown | Browse | 46.4.110.10
      ExeFile (267).exe | Get hash | malicious | Emotet | Browse | 195.201.56.70
      ExeFile (27).exe | Get hash | malicious | AZORult, PureLog Stealer | Browse | 168.119.251.131
      No context
      No context
      Process:C:\Windows\explorer.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):174080
      Entropy (8bit):6.743976758645583
      Encrypted:false
      SSDEEP:3072:I3f2uHIOIgqTtvccJ7V7lWqeZc/9Ply7Z3YriJygk:IP2uovTtvccJ7VhW0ipS7
      MD5:61C79ECB54722978E1CCE297F460AE1C
      SHA1:4E71999FE652445C0CE2E14285A8D89D744FA163
      SHA-256:72EEC8BBC11E7E184649111B6BE19F254B54E1B1F955CF12B7BDCBE7A6C208C0
      SHA-512:7E381A203217A851ECD9D2ADA93C2E22A678AC1425F77476F97782DFB1BE4882655C6615D7DF59D6D05B2FBC20463878B2C5C11D6DE7F51AA8F83A67A5BAD90C
      Malicious:true
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      • Antivirus: Joe Sandbox ML, Detection: 100%
      • Antivirus: ReversingLabs, Detection: 66%
      • Antivirus: Virustotal, Detection: 81%, Browse
      Reputation:low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................M......x......L.....u.............I......|......{.....Rich............PE..L....s{d.....................|......7.............@..........................0......z.......................................\...x........u...........................................................................................................text............................... ..`.rdata...+.......,..................@..@.data...,.... ...,..................@....rsrc....u.......v...2..............@..@................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\explorer.exe
      File Type:ASCII text, with CRLF line terminators
      Category:modified
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:true
      Reputation:high, very likely benign file
      Preview:[ZoneTransfer]....ZoneId=0
      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):6.743976758645583
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:Qi4Mj8hG3t.exe
      File size:174'080 bytes
      MD5:61c79ecb54722978e1cce297f460ae1c
      SHA1:4e71999fe652445c0ce2e14285a8d89d744fa163
      SHA256:72eec8bbc11e7e184649111b6be19f254b54e1b1f955cf12b7bdcbe7a6c208c0
      SHA512:7e381a203217a851ecd9d2ada93c2e22a678ac1425f77476f97782dfb1be4882655c6615d7df59d6d05b2fbc20463878b2c5c11d6de7f51aa8f83a67a5bad90c
      SSDEEP:3072:I3f2uHIOIgqTtvccJ7V7lWqeZc/9Ply7Z3YriJygk:IP2uovTtvccJ7VhW0ipS7
      TLSH:9304AD3936E1E432C0AB0530E9B1C6718A3BB8E21671418777942BAE6EF17C0597B7D7
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................M.......x.......L.......u...............I.......|.......{.....Rich............PE..L....s{d...................
      Icon Hash:67376767d3771ee3
      Entrypoint:0x401637
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:TERMINAL_SERVER_AWARE
      Time Stamp:0x647B731D [Sat Jun 3 17:06:37 2023 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:1
      File Version Major:5
      File Version Minor:1
      Subsystem Version Major:5
      Subsystem Version Minor:1
      Import Hash:3e9a9cf66c4a31d33ef1279b5d62e5f6
      Instruction
      call 00007EFFF8D2DFA6h
      jmp 00007EFFF8D2AE0Eh
      mov edi, edi
      push ebp
      mov ebp, esp
      sub esp, 00000328h
      mov dword ptr [00424258h], eax
      mov dword ptr [00424254h], ecx
      mov dword ptr [00424250h], edx
      mov dword ptr [0042424Ch], ebx
      mov dword ptr [00424248h], esi
      mov dword ptr [00424244h], edi
      mov word ptr [00424270h], ss
      mov word ptr [00424264h], cs
      mov word ptr [00424240h], ds
      mov word ptr [0042423Ch], es
      mov word ptr [00424238h], fs
      mov word ptr [00424234h], gs
      pushfd
      pop dword ptr [00424268h]
      mov eax, dword ptr [ebp+00h]
      mov dword ptr [0042425Ch], eax
      mov eax, dword ptr [ebp+04h]
      mov dword ptr [00424260h], eax
      lea eax, dword ptr [ebp+08h]
      mov dword ptr [0042426Ch], eax
      mov eax, dword ptr [ebp-00000320h]
      mov dword ptr [004241A8h], 00010001h
      mov eax, dword ptr [00424260h]
      mov dword ptr [0042415Ch], eax
      mov dword ptr [00424150h], C0000409h
      mov dword ptr [00424154h], 00000001h
      mov eax, dword ptr [00422004h]
      mov dword ptr [ebp-00000328h], eax
      mov eax, dword ptr [00422008h]
      mov dword ptr [ebp-00000324h], eax
      call dword ptr [000000CCh]
      Programming Language:
      • [C++] VS2010 build 30319
      • [ASM] VS2010 build 30319
      • [ C ] VS2010 build 30319
      • [IMP] VS2008 SP1 build 30729
      • [RES] VS2010 build 30319
      • [LNK] VS2010 build 30319
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2125c | 0x78 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1ecb000 | 0x75c8 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x1f000 | 0x19c | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x1d5cb | 0x1d600 | a810a9c9120f4cdcf66a64506449fbeb | False | 0.7495927526595745 | data | 7.299516897254431 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x1f000 | 0x2bd0 | 0x2c00 | 08021782903f47ebf4a4654ea2d41b59 | False | 0.36656605113636365 | data | 4.954293942842169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x22000 | 0x1ea812c | 0x2c00 | 04e2df9c2226af961535575c266f1656 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x1ecb000 | 0x75c8 | 0x7600 | 67b0c2b948a339c6604fc076b5e384e1 | False | 0.56640625 | data | 5.624069862314347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_CURSOR | 0x1ed0bc8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | English | United States | 0.4276315789473684
      RT_CURSOR | 0x1ed0d10 | 0x134 | Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.75
      RT_CURSOR | 0x1ed0e60 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.31023454157782515
      RT_ICON | 0x1ecb420 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.4584221748400853
      RT_ICON | 0x1ecc2c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.6164259927797834
      RT_ICON | 0x1eccb70 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.7033410138248848
      RT_ICON | 0x1ecd238 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.7586705202312138
      RT_ICON | 0x1ecd7a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.6119294605809129
      RT_ICON | 0x1ecfd48 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.7131147540983607
      RT_ICON | 0x1ed06d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7677304964539007
      RT_STRING | 0x1ed1ed8 | 0xe0 | data | English | United States | 0.5491071428571429
      RT_STRING | 0x1ed1fb8 | 0x610 | data | English | United States | 0.43427835051546393
      RT_ACCELERATOR | 0x1ed0ba0 | 0x28 | data | English | United States | 1.0
      RT_GROUP_CURSOR | 0x1ed0cf8 | 0x14 | data | English | United States | 1.15
      RT_GROUP_CURSOR | 0x1ed0e48 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
      RT_GROUP_CURSOR | 0x1ed1d08 | 0x14 | data | English | United States | 1.25
      RT_GROUP_ICON | 0x1ed0b38 | 0x68 | data | English | United States | 0.7115384615384616
      RT_VERSION | 0x1ed1d20 | 0x1b4 | data | English | United States | 0.573394495412844
      DLL | Import
      KERNEL32.dll | HeapAlloc, SystemTimeToFileTime, GetUserDefaultLCID, WideCharToMultiByte, GetConsoleAliasExesLengthW, GetTimeZoneInformation, ReleaseSemaphore, ReplaceFileA, GetStdHandle, GetCurrentDirectoryW, SetLastError, CreateNamedPipeA, CreateTimerQueueTimer, BuildCommDCBW, LoadLibraryA, SystemTimeToTzSpecificLocalTime, LocalAlloc, GetFileType, AddAtomW, GetModuleFileNameA, lstrcatW, FreeEnvironmentStringsW, VirtualProtect, FatalAppExitA, EndUpdateResourceA, GetVolumeInformationW, CreateFileW, WriteConsoleW, ReadFile, GetProcessHeap, GetLocaleInfoA, MoveFileExA, InterlockedExchangeAdd, WriteConsoleOutputCharacterW, SetEndOfFile, SetStdHandle, GetLastError, HeapFree, EncodePointer, DecodePointer, GetCommandLineW, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, HeapCreate, Sleep, HeapSize, GetProcAddress, GetModuleHandleW, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, RtlUnwind, WriteFile, GetModuleFileNameW, GetEnvironmentStringsW, SetHandleCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, HeapReAlloc, LoadLibraryW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, MultiByteToWideChar, GetStringTypeW, SetFilePointer
      USER32.dll | SetActiveWindow, SetKeyboardState, CreateIcon, GetClassLongA
      GDI32.dll | GetCharWidthW
      ADVAPI32.dll | GetAce
      ole32.dll | CoTaskMemFree
      Language of compilation system | Country where language is spoken | Map
      English | United States |
      Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
      2024-08-21T07:11:33.779685+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      2024-08-21T07:11:59.918770+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      2024-08-21T07:11:34.420305+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      2024-08-21T07:12:00.295440+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Aug 21, 2024 07:11:33.090862989 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:33.096759081 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:33.100511074 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:33.106575966 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:33.106646061 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:33.111350060 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:33.111629009 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:33.731317997 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:33.779685020 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:34.055602074 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:34.055645943 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:34.060544014 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:34.060781002 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:34.380569935 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:34.420305014 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:59.727905989 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:59.727948904 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:59.732784033 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:59.732801914 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:59.913721085 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:59.918770075 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:59.918806076 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Aug 21, 2024 07:11:59.923590899 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:11:59.923700094 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:12:00.241142988 CEST | 80 | 49736 | 188.40.141.211 | 192.168.2.4
      Aug 21, 2024 07:12:00.295439959 CEST | 49736 | 80 | 192.168.2.4 | 188.40.141.211
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Aug 21, 2024 07:11:32.751893044 CEST | 52064 | 53 | 192.168.2.4 | 1.1.1.1
      Aug 21, 2024 07:11:33.072408915 CEST | 53 | 52064 | 1.1.1.1 | 192.168.2.4
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Aug 21, 2024 07:11:32.751893044 CEST | 192.168.2.4 | 1.1.1.1 | 0x7952 | Standard query (0) | selebration17io.io | A (IP address) | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Aug 21, 2024 07:11:33.072408915 CEST | 1.1.1.1 | 192.168.2.4 | 0x7952 | No error (0) | selebration17io.io | | 188.40.141.211 | A (IP address) | IN (0x0001) | false
      • nhivofhdrhfmn.com
        • selebration17io.io
      • rthqivmpffucvlrr.net
      • rgfwevugokr.com
      • wdxggolynru.org
      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      0 | 192.168.2.4 | 49736 | 188.40.141.211 | 80 | 2580 | C:\Windows\explorer.exe
      Timestamp | Bytes transferred | Direction | Data
      Aug 21, 2024 07:11:33.106575966 CEST | 285 | OUT | POST /index.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://nhivofhdrhfmn.com/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 237
      Host: selebration17io.io
      Aug 21, 2024 07:11:33.106646061 CEST | 237 | OUT | Data Raw: 48 9d 8b bc 48 13 27 52 5e 01 24 24 0c db 5e cd 5b 1c 9b 13 fc 19 df da bc 6c a0 f6 70 f4 a7 e7 8a ad 8e b7 03 32 ee c7 a3 29 6a 7e 83 8a fc 12 f0 5f 3d 01 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 a4 f5 42 ac
      Data Ascii: HH'R^$$^[lp2)j~_=;}f=B!bOBn`u(o=yO-'Xb^[!&S]__"X #'<fx=C6`"(k/T;1[E%(C^6JRb5l=
      Aug 21, 2024 07:11:33.731317997 CEST | 151 | IN | HTTP/1.1 404 Not Found
      Server: nginx/1.18.0
      Content-Length: 7
      Content-Type: application/octet-stream
      Date: Wed, 21 Aug 2024 05:11:33 GMT
      Data Raw: 03 00 00 00 1f 3d 19
      Data Ascii: =
      Aug 21, 2024 07:11:34.055602074 CEST | 288 | OUT | POST /index.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://rthqivmpffucvlrr.net/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 142
      Host: selebration17io.io
      Aug 21, 2024 07:11:34.055645943 CEST | 142 | OUT | Data Raw: 48 9d 8b bc 48 13 27 52 5e 01 24 24 0c db 5e cd 5b 1c 9b 13 fc 19 df da bc 6c a0 f6 70 f4 a7 e7 8a ad 8e b7 03 32 ee c7 a3 29 6a 7e 83 8a fc 12 f0 5f 3d 01 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a2 19 c8 8a 14 62 cd d6 4f 96 9f bc 40 b0
      Data Ascii: HH'R^$$^[lp2)j~_=;}f=B!bO@'w4ZvAi6$b~*6Pk
      Aug 21, 2024 07:11:34.380569935 CEST | 144 | IN | HTTP/1.1 404 Not Found
      Server: nginx/1.18.0
      Content-Length: 0
      Content-Type: application/octet-stream
      Date: Wed, 21 Aug 2024 05:11:34 GMT
      Aug 21, 2024 07:11:59.727905989 CEST | 283 | OUT | POST /index.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://rgfwevugokr.com/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 341
      Host: selebration17io.io
      Aug 21, 2024 07:11:59.727948904 CEST | 341 | OUT | Data Raw: 48 9d 8b bc 48 13 27 52 5e 01 24 24 0c db 5e cd 5b 1c 9b 13 fc 19 df da bc 6c a0 f6 70 f4 a7 e7 8a ad 8e b7 03 32 ee c7 a3 29 6a 7e 83 8a fc 12 f0 5f 3d 01 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 f5 f3 40 dd
      Data Ascii: HH'R^$$^[lp2)j~_=;}f=B!bO@kBeHbv_$pO`.h%WcHF+R8pcYFB/JK#jvux9s>52:KKmis&BZ2b{TN*
      Aug 21, 2024 07:11:59.913721085 CEST | 151 | IN | HTTP/1.1 404 Not Found
      Server: nginx/1.18.0
      Content-Length: 7
      Content-Type: application/octet-stream
      Date: Wed, 21 Aug 2024 05:11:59 GMT
      Data Raw: 03 00 00 00 1f 3d 19
      Data Ascii: =
      Aug 21, 2024 07:11:59.918770075 CEST | 283 | OUT | POST /index.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://wdxggolynru.org/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 173
      Host: selebration17io.io
      Aug 21, 2024 07:11:59.918806076 CEST | 173 | OUT | Data Raw: 48 9d 8b bc 48 13 27 52 5e 01 24 24 0c db 5e cd 5b 1c 9b 13 fc 19 df da bc 6c a0 f6 70 f4 a7 e7 8a ad 8e b7 03 32 ee c7 a3 29 6a 7e 83 8a fc 12 f0 5f 3d 01 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a2 19 c8 8a 14 62 cd d6 4f 96 f2 ba 30 f8
      Data Ascii: HH'R^$$^[lp2)j~_=;}f=B!bO0o*(-4%:'cLJmZ,~?!D%Ah%wH
      Aug 21, 2024 07:12:00.241142988 CEST | 144 | IN | HTTP/1.1 404 Not Found
      Server: nginx/1.18.0
      Content-Length: 0
      Content-Type: application/octet-stream
      Date: Wed, 21 Aug 2024 05:12:00 GMT

      Target ID:0
      Start time:01:11:03
      Start date:21/08/2024
      Path:C:\Users\user\Desktop\Qi4Mj8hG3t.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\Qi4Mj8hG3t.exe"
      Imagebase:0x400000
      File size:174'080 bytes
      MD5 hash:61C79ECB54722978E1CCE297F460AE1C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1830577442.00000000025CF000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1830761735.0000000003F51000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1830761735.0000000003F51000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1829948690.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1829948690.0000000002460000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1829890745.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
      Reputation:low
      Has exited:true

      Target ID:1
      Start time:01:11:13
      Start date:21/08/2024
      Path:C:\Windows\explorer.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\Explorer.EXE
      Imagebase:0x7ff72b770000
      File size:5'141'208 bytes
      MD5 hash:662F4F92FDE3557E86D110526BB578D5
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
      Reputation:high
      Has exited:false

      Target ID:5
      Start time:01:11:31
      Start date:21/08/2024
      Path:C:\Users\user\AppData\Roaming\hehbwci
      Wow64 process (32bit):true
      Commandline:C:\Users\user\AppData\Roaming\hehbwci
      Imagebase:0x400000
      File size:174'080 bytes
      MD5 hash:61C79ECB54722978E1CCE297F460AE1C
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2104950353.0000000002470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2104950353.0000000002470000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2104992060.0000000002491000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2104992060.0000000002491000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2105350044.00000000026BE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2104904098.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
      Antivirus matches:
      • Detection: 100%, Avira
      • Detection: 100%, Joe Sandbox ML
      • Detection: 66%, ReversingLabs
      • Detection: 81%, Virustotal, Browse
      Reputation:low
      Has exited:true


        Execution Graph

        Execution Coverage:7.5%
        Dynamic/Decrypted Code Coverage:19.4%
        Signature Coverage:52.8%
        Total number of Nodes:144
        Total number of Limit Nodes:5
        execution_graph 5142 403005 5143 40315c 5142->5143 5144 40302f 5142->5144 5144->5143 5145 4030ea RtlCreateUserThread NtTerminateProcess 5144->5145 5145->5143 5215 402e07 5217 402e1a 5215->5217 5216 40193e 11 API calls 5218 402f54 5216->5218 5217->5216 5217->5218 5234 401cca 5235 401cda 5234->5235 5236 401d20 HeapCreate 5235->5236 5236->5235 5237 401d3e 5236->5237 5275 40194a 5276 40194f 5275->5276 5277 401991 Sleep 5276->5277 5278 4019ac 5277->5278 5279 401553 10 API calls 5278->5279 5280 4019bd 5278->5280 5279->5280 5146 401d16 5147 401d09 5146->5147 5148 401d20 HeapCreate 5147->5148 5148->5147 5149 401d3e 5148->5149 5287 401561 5288 401570 5287->5288 5289 401608 NtDuplicateObject 5288->5289 5298 4018dd 5288->5298 5290 401625 NtCreateSection 5289->5290 5289->5298 5291 4016a5 NtCreateSection 5290->5291 5292 40164b NtMapViewOfSection 5290->5292 5294 4016d1 5291->5294 5291->5298 5292->5291 5293 40166e NtMapViewOfSection 5292->5293 5293->5291 5295 40168c 5293->5295 5296 4016db NtMapViewOfSection 5294->5296 5294->5298 5295->5291 5297 401702 NtMapViewOfSection 5296->5297 5296->5298 5297->5298 5299 401724 5297->5299 5299->5298 5300 401729 3 API calls 5299->5300 5300->5298 5127 25d1a7f 5128 25d1a8e 5127->5128 5131 25d221f 5128->5131 5134 25d223a 5131->5134 5132 25d2243 CreateToolhelp32Snapshot 5133 25d225f Module32First 5132->5133 5132->5134 5135 25d226e 5133->5135 5136 25d1a97 5133->5136 5134->5132 5134->5133 5138 25d1ede 5135->5138 5139 25d1f09 5138->5139 5140 25d1f1a VirtualAlloc 5139->5140 5141 25d1f52 5139->5141 5140->5141 5141->5141 5219 401c23 5220 401c24 5219->5220 5221 401cb6 5220->5221 5222 401d20 HeapCreate 5220->5222 5222->5220 5223 401d3e 5222->5223 5250 401cee 5251 401cf2 5250->5251 5253 401d3e 5250->5253 5252 401d20 HeapCreate 5251->5252 5252->5251 5252->5253 5347 245092b GetPEB 5348 2450972 5347->5348 5071 41d9f0 5074 41d9fd 5071->5074 5072 41dabf 5080 41d740 5072->5080 5074->5072 5075 41da32 GetFileType GetVolumeInformationW 5074->5075 5077 41da94 
lstrcatW 5074->5077 5075->5074 5076 41dac4 5099 41cc80 VirtualProtect 5076->5099 5100 41d520 LoadLibraryA 5076->5100 5077->5074 5081 41d770 5080->5081 5083 41d7d6 InterlockedExchangeAdd SetActiveWindow CreateIcon SetKeyboardState 5081->5083 5092 41d845 5081->5092 5086 41d804 GetStdHandle FreeEnvironmentStringsW AddAtomW GetCurrentDirectoryW 5083->5086 5084 41d86f GetUserDefaultLCID WideCharToMultiByte GetTimeZoneInformation MoveFileExA GetLocaleInfoA 5097 41d8b8 5084->5097 5087 41d834 5086->5087 5088 41d82a GetCharWidthW 5086->5088 5089 41d83d FatalAppExitA 5087->5089 5087->5092 5088->5087 5089->5092 5091 41d945 5103 41cc80 VirtualProtect 5091->5103 5092->5084 5092->5097 5093 41d8f0 5102 41d520 LoadLibraryA 5093->5102 5095 41d94a 5104 41d6c0 5095->5104 5101 41cc50 LocalAlloc 5097->5101 5098 41d94f 5098->5076 5099->5076 5100->5076 5101->5093 5102->5091 5103->5095 5111 41d610 5104->5111 5107 41d725 5114 41d640 5107->5114 5108 41d6ef CreateNamedPipeA SystemTimeToFileTime 5108->5107 5112 41d621 RtlAllocateHeap LoadLibraryA 5111->5112 5113 41d635 5111->5113 5112->5113 5113->5107 5113->5108 5115 41d656 BuildCommDCBW 5114->5115 5117 41d665 5114->5117 5115->5117 5118 41d68b GetConsoleAliasExesLengthW 5117->5118 5119 41d696 5117->5119 5120 41d560 5117->5120 5118->5117 5119->5098 5121 41d580 GetModuleFileNameA 5120->5121 5122 41d58f 5120->5122 5121->5122 5123 41d5ab GetAce 5122->5123 5124 41d5be 5122->5124 5123->5124 5125 41d5f3 5124->5125 5126 41d5e2 GetLocaleInfoA 5124->5126 5125->5117 5126->5125 5150 245003c 5151 2450049 5150->5151 5163 2450e0f SetErrorMode SetErrorMode 5151->5163 5156 2450265 5157 24502ce VirtualProtect 5156->5157 5159 245030b 5157->5159 5158 2450439 VirtualFree 5162 24504be LoadLibraryA 5158->5162 5159->5158 5161 24508c7 5162->5161 5164 2450223 5163->5164 5165 2450d90 5164->5165 5166 2450dad 5165->5166 5167 2450dbb GetPEB 5166->5167 5168 2450238 VirtualAlloc 5166->5168 5167->5168 5168->5156 5169 402eba 5170 402ecc 5169->5170 5172 402f54 5170->5172 5173 
40193e 5170->5173 5174 40194f 5173->5174 5175 401991 Sleep 5174->5175 5176 4019ac 5175->5176 5178 4019bd 5176->5178 5179 401553 5176->5179 5178->5172 5180 401563 5179->5180 5181 4018dd 5180->5181 5182 401608 NtDuplicateObject 5180->5182 5181->5178 5182->5181 5183 401625 NtCreateSection 5182->5183 5184 4016a5 NtCreateSection 5183->5184 5185 40164b NtMapViewOfSection 5183->5185 5184->5181 5187 4016d1 5184->5187 5185->5184 5186 40166e NtMapViewOfSection 5185->5186 5186->5184 5188 40168c 5186->5188 5187->5181 5189 4016db NtMapViewOfSection 5187->5189 5188->5184 5189->5181 5190 401702 NtMapViewOfSection 5189->5190 5190->5181 5191 401724 5190->5191 5191->5181 5193 401729 5191->5193 5194 40172b 5193->5194 5199 401724 5193->5199 5195 4016be NtCreateSection 5194->5195 5194->5199 5196 4016d1 5195->5196 5195->5199 5197 4016db NtMapViewOfSection 5196->5197 5196->5199 5198 401702 NtMapViewOfSection 5197->5198 5197->5199 5198->5199 5199->5181

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 86 401553-4015b2 call 4011cd 98 4015b4 86->98 99 4015b7-4015bc 86->99 98->99 101 4015c2-4015d3 99->101 102 4018df-4018e7 99->102 105 4015d9-401602 101->105 106 4018dd 101->106 102->99 107 4018ec-40193b call 4011cd 102->107 105->106 115 401608-40161f NtDuplicateObject 105->115 106->107 115->106 117 401625-401649 NtCreateSection 115->117 119 4016a5-4016cb NtCreateSection 117->119 120 40164b-40166c NtMapViewOfSection 117->120 119->106 122 4016d1-4016d5 119->122 120->119 121 40166e-40168a NtMapViewOfSection 120->121 121->119 124 40168c-4016a2 121->124 122->106 125 4016db-4016fc NtMapViewOfSection 122->125 124->119 125->106 127 401702-40171e NtMapViewOfSection 125->127 127->106 131 401724 127->131 131->106 132 401724 call 401729 131->132 132->106
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
        • Instruction ID: ffaca3094f7e189a6d1e876f152d3a102a579446f97b5118db7f8e4db1241ca1
        • Opcode Fuzzy Hash: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
        • Instruction Fuzzy Hash: FB613075A00204FBEB209F91CC49FAF7BB8EF85700F10412AF912BA1E5D7759941DB66

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 40156b; blocks 40156b-40193b, same body as the 401553 entry from 4015b4 on; subcalls 4011cd and 401729; loop 4015b7-4015bc / 4018df-4018e7; epilogue 4018dd / 4018ec-40193b
        • 401608-40161f NtDuplicateObject; 401625-401649 NtCreateSection; 40164b-40166c NtMapViewOfSection; 40166e-40168a NtMapViewOfSection; 4016a5-4016cb NtCreateSection; 4016db-4016fc NtMapViewOfSection; 401702-40171e NtMapViewOfSection
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
        • Instruction ID: bfc0b8c1e1aad88884ae744cc722ee3a04b4b25e2f03b0569bf5ee1b63965b96
        • Opcode Fuzzy Hash: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
        • Instruction Fuzzy Hash: 34512B75900205BBEB209F91CC49FAF7BB8FF85B00F14412AF912BA2E5D7759941CB25

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 401561; blocks 401561-40193b, same body as the 401553 entry from 4015b4 on; subcalls 4011cd and 401729; loop 4015b7-4015bc / 4018df-4018e7; epilogue 4018dd / 4018ec-40193b
        • 401608-40161f NtDuplicateObject; 401625-401649 NtCreateSection; 40164b-40166c NtMapViewOfSection; 40166e-40168a NtMapViewOfSection; 4016a5-4016cb NtCreateSection; 4016db-4016fc NtMapViewOfSection; 401702-40171e NtMapViewOfSection
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
        • Instruction ID: 412e9309e7daddaa9b19f32dddfbffbd79934f2f1d3bc440b9a7152e2b53a84f
        • Opcode Fuzzy Hash: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
        • Instruction Fuzzy Hash: 235119B1900205BFEB209F91CC49FAF7BB8EF85B00F14412AF912BA2E5D7759941CB25

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 40156f; blocks 40156f-40193b, same body as the 401553 entry from 4015b4 on; subcalls 4011cd and 401729; loop 4015b7-4015bc / 4018df-4018e7; epilogue 4018dd / 4018ec-40193b
        • 401608-40161f NtDuplicateObject; 401625-401649 NtCreateSection; 40164b-40166c NtMapViewOfSection; 40166e-40168a NtMapViewOfSection; 4016a5-4016cb NtCreateSection; 4016db-4016fc NtMapViewOfSection; 401702-40171e NtMapViewOfSection
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
        • Instruction ID: 5723072b253cbae10e330d7def6e8ce5ab34414c0c11206194204dab9df800f9
        • Opcode Fuzzy Hash: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
        • Instruction Fuzzy Hash: 6A5109B1900205BBEB209F91CC49FAF7BB8EF85B00F144129FA11BA2E5D6759945CB24

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 401583; blocks 401583-40193b, same body as the 401553 entry from 4015b4 on; subcalls 4011cd and 401729; loop 4015b7-4015bc / 4018df-4018e7; epilogue 4018dd / 4018ec-40193b
        • 401608-40161f NtDuplicateObject; 401625-401649 NtCreateSection; 40164b-40166c NtMapViewOfSection; 40166e-40168a NtMapViewOfSection; 4016a5-4016cb NtCreateSection; 4016db-4016fc NtMapViewOfSection; 401702-40171e NtMapViewOfSection
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
        • Instruction ID: be4f3395432beacb56dc40f225edc855b7308e08cbc6b66c5e1fe0de6445bc19
        • Opcode Fuzzy Hash: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
        • Instruction Fuzzy Hash: D6510BB1900205BBEB209F91CC49FAF7BB8EF85B00F14412AFA11BA2E5D7759945CB64

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 401587; blocks 401587-40193b, same body as the 401553 entry from 4015b4 on; subcalls 4011cd and 401729; loop 4015b7-4015bc / 4018df-4018e7; epilogue 4018dd / 4018ec-40193b
        • 401608-40161f NtDuplicateObject; 401625-401649 NtCreateSection; 40164b-40166c NtMapViewOfSection; 40166e-40168a NtMapViewOfSection; 4016a5-4016cb NtCreateSection; 4016db-4016fc NtMapViewOfSection; 401702-40171e NtMapViewOfSection
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
        • Instruction ID: c9324331886a871ff7b65cfc1a3adde32c11ca3f72b54674233341407885f4d3
        • Opcode Fuzzy Hash: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
        • Instruction Fuzzy Hash: 7E511A71900249BBEB209F91CC48FEF7BB8EF85B00F144169F911AA2E5D7759945CB24

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 401729; blocks 401729-4018d4, with a path back through 4016be-401724 (shared with the 401553 routine) and the common epilogue 4018dd-40193b; subcalls 4011cd, 40181b and 401729 itself (recursive); loops at 4017f3-40180d and 40188e-4018b9
        • 4016be-4016cb NtCreateSection; 4016db-4016fc NtMapViewOfSection; 401702-40171e NtMapViewOfSection
        APIs
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Section$View$Create
        • String ID:
        • API String ID: 33071139-0
        • Opcode ID: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
        • Instruction ID: bb29a515743844fa426f6922f48e3936f90c9c278b9ffb8c9c9d974ad6050a99
        • Opcode Fuzzy Hash: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
        • Instruction Fuzzy Hash: 69519272904104EBEB249A55CC44FAA77B5FF85700F24813BE842772F0D67C6942E65B

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 403005; blocks 403005-403161; loops at 40306e-40307c and 403060-4030dc; exit through 40315c-403161
        • 4030ea-403159 RtlCreateUserThread, then NtTerminateProcess, in the same block (the APIs list below is empty; only the graph records the two calls)
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateProcessTerminateThreadUser
        • String ID:
        • API String ID: 1921587553-0
        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
        • Instruction ID: 9349ae55c142a47270c9c73eabb89239111d3cd47c98212c67b606f4e0ccd907
        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
        • Instruction Fuzzy Hash: C5412531218E088FD7A8EF6CA88576377D5F798311F6643AAE809D3389EA34DC5187C5

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 25d221f; blocks 25d221f-25d227d; subcall 25d1ede; retry loop 25d2251-25d225d back to 25d223a around the snapshot call
        • 25d2243-25d224f CreateToolhelp32Snapshot; 25d225f-25d226c Module32First
        • Arguments below: CreateToolhelp32Snapshot(00000008 = TH32CS_SNAPMODULE, 00000000 = the calling process) and Module32First with dwSize 00000224 = sizeof(MODULEENTRY32), i.e. the code walks the module list of its own process; the retry loop matches the documented ERROR_BAD_LENGTH retry for TH32CS_SNAPMODULE snapshots. Enumerating its own loaded modules is a common way for a loader to look for injected sandbox or hooking DLLs.
        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 025D2247
        • Module32First.KERNEL32(00000000,00000224), ref: 025D2267
        Memory Dump Source
        • Source File: 00000000.00000002.1830577442.00000000025CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 025CF000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_25cf000_Qi4Mj8hG3t.jbxd
        Yara matches
        Similarity
        • API ID: CreateFirstModule32SnapshotToolhelp32
        • String ID:
        • API String ID: 3833638111-0
        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
        • Instruction ID: 2bc5c0d9232812d48f03e7e3935c6e151595598ba663a14e2f5a2efe75d7d635
        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
        • Instruction Fuzzy Hash: 69F096326007156FD7303BFDA88CB6F7AE9BF49724F100528FA46D25C1DB70E9464A65

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 41cc80; a single basic block 41cc80-41d514 ending in VirtualProtect
        APIs
        • VirtualProtect.KERNELBASE(022C7958,022C7FB4,00000040,?,0BB7EA7B,4BBE82DD,2FC43CC7,52860AB1,6AD71B2C,43FE4454,34026A25), ref: 0041D508
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1828782266.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_40f000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: ProtectVirtual
        • String ID: )?u$:/X$F(+$O8##$R'._$U99x$X2R$dFfX$v;^:$o:?$6
        • API String ID: 544645111-975362989
        • Opcode ID: 985ff9a8783156675320d5b9838888b25fc8951c43582f0a07c71af294fdf713
        • Instruction ID: ffaf80d715431d49bc4616ad809a760da3813b36c7eddc0dadf79f6ac9c1cc88
        • Opcode Fuzzy Hash: 985ff9a8783156675320d5b9838888b25fc8951c43582f0a07c71af294fdf713
        • Instruction Fuzzy Hash: A00294B440E385CBD2B49F469689B8EBBE0BB91708F608E0CD6DD1A214CB754589CF97

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 245003c; blocks 245003c-245091d; subcalls 2450a3f, 2450e0f, 2450d90, 2450a69, 2450cce, 2450ce7
        • 245004c-2450263 VirtualAlloc; 24502ce-24503c2 VirtualProtect; 2450439-24504b8 VirtualFree; 245086e-24508be LoadLibraryA
        • VirtualAlloc below is called as (00000000, ?, 00001000 = MEM_COMMIT, 00000004 = PAGE_READWRITE): a fresh writable buffer that the same function later re-protects with VirtualProtect and releases with VirtualFree, alongside LoadLibraryA and the string kernel32.dll. The dump source is offset 02450000 with "based on PE: false", i.e. memory outside the loaded image.
        APIs
        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0245024D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1829890745.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2450000_Qi4Mj8hG3t.jbxd
        Yara matches
        Similarity
        • API ID: AllocVirtual
        • String ID: cess$kernel32.dll
        • API String ID: 4275171209-1230238691
        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
        • Instruction ID: c9fbaced24b664d85f2f51353405923b56babc5c95e3065eb613141c6d6e0ca0
        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
        • Instruction Fuzzy Hash: 3D525D75A01229DFDB64CF58C985BADBBB1BF09304F1480DAE94DA7352DB30AA85CF14

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 41d9f0; blocks 41d9f0-41dac4; loop 41da10-41da16 back to 41da19; subcalls 41d740, 41d520 and 41cc80 (the VirtualProtect block above)
        • 41da32-41da5d GetFileType, GetVolumeInformationW; 41da94-41dab0 lstrcatW
        APIs
        • GetFileType.KERNEL32(00000000), ref: 0041DA34
        • GetVolumeInformationW.KERNEL32(00420C34,?,00000000,?,?,?,?,00000000), ref: 0041DA5D
        • lstrcatW.KERNEL32(?,00420C68), ref: 0041DAA0
        Memory Dump Source
        • Source File: 00000000.00000002.1828782266.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_40f000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: FileInformationTypeVolumelstrcat
        • String ID:
        • API String ID: 880640308-0
        • Opcode ID: 2f2dc669c62f6113b9801edf6543cb5ec700c74db123e39509a3d80e0da52efe
        • Instruction ID: 15a5cd5b2f8eb351202171c3d27230bdb0bdf3a9c172189cee9abf2db0b3138f
        • Opcode Fuzzy Hash: 2f2dc669c62f6113b9801edf6543cb5ec700c74db123e39509a3d80e0da52efe
        • Instruction Fuzzy Hash: 941196B1E45214EFC710CFD4F944BE9B7B8FB48705F5085BAE11196180DBB81A86CF59

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 2450e0f; blocks 2450e0f-2450e2c; 2450e0f-2450e24 SetErrorMode, SetErrorMode; branch at 2450e24 to 2450e26 or 2450e2b
        • Arguments below: SetErrorMode(00000400) immediately followed by SetErrorMode(00000000). SetErrorMode returns the previous mode, so on Windows the second call returns the 00000400 just set; comparing that return value with 0x400 is a well-known check for emulators that do not persist the error mode, and the branch directly after the two calls is consistent with such a comparison.
        APIs
        • SetErrorMode.KERNELBASE(00000400,?,?,02450223,?,?), ref: 02450E19
        • SetErrorMode.KERNELBASE(00000000,?,?,02450223,?,?), ref: 02450E1E
        Memory Dump Source
        • Source File: 00000000.00000002.1829890745.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2450000_Qi4Mj8hG3t.jbxd
        Yara matches
        Similarity
        • API ID: ErrorMode
        • String ID:
        • API String ID: 2340568224-0
        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
        • Instruction ID: e1b12fe88f2fad782c68d0e31ab567b73fc92b09f825ff25b4754dc4cb9b2f3f
        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
        • Instruction Fuzzy Hash: 0CD0123514512877D7002A94DC09BCE7B1CDF09B66F108011FB0DD9181C770954046E5
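        The following is an added example, not part of the Joe Sandbox report and not SmokeLoader's own code: a small Python decoder that reads API lines in the format printed on this page (the NtCreateSection/NtMapViewOfSection pairs of the 401553 function family, the CreateToolhelp32Snapshot call at 25d221f and the SetErrorMode pair at 2450e0f) and turns the hexadecimal arguments into findings. The sample trace is re-typed from this page. Two assumptions are stated in the comments: 000000FF is read as the -1 NtCurrentProcess pseudo-handle, and because section handles are unresolved ('?'), each NtCreateSection is paired with the NtMapViewOfSection calls that follow it in address order.

```python
"""Decode Joe Sandbox static API lines into injection / anti-analysis findings."""
import re

# Constructed sample: API lines re-typed from this report in the format the
# Joe Sandbox IDA plugin prints them. Not a live API log from the sandbox.
SAMPLE_TRACE = """
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 025D2247
• SetErrorMode.KERNELBASE(00000400,?,?,02450223,?,?), ref: 02450E19
• SetErrorMode.KERNELBASE(00000000,?,?,02450223,?,?), ref: 02450E1E
"""

LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Windows constants behind the decoded arguments (winnt.h / tlhelp32.h).
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXEC_PROT = {0x10, 0x20, 0x40, 0x80}
SEC_COMMIT = 0x08000000
TH32CS_SNAPMODULE = 0x00000008


def parse_trace(text):
    """Turn '• Api.Module(a,b,c), ref: addr' lines into call records; a '?'
    (argument the static plugin could not resolve) becomes None."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        api, module, raw, ref = m.groups()
        args = [None if a.strip() == "?" else int(a, 16)
                for a in raw.split(",")] if raw.strip() else []
        calls.append({"api": api, "module": module, "args": args, "ref": int(ref, 16)})
    return calls


def is_self_handle(v):
    """NtCurrentProcess() is (HANDLE)-1. Assumption: the plugin prints the
    'push -1' immediate as 000000FF (one byte), so both spellings count as
    the current process. An unresolved '?' (None) is treated as not-self."""
    return v in (0xFF, 0xFFFFFFFF)


def prot_name(p):
    return "?" if p is None else PAGE_PROT.get(p, hex(p))


def analyse(calls):
    findings = []
    # Assumption: calls are in program order (as their ref addresses are), so a
    # create is paired with the map calls that follow it until the next create.
    sections, cur = [], None
    for c in calls:
        a = c["args"]
        if c["api"] == "NtCreateSection":
            cur = {"ref": c["ref"], "prot": a[4], "commit": a[5] == SEC_COMMIT,
                   "local": [], "remote": []}
            sections.append(cur)
        elif c["api"] == "NtMapViewOfSection" and cur is not None:
            # a[1] = ProcessHandle, a[9] = Win32Protect of the view
            cur["local" if is_self_handle(a[1]) else "remote"].append(a[9])
    for s in sections:
        # One section with a view in the caller and a view in another process is
        # the section-mapping injection primitive: bytes written through the
        # local RW view are already visible in the remote view.
        if s["local"] and s["remote"]:
            findings.append({
                "type": "section_mapping_injection", "ref": s["ref"],
                "executable": s["prot"] in EXEC_PROT,
                "section_prot": prot_name(s["prot"]),
                "local_views": [prot_name(p) for p in s["local"]],
                "remote_views": [prot_name(p) for p in s["remote"]],
            })
    # SetErrorMode(0x400) directly followed by SetErrorMode(0): on Windows the
    # second call returns the 0x400 just set; emulators that do not persist the
    # error mode fail a comparison against that value.
    for prev, nxt in zip(calls, calls[1:]):
        if (prev["api"] == nxt["api"] == "SetErrorMode" and prev["args"] and nxt["args"]
                and prev["args"][0] == 0x400 and nxt["args"][0] == 0):
            findings.append({"type": "seterrormode_emulator_check", "ref": nxt["ref"]})
    # TH32CS_SNAPMODULE on the own process: walking the loaded-module list.
    for c in calls:
        if (c["api"] == "CreateToolhelp32Snapshot" and c["args"]
                and c["args"][0] is not None and c["args"][0] & TH32CS_SNAPMODULE):
            findings.append({"type": "toolhelp_module_enum", "ref": c["ref"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

On the sample above the decoder reports two shared sections (the PAGE_READWRITE one at 00401644 and the PAGE_EXECUTE_READWRITE one at 004016C6, the latter mapped PAGE_READWRITE locally and PAGE_EXECUTE_READ remotely), the SetErrorMode pair and the module enumeration. Lines whose arguments the plugin could not resolve are kept as None rather than guessed, which is why a '?' process handle counts as "not provably self" and should be confirmed against a dynamic trace before the finding is treated as certain.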

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 401c23; blocks 401c23-401eb3; subcalls 4011cd at 401c5e, 401d09-401d3c and 401e26-401e61; outer loop 401c36-401c37 back to 401c24; inner loop 401e92-401ea0
        • 401d09-401d3c HeapCreate
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 9c1e9cccb91d99d954687fe94e70fe720bb5ad39e5d31c5bbb3f34df5b56c3ae
        • Instruction ID: e299e37b8b1df7c2a428e8bb3617d2710998a2074ebf5d6b59d9fc61523cb6f3
        • Opcode Fuzzy Hash: 9c1e9cccb91d99d954687fe94e70fe720bb5ad39e5d31c5bbb3f34df5b56c3ae
        • Instruction Fuzzy Hash: 1551E032548B418BDB02BB74D44155AB760AF9A331B2847FBC8B27A1F0DA39C41387C7

        Control-flow Graph (rendered image not preserved; block list recovered from the graph source)
        • Entry 401cca; blocks 401cca-401eb3, same body as the 401c23 entry from 401d3e on; subcalls 4011cd at 401d1b-401d3c and 401e26-401e61; loop 401e92-401ea0
        • 401d1b-401d3c HeapCreate
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: ee18ed957e5d8fd6fe97fe65ba6efd433a2767e2441bc6e0a6dd3a94733726b3
        • Instruction ID: 2019c60d8d756749ae2e0594eba57d106c6ce98ddefb8964d76818405d97e010
        • Opcode Fuzzy Hash: ee18ed957e5d8fd6fe97fe65ba6efd433a2767e2441bc6e0a6dd3a94733726b3
        • Instruction Fuzzy Hash: 0B31BD23609941DBC702FF64E580993B724BF9B351B3485E7D4937A2A4EA3AD4338787
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: bd927fed9186f620e99b1458b04a6cb2ad46514be84c18feedda195de39cb596
        • Instruction ID: 84bd3a690f0247306fb1fa0ff4296918b7e83c91f35f317657599bdfd2f51459
        • Opcode Fuzzy Hash: bd927fed9186f620e99b1458b04a6cb2ad46514be84c18feedda195de39cb596
        • Instruction Fuzzy Hash: 0B31AC336059419BC702FF64E190993B320BF9B341B3886E7D4D26A2A4DA3694338783
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 469a71db9a512d42d5fed120fbd7df9fe46e9529541fcb62269fa8049ec6c364
        • Instruction ID: f0f4878299061b73063b93e34ea886a159c8618c5cae245c0e522450c8d06431
        • Opcode Fuzzy Hash: 469a71db9a512d42d5fed120fbd7df9fe46e9529541fcb62269fa8049ec6c364
        • Instruction Fuzzy Hash: 47317C336059419BC702FF64E190993B324BF9B351B3885E7D4927A2A4DA3A94339787
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: e8341f8f5e2f71de27e30eccaec3c4820a60556a34e0eece0aa28621751d1d79
        • Instruction ID: 5946a9f4b49d3d2b3432c33103b6b784d7caefca3cf00678a339ae37275966c9
        • Opcode Fuzzy Hash: e8341f8f5e2f71de27e30eccaec3c4820a60556a34e0eece0aa28621751d1d79
        • Instruction Fuzzy Hash: C5218E236059419BCB02FF74E190993B724AE9B351B2886E7D4927A6A4DA3694338783
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 8baa353fa8bea5cd2d4cf4c9d24d34266b39332e150569f710b4431279bcda07
        • Instruction ID: 461e80e40723c5157f6bacff0bdb58e681599cf1f2829c6c4aa551d367e5d2a4
        • Opcode Fuzzy Hash: 8baa353fa8bea5cd2d4cf4c9d24d34266b39332e150569f710b4431279bcda07
        • Instruction Fuzzy Hash: 5E21A4335059419FC702FF74E150893F724BE9B351B288AE7C4D26A6A5DA369437CB83
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 535ab7110f43846469d138036ff09167de867c0362d30e37a302cd9859231c72
        • Instruction ID: 9bd64a55ef0e6d05d786bfe3ad9f53275417bf4e045850c8d3495e84d7f2a4cb
        • Opcode Fuzzy Hash: 535ab7110f43846469d138036ff09167de867c0362d30e37a302cd9859231c72
        • Instruction Fuzzy Hash: BB21B323501D429FCB02FF74E190883F724BEDF35172486D6D4D269655DA3684738783
        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 103d2295f5f21c8b5108fe1742efc3207eca7693211c4e3342358da7015b4894
        • Instruction ID: 77190e0f23bb221504da128019f00248055c08475e322dc54891d85dc81afa78
        • Opcode Fuzzy Hash: 103d2295f5f21c8b5108fe1742efc3207eca7693211c4e3342358da7015b4894
        • Instruction Fuzzy Hash: F021A223611D425FCB03FF74E194883F724BA9F3517288AD5D4E269668DA268433CB82
        APIs
        • LoadLibraryA.KERNELBASE(00424ED0,0041D945), ref: 0041D550
        Memory Dump Source
        • Source File: 00000000.00000002.1828782266.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_40f000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        • Opcode ID: 40dcabdc535276487fd4439480a856f59d3f389268b30cd9a6c1a4ffe39e98f0
        • Instruction ID: a0e2f26091b3fc8c26fd1af7b13f2790643f76c88d5845c285f01d34eb581d14
        • Opcode Fuzzy Hash: 40dcabdc535276487fd4439480a856f59d3f389268b30cd9a6c1a4ffe39e98f0
        • Instruction Fuzzy Hash: E5D0C924669380CAEB21CF10FA097003F69F790708BCA50B89060CA233C3F8006ACB1D
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        • Opcode ID: 71f746a8505fe108ed8da4cdd9973d259565c9a68103dfaed9332816d2b6fe75
        • Instruction ID: 4db8ba0b08380255fc5aa34ea3e13561f838480f888933e927f1079a64c57490
        • Opcode Fuzzy Hash: 71f746a8505fe108ed8da4cdd9973d259565c9a68103dfaed9332816d2b6fe75
        • Instruction Fuzzy Hash: 9A11CEF120C208FBEB006A959D62E7A3268AB40714F304137BA43790F1D57E8923F76B
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        • Opcode ID: da38201a32f90b98934b488a65b371e434f1df0c2a04d29242935d2455de016b
        • Instruction ID: 0371ecd990254dd767a604aa567081474727263e4e3774a05daf7e54a603023c
        • Opcode Fuzzy Hash: da38201a32f90b98934b488a65b371e434f1df0c2a04d29242935d2455de016b
        • Instruction Fuzzy Hash: A901A1B120C204EBDB009A95DD62E7A3364AB40314F30453BBA437A1F1C67D9913E72B
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        • Opcode ID: 5e3dbe5dd20a4fb5b92f76c9b13fda5f390ba4e8200e1751a23b03b4d52e4fb4
        • Instruction ID: 3b2e7dc224df146109f963d95c0ead7a9e1b698bafe8296883a7ac19869aede1
        • Opcode Fuzzy Hash: 5e3dbe5dd20a4fb5b92f76c9b13fda5f390ba4e8200e1751a23b03b4d52e4fb4
        • Instruction Fuzzy Hash: BA0171B5208204EADB006AD5DD71E7A3269AB44314F304537BA43791F1D57D8912F72B
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        • Opcode ID: acb1fae293eb73a10805bbdd55e216ebbc49928181db8483aeacc3243d44ee5b
        • Instruction ID: 4b03b50232763afd30ab0c608f125a1a80ed78bb00471cf4ed55e3bed959d7b6
        • Opcode Fuzzy Hash: acb1fae293eb73a10805bbdd55e216ebbc49928181db8483aeacc3243d44ee5b
        • Instruction Fuzzy Hash: F80184B5208204EBDB006AD5DD71EBA3269AB44354F304537BA43790F1C57D8912F72B
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        • Opcode ID: e5353c19dd0b10c2d892503bd00f36fba5e3f507ee708bcba0cfbdc82fbef293
        • Instruction ID: f592bab324d3cd5d6286c78059ef0a1e8702b22de7bd53a4ec4d5e19e7ef6e8c
        • Opcode Fuzzy Hash: e5353c19dd0b10c2d892503bd00f36fba5e3f507ee708bcba0cfbdc82fbef293
        • Instruction Fuzzy Hash: 0D0184B5208204EBDB006AC5DD62EBA3265AB44314F204537FA43791F1C57D8912F72B
        APIs
        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 025D1F2F
        Memory Dump Source
        • Source File: 00000000.00000002.1830577442.00000000025CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 025CF000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_25cf000_Qi4Mj8hG3t.jbxd
        Yara matches
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
        • Instruction ID: 081e48b25daa177cb56d45073fd48b49260db9e31f62c1499b2a623f246ebf19
        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
        • Instruction Fuzzy Hash: E9112B79A00208EFDB01DF98C985E98BBF5AF08350F058094FA489B361D371EA50DF94
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        • Opcode ID: 74fb996ba95ec06bb2abe22af5600ab9efc13f551b73dbf86f34961914988ff4
        • Instruction ID: 68c2b1bb8267a16b47d2b790190fa602822f098e0b694be4ddc2e306b3be1968
        • Opcode Fuzzy Hash: 74fb996ba95ec06bb2abe22af5600ab9efc13f551b73dbf86f34961914988ff4
        • Instruction Fuzzy Hash: 2AF086B5208204FADB006BD59D61EBA3768AB44354F204137BA13790F1C57D8912F72B
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        • Opcode ID: f19d6598d7b3f8bbc47500c90c3d0bc6a0ede41a7b6f28d3ccddc132527cc834
        • Instruction ID: 49220a4dcaca44086484813bdb512237367292e15b320859d1a96440f4f24ef4
        • Opcode Fuzzy Hash: f19d6598d7b3f8bbc47500c90c3d0bc6a0ede41a7b6f28d3ccddc132527cc834
        • Instruction Fuzzy Hash: 7801A7B1208244FBDB016BD19D62EB93768AB05354F204537FA53790F2C67D8912E72B
        APIs
        • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041D7DC
        • SetActiveWindow.USER32(00000000), ref: 0041D7E3
        • CreateIcon.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041D7F0
        • SetKeyboardState.USER32(00000000), ref: 0041D7F7
        • GetStdHandle.KERNEL32(00000000), ref: 0041D805
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041D80C
        • AddAtomW.KERNEL32(00000000), ref: 0041D813
        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0041D81B
        • GetCharWidthW.GDI32(00000000,00000000,00000000,00000000), ref: 0041D82E
        • FatalAppExitA.KERNEL32(00000000,00000000), ref: 0041D83F
        • GetUserDefaultLCID.KERNEL32 ref: 0041D87B
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041D889
        • GetTimeZoneInformation.KERNEL32(00000000), ref: 0041D890
        • MoveFileExA.KERNEL32(00420C30,00420C20,00000000), ref: 0041D8A1
        • GetLocaleInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041D8AB
          • Part of subcall function 0041CC50: LocalAlloc.KERNEL32(00000000,022C7FB4,0041D8F0), ref: 0041CC58
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1828782266.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_40f000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Char$ActiveAllocAtomByteCreateCurrentDefaultDirectoryEnvironmentExchangeExitFatalFileFreeHandleIconInfoInformationInterlockedKeyboardLocalLocaleMoveMultiStateStringsTimeUserWideWidthWindowZone
        • String ID: /t$o[@$tl_
        • API String ID: 3561384033-3634920357
        • Opcode ID: aa6ef055bebf60c1845bfe76d87d358f85cd57b0cbba025b9639cc9f79b5cd90
        • Instruction ID: 8514119693cf065204a7e9796b6eeace996b80cc16f33bae765e4b62243eb72b
        • Opcode Fuzzy Hash: aa6ef055bebf60c1845bfe76d87d358f85cd57b0cbba025b9639cc9f79b5cd90
        • Instruction Fuzzy Hash: 7F51E9F1D44310AFD310ABB5EDC9AABBB6CEB4C355F10483AF54552152CA388C858FB9
        APIs
        • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041D589
        • GetAce.ADVAPI32(?,00000000,00000000), ref: 0041D5B3
        • GetLocaleInfoA.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0041D5ED
        Memory Dump Source
        • Source File: 00000000.00000002.1828782266.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_40f000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: FileInfoLocaleModuleName
        • String ID:
        • API String ID: 3450822615-0
        • Opcode ID: f9166dc903e28250986c59ace9a31d147099614296784564ff03c099ebb82c00
        • Instruction ID: f0f8e5db37b50d1d97fa2259c3eb4cbbe46a2955217ca2896c6b6a6acf140aac
        • Opcode Fuzzy Hash: f9166dc903e28250986c59ace9a31d147099614296784564ff03c099ebb82c00
        • Instruction Fuzzy Hash: EF012271B04300EBE330DB50ED06BA977E4FB08706F40443AEA94DA2E0CAB45415CF69
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1829890745.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2450000_Qi4Mj8hG3t.jbxd
        Yara matches
        Similarity
        • API ID:
        • String ID: .$GetProcAddress.$l
        • API String ID: 0-2784972518
        • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
        • Instruction ID: ef04b08f49b47f73ac197ea453be697af2381266527df5cb0f9494033dee462b
        • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
        • Instruction Fuzzy Hash: AF3139BA900619DFDB10CF99C880AAEBBF9FF48324F15504AD881A7315D771EA45CFA4
        APIs
          • Part of subcall function 0041D610: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0041D627
          • Part of subcall function 0041D610: LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,0041D94F), ref: 0041D62F
        • CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041D6FF
        • SystemTimeToFileTime.KERNEL32 ref: 0041D71F
        Memory Dump Source
        • Source File: 00000000.00000002.1828782266.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_40f000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID: Time$AllocateCreateFileHeapLibraryLoadNamedPipeSystem
        • String ID:
        • API String ID: 3791924093-0
        • Opcode ID: 9d3325a1bc1fe641eede449a7c7b3cc4eeb17aaa86d667392d6ff89e3d51ed93
        • Instruction ID: 7d6c2012e496a03f119ebb48baf7c3e9073562171f9cc45594f686545b34bf87
        • Opcode Fuzzy Hash: 9d3325a1bc1fe641eede449a7c7b3cc4eeb17aaa86d667392d6ff89e3d51ed93
        • Instruction Fuzzy Hash: C9F054B16082019FC714DF56F985B5BB7F8FB9C305F40442EF14982251DB34A589CFA6
        Memory Dump Source
        • Source File: 00000000.00000002.1830577442.00000000025CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 025CF000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_25cf000_Qi4Mj8hG3t.jbxd
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
        • Instruction ID: baa546a71044b560848721f08ca031f271b8bf968d890acf5ee78e55c17f1bce
        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
        • Instruction Fuzzy Hash: 5711CE72340601AFE710CF5DDC80EA273EAFB88364B29C065ED08CB311E676E802CB60
        Memory Dump Source
        • Source File: 00000000.00000002.1829890745.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_2450000_Qi4Mj8hG3t.jbxd
        Yara matches
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
        • Instruction ID: 97c5f606633d988940d90d4e470841c09bb514e6dbc887a5061ceb0af5f7922e
        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
        • Instruction Fuzzy Hash: BF01F27AA106108FDF21CF20C904BAB33E5EB8A306F1550A6DD4A97382E370A8458F80
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
        • Instruction ID: d35cd02017a8908298582cacd0956aff43537afd2df8e264233619bb44fb754d
        • Opcode Fuzzy Hash: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
        • Instruction Fuzzy Hash: 82C08C72D960008AE65BC6908A87644BB33F003830B341F2DC5018F126D272C2178220
        Memory Dump Source
        • Source File: 00000000.00000002.1828756309.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_400000_Qi4Mj8hG3t.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 43de6de374997940977aed32f8962cbc5b01e7d76103009d4fd772cc687ca080
        • Instruction ID: b8708e0fd601c17419c4bee628408aeaf70cc106fe2e9d70b960fe5b7e9fb35e
        • Opcode Fuzzy Hash: 43de6de374997940977aed32f8962cbc5b01e7d76103009d4fd772cc687ca080
        • Instruction Fuzzy Hash: 0DC02B7308020940C754CE701A0010CF2D09555208F31FD234005FF182D260F1C755C2

        Execution Graph

        Execution Coverage:42.2%
        Dynamic/Decrypted Code Coverage:0%
        Signature Coverage:8%
        Total number of Nodes:200
        Total number of Limit Nodes:18
        execution_graph (interactive graph rendering omitted; the API call sequence below is what the graph data records for the code injected into explorer.exe, which is present at two bases, 07DC1000 and 08821000, with identical structure)
        • Entry (7dc1a35 / 8821a35): SleepEx loop, RtlCreateHeap, then two CreateThread calls; in the 07DC1000 copy each CreateThread is followed by FindCloseChangeNotification
        • Thread 1 (7dc3d1c / 8823d1c): CreateToolhelp32Snapshot, Process32First, Process32Next loop, FindCloseChangeNotification, SleepEx, then back to the snapshot (Process32First/Next and FindCloseChangeNotification recorded in the 07DC1000 copy only)
        • Thread 2 (7dc3df8 / 8823df8): EnumWindows, SleepEx, repeated
        • Main path: GetTokenInformation (twice), GetVolumeInformationA, CreateMutexExA, RegQueryValueExA loop, ObtainUserAgentString (07DC1000 copy only), then CreateFileW and CreateFileMappingA
        • Install path (7dc20b3, 07DC1000 copy only): DeleteFileW, CopyFileW, DeleteFileW, DeleteFileW, subroutine 7dc4a48 (SetFileAttributesW, CreateFileW, SetFileTime), subroutine 7dc35b8 (GetUserNameW), CreateFileW, CreateFileMappingA
        • Worker (7dc2434 / 8822434, reached via 7dc3414 / 8823414 CreateFileW): RtlAllocateHeap (and RtlReAllocateHeap in the 07DC1000 copy) through 7dc3f08 and 7dc40a4, DeleteFileW twice, SleepEx, RtlExitUserThread
        APIs
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Yara matches
        Similarity
        • API ID: NameUser
        • String ID:
        • API String ID: 2645101109-0
        • Opcode ID: fd6447a474a0c6c4e583e87f53b4852dd761150ae4ae7b776ee82d00e2f1a7d0
        • Instruction ID: 7d27cf97cfdc44cc93b4331b4e34c9a0193e40733ed8736b56d9bc0c7adcc859
        • Opcode Fuzzy Hash: fd6447a474a0c6c4e583e87f53b4852dd761150ae4ae7b776ee82d00e2f1a7d0
        • Instruction Fuzzy Hash: 0C113A70718B4D8FCB90EF68901835EB6D2EBDC201F500AAEA84EC7254DA7499458782

        Control-flow Graph

        APIs
        • RtlCreateHeap.NTDLL ref: 07DC1C0F
        • CreateThread.KERNEL32 ref: 07DC1DCA
        • FindCloseChangeNotification.KERNEL32 ref: 07DC1DD3
        • CreateThread.KERNEL32 ref: 07DC1DF1
        • FindCloseChangeNotification.KERNEL32 ref: 07DC1DFA
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Yara matches
        Similarity
        • API ID: Create$ChangeCloseFindNotificationThread$Heap
        • String ID: iP+
        • API String ID: 2512633107-51890417
        • Opcode ID: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
        • Instruction ID: 42d642726ea8c587a94099f4aae601317bdf668517e2b4b10eece685ca550b6b
        • Opcode Fuzzy Hash: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
        • Instruction Fuzzy Hash: 8C91D2B0618E0A8FCF58EF28D8816A5B7D6FB98300B58017DDC8ECB157EA31D541DB96

        Control-flow Graph

        control_flow_graph for 7dc2434–7dc295f (interactive rendering with executed/not-executed colouring omitted). Recoverable content: the function allocates through 7dc3f08 and 7dc2968; the block 7dc278c–7dc281c calls 7dc47c8, DeleteFileW twice, 7dc356c, 7dc3f08, 7dc5470, SleepEx and RtlExitUserThread; the remaining blocks call the helper routines 7dc5044, 7dc50f0, 7dc5204, 7dc5490, 7dc4a48, 7dc53f4 and 7dc5470.
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Yara matches
        Similarity
        • API ID: DeleteFile$ExitSleepThreadUser
        • String ID: |:|
        • API String ID: 2796381497-3736120136
        • Opcode ID: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
        • Instruction ID: 919f5a471bc6b9c895772f1d6347ea4497011156cd94440e38eb76fa41c586ce
        • Opcode Fuzzy Hash: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
        • Instruction Fuzzy Hash: 0AE1B770718F4A8FDB59EB6894593AAB6D1FB98311F10462ED49FC3280DF34E9028786

        Control-flow Graph

        control_flow_graph for 8822434–882295f (interactive rendering with executed/not-executed colouring omitted). Same function as 7dc2434 at the other base: allocation through 8823f08 and 8822968; the block 882278c–882281c calls 88247c8, DeleteFileW twice, 882356c, 8823f08, 8825470, SleepEx and RtlExitUserThread; the remaining blocks call the helper routines 8825044, 88250f0, 8825204, 8825490, 8824a48, 88253f4 and 8825470.
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Yara matches
        Similarity
        • API ID: DeleteFile$ExitSleepThreadUser
        • String ID: |:|
        • API String ID: 2796381497-3736120136
        • Opcode ID: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
        • Instruction ID: aa6fdcfd426567e6065b71f6fd2b226afd39611251b8ed2745272cfb06cafc35
        • Opcode Fuzzy Hash: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
        • Instruction Fuzzy Hash: 3CE19430718F58CFDB59AB6C84587AAB6D1FB98312F10462ED49FC3291DF34E9428786

        Control-flow Graph

        APIs
        • DeleteFileW.KERNEL32 ref: 07DC20B6
        • CopyFileW.KERNEL32 ref: 07DC20C5
        • DeleteFileW.KERNEL32 ref: 07DC20D6
        • DeleteFileW.KERNEL32 ref: 07DC2121
          • Part of subcall function 07DC4A48: SetFileAttributesW.KERNEL32 ref: 07DC4A97
          • Part of subcall function 07DC4A48: CreateFileW.KERNEL32 ref: 07DC4AC1
          • Part of subcall function 07DC4A48: SetFileTime.KERNEL32 ref: 07DC4AEC
        • CreateFileW.KERNEL32 ref: 07DC21AD
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: File$Delete$Create$AttributesCopyTime
        • String ID:
        • API String ID: 642576546-0
        • Opcode ID: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
        • Instruction ID: 1ca7ceef873cf56b4046e69ba29a9e9e381890f6494679f154d76fe3592700ea
        • Opcode Fuzzy Hash: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
        • Instruction Fuzzy Hash: 68415E70718A4D8FDBA8EF6CA85836D75D2EBC8311F20016EA50FC7385DE349D068796

        Control-flow Graph

        APIs
        • CreateToolhelp32Snapshot.KERNEL32 ref: 07DC3D3E
        • Process32First.KERNEL32 ref: 07DC3D5D
        • Process32Next.KERNEL32 ref: 07DC3DA8
        • FindCloseChangeNotification.KERNEL32 ref: 07DC3DB5
        • SleepEx.KERNEL32 ref: 07DC3DC0
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSleepSnapshotToolhelp32
        • String ID:
        • API String ID: 14014868-0
        • Opcode ID: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
        • Instruction ID: faae338e9dfda87454abd64ab23909d6d70d42bac8a43a0ad4436b479dcc3cb1
        • Opcode Fuzzy Hash: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
        • Instruction Fuzzy Hash: 8B21B470214A0A8FDB58EF64C0987AAB2E2FB88315F184A7ED44FDB189DB3495458762

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: Create$Thread$Heap
        • String ID: iP+
        • API String ID: 1054751041-51890417
        • Opcode ID: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
        • Instruction ID: c73f8c0d525733d19083476a386c6e434dd7332ee817087d3165e795ef3a7455
        • Opcode Fuzzy Hash: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
        • Instruction Fuzzy Hash: 0A91C738618A08CFCF54EF18DC866A573D6FB94301B58017EDC4ECB256DA30E581CB96

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: File$AttributesCreateTime
        • String ID:
        • API String ID: 1986686026-0
        • Opcode ID: 608125a8aa1bce6175559d74748fb29477d2e5ca9ccfc86ce4b79151e6103723
        • Instruction ID: 21437e5a993724e9763630cfd4e1a810fc686cff4b05e509bb000d9c398629cf
        • Opcode Fuzzy Hash: 608125a8aa1bce6175559d74748fb29477d2e5ca9ccfc86ce4b79151e6103723
        • Instruction Fuzzy Hash: 4D21003071CA488FDF64EF68988879EB6E2FBDC705F10456EA85EC7245DA34DA058782

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
        • Instruction ID: 8125b75ef5e52890d74d80edd5f396c9e4525de1f66d8d60fcfff18c63434b12
        • Opcode Fuzzy Hash: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
        • Instruction Fuzzy Hash: 44D1707071CB4A8FDB64EF68D45566EF7E2FB98701F20452DE44AD3241DE74E8028B86

        Control-flow Graph

        APIs
        • RegQueryValueExA.KERNEL32 ref: 07DC4FAD
        • ObtainUserAgentString.URLMON ref: 07DC5016
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: AgentObtainQueryStringUserValue
        • String ID:
        • API String ID: 4107646653-0
        • Opcode ID: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
        • Instruction ID: 2f66f77be33080188a5596695abcc9f9007aa49924134ccf5fdbb39410b86c05
        • Opcode Fuzzy Hash: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
        • Instruction Fuzzy Hash: 0B31A671608A498FDB18EF68E8896E9B7D5FB98310B10027EE84BD7145EE74D80647D1

        Control-flow Graph

        APIs
          • Part of subcall function 07DC4DB8: GetVolumeInformationA.KERNEL32 ref: 07DC4E25
        • CreateMutexExA.KERNEL32 ref: 07DC1F27
        • CreateFileMappingA.KERNEL32 ref: 07DC1FD9
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: Create$FileInformationMappingMutexVolume
        • String ID:
        • API String ID: 3260430491-0
        • Opcode ID: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
        • Instruction ID: 327217043d6eab2122cece5a52630d927668a4d62e77a1a77e2ca00383b2f7a5
        • Opcode Fuzzy Hash: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
        • Instruction Fuzzy Hash: B1417FB0618F0DCFEB64EB3880187AEB6D1EB98316F504A2E905FD7240CF74A6029742

        Control-flow Graph

        APIs
          • Part of subcall function 08824DB8: GetVolumeInformationA.KERNEL32 ref: 08824E25
        • CreateMutexExA.KERNEL32 ref: 08821F27
        • CreateFileMappingA.KERNEL32 ref: 08821FD9
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: Create$FileInformationMappingMutexVolume
        • String ID:
        • API String ID: 3260430491-0
        • Opcode ID: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
        • Instruction ID: f657260620f63d5d068b3738ebd9bc0aee7c472b69085f60cbb23f56d50bd8f8
        • Opcode Fuzzy Hash: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
        • Instruction Fuzzy Hash: 93415E30718F18CFEB64EB38801C7AAB6D1EF98717F504A2E845ED6280CF7496469786

        Control-flow Graph

        APIs
        • GetTokenInformation.KERNELBASE ref: 07DC4BBC
        • GetTokenInformation.KERNELBASE ref: 07DC4BF3
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: InformationToken
        • String ID:
        • API String ID: 4114910276-0
        • Opcode ID: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
        • Instruction ID: 2120afd9b566bcbc2cc3007eba8be9858b9c8a2ae954a57231bc2ae198dc18c3
        • Opcode Fuzzy Hash: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
        • Instruction Fuzzy Hash: 41215170208A098FC754EF28D49866AB7E1FFD8311B100A6EE59BC7264DA30E8459B82

        Control-flow Graph

        APIs
        • GetTokenInformation.KERNELBASE ref: 08824BBC
        • GetTokenInformation.KERNELBASE ref: 08824BF3
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: InformationToken
        • String ID:
        • API String ID: 4114910276-0
        • Opcode ID: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
        • Instruction ID: 1e2e394a73439cc5c04453030fdfdd22e5d27a713d73089db79fa245b971330b
        • Opcode Fuzzy Hash: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
        • Instruction Fuzzy Hash: 6F213134608A188FC754EF2CC49866AB7E1FFD9311B004A6EE49AC7364DA30E845DB82

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: CreateSleepSnapshotToolhelp32
        • String ID:
        • API String ID: 684154974-0
        • Opcode ID: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
        • Instruction ID: 7e2b4711f8a1771e1e209debb93b09fbd742ab164b18ac7552fa83737ce24d4b
        • Opcode Fuzzy Hash: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
        • Instruction Fuzzy Hash: 4421DA30214A09CFDB58EF24C0987AA72E2FB88316F140B7ED84FDA256DB3895858751

        Control-flow Graph

        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: EnumSleepWindows
        • String ID:
        • API String ID: 498413330-0
        • Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
        • Instruction ID: 08428121806811503df9c7af9d6ce96656ace08b68336ac79912b76c8662c05c
        • Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
        • Instruction Fuzzy Hash: 3EE04F7050460A8FEB68EFA5C0DCBB036A5EB18206F14017EDC0EDE285CB764945C721
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: EnumSleepWindows
        • String ID:
        • API String ID: 498413330-0
        • Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
        • Instruction ID: baef126816707304295376df6fb4b8a488ca38ac4c410933db8fd6863cc98fb6
        • Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
        • Instruction Fuzzy Hash: 2EE04F34504609CFEB68AFA5C0DCBB036A1EB18206F14017EDC0EEDA95CB7A4989C720
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
        • Instruction ID: 0a79c32104296664d1beff6f7e6ddac28653b06f360d60dc9585437f73ecf952
        • Opcode Fuzzy Hash: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
        • Instruction Fuzzy Hash: A3D19130718B19CFDB54EF6CD4496AEB7E2FB98702F10452EE44AD3241DE74E8428B86
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
        • Instruction ID: 1bf4e665700778fa748102314072d01097a4b13e97ba1142db020fcf7ea43f40
        • Opcode Fuzzy Hash: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
        • Instruction Fuzzy Hash: F2414E20718A5C8FDBA8EF6C945876E75D2EBDC312F50053EA90EC7385CE389D468786
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
        • Instruction ID: 207bb52b2c3e8c2fc534e70417cbb820f230b461ac4d45a2e781596e68bedbc9
        • Opcode Fuzzy Hash: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
        • Instruction Fuzzy Hash: BD41A27071CA0E4FD75CEA6C985937AF6C2FB88611F20422EA59FC3245DE64A81247C2
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: CreateFile
        • String ID:
        • API String ID: 823142352-0
        • Opcode ID: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
        • Instruction ID: 48dc950bd15750edd38ed53c529f111461fbc30ae4667018e7fdce7d8311ddfb
        • Opcode Fuzzy Hash: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
        • Instruction Fuzzy Hash: E141D63071CF1D8FD79CAA2C9859379B6C2FB99622F10026E959FC3351DE28985343C2
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: QueryValue
        • String ID:
        • API String ID: 3660427363-0
        • Opcode ID: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
        • Instruction ID: e548fa5e829056531e0432d92c000067f4de0b75f299bac7ea9d2a06fbd012fd
        • Opcode Fuzzy Hash: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
        • Instruction Fuzzy Hash: 9D31C631608A58CFDB58EF6CD8896E977D1FB98321B00027EE84AC7685EE70D84687D1
        APIs
        • GetVolumeInformationA.KERNEL32 ref: 07DC4E25
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: InformationVolume
        • String ID:
        • API String ID: 2039140958-0
        • Opcode ID: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
        • Instruction ID: 0c93ebcea3032cd0f0ee54dc6cf4861091421577ec2b777d5a3501917ac73218
        • Opcode Fuzzy Hash: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
        • Instruction Fuzzy Hash: B6317930618A4C8FDB64EF28D448BAAB7E1FBD8311F10466E984FC7264DE30D945CB92
        APIs
        • GetVolumeInformationA.KERNEL32 ref: 08824E25
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: InformationVolume
        • String ID:
        • API String ID: 2039140958-0
        • Opcode ID: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
        • Instruction ID: bab3da86d521e530facb340bf3927d5cd9b5695ce51e81a56b0453ac6f05aa6d
        • Opcode Fuzzy Hash: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
        • Instruction Fuzzy Hash: F7313731618A4C8FDBA4EF68C458BAA77E1FBD8311F10466E984EC7264DE34D945CB82
        APIs
          • Part of subcall function 07DC1AF8: RtlCreateHeap.NTDLL ref: 07DC1C0F
        • SleepEx.KERNEL32(?,?,?,?,?,?,?,07DC1A9B), ref: 07DC1AC8
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID: CreateHeapSleep
        • String ID:
        • API String ID: 221814145-0
        • Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
        • Instruction ID: 9eabfb1628c6b1f63c3882c0bdcbc216c6ccfffbdf38e7d587a38a3e5d449889
        • Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
        • Instruction Fuzzy Hash: 10E0DFE0314F0E8BDB98FBB8C5D472CE090EB88250F48057DE40EC7286D836C8824322
        APIs
          • Part of subcall function 08821AF8: RtlCreateHeap.NTDLL ref: 08821C0F
        • SleepEx.KERNEL32(?,?,?,?,?,?,?,08821A9B), ref: 08821AC8
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID: CreateHeapSleep
        • String ID:
        • API String ID: 221814145-0
        • Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
        • Instruction ID: c5d26b14151a2b293504fd8e5011112bdd21e9542520fddee4ce07638b94d1ea
        • Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
        • Instruction Fuzzy Hash: 81E0DF18314F1C8BDB94BBBCC5C872D7090EB88252FA005BEA81FC62C5D825E8C14312
        Memory Dump Source
        • Source File: 00000001.00000002.2959280811.0000000007DC1000.00000020.80000000.00040000.00000000.sdmp, Offset: 07DC1000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_7dc1000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
        • Instruction ID: 6eead597deb5c245915aa6fe469c33bfb51e49c3d8210cdf048b54c64a96720d
        • Opcode Fuzzy Hash: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
        • Instruction Fuzzy Hash: D5D1A670718F0A8FDB64EF68849826EB6D2FB98301F60466ED44FC3255DF74E9068786
        Memory Dump Source
        • Source File: 00000001.00000002.2960082267.0000000008821000.00000020.80000000.00040000.00000000.sdmp, Offset: 08821000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_1_2_8821000_explorer.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
        • Instruction ID: 8bd41ca849f61d22a9a05767c9847120c18a533d46ffec72832543fd033f8d87
        • Opcode Fuzzy Hash: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
        • Instruction Fuzzy Hash: FFD17530718F19CFCB68EF6C845826AB2D2FB98312F50466ED44EC3255DF74E9468785

        Execution Graph

        Execution Coverage: 7.4%
        Dynamic/Decrypted Code Coverage: 19.4%
        Signature Coverage: 0%
        Total number of Nodes: 144
        Total number of Limit Nodes: 5

        Control-flow Graph

        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
        • Instruction ID: ffaca3094f7e189a6d1e876f152d3a102a579446f97b5118db7f8e4db1241ca1
        • Opcode Fuzzy Hash: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
        • Instruction Fuzzy Hash: FB613075A00204FBEB209F91CC49FAF7BB8EF85700F10412AF912BA1E5D7759941DB66

        Control-flow Graph

        control_flow_graph 133 40156b-4015b2 call 4011cd 145 4015b4 133->145 146 4015b7-4015bc 133->146 145->146 148 4015c2-4015d3 146->148 149 4018df-4018e7 146->149 152 4015d9-401602 148->152 153 4018dd 148->153 149->146 154 4018ec-40193b call 4011cd 149->154 152->153 162 401608-40161f NtDuplicateObject 152->162 153->154 162->153 164 401625-401649 NtCreateSection 162->164 166 4016a5-4016cb NtCreateSection 164->166 167 40164b-40166c NtMapViewOfSection 164->167 166->153 170 4016d1-4016d5 166->170 167->166 169 40166e-40168a NtMapViewOfSection 167->169 169->166 173 40168c-4016a2 169->173 170->153 171 4016db-4016fc NtMapViewOfSection 170->171 171->153 174 401702-40171e NtMapViewOfSection 171->174 173->166 174->153 176 401724 174->176 176->153 179 401724 call 401729 176->179 179->153
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
        • Instruction ID: bfc0b8c1e1aad88884ae744cc722ee3a04b4b25e2f03b0569bf5ee1b63965b96
        • Opcode Fuzzy Hash: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
        • Instruction Fuzzy Hash: 34512B75900205BBEB209F91CC49FAF7BB8FF85B00F14412AF912BA2E5D7759941CB25

        Control-flow Graph

        control_flow_graph 180 401561-4015b2 call 4011cd 190 4015b4 180->190 191 4015b7-4015bc 180->191 190->191 193 4015c2-4015d3 191->193 194 4018df-4018e7 191->194 197 4015d9-401602 193->197 198 4018dd 193->198 194->191 199 4018ec-40193b call 4011cd 194->199 197->198 207 401608-40161f NtDuplicateObject 197->207 198->199 207->198 209 401625-401649 NtCreateSection 207->209 211 4016a5-4016cb NtCreateSection 209->211 212 40164b-40166c NtMapViewOfSection 209->212 211->198 215 4016d1-4016d5 211->215 212->211 214 40166e-40168a NtMapViewOfSection 212->214 214->211 218 40168c-4016a2 214->218 215->198 216 4016db-4016fc NtMapViewOfSection 215->216 216->198 219 401702-40171e NtMapViewOfSection 216->219 218->211 219->198 221 401724 219->221 221->198 224 401724 call 401729 221->224 224->198
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
        • Instruction ID: 412e9309e7daddaa9b19f32dddfbffbd79934f2f1d3bc440b9a7152e2b53a84f
        • Opcode Fuzzy Hash: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
        • Instruction Fuzzy Hash: 235119B1900205BFEB209F91CC49FAF7BB8EF85B00F14412AF912BA2E5D7759941CB25

        Control-flow Graph

        control_flow_graph 225 40156f-4015b2 call 4011cd 233 4015b4 225->233 234 4015b7-4015bc 225->234 233->234 236 4015c2-4015d3 234->236 237 4018df-4018e7 234->237 240 4015d9-401602 236->240 241 4018dd 236->241 237->234 242 4018ec-40193b call 4011cd 237->242 240->241 250 401608-40161f NtDuplicateObject 240->250 241->242 250->241 252 401625-401649 NtCreateSection 250->252 254 4016a5-4016cb NtCreateSection 252->254 255 40164b-40166c NtMapViewOfSection 252->255 254->241 258 4016d1-4016d5 254->258 255->254 257 40166e-40168a NtMapViewOfSection 255->257 257->254 261 40168c-4016a2 257->261 258->241 259 4016db-4016fc NtMapViewOfSection 258->259 259->241 262 401702-40171e NtMapViewOfSection 259->262 261->254 262->241 264 401724 262->264 264->241 267 401724 call 401729 264->267 267->241
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
        • Instruction ID: 5723072b253cbae10e330d7def6e8ce5ab34414c0c11206194204dab9df800f9
        • Opcode Fuzzy Hash: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
        • Instruction Fuzzy Hash: 6A5109B1900205BBEB209F91CC49FAF7BB8EF85B00F144129FA11BA2E5D6759945CB24

        Control-flow Graph

        control_flow_graph 268 401583-4015b2 call 4011cd 277 4015b4 268->277 278 4015b7-4015bc 268->278 277->278 280 4015c2-4015d3 278->280 281 4018df-4018e7 278->281 284 4015d9-401602 280->284 285 4018dd 280->285 281->278 286 4018ec-40193b call 4011cd 281->286 284->285 294 401608-40161f NtDuplicateObject 284->294 285->286 294->285 296 401625-401649 NtCreateSection 294->296 298 4016a5-4016cb NtCreateSection 296->298 299 40164b-40166c NtMapViewOfSection 296->299 298->285 302 4016d1-4016d5 298->302 299->298 301 40166e-40168a NtMapViewOfSection 299->301 301->298 305 40168c-4016a2 301->305 302->285 303 4016db-4016fc NtMapViewOfSection 302->303 303->285 306 401702-40171e NtMapViewOfSection 303->306 305->298 306->285 308 401724 306->308 308->285 311 401724 call 401729 308->311 311->285
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
        • Instruction ID: be4f3395432beacb56dc40f225edc855b7308e08cbc6b66c5e1fe0de6445bc19
        • Opcode Fuzzy Hash: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
        • Instruction Fuzzy Hash: D6510BB1900205BBEB209F91CC49FAF7BB8EF85B00F14412AFA11BA2E5D7759945CB64

        Control-flow Graph

        control_flow_graph 312 401587-4015b2 call 4011cd 316 4015b4 312->316 317 4015b7-4015bc 312->317 316->317 319 4015c2-4015d3 317->319 320 4018df-4018e7 317->320 323 4015d9-401602 319->323 324 4018dd 319->324 320->317 325 4018ec-40193b call 4011cd 320->325 323->324 333 401608-40161f NtDuplicateObject 323->333 324->325 333->324 335 401625-401649 NtCreateSection 333->335 337 4016a5-4016cb NtCreateSection 335->337 338 40164b-40166c NtMapViewOfSection 335->338 337->324 341 4016d1-4016d5 337->341 338->337 340 40166e-40168a NtMapViewOfSection 338->340 340->337 344 40168c-4016a2 340->344 341->324 342 4016db-4016fc NtMapViewOfSection 341->342 342->324 345 401702-40171e NtMapViewOfSection 342->345 344->337 345->324 347 401724 345->347 347->324 350 401724 call 401729 347->350 350->324
        APIs
        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: Section$View$Create$DuplicateObject
        • String ID:
        • API String ID: 1546783058-0
        • Opcode ID: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
        • Instruction ID: c9324331886a871ff7b65cfc1a3adde32c11ca3f72b54674233341407885f4d3
        • Opcode Fuzzy Hash: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
        • Instruction Fuzzy Hash: 7E511A71900249BBEB209F91CC48FEF7BB8EF85B00F144169F911AA2E5D7759945CB24

        Control-flow Graph

        control_flow_graph 351 401729 352 40172b 351->352 353 40172f-40174d 351->353 352->353 354 40172d 352->354 366 401764 353->366 367 401755-401778 353->367 354->353 357 4016be-4016cb NtCreateSection 354->357 359 4016d1-4016d5 357->359 360 4018dd-40193b call 4011cd 357->360 359->360 361 4016db-4016fc NtMapViewOfSection 359->361 361->360 365 401702-40171e NtMapViewOfSection 361->365 365->360 369 401724 365->369 366->367 377 40177b-4017b8 367->377 369->360 372 401724 call 401729 369->372 372->360 393 4017ba-4017e3 377->393 398 4017e5-4017eb 393->398 399 4017ed 393->399 400 4017f3-4017f9 398->400 399->400 401 401809-40180d 400->401 402 4017fb-401807 400->402 401->400 403 40180f-401814 401->403 402->401 404 401816 call 40181b 403->404 405 40187c-40188b 403->405 407 40188e-401891 405->407 408 401893-40189d 407->408 409 4018bb-4018d4 407->409 410 4018a0-4018a9 408->410 409->360 411 4018b7 410->411 412 4018ab-4018b5 410->412 411->410 413 4018b9 411->413 412->411 413->407
        APIs
        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: Section$View$Create
        • String ID:
        • API String ID: 33071139-0
        • Opcode ID: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
        • Instruction ID: bb29a515743844fa426f6922f48e3936f90c9c278b9ffb8c9c9d974ad6050a99
        • Opcode Fuzzy Hash: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
        • Instruction Fuzzy Hash: 69519272904104EBEB249A55CC44FAA77B5FF85700F24813BE842772F0D67C6942E65B

        Control-flow Graph

        control_flow_graph 430 403005-403029 431 40315c-403161 430->431 432 40302f-403047 430->432 432->431 433 40304d-40305e 432->433 434 403060-403069 433->434 435 40306e-40307c 434->435 435->435 436 40307e-403085 435->436 437 4030a7-4030ae 436->437 438 403087-4030a6 436->438 439 4030d0-4030d3 437->439 440 4030b0-4030cf 437->440 438->437 441 4030d5-4030d8 439->441 442 4030dc 439->442 440->439 441->442 443 4030da 441->443 442->434 444 4030de-4030e3 442->444 443->444 444->431 445 4030e5-4030e8 444->445 445->431 446 4030ea-403159 RtlCreateUserThread NtTerminateProcess 445->446 446->431
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateProcessTerminateThreadUser
        • String ID:
        • API String ID: 1921587553-0
        • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
        • Instruction ID: 9349ae55c142a47270c9c73eabb89239111d3cd47c98212c67b606f4e0ccd907
        • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
        • Instruction Fuzzy Hash: C5412531218E088FD7A8EF6CA88576377D5F798311F6643AAE809D3389EA34DC5187C5

        Control-flow Graph

        control_flow_graph 0 41cc80-41d514 VirtualProtect
        APIs
        • VirtualProtect.KERNELBASE(022C7958,022C7FB4,00000040,?,0BB7EA7B,4BBE82DD,2FC43CC7,52860AB1,6AD71B2C,43FE4454,34026A25), ref: 0041D508
        Memory Dump Source
        • Source File: 00000005.00000002.2103383707.000000000040F000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_40f000_hehbwci.jbxd
        Similarity
        • API ID: ProtectVirtual
        • String ID: )?u$:/X$F(+$O8##$R'._$U99x$X2R$dFfX$v;^:$o:?$6
        • API String ID: 544645111-975362989
        • Opcode ID: 985ff9a8783156675320d5b9838888b25fc8951c43582f0a07c71af294fdf713
        • Instruction ID: ffaf80d715431d49bc4616ad809a760da3813b36c7eddc0dadf79f6ac9c1cc88
        • Opcode Fuzzy Hash: 985ff9a8783156675320d5b9838888b25fc8951c43582f0a07c71af294fdf713
        • Instruction Fuzzy Hash: A00294B440E385CBD2B49F469689B8EBBE0BB91708F608E0CD6DD1A214CB754589CF97

        Control-flow Graph

        control_flow_graph 1 245003c-2450047 2 245004c-2450263 call 2450a3f call 2450e0f call 2450d90 VirtualAlloc 1->2 3 2450049 1->3 18 2450265-2450289 call 2450a69 2->18 19 245028b-2450292 2->19 3->2 23 24502ce-24503c2 VirtualProtect call 2450cce call 2450ce7 18->23 21 24502a1-24502b0 19->21 22 24502b2-24502cc 21->22 21->23 22->21 30 24503d1-24503e0 23->30 31 24503e2-2450437 call 2450ce7 30->31 32 2450439-24504b8 VirtualFree 30->32 31->30 34 24505f4-24505fe 32->34 35 24504be-24504cd 32->35 36 2450604-245060d 34->36 37 245077f-2450789 34->37 39 24504d3-24504dd 35->39 36->37 40 2450613-2450637 36->40 43 24507a6-24507b0 37->43 44 245078b-24507a3 37->44 39->34 42 24504e3-2450505 39->42 47 245063e-2450648 40->47 51 2450517-2450520 42->51 52 2450507-2450515 42->52 45 24507b6-24507cb 43->45 46 245086e-24508be LoadLibraryA 43->46 44->43 49 24507d2-24507d5 45->49 56 24508c7-24508f9 46->56 47->37 50 245064e-245065a 47->50 53 2450824-2450833 49->53 54 24507d7-24507e0 49->54 50->37 55 2450660-245066a 50->55 59 2450526-2450547 51->59 52->59 63 2450839-245083c 53->63 60 24507e4-2450822 54->60 61 24507e2 54->61 62 245067a-2450689 55->62 57 2450902-245091d 56->57 58 24508fb-2450901 56->58 58->57 64 245054d-2450550 59->64 60->49 61->53 65 2450750-245077a 62->65 66 245068f-24506b2 62->66 63->46 67 245083e-2450847 63->67 69 2450556-245056b 64->69 70 24505e0-24505ef 64->70 65->47 71 24506b4-24506ed 66->71 72 24506ef-24506fc 66->72 73 2450849 67->73 74 245084b-245086c 67->74 75 245056d 69->75 76 245056f-245057a 69->76 70->39 71->72 77 24506fe-2450748 72->77 78 245074b 72->78 73->46 74->63 75->70 79 245057c-2450599 76->79 80 245059b-24505bb 76->80 77->78 78->62 85 24505bd-24505db 79->85 80->85 85->64
        APIs
        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0245024D
        Memory Dump Source
        • Source File: 00000005.00000002.2104904098.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_2450000_hehbwci.jbxd
        Yara matches
        Similarity
        • API ID: AllocVirtual
        • String ID: cess$kernel32.dll
        • API String ID: 4275171209-1230238691
        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
        • Instruction ID: c9fbaced24b664d85f2f51353405923b56babc5c95e3065eb613141c6d6e0ca0
        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
        • Instruction Fuzzy Hash: 3D525D75A01229DFDB64CF58C985BADBBB1BF09304F1480DAE94DA7352DB30AA85CF14

        Control-flow Graph

        control_flow_graph 414 41d9f0-41da0e 416 41da19-41da20 414->416 417 41da26-41da30 416->417 418 41dabf call 41d740 416->418 420 41da63-41da6a 417->420 421 41da32-41da5d GetFileType GetVolumeInformationW 417->421 422 41dac4 418->422 423 41da88-41da92 420->423 424 41da6c-41da82 420->424 421->420 428 41dac4 call 41d520 422->428 429 41dac4 call 41cc80 422->429 425 41da94-41dab0 lstrcatW 423->425 426 41daba 423->426 424->423 425->426 427 41da10-41da16 426->427 427->416 428->422 429->422
        APIs
        • GetFileType.KERNEL32(00000000), ref: 0041DA34
        • GetVolumeInformationW.KERNEL32(00420C34,?,00000000,?,?,?,?,00000000), ref: 0041DA5D
        • lstrcatW.KERNEL32(?,00420C68), ref: 0041DAA0
        Memory Dump Source
        • Source File: 00000005.00000002.2103383707.000000000040F000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_40f000_hehbwci.jbxd
        Similarity
        • API ID: FileInformationTypeVolumelstrcat
        • String ID:
        • API String ID: 880640308-0
        • Opcode ID: 2f2dc669c62f6113b9801edf6543cb5ec700c74db123e39509a3d80e0da52efe
        • Instruction ID: 15a5cd5b2f8eb351202171c3d27230bdb0bdf3a9c172189cee9abf2db0b3138f
        • Opcode Fuzzy Hash: 2f2dc669c62f6113b9801edf6543cb5ec700c74db123e39509a3d80e0da52efe
        • Instruction Fuzzy Hash: 941196B1E45214EFC710CFD4F944BE9B7B8FB48705F5085BAE11196180DBB81A86CF59

        Control-flow Graph

        control_flow_graph 447 26c1057-26c1070 448 26c1072-26c1074 447->448 449 26c107b-26c1087 CreateToolhelp32Snapshot 448->449 450 26c1076 448->450 451 26c1089-26c108f 449->451 452 26c1097-26c10a4 Module32First 449->452 450->449 451->452 457 26c1091-26c1095 451->457 453 26c10ad-26c10b5 452->453 454 26c10a6-26c10a7 call 26c0d16 452->454 458 26c10ac 454->458 457->448 457->452 458->453
        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 026C107F
        • Module32First.KERNEL32(00000000,00000224), ref: 026C109F
        Memory Dump Source
        • Source File: 00000005.00000002.2105350044.00000000026BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 026BE000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_26be000_hehbwci.jbxd
        Yara matches
        Similarity
        • API ID: CreateFirstModule32SnapshotToolhelp32
        • String ID:
        • API String ID: 3833638111-0
        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
        • Instruction ID: c50e198c7e42bcde2ec4eaccda3ccab24975a470fdd5f1e4e1b882f974d2c40d
        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
        • Instruction Fuzzy Hash: B3F0C2322003516BD7303AB4A88CB7E76E8EF4A235F20056DE646A11C0CF70E8058A61

        Control-flow Graph

        control_flow_graph 460 2450e0f-2450e24 SetErrorMode * 2 461 2450e26 460->461 462 2450e2b-2450e2c 460->462 461->462
        APIs
        • SetErrorMode.KERNELBASE(00000400,?,?,02450223,?,?), ref: 02450E19
        • SetErrorMode.KERNELBASE(00000000,?,?,02450223,?,?), ref: 02450E1E
        Memory Dump Source
        • Source File: 00000005.00000002.2104904098.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_2450000_hehbwci.jbxd
        Yara matches
        Similarity
        • API ID: ErrorMode
        • String ID:
        • API String ID: 2340568224-0
        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
        • Instruction ID: e1b12fe88f2fad782c68d0e31ab567b73fc92b09f825ff25b4754dc4cb9b2f3f
        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
        • Instruction Fuzzy Hash: 0CD0123514512877D7002A94DC09BCE7B1CDF09B66F108011FB0DD9181C770954046E5

        Control-flow Graph

        control_flow_graph 463 401c23 464 401c24-401c29 463->464 465 401c38 464->465 466 401c2e-401c4f 464->466 465->466 471 401c54-401c57 466->471 472 401c5b 466->472 473 401c5e call 4011cd 471->473 472->471 472->473 475 401c63-401ca9 473->475 477 401c36-401c37 475->477 478 401cab-401cb2 475->478 477->464 477->465 479 401cb4 478->479 480 401cf8-401d08 478->480 481 401cb6-401cc7 479->481 482 401c5a-401c62 479->482 483 401d09-401d3c call 4011cd HeapCreate 480->483 482->475 488 401d17 483->488 489 401d3e-401d75 483->489 488->483 491 401d79-401d9e 489->491 491->491 492 401da0-401df2 491->492 493 401df4-401e02 492->493 494 401e26-401e61 call 4011cd 492->494 501 401e63-401e77 494->501 502 401e79-401e8d 494->502 501->502 507 401e92 502->507 508 401e94-401ea0 507->508 509 401e1a-401e25 507->509 508->507 512 401ea2-401eb3 508->512 509->494
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 9c1e9cccb91d99d954687fe94e70fe720bb5ad39e5d31c5bbb3f34df5b56c3ae
        • Instruction ID: e299e37b8b1df7c2a428e8bb3617d2710998a2074ebf5d6b59d9fc61523cb6f3
        • Opcode Fuzzy Hash: 9c1e9cccb91d99d954687fe94e70fe720bb5ad39e5d31c5bbb3f34df5b56c3ae
        • Instruction Fuzzy Hash: 1551E032548B418BDB02BB74D44155AB760AF9A331B2847FBC8B27A1F0DA39C41387C7

        Control-flow Graph

        control_flow_graph 514 401cca-401d03 521 401d18 514->521 522 401d09-401d14 514->522 521->522 523 401d1b-401d3c call 4011cd HeapCreate 521->523 522->523 526 401d17 523->526 527 401d3e-401d75 523->527 526->522 529 401d79-401d9e 527->529 529->529 530 401da0-401df2 529->530 531 401df4-401e02 530->531 532 401e26-401e61 call 4011cd 530->532 539 401e63-401e77 532->539 540 401e79-401e8d 532->540 539->540 545 401e92 540->545 546 401e94-401ea0 545->546 547 401e1a-401e25 545->547 546->545 550 401ea2-401eb3 546->550 547->532
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: ee18ed957e5d8fd6fe97fe65ba6efd433a2767e2441bc6e0a6dd3a94733726b3
        • Instruction ID: 2019c60d8d756749ae2e0594eba57d106c6ce98ddefb8964d76818405d97e010
        • Opcode Fuzzy Hash: ee18ed957e5d8fd6fe97fe65ba6efd433a2767e2441bc6e0a6dd3a94733726b3
        • Instruction Fuzzy Hash: 0B31BD23609941DBC702FF64E580993B724BF9B351B3485E7D4937A2A4EA3AD4338787
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: bd927fed9186f620e99b1458b04a6cb2ad46514be84c18feedda195de39cb596
        • Instruction ID: 84bd3a690f0247306fb1fa0ff4296918b7e83c91f35f317657599bdfd2f51459
        • Opcode Fuzzy Hash: bd927fed9186f620e99b1458b04a6cb2ad46514be84c18feedda195de39cb596
        • Instruction Fuzzy Hash: 0B31AC336059419BC702FF64E190993B320BF9B341B3886E7D4D26A2A4DA3694338783
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 469a71db9a512d42d5fed120fbd7df9fe46e9529541fcb62269fa8049ec6c364
        • Instruction ID: f0f4878299061b73063b93e34ea886a159c8618c5cae245c0e522450c8d06431
        • Opcode Fuzzy Hash: 469a71db9a512d42d5fed120fbd7df9fe46e9529541fcb62269fa8049ec6c364
        • Instruction Fuzzy Hash: 47317C336059419BC702FF64E190993B324BF9B351B3885E7D4927A2A4DA3A94339787
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: e8341f8f5e2f71de27e30eccaec3c4820a60556a34e0eece0aa28621751d1d79
        • Instruction ID: 5946a9f4b49d3d2b3432c33103b6b784d7caefca3cf00678a339ae37275966c9
        • Opcode Fuzzy Hash: e8341f8f5e2f71de27e30eccaec3c4820a60556a34e0eece0aa28621751d1d79
        • Instruction Fuzzy Hash: C5218E236059419BCB02FF74E190993B724AE9B351B2886E7D4927A6A4DA3694338783
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 8baa353fa8bea5cd2d4cf4c9d24d34266b39332e150569f710b4431279bcda07
        • Instruction ID: 461e80e40723c5157f6bacff0bdb58e681599cf1f2829c6c4aa551d367e5d2a4
        • Opcode Fuzzy Hash: 8baa353fa8bea5cd2d4cf4c9d24d34266b39332e150569f710b4431279bcda07
        • Instruction Fuzzy Hash: 5E21A4335059419FC702FF74E150893F724BE9B351B288AE7C4D26A6A5DA369437CB83
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 535ab7110f43846469d138036ff09167de867c0362d30e37a302cd9859231c72
        • Instruction ID: 9bd64a55ef0e6d05d786bfe3ad9f53275417bf4e045850c8d3495e84d7f2a4cb
        • Opcode Fuzzy Hash: 535ab7110f43846469d138036ff09167de867c0362d30e37a302cd9859231c72
        • Instruction Fuzzy Hash: BB21B323501D429FCB02FF74E190883F724BEDF35172486D6D4D269655DA3684738783
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateHeap
        • String ID:
        • API String ID: 10892065-0
        • Opcode ID: 103d2295f5f21c8b5108fe1742efc3207eca7693211c4e3342358da7015b4894
        • Instruction ID: 77190e0f23bb221504da128019f00248055c08475e322dc54891d85dc81afa78
        • Opcode Fuzzy Hash: 103d2295f5f21c8b5108fe1742efc3207eca7693211c4e3342358da7015b4894
        • Instruction Fuzzy Hash: F021A223611D425FCB03FF74E194883F724BA9F3517288AD5D4E269668DA268433CB82
        APIs
        • LoadLibraryA.KERNELBASE(00424ED0,0041D945), ref: 0041D550
        Memory Dump Source
        • Source File: 00000005.00000002.2103383707.000000000040F000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_40f000_hehbwci.jbxd
        Similarity
        • API ID: LibraryLoad
        • String ID:
        • API String ID: 1029625771-0
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        APIs
        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 026C0D67
        Memory Dump Source
        • Source File: 00000005.00000002.2105350044.00000000026BE000.00000040.00000020.00020000.00000000.sdmp, Offset: 026BE000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_26be000_hehbwci.jbxd
        Yara matches
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        APIs
        • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
          • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
          • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
        Memory Dump Source
        • Source File: 00000005.00000002.2103363796.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_400000_hehbwci.jbxd
        Similarity
        • API ID: CreateDuplicateObjectSectionSleep
        • String ID:
        • API String ID: 4152845823-0
        APIs
        • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0041D7DC
        • SetActiveWindow.USER32(00000000), ref: 0041D7E3
        • CreateIcon.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041D7F0
        • SetKeyboardState.USER32(00000000), ref: 0041D7F7
        • GetStdHandle.KERNEL32(00000000), ref: 0041D805
        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041D80C
        • AddAtomW.KERNEL32(00000000), ref: 0041D813
        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0041D81B
        • GetCharWidthW.GDI32(00000000,00000000,00000000,00000000), ref: 0041D82E
        • FatalAppExitA.KERNEL32(00000000,00000000), ref: 0041D83F
        • GetUserDefaultLCID.KERNEL32 ref: 0041D87B
        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041D889
        • GetTimeZoneInformation.KERNEL32(00000000), ref: 0041D890
        • MoveFileExA.KERNEL32(00420C30,00420C20,00000000), ref: 0041D8A1
        • GetLocaleInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041D8AB
          • Part of subcall function 0041CC50: LocalAlloc.KERNEL32(00000000,022C7FB4,0041D8F0), ref: 0041CC58
        Strings
        Memory Dump Source
        • Source File: 00000005.00000002.2103383707.000000000040F000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040F000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_5_2_40f000_hehbwci.jbxd
        Similarity
        • API ID: Char$ActiveAllocAtomByteCreateCurrentDefaultDirectoryEnvironmentExchangeExitFatalFileFreeHandleIconInfoInformationInterlockedKeyboardLocalLocaleMoveMultiStateStringsTimeUserWideWidthWindowZone
        • String ID: /t$o[@$tl_
        • API String ID: 3561384033-3634920357