
Windows Analysis Report
8LNER6Tma8.exe

Overview

General Information

Sample name: 8LNER6Tma8.exe (renamed because original name is a hash value)
Original sample name: 9f48e2311b87096e2d6a9503a0eb7992ee074e585d311ac12d8744ed6c200349.exe
Analysis ID: 1529787
MD5: f8abe45fd211e5e97b75f741e12b3b52
SHA1: 54b3aa098faaafb865dadd50731f1b8514cdcdb6
SHA256: 9f48e2311b87096e2d6a9503a0eb7992ee074e585d311ac12d8744ed6c200349
Tags: exe, user-adrian__luca

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 8LNER6Tma8.exe (PID: 5600 cmdline: "C:\Users\user\Desktop\8LNER6Tma8.exe" MD5: F8ABE45FD211E5E97B75F741E12B3B52)
  • cleanup
Malware configuration (Xworm): {"C2 url": ["easynation.duckdns.org"], "Port": "36584", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
8LNER6Tma8.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
Source | Rule | Description | Author | Strings
00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x18898:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x30bd0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x18935:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x30c6d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x18a4a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x30d82:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x18546:$cnc4: POST / HTTP/1.1
  • 0x3087e:$cnc4: POST / HTTP/1.1
00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.8LNER6Tma8.exe.21bc4ce.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.8LNER6Tma8.exe.21bc4ce.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x14328:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x143c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x144da:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x13fd6:$cnc4: POST / HTTP/1.1
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-09T12:20:53.704358+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 176.126.114.74 | 36584 | TCP

AV Detection

Source: 8LNER6Tma8.exe | Avira: detected
Source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["easynation.duckdns.org"], "Port": "36584", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: easynation.duckdns.org | Virustotal: Detection: 9%
Source: 8LNER6Tma8.exe | ReversingLabs: Detection: 60%
Source: 8LNER6Tma8.exe | Virustotal: Detection: 53%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 8LNER6Tma8.exe | Joe Sandbox ML: detected
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack | String decryptor: easynation.duckdns.org
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack | String decryptor: 36584
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack | String decryptor: <123456789>
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack | String decryptor: <Xwormmm>
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack | String decryptor: Grace
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack | String decryptor: USB.exe
Source: 8LNER6Tma8.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: 8LNER6Tma8.exe, 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000003.2045560037.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49704 -> 176.126.114.74:36584
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49983 -> 176.126.114.74:36584
Source: Malware configuration extractor | URLs: easynation.duckdns.org
Source: global traffic | TCP traffic: 176.126.114.74 ports 36584,3,4,5,6,8
Source: unknown | DNS query: name: easynation.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 176.126.114.74:36584
Source: Joe Sandbox View | ASN Name: SAARGATE-ASVSENETGmbHDE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: easynation.duckdns.org
Source: 8LNER6Tma8.exe, 00000000.00000002.4502953845.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout

System Summary

Source: 8LNER6Tma8.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.21bc4ce.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.50a0000.8.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.34e6458.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.34fe790.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.8LNER6Tma8.exe.74bb28.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.34e5570.5.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.4a60000.7.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.8LNER6Tma8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.21bc4ce.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.4a60ee8.6.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.8LNER6Tma8.exe.74bb28.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.34fe790.4.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.8LNER6Tma8.exe.34e5570.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00418244
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00401650
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00418788
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_022B1020
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_022B1030
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05AD9790
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05AD7EB8
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05C745C0
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05C74E90
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05C70040
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05C74278
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: String function: 0040E1D8 appears 44 times
Source: 8LNER6Tma8.exe, 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGRACE.exe4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000003.2043100666.000000000079C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGRACE.exe4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4503753188.00000000052C9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000003.2042856799.0000000000795000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4502953845.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGRACE.exe4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000003.2045560037.0000000000763000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGRACE.exe4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGRACE.exe4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGRACE.exe4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe | Binary or memory string: OriginalFilenameGRACE.exe4 vs 8LNER6Tma8.exe
Source: 8LNER6Tma8.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.21bc4ce.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.50a0000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.34e6458.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.34fe790.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.8LNER6Tma8.exe.74bb28.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.34e5570.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.4a60000.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.8LNER6Tma8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.8LNER6Tma8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.21bc4ce.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.4a60ee8.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.8LNER6Tma8.exe.74bb28.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.34fe790.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.34e5570.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@4/1
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Mutant created: \Sessions\1\BaseNamedObjects\tDEoQRIMG6oZQOlA
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Command line argument: 08A (0_2_00413780)
Source: 8LNER6Tma8.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: 8LNER6Tma8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: _.pdb source: 8LNER6Tma8.exe, 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000003.2045560037.0000000000763000.00000004.00000020.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.8LNER6Tma8.exe.34fe790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.8LNER6Tma8.exe.74bb28.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, Messages.cs | .Net Code: Memory
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
Source: 8LNER6Tma8.exe | Static PE information: real checksum: 0x23bfb should be: 0x2f9d7
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_022B4F14 pushfd ; ret 0_2_022B4F19
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_022B4F62 push eax; ret 0_2_022B4F65
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_022B438A push ss; iretd 0_2_022B439F
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_022B4F9C push ss; ret 0_2_022B4F9F
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05C765EA push eax; ret 0_2_05C765F1
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05C771A0 push eax; iretd 0_2_05C771A1
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05C7720A pushfd ; iretd 0_2_05C77211
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_05C77212 pushfd ; iretd 0_2_05C77211
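The checksum mismatch reported above (stored 0x23bfb, expected 0x2f9d7) is something an analyst can reproduce without the sandbox. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it recomputes the PE CheckSum field with the same one's-complement 16-bit word sum that imagehlp's CheckSumMappedFile uses and runs it over a constructed minimal PE stub so that it works offline (the stub layout and its 0x200-byte size are assumptions, not taken from the sample). A CheckSum of zero is normal for many user-mode binaries, because the loader only enforces the field for drivers and certain system images; a non-zero value that does not match, as here, means the file was rewritten after the linker set it, which is typical of packers and of stubs whose resources were replaced.

```python
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the PE CheckSum over the whole file image, skipping the 4-byte
    CheckSum field itself. Each little-endian 16-bit word is added with
    end-around carry (one's complement), then the file length is added."""
    buf = data + b"\x00" if len(data) % 2 else data  # odd-length files are padded to a word
    total = 0
    for off in range(0, len(buf), 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue  # the stored checksum does not take part in its own sum
        total += int.from_bytes(buf[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, found via e_lfanew."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    # PE signature (4) + COFF header (20) + CheckSum offset inside the optional
    # header (64); the 64 is the same for PE32 and PE32+.
    return e_lfanew + 4 + 20 + 64


def verify_checksum(data: bytes) -> dict:
    """Return the stored and recomputed CheckSum and whether they agree."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return {"stored": stored, "computed": computed, "matches": stored == computed}


def build_sample_pe(stored_checksum: int, size: int = 0x200) -> bytes:
    """Constructed, non-runnable PE stub (an assumption for this example): MZ
    header, e_lfanew = 0x40, PE signature, zeroed COFF header, PE32 optional
    header magic, and a caller-chosen CheckSum. Everything else is zero."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x58, 0x10B)               # optional header Magic (PE32)
    struct.pack_into("<I", img, 0x58 + 64, stored_checksum)  # CheckSum field at 0x98
    return bytes(img)


if __name__ == "__main__":
    # The same stub with the correct value, a zero (linker never wrote it) and a
    # stale value left over from before the image was modified.
    for stored in (0xA2E8, 0, 0x23BFB):
        r = verify_checksum(build_sample_pe(stored))
        print(f"stored=0x{r['stored']:x} computed=0x{r['computed']:x} matches={r['matches']}")
```

On a real file, pass the file bytes to verify_checksum; the report's pair (0x23bfb versus 0x2f9d7) is the "stale value" case, since a tool that merely failed to set the field would have left zero.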
Source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pMiEUBtQkJ4Gg', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pMiEUBtQkJ4Gg', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pMiEUBtQkJ4Gg', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pMiEUBtQkJ4Gg', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.8LNER6Tma8.exe.34fe790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pMiEUBtQkJ4Gg', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.3.8LNER6Tma8.exe.74bb28.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'pMiEUBtQkJ4Gg', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
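The "High entropy of concatenated method names" finding above is a plain statistical heuristic: renaming obfuscators emit identifiers drawn almost uniformly from letters and digits, so the character distribution of the joined names carries far more bits per character than English-derived camelCase. The Python below is an added example, not part of the report or of the sample. It measures the ten names the sandbox quotes against a constructed contrast set of ordinary .NET identifiers (several of which also occur on this page); the 4.8-bit threshold is an assumption, since the sandbox's own cut-off is not published here.

```python
import math
from collections import Counter

# The ten method names quoted in the finding above (WP6RZJql8gZrNhVA9v.cs).
OBFUSCATED_NAMES = [
    "G9skPDgcXb", "KDikMXewCI", "B2XkaLi4dH", "hx5kqNgSj4", "TVtkAMaqpL",
    "VDqkQKyKML", "pMiEUBtQkJ4Gg", "ab9oDe4UH3", "TAOohhiP7R", "zDKosecjaB",
]

# Constructed contrast set: readable .NET identifiers, not taken from the sample's own classes.
READABLE_NAMES = [
    "GetDelegateForFunctionPointer", "Decompress", "FromBase64String",
    "LateCall", "Invoke", "Load",
]

# Assumed cut-off. Readable camelCase identifiers come out around 4.0 to 4.5 bits per
# character; names built from a 62-symbol alphabet at random approach log2(62), about 5.95.
ENTROPY_THRESHOLD = 4.8


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` under its own empirical symbol frequencies."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def concatenated_name_entropy(names) -> float:
    """Entropy of all names joined into one string, so short names still count."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the joined names exceed the (assumed) entropy threshold."""
    return concatenated_name_entropy(names) > threshold


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("readable", READABLE_NAMES)):
        h = concatenated_name_entropy(names)
        print(f"{label:>10}: {h:.2f} bits/char -> {'flag' if looks_obfuscated(names) else 'ok'}")
```

The quoted names score roughly 5.3 bits per character while the readable set scores roughly 4.4, so the threshold separates them with margin; with very few or very short names the estimate becomes noisy, which is why the sandbox reports the concatenated value rather than per-name figures.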
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Process information set: NOOPENFILEERRORBOX (reported 48 times)

                  Malware Analysis System Evasion

Source: C:\Users\user\Desktop\8LNER6Tma8.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (reported 10 times)
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Memory allocated: 2270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Memory allocated: 2310000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Window / User API: threadDelayed 9753
Source: C:\Users\user\Desktop\8LNER6Tma8.exe TID: 5596 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\8LNER6Tma8.exe TID: 412 | Thread sleep count: 102 > 30
Source: C:\Users\user\Desktop\8LNER6Tma8.exe TID: 412 | Thread sleep count: 9753 > 30
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | File Volume queried: C:\ FullSizeInformation (reported 10 times)
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Thread delayed: delay time: 922337203685477
Source: 8LNER6Tma8.exe, 00000000.00000002.4502122012.0000000000779000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPB|
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | API call chain: ExitProcess graph end node | graph_0-32784
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,0_2_004019F0
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,0_2_0040ADB0
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040CE09
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040E61C
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00416F6A
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_004123F1 SetUnhandledExceptionFilter,0_2_004123F1
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: GetLocaleInfoA,0_2_00417A20
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00412A15
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 8LNER6Tma8.exe, 00000000.00000002.4504214295.0000000005C80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s Defender\MsMpeng.exe
Source: 8LNER6Tma8.exe, 00000000.00000002.4504214295.0000000005C80000.00000004.00000020.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000002.4502122012.0000000000779000.00000004.00000020.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000002.4502122012.000000000073A000.00000004.00000020.00020000.00000000.sdmp, 8LNER6Tma8.exe, 00000000.00000002.4504214295.0000000005CA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\8LNER6Tma8.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (reported 10 times)
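The evasion findings in this section arrive as one line per event, which is hard to read at volume: the same WMI query is listed ten times and the process-information flag 48 times. The Python below is an added example, not part of Joe Sandbox or of the sample. It parses constructed copies of the distinct lines above, tags the two WMI classes that only make sense as environment fingerprinting, and recognises the 922337203685477 ms delay as .NET's TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks of 100 ns), a wait that never elapses. The class table, the one benign contrast query and the thresholds are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed input: the distinct WMI and sleep findings listed above, copied once each,
# plus one benign query (Win32_Process) that is not in the report, for contrast.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\8LNER6Tma8.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Users\user\Desktop\8LNER6Tma8.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"Source: C:\Users\user\Desktop\8LNER6Tma8.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Process",
    r"Source: C:\Users\user\Desktop\8LNER6Tma8.exe TID: 412 Thread sleep count: 9753 > 30",
    r"Source: C:\Users\user\Desktop\8LNER6Tma8.exe Thread delayed: delay time: 922337203685477",
]

WMI_RE = re.compile(r"IWbemServices::ExecQuery - (?P<ns>[^ ]+) : (?P<query>.+?)\s*$")
CLASS_RE = re.compile(r"\bfrom\s+(?P<cls>\w+)", re.IGNORECASE)
SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (?P<count>\d+) > (?P<limit>\d+)")
DELAY_RE = re.compile(r"delay time: (?P<ms>\d+)")

# Assumed reference table (not from the report): WMI classes whose only plausible use in a
# commodity RAT is fingerprinting the host, with the reason an analyst would give.
RECON_CLASSES = {
    "win32_videocontroller": "GPU adapter name check (VMware SVGA / VirtualBox / Hyper-V strings)",
    "antivirusproduct": "installed AV enumeration via Security Center (root\\SecurityCenter2)",
}

# TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in whole milliseconds that is 922337203685477.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000


def parse_wmi(line: str):
    """Split a sandbox 'WMI Queries' line into namespace, query text and queried class."""
    m = WMI_RE.search(line)
    if not m:
        return None
    c = CLASS_RE.search(m["query"])
    return {"namespace": m["ns"], "query": m["query"], "class": c["cls"] if c else None}


def triage(lines):
    """Group report lines into the evasion categories an analyst summarises."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_wmi(line)
        if rec and rec["class"] and rec["class"].lower() in RECON_CLASSES:
            key = rec["class"].lower()
            findings["wmi_recon"].append((rec["namespace"], rec["class"], RECON_CLASSES[key]))
            continue
        m = SLEEP_COUNT_RE.search(line)
        if m and int(m["count"]) > int(m["limit"]):
            findings["sleep_loop"].append(int(m["count"]))
            continue
        m = DELAY_RE.search(line)
        if m and int(m["ms"]) >= DOTNET_TIMESPAN_MAX_MS:
            findings["infinite_delay"].append(int(m["ms"]))
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(REPORT_LINES).items():
        print(category)
        for item in items:
            print("   ", item)
```

The benign Win32_Process query parses but is not flagged, which is the point of keeping the class table explicit: the signal is which classes are queried, not that WMI is used at all.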

                  Stealing of Sensitive Information

Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bc4ce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.50a0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e6458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bd3b6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34fe790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.8LNER6Tma8.exe.74bb28.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e5570.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bc4ce.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.8LNER6Tma8.exe.74bb28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34fe790.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bc4ce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.50a0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e6458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bd3b6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34fe790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.8LNER6Tma8.exe.74bb28.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e5570.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bc4ce.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.8LNER6Tma8.exe.74bb28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34fe790.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 8LNER6Tma8.exe PID: 5600, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bc4ce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.50a0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e6458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bd3b6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34fe790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.8LNER6Tma8.exe.74bb28.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e5570.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bc4ce.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.8LNER6Tma8.exe.74bb28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34fe790.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bc4ce.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.50a0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e6458.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bd3b6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34fe790.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.8LNER6Tma8.exe.74bb28.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e5570.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bd3b6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.50a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.21bc4ce.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.4a60ee8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.8LNER6Tma8.exe.74bb28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34fe790.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.8LNER6Tma8.exe.34e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 8LNER6Tma8.exe PID: 5600, type: MEMORYSTR
ATT&CK Matrix (cell numbers kept as displayed in the report):
• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
• Execution: 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Native API; Cron; Launchd; Scheduled Task
• Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
• Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
• Defense Evasion: 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
• Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
• Discovery: 1 System Time Discovery; 151 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 24 System Information Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
• Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
• Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Fallback Channels; Multiband Communication
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
8LNER6Tma8.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
8LNER6Tma8.exe | 53% | Virustotal | | Browse
8LNER6Tma8.exe | 100% | Avira | TR/ATRAPS.Gen |
8LNER6Tma8.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
easynation.duckdns.org | 9% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
easynation.duckdns.org | 9% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
easynation.duckdns.org | 176.126.114.74 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
easynation.duckdns.org | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 8LNER6Tma8.exe, 00000000.00000002.4502953845.00000000024E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
176.126.114.74 | easynation.duckdns.org | Ukraine | | 9063 | SAARGATE-ASVSENETGmbHDE | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1529787
                  Start date and time:2024-10-09 12:17:04 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 19s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:5
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:8LNER6Tma8.exe
                  renamed because original name is a hash value
                  Original Sample Name:9f48e2311b87096e2d6a9503a0eb7992ee074e585d311ac12d8744ed6c200349.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@1/0@4/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 92%
                  • Number of executed functions: 27
                  • Number of non-executed functions: 32
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:18:02 | API Interceptor | 9402426x Sleep call for process: 8LNER6Tma8.exe modified
                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
easynation.duckdns.org | Trial Order_9567437879975646454456653457754353335545463224244545432234.exe | Get hash | malicious | PureLog Stealer, XWorm | Browse | 91.92.240.185
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SAARGATE-ASVSENETGmbHDE | 81zBpBAWwc.exe | Get hash | malicious | RHADAMANTHYS | Browse | 176.126.113.11
 | SecuriteInfo.com.Linux.Siggen.9999.16227.30183.elf | Get hash | malicious | Mirai | Browse | 195.66.5.171
 | 45.128.232.240-mips-2024-07-06T07_07_43.elf | Get hash | malicious | Mirai | Browse | 195.66.5.151
 | DRKi1Olgjp.elf | Get hash | malicious | Mirai, Moobot | Browse | 91.184.172.177
 | arm7.elf | Get hash | malicious | Mirai | Browse | 213.185.75.253
 | 2cO52KdAG9.elf | Get hash | malicious | Mirai | Browse | 213.185.75.229
 | 0ar3q66pGv.elf | Get hash | malicious | Mirai | Browse | 213.185.75.254
 | xktih0mnmY.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 213.185.75.238
 | o0KR5B0IZn.elf | Get hash | malicious | Mirai | Browse | 176.126.117.148
 | 5mzNYOqDim.elf | Get hash | malicious | Mirai | Browse | 176.126.117.132
                  No context
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.216696003089153
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:8LNER6Tma8.exe
                  File size:190'976 bytes
                  MD5:f8abe45fd211e5e97b75f741e12b3b52
                  SHA1:54b3aa098faaafb865dadd50731f1b8514cdcdb6
                  SHA256:9f48e2311b87096e2d6a9503a0eb7992ee074e585d311ac12d8744ed6c200349
                  SHA512:3d33ceb8ecf7653d089309c06a2adec34da999989aeb5f129c20f8b6664405bd3b760cb3cf29a9602e89b9223172c661535bcecc860a10f6a9c83e220454b87d
                  SSDEEP:3072:wDKW1LgppLRHMY0TBfJvjcTp5Xu8ZGc8Qwac51DhhRSC:wDKW1Lgbdl0TBBvjc/uBZVRhPr
                  TLSH:AF14AE2075C1C2B3C4B6113144EACB7A9A7934310B7A95D7B7DD2BBA6E213E1A3352CD
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~...................f....PE..L...t..P..........#........
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x40cd2f
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:TERMINAL_SERVER_AWARE
                  Time Stamp:0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:0
                  File Version Major:5
                  File Version Minor:0
                  Subsystem Version Major:5
                  Subsystem Version Minor:0
                  Import Hash:bf5a4aa99e5b160f8521cadd6bfe73b8
                  Instruction
                  call 00007F20C0B1AA96h
                  jmp 00007F20C0B14C59h
                  mov edi, edi
                  push ebp
                  mov ebp, esp
                  sub esp, 20h
                  mov eax, dword ptr [ebp+08h]
                  push esi
                  push edi
                  push 00000008h
                  pop ecx
                  mov esi, 0041F058h
                  lea edi, dword ptr [ebp-20h]
                  rep movsd
                  mov dword ptr [ebp-08h], eax
                  mov eax, dword ptr [ebp+0Ch]
                  pop edi
                  mov dword ptr [ebp-04h], eax
                  pop esi
                  test eax, eax
                  je 00007F20C0B14DBEh
                  test byte ptr [eax], 00000008h
                  je 00007F20C0B14DB9h
                  mov dword ptr [ebp-0Ch], 01994000h
                  lea eax, dword ptr [ebp-0Ch]
                  push eax
                  push dword ptr [ebp-10h]
                  push dword ptr [ebp-1Ch]
                  push dword ptr [ebp-20h]
                  call dword ptr [0041B000h]
                  leave
                  retn 0008h
                  ret
                  mov eax, 00413563h
                  mov dword ptr [004228E4h], eax
                  mov dword ptr [004228E8h], 00412C4Ah
                  mov dword ptr [004228ECh], 00412BFEh
                  mov dword ptr [004228F0h], 00412C37h
                  mov dword ptr [004228F4h], 00412BA0h
                  mov dword ptr [004228F8h], eax
                  mov dword ptr [004228FCh], 004134DBh
                  mov dword ptr [00422900h], 00412BBCh
                  mov dword ptr [00422904h], 00412B1Eh
                  mov dword ptr [00422908h], 00412AABh
                  ret
                  mov edi, edi
                  push ebp
                  mov ebp, esp
                  call 00007F20C0B14D4Bh
                  call 00007F20C0B1B5D0h
                  cmp dword ptr [ebp+00h], 00000000h
                  Programming Language:
                  • [ASM] VS2008 build 21022
                  • [IMP] VS2005 build 50727
                  • [C++] VS2008 build 21022
                  • [ C ] VS2008 build 21022
                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215b4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0xc9a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b1c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20da0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19718 | 0x19800 | a337efd058e0bb0d90f1ea2b95c23eb1 | False | 0.5789483762254902 | data | 6.748485713144432 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1b000 | 0x6db4 | 0x6e00 | 5826801f33fc1b607aa8e942aa92e9fa | False | 0.5467329545454546 | data | 6.442956247632331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x30c0 | 0x1600 | 2fe51a72ede820cd7cf55a77ba59b1f4 | False | 0.3126775568181818 | data | 3.2625868398009703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26000 | 0xc9a8 | 0xca00 | eb9f654f853dce6739134e3c685a0a4e | False | 0.9882038985148515 | data | 7.983132698598487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x26124 | 0xc43a | data | | | 1.0005175777361945
RT_RCDATA | 0x32560 | 0x20 | data | | | 1.28125
RT_VERSION | 0x32580 | 0x23c | data | | | 0.4772727272727273
RT_MANIFEST | 0x327bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
KERNEL32.dll | RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
ole32.dll | OleInitialize
OLEAUT32.dll | SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-09T12:18:16.237605+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49704 | 176.126.114.74 | 36584 | TCP
2024-10-09T12:20:53.704358+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49983 | 176.126.114.74 | 36584 | TCP
                  Oct 9, 2024 12:20:53.631218910 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:53.704358101 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:53.877058983 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:53.877132893 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:53.882010937 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:53.985492945 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:53.990648031 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:57.112159014 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:57.116954088 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:59.502123117 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:59.506967068 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:59.641571999 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:59.646470070 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:59.750976086 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:59.755963087 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:59.797951937 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:59.802896023 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:59.813711882 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:59.818531990 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:59.844938040 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:59.849891901 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:59.969646931 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:59.974672079 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:20:59.985414028 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:20:59.990413904 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:10.204068899 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:10.208980083 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:10.376180887 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:10.382316113 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:10.407601118 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:10.412410975 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:10.438471079 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:10.443351984 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:10.516988993 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:10.521981001 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:10.548024893 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:10.552880049 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:10.564264059 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:10.569242954 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:14.550195932 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:14.550390005 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.641484022 CEST4998336584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.644016027 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.646358013 CEST3658449983176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:15.648812056 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:15.648870945 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.703037977 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.707874060 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:15.735342026 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.740294933 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:15.750952959 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.755750895 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:15.922790051 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.927954912 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:15.938334942 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:15.943295956 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:26.188383102 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:26.193608999 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:26.250906944 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:26.255995989 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:26.438412905 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:26.443228006 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:26.454144001 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:26.459043980 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:26.500900984 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:26.505781889 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:31.891521931 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:31.896393061 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:31.938471079 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:31.944072008 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:32.032335043 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:32.038678885 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:32.047826052 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:32.054924011 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:32.063316107 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:32.069596052 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:37.056689978 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:37.060182095 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:37.130193949 CEST4998436584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:37.138751984 CEST3658449984176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:37.239428997 CEST4998536584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:37.244311094 CEST3658449985176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:37.244429111 CEST4998536584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:37.378854036 CEST4998536584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:37.383935928 CEST3658449985176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:43.673132896 CEST4998536584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:43.678550959 CEST3658449985176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:49.813513994 CEST4998536584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:49.819830894 CEST3658449985176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:54.722451925 CEST4998536584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:54.727377892 CEST3658449985176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:56.375855923 CEST4998536584192.168.2.5176.126.114.74
                  Oct 9, 2024 12:21:56.417188883 CEST3658449985176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:58.629323006 CEST3658449985176.126.114.74192.168.2.5
                  Oct 9, 2024 12:21:58.629488945 CEST4998536584192.168.2.5176.126.114.74
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2024 12:18:03.665821075 CEST | 49249 | 53 | 192.168.2.5 | 1.1.1.1
Oct 9, 2024 12:18:03.797244072 CEST | 53 | 49249 | 1.1.1.1 | 192.168.2.5
Oct 9, 2024 12:19:18.050582886 CEST | 51784 | 53 | 192.168.2.5 | 1.1.1.1
Oct 9, 2024 12:19:18.168535948 CEST | 53 | 51784 | 1.1.1.1 | 192.168.2.5
Oct 9, 2024 12:20:31.659863949 CEST | 57537 | 53 | 192.168.2.5 | 1.1.1.1
Oct 9, 2024 12:20:31.776777029 CEST | 53 | 57537 | 1.1.1.1 | 192.168.2.5
Oct 9, 2024 12:21:37.133369923 CEST | 56271 | 53 | 192.168.2.5 | 1.1.1.1
Oct 9, 2024 12:21:37.238528967 CEST | 53 | 56271 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 9, 2024 12:18:03.665821075 CEST | 192.168.2.5 | 1.1.1.1 | 0xc0df | Standard query (0) | easynation.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 9, 2024 12:19:18.050582886 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe5e | Standard query (0) | easynation.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 9, 2024 12:20:31.659863949 CEST | 192.168.2.5 | 1.1.1.1 | 0x7b6e | Standard query (0) | easynation.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 9, 2024 12:21:37.133369923 CEST | 192.168.2.5 | 1.1.1.1 | 0xd3af | Standard query (0) | easynation.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 9, 2024 12:18:03.797244072 CEST | 1.1.1.1 | 192.168.2.5 | 0xc0df | No error (0) | easynation.duckdns.org | | 176.126.114.74 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 12:19:18.168535948 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe5e | No error (0) | easynation.duckdns.org | | 176.126.114.74 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 12:20:31.776777029 CEST | 1.1.1.1 | 192.168.2.5 | 0x7b6e | No error (0) | easynation.duckdns.org | | 176.126.114.74 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 12:21:37.238528967 CEST | 1.1.1.1 | 192.168.2.5 | 0xd3af | No error (0) | easynation.duckdns.org | | 176.126.114.74 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 06:17:54
Start date: 09/10/2024
Path: C:\Users\user\Desktop\8LNER6Tma8.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\8LNER6Tma8.exe"
Imagebase: 0x400000
File size: 190'976 bytes
MD5 hash: F8ABE45FD211E5E97B75F741E12B3B52
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4503313360.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4503701014.00000000050A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4503449110.0000000004A60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4502719755.000000000217C000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.2043983145.000000000074B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false

                    Execution Graph

Execution Coverage: 7.7%
Dynamic/Decrypted Code Coverage: 53%
Signature Coverage: 13%
Total number of Nodes: 347
Total number of Limit Nodes: 37
                    execution_graph 32462 22bb228 32463 22bb22c 32462->32463 32467 5c70f90 32463->32467 32471 5c71098 32463->32471 32475 5c70f7f 32463->32475 32468 5c70fbc 32467->32468 32469 5c71096 32468->32469 32479 5c71120 32468->32479 32469->32463 32472 5c7106f 32471->32472 32473 5c71096 32472->32473 32474 5c71120 GlobalMemoryStatusEx 32472->32474 32473->32463 32474->32472 32477 5c70fbc 32475->32477 32476 5c71096 32476->32463 32477->32476 32478 5c71120 GlobalMemoryStatusEx 32477->32478 32478->32477 32480 5c71155 32479->32480 32481 5c71236 32480->32481 32484 5c71991 32480->32484 32488 5c719a0 32480->32488 32481->32481 32485 5c719b5 32484->32485 32486 5c71c54 32485->32486 32492 5c769ff 32485->32492 32486->32481 32489 5c719b5 32488->32489 32490 5c71c54 32489->32490 32491 5c769ff GlobalMemoryStatusEx 32489->32491 32490->32481 32491->32490 32493 5c76a25 32492->32493 32497 5c77218 32493->32497 32500 5c77212 32493->32500 32494 5c76a87 32494->32486 32498 5c77226 32497->32498 32505 5c77242 32497->32505 32498->32494 32501 5c77216 32500->32501 32502 5c7720b 32500->32502 32504 5c77242 GlobalMemoryStatusEx 32501->32504 32502->32494 32503 5c77226 32503->32494 32504->32503 32506 5c7725d 32505->32506 32507 5c77285 32505->32507 32506->32498 32508 5c772a6 32507->32508 32509 5c7736e GlobalMemoryStatusEx 32507->32509 32508->32498 32510 5c7739e 32509->32510 32510->32498 32808 22b93c8 32809 22b9408 CloseHandle 32808->32809 32811 22b9439 32809->32811 32511 5ad10a8 32513 5ad10d6 32511->32513 32515 5ad0644 32513->32515 32514 5ad10f6 32514->32514 32516 5ad064f 32515->32516 32517 5ad1c1c 32516->32517 32519 5ad34a8 32516->32519 32517->32514 32520 5ad34c9 32519->32520 32521 5ad34ed 32520->32521 32524 5ad3648 32520->32524 32528 5ad3658 32520->32528 32521->32517 32525 5ad3658 32524->32525 32526 5ad369e 32525->32526 32532 5ad1874 32525->32532 32526->32521 32529 5ad3665 32528->32529 32530 5ad369e 32529->32530 32531 5ad1874 2 API calls 32529->32531 32530->32521 32531->32530 32533 5ad187f 
32532->32533 32535 5ad3710 32533->32535 32536 5ad18a8 32533->32536 32535->32535 32537 5ad18b3 32536->32537 32543 5ad18b8 32537->32543 32539 5ad377f 32547 5ad8df0 32539->32547 32556 5ad8dd8 32539->32556 32540 5ad37b9 32540->32535 32546 5ad18c3 32543->32546 32544 5ad4d00 32544->32539 32545 5ad34a8 2 API calls 32545->32544 32546->32544 32546->32545 32549 5ad8e21 32547->32549 32551 5ad8f21 32547->32551 32548 5ad8e2d 32548->32540 32549->32548 32565 5ad9068 32549->32565 32568 5ad9058 32549->32568 32550 5ad8e6d 32571 5ada359 32550->32571 32575 5ada368 32550->32575 32551->32540 32558 5ad8f21 32556->32558 32559 5ad8e21 32556->32559 32557 5ad8e2d 32557->32540 32558->32540 32559->32557 32561 5ad9068 GetModuleHandleW 32559->32561 32562 5ad9058 GetModuleHandleW 32559->32562 32560 5ad8e6d 32563 5ada359 CreateWindowExW 32560->32563 32564 5ada368 CreateWindowExW 32560->32564 32561->32560 32562->32560 32563->32558 32564->32558 32579 5ad90a8 32565->32579 32566 5ad9072 32566->32550 32569 5ad9072 32568->32569 32570 5ad90a8 GetModuleHandleW 32568->32570 32569->32550 32570->32569 32572 5ada368 32571->32572 32573 5ada442 32572->32573 32584 5adb130 32572->32584 32576 5ada393 32575->32576 32577 5ada442 32576->32577 32578 5adb130 CreateWindowExW 32576->32578 32578->32577 32581 5ad90ad 32579->32581 32580 5ad90ec 32580->32566 32581->32580 32582 5ad92f0 GetModuleHandleW 32581->32582 32583 5ad931d 32582->32583 32583->32566 32586 5adb12d 32584->32586 32585 5adb232 32585->32573 32586->32584 32586->32585 32587 5adb353 CreateWindowExW 32586->32587 32588 5adb3b4 32587->32588 32812 5ad0848 32813 5ad088e GetCurrentProcess 32812->32813 32815 5ad08d9 32813->32815 32816 5ad08e0 GetCurrentThread 32813->32816 32815->32816 32817 5ad091d GetCurrentProcess 32816->32817 32818 5ad0916 32816->32818 32819 5ad0953 32817->32819 32818->32817 32820 5ad097b GetCurrentThreadId 32819->32820 32821 5ad09ac 32820->32821 32830 20bd0fc 32831 20bd114 32830->32831 32832 20bd16e 32831->32832 32837 5ad81ac 32831->32837 32847 
5adb448 32831->32847 32851 5adb438 32831->32851 32855 5adc5a9 32831->32855 32838 5ad81b7 32837->32838 32839 5adc619 32838->32839 32841 5adc609 32838->32841 32842 5adc617 32839->32842 32882 5adc23c 32839->32882 32865 5adc80c 32841->32865 32870 5adc740 32841->32870 32874 5adc6b1 32841->32874 32878 5adc731 32841->32878 32848 5adb46e 32847->32848 32849 5ad81ac CallWindowProcW 32848->32849 32850 5adb48f 32849->32850 32850->32832 32852 5adb448 32851->32852 32853 5ad81ac CallWindowProcW 32852->32853 32854 5adb48f 32853->32854 32854->32832 32858 5adc5e5 32855->32858 32856 5adc619 32857 5adc23c CallWindowProcW 32856->32857 32860 5adc617 32856->32860 32857->32860 32858->32856 32859 5adc609 32858->32859 32861 5adc80c CallWindowProcW 32859->32861 32862 5adc731 CallWindowProcW 32859->32862 32863 5adc6b1 CallWindowProcW 32859->32863 32864 5adc740 CallWindowProcW 32859->32864 32861->32860 32862->32860 32863->32860 32864->32860 32866 5adc7ca 32865->32866 32867 5adc81a 32865->32867 32886 5adc7f8 32866->32886 32868 5adc7e0 32868->32842 32872 5adc754 32870->32872 32871 5adc7e0 32871->32842 32873 5adc7f8 CallWindowProcW 32872->32873 32873->32871 32875 5adc6ba 32874->32875 32875->32842 32877 5adc7f8 CallWindowProcW 32875->32877 32876 5adc7e0 32876->32842 32877->32876 32880 5adc754 32878->32880 32879 5adc7e0 32879->32842 32881 5adc7f8 CallWindowProcW 32880->32881 32881->32879 32883 5adc247 32882->32883 32884 5adda7a CallWindowProcW 32883->32884 32885 5adda29 32883->32885 32884->32885 32885->32842 32887 5adc809 32886->32887 32889 5add9b0 32886->32889 32887->32868 32890 5adc23c CallWindowProcW 32889->32890 32891 5add9ca 32890->32891 32891->32887 32822 22bb0c0 32823 22bb0df 32822->32823 32826 22bae38 32823->32826 32828 22bb360 SetWindowsHookExW 32826->32828 32829 22bb105 32828->32829 32892 22b0890 32893 22b08b1 32892->32893 32894 22b097a 32893->32894 32897 22b579c 32893->32897 32900 22b4dbb 32893->32900 32903 22b9140 32897->32903 32902 22b9140 VirtualProtect 32900->32902 32901 22b4dd7 
32902->32901 32905 22b9153 32903->32905 32907 22b91f0 32905->32907 32908 22b9238 VirtualProtect 32907->32908 32910 22b57be 32908->32910 32589 40cbdd 32590 40cbe9 __setmbcp 32589->32590 32633 40d534 HeapCreate 32590->32633 32593 40cc46 32694 41087e 71 API calls 8 library calls 32593->32694 32596 40cc4c 32597 40cc50 32596->32597 32598 40cc58 __RTC_Initialize 32596->32598 32695 40cbb4 62 API calls 3 library calls 32597->32695 32635 411a15 67 API calls 3 library calls 32598->32635 32600 40cc57 32600->32598 32602 40cc66 32603 40cc72 GetCommandLineA 32602->32603 32604 40cc6a 32602->32604 32636 412892 71 API calls 3 library calls 32603->32636 32696 40e79a 62 API calls 3 library calls 32604->32696 32607 40cc71 32607->32603 32608 40cc82 32697 4127d7 107 API calls 3 library calls 32608->32697 32610 40cc8c 32611 40cc90 32610->32611 32612 40cc98 32610->32612 32698 40e79a 62 API calls 3 library calls 32611->32698 32637 41255f 106 API calls 6 library calls 32612->32637 32615 40cc97 32615->32612 32616 40cc9d 32617 40cca1 32616->32617 32618 40cca9 32616->32618 32699 40e79a 62 API calls 3 library calls 32617->32699 32638 40e859 73 API calls 5 library calls 32618->32638 32621 40cca8 32621->32618 32622 40ccb0 32623 40ccb5 32622->32623 32624 40ccbc 32622->32624 32700 40e79a 62 API calls 3 library calls 32623->32700 32639 4019f0 OleInitialize 32624->32639 32627 40ccbb 32627->32624 32628 40ccd8 32629 40ccea 32628->32629 32701 40ea0a 62 API calls _doexit 32628->32701 32702 40ea36 62 API calls _doexit 32629->32702 32632 40ccef __setmbcp 32634 40cc3a 32633->32634 32634->32593 32693 40cbb4 62 API calls 3 library calls 32634->32693 32635->32602 32636->32608 32637->32616 32638->32622 32640 401ab9 32639->32640 32703 40b99e 32640->32703 32642 401abf 32643 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 32642->32643 32669 402467 32642->32669 32644 401dc3 CloseHandle GetModuleHandleA 32643->32644 32653 401c55 32643->32653 32716 401650 32644->32716 32646 401e8b FindResourceA 
LoadResource LockResource SizeofResource 32718 40b84d 32646->32718 32650 401c9c CloseHandle 32650->32628 32651 401ecb _memset 32652 401efc SizeofResource 32651->32652 32654 401f1c 32652->32654 32655 401f5f 32652->32655 32653->32650 32656 401cf9 Module32Next 32653->32656 32654->32655 32774 401560 __VEC_memcpy __shift 32654->32774 32658 401f92 _memset 32655->32658 32775 401560 __VEC_memcpy __shift 32655->32775 32656->32644 32665 401d0f 32656->32665 32660 401fa2 FreeResource 32658->32660 32661 40b84d _malloc 62 API calls 32660->32661 32662 401fbb SizeofResource 32661->32662 32663 401fe5 _memset 32662->32663 32664 4020aa LoadLibraryA 32663->32664 32666 401650 32664->32666 32665->32650 32668 401dad Module32Next 32665->32668 32667 40216c GetProcAddress 32666->32667 32667->32669 32670 4021aa 32667->32670 32668->32644 32668->32665 32669->32628 32670->32669 32748 4018f0 32670->32748 32672 40243f 32672->32669 32776 40b6b5 62 API calls 2 library calls 32672->32776 32674 4021f1 32674->32672 32760 401870 32674->32760 32676 402269 VariantInit 32677 401870 75 API calls 32676->32677 32678 40228b VariantInit 32677->32678 32679 4022a7 32678->32679 32680 4022d9 SafeArrayCreate SafeArrayAccessData 32679->32680 32765 40b350 32680->32765 32683 40232c 32684 402354 SafeArrayDestroy 32683->32684 32692 40235b 32683->32692 32684->32692 32685 402392 SafeArrayCreateVector 32686 4023a4 32685->32686 32687 4023bc VariantClear VariantClear 32686->32687 32767 4019a0 32687->32767 32690 40242e 32691 4019a0 65 API calls 32690->32691 32691->32672 32692->32685 32693->32593 32694->32596 32695->32600 32696->32607 32697->32610 32698->32615 32699->32621 32700->32627 32701->32629 32702->32632 32706 40b9aa _strnlen __setmbcp 32703->32706 32704 40b9b8 32777 40bfc1 62 API calls __getptd_noexit 32704->32777 32706->32704 32708 40b9ec 32706->32708 32707 40b9bd 32778 40e744 6 API calls 2 library calls 32707->32778 32779 40d6e0 62 API calls 2 library calls 32708->32779 32711 40b9f3 32780 40b917 120 API calls 3 
library calls 32711->32780 32713 40b9ff 32781 40ba18 LeaveCriticalSection _doexit 32713->32781 32714 40b9cd __setmbcp 32714->32642 32717 4017cc ___crtGetEnvironmentStringsA 32716->32717 32717->32646 32719 40b900 32718->32719 32729 40b85f 32718->32729 32789 40d2e3 6 API calls __decode_pointer 32719->32789 32721 40b906 32790 40bfc1 62 API calls __getptd_noexit 32721->32790 32726 40b8bc RtlAllocateHeap 32726->32729 32727 40b870 32727->32729 32782 40ec4d 62 API calls 2 library calls 32727->32782 32783 40eaa2 62 API calls 7 library calls 32727->32783 32784 40e7ee GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 32727->32784 32729->32726 32729->32727 32730 40b8ec 32729->32730 32733 40b8f1 32729->32733 32735 401ebf 32729->32735 32785 40b7fe 62 API calls 4 library calls 32729->32785 32786 40d2e3 6 API calls __decode_pointer 32729->32786 32787 40bfc1 62 API calls __getptd_noexit 32730->32787 32788 40bfc1 62 API calls __getptd_noexit 32733->32788 32736 40af66 32735->32736 32738 40af70 32736->32738 32737 40b84d _malloc 62 API calls 32737->32738 32738->32737 32739 40af8a 32738->32739 32743 40af8c std::bad_alloc::bad_alloc 32738->32743 32791 40d2e3 6 API calls __decode_pointer 32738->32791 32739->32651 32742 40afbc 32794 40cd39 RaiseException 32742->32794 32746 40afb2 32743->32746 32792 40d2bd 73 API calls __cinit 32743->32792 32793 40af49 62 API calls std::exception::exception 32746->32793 32747 40afca 32749 401903 lstrlenA 32748->32749 32750 4018fc 32748->32750 32795 4017e0 32749->32795 32750->32674 32753 401940 GetLastError 32755 40194b MultiByteToWideChar 32753->32755 32757 40198d 32753->32757 32754 401996 32754->32674 32756 4017e0 72 API calls 32755->32756 32758 401970 MultiByteToWideChar 32756->32758 32757->32754 32803 401030 GetLastError 32757->32803 32758->32757 32761 40af66 74 API calls 32760->32761 32762 40187c 32761->32762 32763 401885 SysAllocString 32762->32763 32764 4018a4 32762->32764 32763->32764 32764->32676 32766 40231a SafeArrayUnaccessData 
32765->32766 32766->32683 32768 4019aa InterlockedDecrement 32767->32768 32773 4019df VariantClear 32767->32773 32769 4019b8 32768->32769 32768->32773 32770 4019c2 SysFreeString 32769->32770 32772 4019c9 32769->32772 32769->32773 32770->32772 32807 40aec0 63 API calls 2 library calls 32772->32807 32773->32690 32774->32654 32775->32658 32776->32669 32777->32707 32779->32711 32780->32713 32781->32714 32782->32727 32783->32727 32785->32729 32786->32729 32787->32733 32788->32735 32789->32721 32790->32735 32791->32738 32792->32746 32793->32742 32794->32747 32796 4017e9 32795->32796 32797 401844 32796->32797 32802 40182d 32796->32802 32804 40b783 72 API calls 4 library calls 32796->32804 32801 40186d MultiByteToWideChar 32797->32801 32806 40b743 62 API calls 2 library calls 32797->32806 32801->32753 32801->32754 32802->32797 32805 40b6b5 62 API calls 2 library calls 32802->32805 32804->32802 32805->32797 32806->32797 32807->32773 32911 5ad0a90 DuplicateHandle 32912 5ad0b26 32911->32912

                    Control-flow Graph

                    control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 7 401dc3-401ed4 CloseHandle GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66 6->7 8 401c55-401c6c call 401650 6->8 27 401ed6-401eed call 40ba30 7->27 28 401eef 7->28 14 401c73-401c77 8->14 16 401c93-401c95 14->16 17 401c79-401c7b 14->17 18 401c98-401c9a 16->18 20 401c7d-401c83 17->20 21 401c8f-401c91 17->21 22 401cb0-401cce call 401650 18->22 23 401c9c-401caf CloseHandle 18->23 20->16 25 401c85-401c8d 20->25 21->18 33 401cd0-401cd4 22->33 25->14 25->21 29 401ef3-401f1a call 401300 SizeofResource 27->29 28->29 38 401f1c-401f2f 29->38 39 401f5f-401f69 29->39 36 401cf0-401cf2 33->36 37 401cd6-401cd8 33->37 42 401cf5-401cf7 36->42 40 401cda-401ce0 37->40 41 401cec-401cee 37->41 43 401f33-401f5d call 401560 38->43 44 401f73-401f75 39->44 45 401f6b-401f72 39->45 40->36 46 401ce2-401cea 40->46 41->42 42->23 47 401cf9-401d09 Module32Next 42->47 43->39 49 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 44->49 50 401f77-401f8d call 401560 44->50 45->44 46->33 46->41 47->7 51 401d0f 47->51 49->5 87 4021aa-4021c0 49->87 50->49 52 401d10-401d2e call 401650 51->52 61 401d30-401d34 52->61 63 401d50-401d52 61->63 64 401d36-401d38 61->64 68 401d55-401d57 63->68 66 401d3a-401d40 64->66 67 401d4c-401d4e 64->67 66->63 70 401d42-401d4a 66->70 67->68 68->23 71 401d5d-401d7b call 401650 68->71 70->61 70->67 77 401d80-401d84 71->77 79 401da0-401da2 77->79 80 401d86-401d88 77->80 81 401da5-401da7 79->81 83 401d8a-401d90 80->83 84 401d9c-401d9e 80->84 81->23 86 401dad-401dbd Module32Next 81->86 83->79 85 401d92-401d9a 83->85 84->81 85->77 85->84 86->7 86->52 89 4021c6-4021ca 87->89 90 40246a-402470 87->90 89->90 93 4021d0-402217 call 4018f0 89->93 91 
402472-402475 90->91 92 40247a-402480 90->92 91->92 92->5 94 402482-402487 92->94 98 40221d-40223d 93->98 99 40244f-40245f 93->99 94->5 98->99 103 402243-402251 98->103 99->90 100 402461-402467 call 40b6b5 99->100 100->90 103->99 106 402257-4022b7 call 401870 VariantInit call 401870 VariantInit call 4018d0 103->106 114 4022c3-40232a call 4018d0 SafeArrayCreate SafeArrayAccessData call 40b350 SafeArrayUnaccessData 106->114 115 4022b9-4022be call 40ad90 106->115 122 402336-40234d call 4018d0 114->122 123 40232c-402331 call 40ad90 114->123 115->114 154 40234e call 20ad01d 122->154 155 40234e call 20ad006 122->155 123->122 127 402350-402352 128 402354-402355 SafeArrayDestroy 127->128 129 40235b-402361 127->129 128->129 130 402363-402368 call 40ad90 129->130 131 40236d-402375 129->131 130->131 133 402377-402379 131->133 134 40237b 131->134 135 40237d-40238f call 4018d0 133->135 134->135 152 402390 call 20ad01d 135->152 153 402390 call 20ad006 135->153 138 402392-4023a2 SafeArrayCreateVector 139 4023a4-4023a9 call 40ad90 138->139 140 4023ae-4023b4 138->140 139->140 141 4023b6-4023b8 140->141 142 4023ba 140->142 144 4023bc-402417 VariantClear * 2 call 4019a0 141->144 142->144 146 40241c-40242c VariantClear 144->146 147 402436-402445 call 4019a0 146->147 148 40242e-402433 146->148 147->99 151 402447-40244c 147->151 148->147 151->99 152->138 153->138 154->127 155->127
                    APIs
                    • OleInitialize.OLE32(00000000), ref: 004019FD
                    • _getenv.LIBCMT ref: 00401ABA
                    • GetCurrentProcessId.KERNEL32 ref: 00401ACD
                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
                    • Module32First.KERNEL32 ref: 00401C48
                    • CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
                    • Module32Next.KERNEL32(00000000,?), ref: 00401D02
                    • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
                    • CloseHandle.KERNEL32(00000000), ref: 00401DC4
                    • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
                    • FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
                    • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
                    • LockResource.KERNEL32(00000000), ref: 00401EA7
                    • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
                    • _malloc.LIBCMT ref: 00401EBA
                    • _memset.LIBCMT ref: 00401EDD
                    • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
                    • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                    • API String ID: 1430744539-2962942730
                    • Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                    • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                    • Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
                    • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504191508.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5c70000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a28dfcb27df7cbd483f2b35c6944fbbab42102ffc384acd2980bbceb12700c3d
                    • Instruction ID: 5cce81ab41e6fa43b7bf9a4411696d6fa53bbb9d5aeb5dd02a81dee9af22734c
                    • Opcode Fuzzy Hash: a28dfcb27df7cbd483f2b35c6944fbbab42102ffc384acd2980bbceb12700c3d
                    • Instruction Fuzzy Hash: C3B16A70E0020DDFDF18CFA9C985BAEBBF2BF88304F148529D815A7694EB749945CB85
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504191508.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5c70000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 85c074d9a1ba5320465e20e73200bf0c5cc02a2a9c98058cfb56925bce3a5460
                    • Instruction ID: 93d73029db3e2e8e6861a12001e73e5d1d807f05c0781be20889562d065a9139
                    • Opcode Fuzzy Hash: 85c074d9a1ba5320465e20e73200bf0c5cc02a2a9c98058cfb56925bce3a5460
                    • Instruction Fuzzy Hash: F5B18D70E0020DDFDF14CFA9C9857AEBBF2BF88314F148929D419A7694EB349981CB81

Control-flow Graph (entry 4018f0; basic blocks that contain calls are listed, edges omitted):
• 401903-40193e: lstrlenA, call 4017e0, MultiByteToWideChar
• 401940-401949: GetLastError
• 40194b-40198c: MultiByteToWideChar, call 4017e0, MultiByteToWideChar
• 401991: call 401030
                    APIs
                    • lstrlenA.KERNEL32(?), ref: 00401906
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
                    • GetLastError.KERNEL32 ref: 00401940
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLastlstrlen
                    • String ID:
                    • API String ID: 3322701435-0
                    • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                    • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
                    • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
                    • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Control-flow Graph (entry 5ad0838; basic blocks that contain calls are listed, edges omitted):
• 5ad0838-5ad08d7: GetCurrentProcess
• 5ad08e0-5ad0914: GetCurrentThread
• 5ad091d-5ad0951: GetCurrentProcess
• 5ad0975: call 5ad0e08 / call 5ad0a18 (one call site, two observed targets)
• 5ad097b-5ad09aa: GetCurrentThreadId
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 05AD08C6
                    • GetCurrentThread.KERNEL32 ref: 05AD0903
                    • GetCurrentProcess.KERNEL32 ref: 05AD0940
                    • GetCurrentThreadId.KERNEL32 ref: 05AD0999
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: f8d82517cef99548f839c075a7eb5ab19093d7b250840cd0ef59db8cd1a34095
                    • Instruction ID: b22ecf0c82e5cd19a83234675ab8649e92e19ee06a8928d7f7f9b973e06d0d62
                    • Opcode Fuzzy Hash: f8d82517cef99548f839c075a7eb5ab19093d7b250840cd0ef59db8cd1a34095
                    • Instruction Fuzzy Hash: 015145B09003498FDB04DFAAD648B9EBFF5FF48304F208459E519A7260D738A944CF69

Control-flow Graph (entry 5ad0848; basic blocks that contain calls are listed, edges omitted):
• 5ad0848-5ad08d7: GetCurrentProcess
• 5ad08e0-5ad0914: GetCurrentThread
• 5ad091d-5ad0951: GetCurrentProcess
• 5ad0975: call 5ad0e08 / call 5ad0a18 (one call site, two observed targets)
• 5ad097b-5ad09aa: GetCurrentThreadId
                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 05AD08C6
                    • GetCurrentThread.KERNEL32 ref: 05AD0903
                    • GetCurrentProcess.KERNEL32 ref: 05AD0940
                    • GetCurrentThreadId.KERNEL32 ref: 05AD0999
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: ca4a84e6b6e3f1042f12c7590b09ef9bc777892edbe032cd12c1b901838f702e
                    • Instruction ID: 4cfaccbd0214715c3a9aa1e009c76435373b869e9d106b0707b56b7428e189be
                    • Opcode Fuzzy Hash: ca4a84e6b6e3f1042f12c7590b09ef9bc777892edbe032cd12c1b901838f702e
                    • Instruction Fuzzy Hash: 455146B09003498FDB04DFAAD548B9EBBF5FF48314F208459E519A7260D7389944CF69

Control-flow Graph (entry 40af66; basic blocks that contain calls are listed, edges omitted):
• 40af7d-40af88: call 40b84d (_malloc)
• 40af70-40af7b: call 40d2e3, then back to 40af7d (retry loop while _malloc fails)
• 40af9a-40afb2: call 40aefc (std::bad_alloc::bad_alloc), call 40d2bd
• 40afb3-40afca: call 40af49 (std::bad_exception::bad_exception), call 40cd39 (__CxxThrowException@8)
                    APIs
                    • _malloc.LIBCMT ref: 0040AF80
                      • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                      • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                      • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                    • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
                      • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
                    • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
                    • __CxxThrowException@8.LIBCMT ref: 0040AFC5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                    • String ID:
                    • API String ID: 1411284514-0
                    • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                    • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
                    • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
                    • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Control-flow Graph (entry 5adb130; basic blocks that contain calls are listed, edges omitted):
• 5adb232-5adb270: call 5ad8184
• 5adb353-5adb3b2: CreateWindowExW
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7d259537e26eff4f74ed285f29c9d44c674ebc3f1296dca9713257ffeba55361
                    • Instruction ID: ab0516816bec20240875f1769cd54b67a0c4fadd8e519822d3ec7b41ebb816f0
                    • Opcode Fuzzy Hash: 7d259537e26eff4f74ed285f29c9d44c674ebc3f1296dca9713257ffeba55361
                    • Instruction Fuzzy Hash: 8B9170B1C093889FCB02CFA5C8549CDBFB1FF0A250F1A819BE455AB262D7349845DF61

Control-flow Graph (entry 5ad90a8; basic blocks that contain calls are listed, edges omitted):
• 5ad90c9-5ad90d6: call 5ad7fcc
• 5ad90de: call 5ad9341 / call 5ad9350 (one call site, two observed targets)
• 5ad9170-5ad9177: call 5ad7fd8
• 5ad91b8-5ad91c1: call 5ad15b8
• 5ad91de-5ad91ee: call 5ad7e48, call 5ad7fe8
• 5ad92f0-5ad931b: GetModuleHandleW
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 05AD930E
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: ddc8042a65ef350f0a8be256b466be037963f5da2d191d58ce1bcb7e4c9c5de6
                    • Instruction ID: 33942d0f8b7196c6576b784968761828a5588627fad82ee9d605078d30d0e990
                    • Opcode Fuzzy Hash: ddc8042a65ef350f0a8be256b466be037963f5da2d191d58ce1bcb7e4c9c5de6
                    • Instruction Fuzzy Hash: 3E812570A00B458FD764EF69D558B9BBBF2FF48200F008A2DE45AD7A50D734E946CBA0

Control-flow Graph (entry 5c77242; basic blocks that contain calls are listed, edges omitted):
• 5c7725d-5c77284: call 5c76c64
• 5c77285-5c772a4: call 5c76c70
• 5c7730f-5c7739c: GlobalMemoryStatusEx
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504191508.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5c70000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6ee0e4ecb5f57a8698c566b1338cf1870c0e1ec5fea29222700f547f3327636f
                    • Instruction ID: 8c939224570085d537c5c3635de63e99a67e33c5b7e45bfe9a695388718c97e9
                    • Opcode Fuzzy Hash: 6ee0e4ecb5f57a8698c566b1338cf1870c0e1ec5fea29222700f547f3327636f
                    • Instruction Fuzzy Hash: AD411372E043998FCB04DFB9D8046DEBFF1EF89310F1589AAD454A7691DB389841CBA0

Control-flow Graph (entry 5adb290; basic blocks that contain calls are listed, edges omitted):
• 5adb353-5adb3b2: CreateWindowExW
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05ADB3A2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 70e41028f4876ef1b54f5bb3b7a7ce64bb46105de946b8189aea49617d32cd72
                    • Instruction ID: 42e454f504b19d350b0fcb4e466385eab7210ad73f3c0812b3f1b574bcbca5da
                    • Opcode Fuzzy Hash: 70e41028f4876ef1b54f5bb3b7a7ce64bb46105de946b8189aea49617d32cd72
                    • Instruction Fuzzy Hash: 4541A0B1D103099FDB14DF9AC984ADEFBB5FF48314F25812AE819AB210D775A845CFA0
                    APIs
                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 05ADDAA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: CallProcWindow
                    • String ID:
                    • API String ID: 2714655100-0
                    • Opcode ID: df96ebeeb6df21da795f50232f7961c652bc264ea9887d91ad858fddda9bf42f
                    • Instruction ID: 398d26d99a4bb3792fee74115ec12fbcd248244b3b8250095bf2394585bc0814
                    • Opcode Fuzzy Hash: df96ebeeb6df21da795f50232f7961c652bc264ea9887d91ad858fddda9bf42f
                    • Instruction Fuzzy Hash: FD4108B8A043099FCB14DF99C448EAAFBF5FF88314F24C459E519A7321D778A845CBA0
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05AD0B17
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: a9e06a13002efb807ea2b3e6f2741d9c698bb313d69301b7d9e889a029a1879b
                    • Instruction ID: c5c800d51e2876bced81914863c68b70ed772b974bc7d23faf339386aa12632c
                    • Opcode Fuzzy Hash: a9e06a13002efb807ea2b3e6f2741d9c698bb313d69301b7d9e889a029a1879b
                    • Instruction Fuzzy Hash: EF21E3B5D002499FDB10DFAAD984ADEFBF4FF48314F14841AE919A3210D378A944CF60
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05AD0B17
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: fd76b92698bbba704e8693e70d03ff8d39ca71abb192fcd7a7084079f0d3c8a3
                    • Instruction ID: 0545b685a6c12fec3650b13757845a5c8590c79de3a5ca59dcd9afe0b217cb08
                    • Opcode Fuzzy Hash: fd76b92698bbba704e8693e70d03ff8d39ca71abb192fcd7a7084079f0d3c8a3
                    • Instruction Fuzzy Hash: 2321C2B59002489FDB10DFAAD984ADEFBF8FB48314F14841AE919A3350D378A954CFA5
                    APIs
                    • SetWindowsHookExW.USER32(04AC7B1C,00000000,?,?), ref: 022BB3DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502777716.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_22b0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0
                    • Opcode ID: 789dfd2983ca9ceb7373e8d6c347d6a5522f6f70ecc220f63a4093c09c4b1b73
                    • Instruction ID: b72ca1366fbd519618713c8e9deef2a2890fa18504c0d923b3d8e9d186b74f20
                    • Opcode Fuzzy Hash: 789dfd2983ca9ceb7373e8d6c347d6a5522f6f70ecc220f63a4093c09c4b1b73
                    • Instruction Fuzzy Hash: FD2135B59102098FCB14DFAAD944BEEFBF5FF88314F108429E419A7250CB78A940CFA1
                    APIs
                    • VirtualProtect.KERNEL32(?,?,?,?), ref: 022B9264
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502777716.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_22b0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 169ba87c5fe3ac36c713fce58a304ea88db5b0828f49bab828ade922fb010e06
                    • Instruction ID: 6c053a73062dc85a1c2285c22661639e9a93d5f4cc971e43de26d45e9f592fa6
                    • Opcode Fuzzy Hash: 169ba87c5fe3ac36c713fce58a304ea88db5b0828f49bab828ade922fb010e06
                    • Instruction Fuzzy Hash: 6311F4B1D002099FDB10DFAAC544AEEFBF4FF48320F10842AD519A7250C779A944CFA1
                    APIs
                    • GlobalMemoryStatusEx.KERNEL32 ref: 05C7738F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504191508.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5c70000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: GlobalMemoryStatus
                    • String ID:
                    • API String ID: 1890195054-0
                    • Opcode ID: 5024a7b68cac491ac5317eadf7b999e64551f47830aaae0a1ccc89b733f1b1bb
                    • Instruction ID: 9174fab35b52ec5c42ab948f1bb078d20f7ce5d247ad95ac0029eaa8344f9667
                    • Opcode Fuzzy Hash: 5024a7b68cac491ac5317eadf7b999e64551f47830aaae0a1ccc89b733f1b1bb
                    • Instruction Fuzzy Hash: A011EFB1C006599FCB10DFAAC545A9EFBF4FF48320F15856AE818B7240D778A944CFA5
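The API listings in this section follow one line format, so the call sequences that matter for triage (the FindResourceA → LoadResource → LockResource → SizeofResource chain and the TH32CS_SNAPMODULE module walk in 4019f0, the SetWindowsHookExW call site at 022BB3DB, the GlobalMemoryStatusEx call site at 05C7738F) can be pulled out mechanically. The Python below is an added example written for this page; it is not Joe Sandbox code and not code from the analysed sample. It assumes the line layout exactly as printed here; the pattern labels, the A/W suffix-stripping heuristic and the choice of sequences are this example's own, while TH32CS_SNAPMODULE = 0x8 is the documented tlhelp32.h value. Its input is copied from this report's own lines.

```python
"""Triage helper for the "APIs" listings in a Joe Sandbox function dump.
Added example for this page; not Joe Sandbox code and not code from the
analysed sample.  Flags call-site sequences worth opening first in IDA.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

class ApiCall(NamedTuple):
    name: str              # symbol as printed, e.g. FindResourceA, _malloc
    module: str            # e.g. KERNEL32, LIBCMT
    args: Tuple[str, ...]  # raw stack arguments as printed ('?' = unknown)
    ref: int               # call-site address
    subcall: bool          # True for "Part of subcall function ..." lines

# Line grammar assumed from this report's layout, e.g.
#   • FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

TH32CS_SNAPMODULE = 0x00000008  # tlhelp32.h

# Ordered subsequences (not necessarily adjacent) over A/W-stripped names;
# the labels are this example's own.
PATTERNS: Dict[str, Tuple[str, ...]] = {
    "resource_payload_extraction": ("FindResource", "LoadResource", "LockResource", "SizeofResource"),
    "own_module_enumeration": ("CreateToolhelp32Snapshot", "Module32First", "Module32Next"),
    "dynamic_import_resolution": ("LoadLibrary", "GetProcAddress"),
    "windows_hook_install": ("SetWindowsHookEx",),
    "memory_size_probe": ("GlobalMemoryStatusEx",),
}

def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in `text`; headings and other lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in (m.group("args") or "").split(",") if a.strip())
        calls.append(ApiCall(m.group("name"), m.group("mod"), args,
                             int(m.group("ref"), 16), bool(m.group("sub"))))
    return calls

def arg_value(arg: str) -> Optional[int]:
    """Printed hex argument -> int; None for '?' (value unknown to the sandbox)."""
    return int(arg, 16) if re.fullmatch(r"-?[0-9A-Fa-f]+", arg) else None

def stem(name: str) -> str:
    """Heuristic: drop a trailing A/W charset suffix (FindResourceA -> FindResource)."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name

def find_sequence(names: List[str], pattern: Tuple[str, ...]) -> Optional[List[int]]:
    """Indices where `pattern` occurs as an ordered subsequence of `names`, else None."""
    hits: List[int] = []
    for i, n in enumerate(names):
        if len(hits) < len(pattern) and n == pattern[len(hits)]:
            hits.append(i)
    return hits if len(hits) == len(pattern) else None

def classify(calls: List[ApiCall]) -> Dict[str, List[int]]:
    """Map each matched pattern to the call-site addresses that matched it."""
    # Only direct calls count: "Part of subcall" lines belong to callees and
    # would otherwise attribute CRT internals (RtlAllocateHeap) to the caller.
    direct = [c for c in calls if not c.subcall]
    names = [stem(c.name) for c in direct]
    tags: Dict[str, List[int]] = {}
    for tag, pattern in PATTERNS.items():
        hit = find_sequence(names, pattern)
        if hit is not None:
            tags[tag] = [direct[i].ref for i in hit]
    for c in direct:  # flag-aware check on the snapshot type
        if c.name == "CreateToolhelp32Snapshot" and c.args:
            flags = arg_value(c.args[0])
            if flags is not None and flags & TH32CS_SNAPMODULE:
                tags.setdefault("module_snapshot_th32cs_snapmodule", []).append(c.ref)
    return tags

# Input: lines copied from this report (4019f0, the 40af66 subcall, 022BB3DB, 05C7738F).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• SetWindowsHookExW.USER32(04AC7B1C,00000000,?,?), ref: 022BB3DB
• GlobalMemoryStatusEx.KERNEL32 ref: 05C7738F
"""

if __name__ == "__main__":
    for tag, refs in classify(parse_api_lines(SAMPLE)).items():
        print(f"{tag:36s} {' '.join(f'{r:08X}' for r in refs)}")
```

Two caveats when reading the result against this page. The "APIs" list for 4019f0 stops at 00401F02, whereas its control-flow graph also shows FreeResource, LoadLibraryA, GetProcAddress and the SafeArray calls, so the dynamic_import_resolution pattern does not fire on the listing alone; feed the classifier the graph's call names as well before concluding a pattern is absent. And the 022BB3DB and 05C7738F call sites lie in regions the report marks "based on PE: false", i.e. memory not backed by the executable's image, so those addresses identify a location in this run only and are not usable as static offsets into the sample.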
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 05AD930E
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 2d695028e91a82fafb96685b23692cf693329227fb49094e9d938fa6562c85ec
                    • Instruction ID: 4e20f662afa389e6eb84c663ad89c7317dbbb874e16223d73728a23c3693b78e
                    • Opcode Fuzzy Hash: 2d695028e91a82fafb96685b23692cf693329227fb49094e9d938fa6562c85ec
                    • Instruction Fuzzy Hash: 0111DFB5C002498FCB10DF9AD544A9EFBF4EF88714F10841AD82AB7250D379A545CFA1
                    APIs
                      • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                    • SysAllocString.OLEAUT32 ref: 00401898
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: AllocString_malloc
                    • String ID:
                    • API String ID: 959018026-0
                    • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                    • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                    • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                    • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
                    APIs
                    • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: CreateHeap
                    • String ID:
                    • API String ID: 10892065-0
                    • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                    • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                    • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                    • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502777716.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_22b0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: 1fbab435a7b23e767a74eff7f14ab4cc3e29d26d21944d7719c1dfe5699883ae
                    • Instruction ID: 0531ed871e83e0de0446ec7ec7ed7b2e6fe91f7b4b4695be5bff46f61c3a4655
                    • Opcode Fuzzy Hash: 1fbab435a7b23e767a74eff7f14ab4cc3e29d26d21944d7719c1dfe5699883ae
                    • Instruction Fuzzy Hash: E21125B19002498BCB20DFAAC5457EFFBF4EF89324F248419D519A7240CB78A944CFA5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502420835.00000000020AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_20ad000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502469874.00000000020BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020BD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_20bd000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502420835.00000000020AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_20ad000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502469874.00000000020BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020BD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_20bd000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502420835.00000000020AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_20ad000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502420835.00000000020AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 020AD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_20ad000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 004136F4
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                    • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                    • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                    • TerminateProcess.KERNEL32(00000000), ref: 00413737
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                    • String ID:
                    • API String ID: 2579439406-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$@$PA
                    • API String ID: 0-3039612711
                    APIs
                    • GetProcessHeap.KERNEL32 ref: 0040ADD0
                    • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: Heap$FreeProcess
                    • String ID:
                    • API String ID: 3859560861-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504191508.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5c70000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502777716.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_22b0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q
                    • API String ID: 0-1259897404
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4502777716.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022B0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_22b0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4']q
                    • API String ID: 0-1259897404
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504016903.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5ad0000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4504191508.0000000005C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_5c70000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
                    • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,021618D0), ref: 004170C5
                    • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
                    • _malloc.LIBCMT ref: 0041718A
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
                    • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
                    • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
                    • _malloc.LIBCMT ref: 0041724C
                    • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
                    • __freea.LIBCMT ref: 004172A4
                    • __freea.LIBCMT ref: 004172AD
                    • ___ansicp.LIBCMT ref: 004172DE
                    • ___convertcp.LIBCMT ref: 00417309
                    • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
                    • _malloc.LIBCMT ref: 00417362
                    • _memset.LIBCMT ref: 00417384
                    • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
                    • ___convertcp.LIBCMT ref: 004173BA
                    • __freea.LIBCMT ref: 004173CF
                    • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
                    • String ID:
                    • API String ID: 3809854901-0
                    • Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
                    • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
                    • Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
                    • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
                    APIs
                    • _malloc.LIBCMT ref: 004057DE
                      • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
                      • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
                      • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
                    • _malloc.LIBCMT ref: 00405842
                    • _malloc.LIBCMT ref: 00405906
                    • _malloc.LIBCMT ref: 00405930
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: _malloc$AllocateHeap
                    • String ID: 1.2.3
                    • API String ID: 680241177-2310465506
                    • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                    • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                    • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
                    • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                    • String ID:
                    • API String ID: 3886058894-0
                    • Opcode ID: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
                    • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
                    • Opcode Fuzzy Hash: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
                    • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
                    APIs
                    • __lock_file.LIBCMT ref: 0040C6C8
                    • __fileno.LIBCMT ref: 0040C6D6
                    • __fileno.LIBCMT ref: 0040C6E2
                    • __fileno.LIBCMT ref: 0040C6EE
                    • __fileno.LIBCMT ref: 0040C6FE
                      • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                      • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
                    • String ID: 'B
                    • API String ID: 2805327698-2787509829
                    • Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                    • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
                    • Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
                    • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
                    APIs
                    • __getptd.LIBCMT ref: 00414744
                      • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                      • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                    • __getptd.LIBCMT ref: 0041475B
                    • __amsg_exit.LIBCMT ref: 00414769
                    • __lock.LIBCMT ref: 00414779
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                    • String ID: @.B
                    • API String ID: 3521780317-470711618
                    • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                    • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                    • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                    • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                    APIs
                    • __getptd.LIBCMT ref: 00413FD8
                      • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                      • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                    • __amsg_exit.LIBCMT ref: 00413FF8
                    • __lock.LIBCMT ref: 00414008
                    • InterlockedDecrement.KERNEL32(?), ref: 00414025
                    • InterlockedIncrement.KERNEL32(02161670), ref: 00414050
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                    • String ID:
                    • API String ID: 4271482742-0
                    • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                    • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                    • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                    • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: P$B$`$B
                    • API String ID: 3494438863-235554963
                    • Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                    • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
                    • Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                    • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
                    APIs
                    • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: IsProcessorFeaturePresent$KERNEL32
                    • API String ID: 1646373207-3105848591
                    • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                    • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                    • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                    • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                    APIs
                    • ___addlocaleref.LIBCMT ref: 0041470C
                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
                      • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
                    • ___removelocaleref.LIBCMT ref: 00414717
                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
                      • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
                    • ___freetlocinfo.LIBCMT ref: 0041472B
                      • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
                      • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
                      • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                    • String ID: @.B
                    • API String ID: 467427115-470711618
                    • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                    • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
                    • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                    • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
                    APIs
                    • __fileno.LIBCMT ref: 0040C77C
                    • __locking.LIBCMT ref: 0040C791
                      • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                      • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: __decode_pointer__fileno__getptd_noexit__locking
                    • String ID:
                    • API String ID: 2395185920-0
                    • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                    • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
                    • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
                    • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: _fseek_malloc_memset
                    • String ID:
                    • API String ID: 208892515-0
                    • Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
                    • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
                    • Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
                    • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
                    APIs
                    • __flush.LIBCMT ref: 0040BB6E
                    • __fileno.LIBCMT ref: 0040BB8E
                    • __locking.LIBCMT ref: 0040BB95
                    • __flsbuf.LIBCMT ref: 0040BBC0
                      • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
                      • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                    • String ID:
                    • API String ID: 3240763771-0
                    • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                    • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                    • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                    • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
                    • __isleadbyte_l.LIBCMT ref: 00415307
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                    • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
                    • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
                    • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.4501829268.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.4501789754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501853344.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.4501874258.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_8LNER6Tma8.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                    • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
                    • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                    • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89
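                    Most of the function blocks in this part of the report are statically linked MSVC runtime code (the entries the report tags LIBCMT: LCMapString/MultiByteToWideChar wrappers, __getptd, locale reference counting, stdio locking), which is present in any MSVC binary and is not where the XWorm or PureLog logic lives. The quickest way to find the blocks worth opening in the disassembler is to separate CRT-only functions from the ones that call into KERNEL32/NTDLL directly or pass literal strings, such as the export name handed to GetProcAddress above. The following triage helper is an added example and is not part of the Joe Sandbox report or its tooling; it parses "APIs" bullets in the exact shape printed above (the sample lines are constructed from this section), assumes addresses are 8 hex digits and that LIBCMT is the only module to treat as runtime noise, and returns one summary row per function block.

```python
import re

# Constructed sample: a few "APIs" bullets copied in the shape the Joe Sandbox
# function-level report prints them (one block per recovered function).
SAMPLE_REPORT = """\
APIs
• GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
• GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
Strings
Memory Dump Source
APIs
• __getptd.LIBCMT ref: 00413FD8
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
• __lock.LIBCMT ref: 00414008
• InterlockedDecrement.KERNEL32(?), ref: 00414025
• InterlockedIncrement.KERNEL32(02161670), ref: 00414050
APIs
• _malloc.LIBCMT ref: 004057DE
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4
• _malloc.LIBCMT ref: 00405842
"""

# One bullet: optional "Part of subcall function XXXXXXXX:" prefix, then
# name.MODULE, optional "(args)", then "ref: XXXXXXXX". Assumption: 8 hex digits.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-F]{8}$")   # a numeric argument as the report prints it
CRT_MODULES = {"LIBCMT"}                   # assumption: statically linked CRT is noise


def parse_api_blocks(text):
    """Split the report into per-function blocks (one per 'APIs' heading) and
    parse every bullet into a dict; non-API lines (Strings, Memory Dump Source,
    hashes) are skipped because they never carry a 'ref:' field."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = m.group("args")
            current.append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
                "subcall": m.group("sub"),   # None for a direct call
            })
    return blocks


def triage(blocks):
    """One row per non-empty block: the first call site (a cheap stand-in for
    the function), the modules it calls directly, whether it only touches the
    CRT, and any literal (non-numeric, non-'?') arguments, which are the fastest
    pivot into the interesting code."""
    rows = []
    for calls in blocks:
        if not calls:
            continue
        direct = [c for c in calls if c["subcall"] is None]
        modules = {c["module"] for c in direct}
        strings = [a for c in direct for a in c["args"]
                   if a and a != "?" and not HEX_ARG.match(a)]
        rows.append({
            "first_ref": (direct or calls)[0]["ref"],
            "modules": modules,
            "crt_only": modules <= CRT_MODULES,
            "string_args": strings,
        })
    return rows


if __name__ == "__main__":
    for row in triage(parse_api_blocks(SAMPLE_REPORT)):
        tag = "CRT-only" if row["crt_only"] else "imports " + ",".join(sorted(row["modules"]))
        print(f'{row["first_ref"]}: {tag}; strings={row["string_args"]}')
```

On this section the helper marks the `_malloc` and locale/stdio blocks as CRT-only and surfaces the `GetModuleHandleA`/`GetProcAddress` block through its two string arguments, `KERNEL32` and `IsProcessorFeaturePresent`; that dynamic resolution pattern is the behaviour the report summarises elsewhere as "Contains functionality to dynamically determine API calls", so string arguments are the column to sort by when the function list runs to hundreds of entries.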