
Windows Analysis Report
sample-20240612-unpacked.exe

Overview

General Information

Sample name: sample-20240612-unpacked.exe
Analysis ID: 1542814
MD5: 0a781b3f657871233e03d73dc32279e6
SHA1: c3d1ba24a292c88768514d130a59e28a0cf8471d
SHA256: d883bb8c9c3263f60ae4c75432f17e2e558bfdbaf00936b4452fbe0d666a0a46
Tags: exe, user-verso1

Detection

Metasploit
Score: 87
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Writes to foreign memory regions
Contains functionality for reading data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • sample-20240612-unpacked.exe (PID: 6048 cmdline: "C:\Users\user\Desktop\sample-20240612-unpacked.exe" MD5: 0A781B3F657871233E03D73DC32279E6)
    • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xcopy.exe (PID: 7088 cmdline: "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*" MD5: 7E9B7CE496D09F70C072930940F9F02C)
      • conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mspaint.exe (PID: 4820 cmdline: mspaint.exe MD5: 986A191E95952C9E3FE6BE112FB92026)
  • pressica.exe (PID: 2748 cmdline: "C:\Users\user\Pictures\pressica.exe" MD5: 0A781B3F657871233E03D73DC32279E6)
    • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mspaint.exe (PID: 5024 cmdline: mspaint.exe MD5: 986A191E95952C9E3FE6BE112FB92026)
  • pressica.exe (PID: 6112 cmdline: "C:\Users\user\Pictures\pressica.exe" MD5: 0A781B3F657871233E03D73DC32279E6)
    • conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mspaint.exe (PID: 6968 cmdline: mspaint.exe MD5: 986A191E95952C9E3FE6BE112FB92026)
  • cleanup

Malware Configuration

{"Type": "Shell Bind TCP", "Listen Port": 20}

Yara Overview

Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_MetasploitPayload_3 | Description: Yara detected Metasploit Payload | Author: Joe Security
  Rule: Windows_Trojan_Metasploit_a6e956c9 | Description: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
  Strings: 0x6:$a1: 60 89 E5 31 C0 64 8B 50 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 7C 02 2C 20
Source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_MetasploitPayload_3 | Description: Yara detected Metasploit Payload | Author: Joe Security
  Rule: Windows_Trojan_Metasploit_a6e956c9 | Description: Identifies the API address lookup function leverage by metasploit shellcode | Author: unknown
  Strings: 0x6:$a1: 60 89 E5 31 C0 64 8B 50 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 7C 02 2C 20
Source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_MetasploitPayload_3 | Description: Yara detected Metasploit Payload | Author: Joe Security
(7 further Yara entries are not included in this extract.)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Pictures\pressica.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\sample-20240612-unpacked.exe, ProcessId: 6048, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VirtualBox Guest Additions Manager
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*", CommandLine: "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xcopy.exe, NewProcessName: C:\Windows\SysWOW64\xcopy.exe, OriginalFileName: C:\Windows\SysWOW64\xcopy.exe, ParentCommandLine: "C:\Users\user\Desktop\sample-20240612-unpacked.exe", ParentImage: C:\Users\user\Desktop\sample-20240612-unpacked.exe, ParentProcessId: 6048, ParentProcessName: sample-20240612-unpacked.exe, ProcessCommandLine: "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*", ProcessId: 7088, ProcessName: xcopy.exe
No Suricata rule has matched

AV Detection

Source: sample-20240612-unpacked.exe | Avira: detected
Source: C:\Users\user\Pictures\pressica.exe | Avira: detection malicious, Label: TR/AD.Swrort.dxcpq
Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Type": "Shell Bind TCP", "Listen Port": 20}
Source: C:\Users\user\Pictures\pressica.exe | ReversingLabs: Detection: 50%
Source: sample-20240612-unpacked.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00402450 strlen,CryptStringToBinaryA,CryptStringToBinaryA,free,0_2_00402450
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00401280 _fwprintf,strlen,strlen,CryptBinaryToStringA,0_2_00401280
Source: sample-20240612-unpacked.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | DNS traffic detected: query: S(]H7p#}ho:P4p__.str4ng3l.ov replaycode: Name error (3)
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00401580 OpenClipboard,GetClipboardData,CloseClipboard,_strdup,strlen,_fwprintf,socket,htons,inet_addr,htons,memset,GetCurrentProcessId,htons,strlen,strlen,sendto,recvfrom,strlen,0_2_00401580
Source: global traffic | DNS traffic detected: DNS query: S(]H7p#}ho:P4p__.str4ng3l.ov
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00401580 OpenClipboard,GetClipboardData,CloseClipboard,_strdup,strlen,_fwprintf,socket,htons,inet_addr,htons,memset,GetCurrentProcessId,htons,strlen,strlen,sendto,recvfrom,strlen,0_2_00401580
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00401580 OpenClipboard,GetClipboardData,CloseClipboard,_strdup,strlen,_fwprintf,socket,htons,inet_addr,htons,memset,GetCurrentProcessId,htons,strlen,strlen,sendto,recvfrom,strlen,0_2_00401580

System Summary

Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2093297747.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: sample-20240612-unpacked.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000000.00000002.2093297747.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: classification engine | Classification label: mal87.troj.evad.winEXE@15/2@3/0
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\Pictures\pressica.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Users\user\Pictures\pressica.exe | Mutant created: \Sessions\1\BaseNamedObjects\toxotidae
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: sample-20240612-unpacked.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sample-20240612-unpacked.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\sample-20240612-unpacked.exe "C:\Users\user\Desktop\sample-20240612-unpacked.exe"
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Windows\SysWOW64\xcopy.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: unknown | Process created: C:\Users\user\Pictures\pressica.exe "C:\Users\user\Pictures\pressica.exe"
Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: unknown | Process created: C:\Users\user\Pictures\pressica.exe "C:\Users\user\Pictures\pressica.exe"
Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Automated click: OK
Source: C:\Users\user\Pictures\pressica.exe | Automated click: OK
Source: C:\Users\user\Pictures\pressica.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: sample-20240612-unpacked.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00401EA0 LoadLibraryA,GetProcAddress,RegCreateKeyExA,GetProcAddress,strlen,RegSetValueExA,0_2_00401EA0
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00402DE6 push ecx; ret 0_2_00402DF9
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\Pictures\pressica.exe
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-631)
Source: sample-20240612-unpacked.exe, 00000000.00000002.2093297747.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, pressica.exe, 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, pressica.exe, 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | API call chain: ExitProcess graph end node (graph_0-608)
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00402B8C IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00402B8C
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00401EA0 LoadLibraryA,GetProcAddress,RegCreateKeyExA,GetProcAddress,strlen,RegSetValueExA,0_2_00401EA0
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00401CF0 GetProcessHeap,HeapAlloc,memcpy,memset,CreateProcessA,0_2_00401CF0
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00402FD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00402FD2
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00402CEE SetUnhandledExceptionFilter,0_2_00402CEE
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00402B8C IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00402B8C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 2B00000 protect: page execute and read and write
Source: C:\Users\user\Pictures\pressica.exe | Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 3290000 protect: page execute and read and write
Source: C:\Users\user\Pictures\pressica.exe | Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 2EF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00401C60 SetThreadContext,SetThreadContext,VirtualAllocEx,WriteProcessMemory,0_2_00401C60
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 2B00000
Source: C:\Users\user\Pictures\pressica.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 3290000
Source: C:\Users\user\Pictures\pressica.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 2EF0000
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe | Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00402E1E cpuid 0_2_00402E1E
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe | Code function: 0_2_00402A7B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00402A7B

Remote Access Functionality

Source: Yara match | File source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2093297747.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Each tactic column is listed with its techniques top to bottom; the number in parentheses is the signature-count badge shown next to a matched technique, reproduced as it appears. Techniques without a number are the matrix's unmatched default entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Native API (11); Scheduled Task/Job; At; Cron
Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (311); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook
Defense Evasion: Masquerading (1); Process Injection (311); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Security Software Discovery (121); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Clipboard Data (2); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID 1542814, sample: sample-20240612-unpacked.exe, start date 26/10/2024, architecture WINDOWS, score 87)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 3 other signatures

Process tree as drawn in the graph (numbers in brackets are the graph's own node ids):

[2] start
|-- [7] sample-20240612-unpacked.exe
|     DNS: S(]H7p#}ho:P4p__.str4ng3l.ov
|     Signatures: Found evasive API chain (may stop execution after checking mutex); Contains functionality to inject code into remote processes; Writes to foreign memory regions
|     |-- [15] xcopy.exe
|     |     Dropped: C:\Users\user\Pictures\pressica.exe (PE32)
|     |     Dropped: C:\Users\...\pressica.exe:Zone.Identifier (ASCII)
|     |     '-- [30] conhost.exe
|     |-- [18] conhost.exe
|     '-- [20] mspaint.exe
|-- [11] pressica.exe
|     DNS: S(]H7p#}ho:P4p__.str4ng3l.ov
|     Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Allocates memory in foreign processes
|     |-- [22] conhost.exe
|     '-- [24] mspaint.exe
'-- [13] pressica.exe
      DNS: S(]H7p#}ho:P4p__.str4ng3l.ov
      |-- [26] conhost.exe
      '-- [28] mspaint.exe

Antivirus, submitted file (Source / Detection / Scanner / Label)
sample-20240612-unpacked.exe   50%    ReversingLabs   Win32.Trojan.TrickBotCrypt
sample-20240612-unpacked.exe   100%   Avira           TR/AD.Swrort.dxcpq

Antivirus, dropped file (Source / Detection / Scanner / Label)
C:\Users\user\Pictures\pressica.exe   100%   Avira           TR/AD.Swrort.dxcpq
C:\Users\user\Pictures\pressica.exe   50%    ReversingLabs   Win32.Trojan.TrickBotCrypt

The dropped file carries the same detections as the submitted sample because it is a byte-for-byte copy (both file entries below show MD5 0a781b3f657871233e03d73dc32279e6 and 32768 bytes). The three remaining antivirus tables (unpacked PE files, domains, URLs) are empty: No Antivirus matches.

Contacted domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation)
S(]H7p#}ho:P4p__.str4ng3l.ov   unknown   unknown   true   (none)   unknown

The only name the sample resolves contains characters ('(', ']', '#', '}', ':') that cannot occur in a DNS hostname, and all three lookups in the network section below returned NXDOMAIN; this is what the "Tries to resolve domain names, but no domain seems valid" signature refers to. The name is not live infrastructure; the report does not show where the string comes from.

No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1542814
          Start date and time:2024-10-26 13:59:09 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 20s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:sample-20240612-unpacked.exe
          Detection:MAL
          Classification:mal87.troj.evad.winEXE@15/2@3/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 11
          • Number of non-executed functions: 6
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: sample-20240612-unpacked.exe
Time       Type        Description
14:00:08   Autostart   Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, value name "VirtualBox Guest Additions Manager", data C:\Users\user\Pictures\pressica.exe
14:00:16   Autostart   Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce, value name "VirtualBox Guest Additions Manager", data C:\Users\user\Pictures\pressica.exe

The value name imitates the VirtualBox Guest Additions tray component (the Masquerading technique in the matrix) while the data points at the self-copy in the user's Pictures folder, a location no VirtualBox component uses. RunOnce values are deleted once they have been executed, so the entry survives exactly one further logon unless the payload rewrites it.
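The behavior graph and the autostart entries above describe one chain: the sample copies itself with xcopy.exe into the user's Pictures folder, registers that copy under a RunOnce value with a borrowed product name, starts mspaint.exe and writes into its memory. The following is an added example, not code from the report or from the sample, showing how a detection engineer would express those three observations as rules over host telemetry. The EVENTS list is constructed from values printed in the report; the record layout (Sysmon-like event ids 1, 10 and 13), the parent PID 1234 and the child PIDs 4100 and 5120 are assumptions for the example, not values from the report.

```python
"""Added example: three detection rules mirroring the Sigma hits in this report
('CurrentVersion Autorun Keys Modification', 'Suspicious Copy From or To System
Directory') plus the parent-writes-into-child injection pattern.  Event records
are constructed from the report; ids and PIDs other than 6048 are assumptions."""
import re

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}

EVENTS = [
    # id 1 = process start, id 13 = registry value set, id 10 = process access (assumed ids)
    {"id": 1, "pid": 6048, "ppid": 1234,
     "image": r"C:\Users\user\Desktop\sample-20240612-unpacked.exe",
     "cmdline": r'"C:\Users\user\Desktop\sample-20240612-unpacked.exe"'},
    {"id": 1, "pid": 4100, "ppid": 6048, "image": r"C:\Windows\SysWOW64\xcopy.exe",
     "cmdline": r'"C:\Windows\System32\xcopy.exe" /f /y '
                r'"C:\Users\user\Desktop\sample-20240612-unpacked.exe" '
                r'"C:\Users\user\Pictures\pressica.exe*"'},
    {"id": 13, "pid": 6048,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value_name": "VirtualBox Guest Additions Manager",
     "data": r"C:\Users\user\Pictures\pressica.exe"},
    {"id": 1, "pid": 5120, "ppid": 6048, "image": r"C:\Windows\SysWOW64\mspaint.exe",
     "cmdline": "mspaint.exe"},
    {"id": 10, "pid": 6048, "target_pid": 5120,
     "target_image": r"C:\Windows\SysWOW64\mspaint.exe", "access": "VM_WRITE|VM_OPERATION"},
    # Constructed benign control: a Run value whose data lives under Program Files.
    {"id": 13, "pid": 900, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "SecurityHealth", "data": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect_autorun_to_user_profile(events) -> list:
    """Run/RunOnce value whose data points into a user profile directory."""
    hits = []
    for e in events:
        if e["id"] == 13 and AUTORUN_KEY.search(e["key"]) and USER_PROFILE.match(e["data"]):
            hits.append(("autorun_user_profile", e["value_name"], e["data"]))
    return hits


def detect_self_copy(events) -> list:
    """A copy tool whose source argument is its parent's own image and whose
    destination is inside a user profile: self-replication, not administration."""
    starts = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 1 or _basename(e["image"]) not in COPY_TOOLS:
            continue
        parent = starts.get(e["ppid"])
        args = re.findall(r'"([^"]+)"', e["cmdline"])  # quoted paths: tool, source, destination
        if (parent and len(args) >= 3 and args[1].lower() == parent["image"].lower()
                and USER_PROFILE.match(args[2])):
            hits.append(("self_copy", parent["image"], args[2]))
    return hits


def detect_parent_writes_child(events) -> list:
    """A process opens a child it just started with write access to its memory
    (the report's VirtualAllocEx/WriteProcessMemory into mspaint.exe)."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] == 10 and "VM_WRITE" in e["access"] and parent_of.get(e["target_pid"]) == e["pid"]:
            hits.append(("parent_writes_child", e["pid"], e["target_image"]))
    return hits


def run_all(events) -> list:
    return (detect_autorun_to_user_profile(events) + detect_self_copy(events)
            + detect_parent_writes_child(events))


if __name__ == "__main__":
    for hit in run_all(EVENTS):
        print(hit)
```

Each rule fires on exactly one of the constructed records and stays silent on the benign control; in production the three would be correlated on the common PID (6048 here), which is what turns three medium-confidence signals into one high-confidence dropper alert.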
          Process:C:\Windows\SysWOW64\xcopy.exe
          File Type:PE32 executable (console) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):32768
          Entropy (8bit):3.557959871664382
          Encrypted:false
          SSDEEP:192:Lf/WzPkcee3/2E0Hjyf4kiA8JoCcQEFcN4JE7Wtn40ZxUEIZ4CRCjbbE5pz6ekTo:LG8cmmghA8Jo104K7WrxeZ4ACjbb3Il
          MD5:0A781B3F657871233E03D73DC32279E6
          SHA1:C3D1BA24A292C88768514D130A59E28A0CF8471D
          SHA-256:D883BB8C9C3263F60AE4C75432F17E2E558BFDBAF00936B4452FBE0D666A0A46
          SHA-512:AF01B7E537AA840722AD66A3AFE0C7D7ACA84AD50D1B2C310227F4764CB72FC5278E3A972203C8AD9217060EE58F9A70429456E82295DB81225CA09E8766762E
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 50%
          Reputation:low
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i...:...:...:..R:...:...;...:...;...:...;...:...;...:...;...:...;...:...:...:4..;...:4.>:...:4..;...:Rich...:........PE..L.....hf................."...^.......'.......@....@..........................................................................I..@....................................F...............................F..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...DE...`...B...:..............@....rsrc................|..............@..@........................................................................................................................................................................................................................................................................................................................................................
          Process:C:\Windows\SysWOW64\xcopy.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Reputation:high, very likely benign file
          Preview:[ZoneTransfer]....ZoneId=0
          File type:PE32 executable (console) Intel 80386, for MS Windows
          Entropy (8bit):3.557959871664382
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:sample-20240612-unpacked.exe
          File size:32'768 bytes
          MD5:0a781b3f657871233e03d73dc32279e6
          SHA1:c3d1ba24a292c88768514d130a59e28a0cf8471d
          SHA256:d883bb8c9c3263f60ae4c75432f17e2e558bfdbaf00936b4452fbe0d666a0a46
          SHA512:af01b7e537aa840722ad66a3afe0c7d7aca84ad50d1b2c310227f4764cb72fc5278e3a972203c8ad9217060ee58f9a70429456e82295db81225ca09e8766762e
          SSDEEP:192:Lf/WzPkcee3/2E0Hjyf4kiA8JoCcQEFcN4JE7Wtn40ZxUEIZ4CRCjbbE5pz6ekTo:LG8cmmghA8Jo104K7WrxeZ4ACjbb3Il
          TLSH:6DE25C06FD131E51E87149FE6177D92CC8A87E612FA550C3E7D148DA4A3A8C2FA3D81E
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........i...:...:...:..R:...:...;...:...;...:...;...:...;...:...;...:...;...:...:...:4..;...:4.>:...:4..;...:Rich...:........PE..L..
          Icon Hash:00928e8e8686b000
          Entrypoint:0x4027f4
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows cui
          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
          Time Stamp:0x6668BAA6 [Tue Jun 11 20:59:18 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:f62f2592222535031386244184c40ea5
Instruction (disassembly from the entry point 0x4027f4; the opening call/jmp pair and the routines that follow it, which walk the PE section headers from e_lfanew, take a startup lock with lock cmpxchg and set global initialisation flags, are the MSVC CRT startup code labelled __scrt_* in the execution graph below, not logic specific to this sample)
          call 00007FC6513F6D64h
          jmp 00007FC6513F6909h
          push ebp
          mov ebp, esp
          mov eax, dword ptr [ebp+08h]
          push esi
          mov ecx, dword ptr [eax+3Ch]
          add ecx, eax
          movzx eax, word ptr [ecx+14h]
          lea edx, dword ptr [ecx+18h]
          add edx, eax
          movzx eax, word ptr [ecx+06h]
          imul esi, eax, 28h
          add esi, edx
          cmp edx, esi
          je 00007FC6513F6AABh
          mov ecx, dword ptr [ebp+0Ch]
          cmp ecx, dword ptr [edx+0Ch]
          jc 00007FC6513F6A9Ch
          mov eax, dword ptr [edx+08h]
          add eax, dword ptr [edx+0Ch]
          cmp ecx, eax
          jc 00007FC6513F6A9Eh
          add edx, 28h
          cmp edx, esi
          jne 00007FC6513F6A7Ch
          xor eax, eax
          pop esi
          pop ebp
          ret
          mov eax, edx
          jmp 00007FC6513F6A8Bh
          push esi
          call 00007FC6513F7202h
          test eax, eax
          je 00007FC6513F6AB2h
          mov eax, dword ptr fs:[00000018h]
          mov esi, 0040A1DCh
          mov edx, dword ptr [eax+04h]
          jmp 00007FC6513F6A96h
          cmp edx, eax
          je 00007FC6513F6AA2h
          xor eax, eax
          mov ecx, edx
          lock cmpxchg dword ptr [esi], ecx
          test eax, eax
          jne 00007FC6513F6A82h
          xor al, al
          pop esi
          ret
          mov al, 01h
          pop esi
          ret
          push ebp
          mov ebp, esp
          cmp dword ptr [ebp+08h], 00000000h
          jne 00007FC6513F6A99h
          mov byte ptr [0040A1E0h], 00000001h
          call 00007FC6513F702Ah
          call 00007FC6513F6D33h
          test al, al
          jne 00007FC6513F6A96h
          xor al, al
          pop ebp
          ret
          call 00007FC6513F6D26h
          test al, al
          jne 00007FC6513F6A9Ch
          push 00000000h
          call 00007FC6513F6D1Bh
          pop ecx
          jmp 00007FC6513F6A7Bh
          mov al, 01h
          pop ebp
          ret
          push ebp
          mov ebp, esp
          sub esp, 0Ch
          cmp byte ptr [0040A1E1h], 00000000h
          je 00007FC6513F6A96h
          Programming Language:
          • [IMP] VS2008 SP1 build 30729
Data directories (Name / Virtual Address / Virtual Size / Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0      0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x49f4   0x140   .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb000   0x398   .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0      0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0      0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0      0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x4690   0x1c    .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0      0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0      0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0      0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x46b0   0x40    .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0      0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x4000   0x18c   .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0      0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0      0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0      0x0
Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics)
.text    0x1000   0x21b3   0x2200   880faa5accfa30133c22ebef5dab8443   False   0.5762867647058824     data                6.168271403256702     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata   0x4000   0x139a   0x1400   0a27d0f579334828451c614f9a2d0d6c   False   0.526171875            PPMN archive data   5.394686861242495     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0x6000   0x4544   0x4200   a5e7248887cdd81f22bf04ef68146290   False   0.006924715909090909   data                0.04815515724184405   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    0xb000   0x398    0x400    4eb1e799238d5b28878aa8383e4eb56c   False   0.4521484375           data                5.115018451058703     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

No section exceeds 7 bits of entropy and the relocation directory is empty (RELOCS_STRIPPED, fixed image base 0x400000), consistent with the "unpacked" in the file name: the code is a plain MSVC build, not a packed stub. The near-zero entropy of .data (0.048 bits over 0x4200 raw bytes, about half the file) is what pulls the whole-file entropy down to 3.56. The "PPMN archive data" file type reported for .rdata is a libmagic signature collision on ordinary read-only data, not an embedded archive.
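The entropy column in the section table and the Entropy (8bit) fields in the dropped-file entries above are Shannon entropy in bits per byte. The following is an added example, not part of the report, that reproduces the measure, checks it against the 26-byte Zone.Identifier stream the report prints for pressica.exe, parses that stream, and applies the usual packing rules of thumb to the per-section figures. ZONE_IDENTIFIER is reconstructed from the report's preview and size; SECTIONS copies the section table; the thresholds (7.0 bits, 0.5 bits, virtual size over twice raw size) are common analyst heuristics, not values from the report.

```python
"""Added example: Shannon entropy as Joe Sandbox reports it, a Mark-of-the-Web
parser for the Zone.Identifier stream, and section-level packing heuristics.
Inputs are reconstructed from the report; thresholds are rules of thumb."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the 256-symbol alphabet: 0.0 for empty input,
    8.0 for bytes drawn uniformly from 0..255."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# 14 + 2 + 8 + 2 bytes, matching the reported size (26) and entropy (3.95006...).
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\nZoneId=0\r\n"

URLZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
            3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(stream: bytes) -> dict:
    """Read ZoneId from a Zone.Identifier stream. SmartScreen and Office
    Protected View act on ZoneId 3 (Internet); ZoneId 0, as on the dropped
    copy here, or no stream at all means neither check fires."""
    fields, section = {}, None
    for line in stream.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = int(fields["ZoneId"]) if "ZoneId" in fields else -1
    return {"zone_id": zone, "zone": URLZONES.get(zone, "absent"),
            "motw_enforced": zone >= 3}


# (name, virtual size, raw size, entropy) copied from the report's section table.
SECTIONS = [
    (".text",  0x21b3, 0x2200, 6.168271403256702),
    (".rdata", 0x139a, 0x1400, 5.394686861242495),
    (".data",  0x4544, 0x4200, 0.04815515724184405),
    (".rsrc",  0x398,  0x400,  5.115018451058703),
]


def section_findings(sections) -> dict:
    """Per section: 'high-entropy' (> 7.0 bits: packed or encrypted payload),
    'vsize>>rawsize' (virtual size more than twice raw size: room for an
    unpacker to expand into), 'mostly-zero' (< 0.5 bits: zero padding)."""
    out = {}
    for name, vsize, rsize, ent in sections:
        flags = []
        if ent > 7.0:
            flags.append("high-entropy")
        if rsize and vsize > 2 * rsize:
            flags.append("vsize>>rawsize")
        if ent < 0.5:
            flags.append("mostly-zero")
        out[name] = flags
    return out


if __name__ == "__main__":
    print(f"Zone.Identifier entropy: {shannon_entropy(ZONE_IDENTIFIER):.14f}")
    print(parse_zone_identifier(ZONE_IDENTIFIER))
    print(section_findings(SECTIONS))
```

Run against a file on disk, `shannon_entropy(open(path, "rb").read())` gives the whole-file figure; for this sample the 0x4200 bytes of almost-all-zero .data are what drag 32 KB of otherwise ordinary compiled code down to the reported 3.56 bits, so the per-section view is the one worth reading.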
Resources (Name / RVA / Size / Type / Language / Country / ZLIB Complexity)
RT_MANIFEST   0xb060   0x336   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (762), with CRLF line terminators   English   United States   0.5048661800486618
Imports (DLL: imported functions)
KERNEL32.dll: CloseHandle, WaitForSingleObject, VerSetConditionMask, SetFileAttributesA, GetModuleFileNameA, LoadLibraryA, VerifyVersionInfoW, HeapFree, GetCurrentProcess, VirtualAllocEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, CreateProcessA, GetProcessHeap, HeapAlloc, GetProcAddress, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, QueryPerformanceCounter, TerminateProcess, GetModuleHandleA, ExitProcess, GetLastError, GetModuleHandleW, GetCurrentProcessId
USER32.dll: GetClipboardData, OpenClipboard, MessageBoxA, CloseClipboard
ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
SHELL32.dll: ShellExecuteA, SHGetKnownFolderPath
WS2_32.dll: recvfrom, sendto, socket, WSAStartup, WSACleanup, inet_ntop, htons, inet_addr
IPHLPAPI.DLL: GetAdaptersAddresses
CRYPT32.dll: CryptStringToBinaryA, CryptBinaryToStringA
VCRUNTIME140.dll: _except_handler4_common, memcpy, memset, strstr
api-ms-win-crt-string-l1-1-0.dll: strcpy, strcat, _strdup, strlen
api-ms-win-crt-heap-l1-1-0.dll: _set_new_mode, free, malloc
api-ms-win-crt-stdio-l1-1-0.dll: __stdio_common_vsprintf, __p__commode, _set_fmode
api-ms-win-crt-convert-l1-1-0.dll: wcstombs
api-ms-win-crt-runtime-l1-1-0.dll: _c_exit, _register_thread_local_exe_atexit_callback, __p___argc, _set_app_type, _seh_filter_exe, _exit, _cexit, _register_onexit_function, _crt_atexit, _controlfp_s, terminate, _initialize_onexit_table, _initterm, exit, _get_initial_narrow_environment, _initialize_narrow_environment, __p___argv, _configure_narrow_argv, _initterm_e
api-ms-win-crt-math-l1-1-0.dll: __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale

Several APIs that the execution graph below records the sample calling (CreateMutexA, RegCreateKeyExA, RegSetValueExA, WriteProcessMemory) are absent from this static table; the graph shows each of them obtained through GetModuleHandleA/GetProcAddress right after a call to the routine at 0x402450 that invokes CryptStringToBinaryA, which is the behaviour behind the "Contains functionality to dynamically determine API calls" signature. The static table still exposes the intent: VirtualAllocEx and CreateProcessA (injection into a new process), the datagram pair sendto/recvfrom with socket, inet_addr and htons (a UDP exchange; no name-resolution function such as getaddrinfo or gethostbyname is imported statically), the clipboard functions, and CryptStringToBinaryA/CryptBinaryToStringA (base64 or hex text conversion in both directions).

Language of compilation system: English; Country where language is spoken: United States
UDP packets (Timestamp / Source Port / Dest Port / Source IP / Dest IP)
Oct 26, 2024 14:00:05.269790888 CEST   62851   53      192.168.2.5   8.8.4.4
Oct 26, 2024 14:00:05.277434111 CEST   53      62851   8.8.4.4       192.168.2.5
Oct 26, 2024 14:00:20.559338093 CEST   56217   53      192.168.2.5   8.8.4.4
Oct 26, 2024 14:00:20.567835093 CEST   53      56217   8.8.4.4       192.168.2.5
Oct 26, 2024 14:00:28.250406981 CEST   56218   53      192.168.2.5   8.8.4.4
Oct 26, 2024 14:00:28.258223057 CEST   53      56218   8.8.4.4       192.168.2.5

DNS queries (Timestamp / Source IP / Dest IP / Trans ID / OP Code / Name / Type / Class / DNS over HTTPS)
Oct 26, 2024 14:00:05.269790888 CEST   192.168.2.5   8.8.4.4   0x17a0   Standard query (0)   S(]H7p#}ho:P4p__.str4ng3l.ov   A (IP address)   IN (0x0001)   false
Oct 26, 2024 14:00:20.559338093 CEST   192.168.2.5   8.8.4.4   0xabc    Standard query (0)   S(]H7p#}ho:P4p__.str4ng3l.ov   A (IP address)   IN (0x0001)   false
Oct 26, 2024 14:00:28.250406981 CEST   192.168.2.5   8.8.4.4   0x17e0   Standard query (0)   S(]H7p#}ho:P4p__.str4ng3l.ov   A (IP address)   IN (0x0001)   false

DNS answers (Timestamp / Source IP / Dest IP / Trans ID / Reply Code / Name / CName / Address / Type / Class / DNS over HTTPS)
Oct 26, 2024 14:00:05.277434111 CEST   8.8.4.4   192.168.2.5   0x17a0   Name error (3)   S(]H7p#}ho:P4p__.str4ng3l.ov   none   none   A (IP address)   IN (0x0001)   false
Oct 26, 2024 14:00:20.567835093 CEST   8.8.4.4   192.168.2.5   0xabc    Name error (3)   S(]H7p#}ho:P4p__.str4ng3l.ov   none   none   A (IP address)   IN (0x0001)   false
Oct 26, 2024 14:00:28.258223057 CEST   8.8.4.4   192.168.2.5   0x17e0   Name error (3)   S(]H7p#}ho:P4p__.str4ng3l.ov   none   none   A (IP address)   IN (0x0001)   false

The capture contains nothing but these three A lookups, one per top-level process in the behavior graph (the sample and the two pressica.exe runs), each answered with NXDOMAIN (reply code 3) by 8.8.4.4 within about 8 ms. No datagram to any other host appears, so the sendto/recvfrom path never carried data during this run.
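The contacted-domains table and the DNS tables above show the same thing twice: the one name this sample asks for is not a syntactically valid hostname, and every lookup ends in NXDOMAIN. The following is an added example, not part of the report, that checks a DNS log for both conditions at once, so that a dropper whose configuration is a placeholder or has been damaged still surfaces. DNS_LOG is constructed from the report's query and answer tables plus one benign control line; the one-message-per-line format is an assumption for the example, not a real resolver log format.

```python
"""Added example: flag DNS names that violate hostname syntax or that only ever
resolve to NXDOMAIN.  Log lines are constructed from the report's DNS tables
(timestamp, Q/R, transaction id, type, name[, rcode]); the format is assumed."""
import re
from collections import defaultdict

DNS_LOG = [
    "14:00:05.269790888 Q 0x17a0 A S(]H7p#}ho:P4p__.str4ng3l.ov",
    "14:00:05.277434111 R 0x17a0 A S(]H7p#}ho:P4p__.str4ng3l.ov NXDOMAIN",
    "14:00:20.559338093 Q 0xabc A S(]H7p#}ho:P4p__.str4ng3l.ov",
    "14:00:20.567835093 R 0xabc A S(]H7p#}ho:P4p__.str4ng3l.ov NXDOMAIN",
    "14:00:28.250406981 Q 0x17e0 A S(]H7p#}ho:P4p__.str4ng3l.ov",
    "14:00:28.258223057 R 0x17e0 A S(]H7p#}ho:P4p__.str4ng3l.ov NXDOMAIN",
    "14:00:30.000000000 Q 0x0001 A ctldl.windowsupdate.com",          # constructed control
    "14:00:30.010000000 R 0x0001 A ctldl.windowsupdate.com NOERROR",  # constructed control
]

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1..63 octets.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def invalid_labels(name: str) -> list:
    """Labels of `name` that cannot occur in a real hostname."""
    return [lab for lab in name.rstrip(".").split(".") if not LABEL.match(lab)]


def parse_line(line: str) -> dict:
    ts, kind, txid, qtype, name, *rest = line.split()
    return {"ts": ts, "kind": kind, "txid": txid, "qtype": qtype,
            "name": name, "rcode": rest[0] if rest else None}


def suspicious_names(lines) -> dict:
    """Names that are syntactically invalid or that only ever returned NXDOMAIN,
    with query and NXDOMAIN counts so retry behaviour is visible."""
    stats = defaultdict(lambda: {"queries": 0, "answers": 0, "nxdomain": 0})
    for rec in map(parse_line, lines):
        s = stats[rec["name"]]
        if rec["kind"] == "Q":
            s["queries"] += 1
        else:
            s["answers"] += 1
            if rec["rcode"] == "NXDOMAIN":
                s["nxdomain"] += 1
    flagged = {}
    for name, s in stats.items():
        bad = invalid_labels(name)
        only_nxdomain = s["answers"] > 0 and s["nxdomain"] == s["answers"]
        if bad or only_nxdomain:
            flagged[name] = {"invalid_labels": bad, "queries": s["queries"],
                             "nxdomain": s["nxdomain"], "only_nxdomain": only_nxdomain}
    return flagged


if __name__ == "__main__":
    for name, info in suspicious_names(DNS_LOG).items():
        print(name, info)
```

The syntax check catches the sample's name on the first query, before any answer arrives; the NXDOMAIN-only rule is the fallback for names that are well-formed but dead, which is the common case once a takedown has removed the real infrastructure.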


          Target ID:0
          Start time:07:59:59
          Start date:26/10/2024
          Path:C:\Users\user\Desktop\sample-20240612-unpacked.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\sample-20240612-unpacked.exe"
          Imagebase:0x400000
          File size:32'768 bytes
          MD5 hash:0A781B3F657871233E03D73DC32279E6
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2093297747.0000000000591000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2093297747.0000000000591000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:low
          Has exited:true
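The Windows_Trojan_Metasploit_a6e956c9 rule listed for this process matches the API-lookup routine (block_api) of Metasploit's x86 shellcode, which finds exports by a ROR-13 hash rather than by name: the hash is ROR-13 over the module name (upper-cased, UTF-16LE, terminating NUL included) added to ROR-13 over the export name (ASCII, terminating NUL included). The following is an added example, not code from the report, from the sample or from the Metasploit project, that re-implements that hash so the push imm32 constants in a dumped payload can be turned back into API names. API_CANDIDATES is a small table built for the example and SAMPLE_STUB is a hand-assembled stub, not bytes from the analysed sample; the expected values in the test are the published Metasploit constants.

```python
"""Added example: Metasploit block_api ROR-13 hashing and a scanner that maps
'push imm32' constants in shellcode back to module!export names.  API table and
stub bytes are constructed for the example, not taken from the sample."""

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def block_api_hash(module: str, export: str) -> int:
    """Hash of module!export as computed by Metasploit's block_api routine."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):  # NUL included, as in the stub
        h_mod = (ror32(h_mod, 13) + b) & MASK32
    h_exp = 0
    for b in (export + "\x00").encode("ascii"):
        h_exp = (ror32(h_exp, 13) + b) & MASK32
    return (h_mod + h_exp) & MASK32


# Exports commonly pushed by Metasploit stagers; extend for other payload families.
API_CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "CreateProcessA"), ("kernel32.dll", "WaitForSingleObject"),
    ("kernel32.dll", "ExitProcess"), ("kernel32.dll", "WinExec"),
    ("kernel32.dll", "ExitThread"),
    ("ws2_32.dll", "WSAStartup"), ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"), ("ws2_32.dll", "recv"), ("ws2_32.dll", "closesocket"),
]


def build_hash_table(candidates=API_CANDIDATES) -> dict:
    """Map hash -> 'module!export' for every candidate pair."""
    return {block_api_hash(m, e): f"{m}!{e}" for m, e in candidates}


def resolve_pushed_hashes(blob: bytes, table=None) -> list:
    """Scan shellcode for 'push imm32' (opcode 0x68) whose immediate is a known
    hash.  Returns (offset, hash, 'module!export') tuples in order of appearance."""
    table = table if table is not None else build_hash_table()
    hits = []
    for i in range(len(blob) - 4):
        if blob[i] == 0x68:
            imm = int.from_bytes(blob[i + 1:i + 5], "little")
            if imm in table:
                hits.append((i, imm, table[imm]))
    return hits


# Constructed stub, not bytes from the sample: two 'push hash ; call ebp'
# sequences (68 imm32 ; FF D5) in the form Metasploit stagers emit them.
SAMPLE_STUB = (b"\x68" + (0x0726774C).to_bytes(4, "little") + b"\xff\xd5"
               + b"\x68" + (0x56A2B5F0).to_bytes(4, "little") + b"\xff\xd5")


if __name__ == "__main__":
    for off, h, name in resolve_pushed_hashes(SAMPLE_STUB):
        print(f"+{off:#06x}  {h:#010x}  {name}")
```

Point `resolve_pushed_hashes` at the memory region the Yara rule matched (the .sdmp source named above) and the sequence of resolved names reads as the payload's API call order; a push whose immediate is not in the table is either an unlisted export or ordinary data, and the candidate list is the only thing that needs extending.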

          Target ID:1
          Start time:07:59:59
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:3
          Start time:08:00:04
          Start date:26/10/2024
          Path:C:\Windows\SysWOW64\xcopy.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*"
          Imagebase:0x670000
          File size:43'520 bytes
          MD5 hash:7E9B7CE496D09F70C072930940F9F02C
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:true

          Target ID:4
          Start time:08:00:04
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:5
          Start time:08:00:04
          Start date:26/10/2024
          Path:C:\Windows\SysWOW64\mspaint.exe
          Wow64 process (32bit):
          Commandline:mspaint.exe
          Imagebase:
          File size:743'424 bytes
          MD5 hash:986A191E95952C9E3FE6BE112FB92026
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:false

          Target ID:7
          Start time:08:00:16
          Start date:26/10/2024
          Path:C:\Users\user\Pictures\pressica.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Pictures\pressica.exe"
          Imagebase:0x400000
          File size:32'768 bytes
          MD5 hash:0A781B3F657871233E03D73DC32279E6
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 50%, ReversingLabs
          Reputation:low
          Has exited:true

          Target ID:8
          Start time:08:00:16
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:9
          Start time:08:00:19
          Start date:26/10/2024
          Path:C:\Windows\SysWOW64\mspaint.exe
          Wow64 process (32bit):
          Commandline:mspaint.exe
          Imagebase:
          File size:743'424 bytes
          MD5 hash:986A191E95952C9E3FE6BE112FB92026
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:false

          Target ID:10
          Start time:08:00:24
          Start date:26/10/2024
          Path:C:\Users\user\Pictures\pressica.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Pictures\pressica.exe"
          Imagebase:0x400000
          File size:32'768 bytes
          MD5 hash:0A781B3F657871233E03D73DC32279E6
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:low
          Has exited:true

          Target ID:11
          Start time:08:00:24
          Start date:26/10/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6d64d0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:12
          Start time:08:00:27
          Start date:26/10/2024
          Path:C:\Windows\SysWOW64\mspaint.exe
          Wow64 process (32bit):
          Commandline:mspaint.exe
          Imagebase:
          File size:743'424 bytes
          MD5 hash:986A191E95952C9E3FE6BE112FB92026
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_a6e956c9, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          Reputation:moderate
          Has exited:false


Execution Graph

Execution Coverage: 49.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.7%
Total number of Nodes: 221
Total number of Limit Nodes: 3

The rendered graph does not survive text extraction. What its node list records, grouped by function start address (API names are those printed on the nodes, in the edge order of the dump):

- 0x402672 (CRT entry, __scrt_common_main_seh): _initterm_e, _initterm, __p___argv, __p___argc, _get_initial_narrow_environment, then the call into 0x401df0.
- 0x401df0 (main path): calls 0x401860, which after 0x402450 performs GetModuleHandleA, GetProcAddress, CreateMutexA, GetLastError and either calls ExitProcess (0x4018b4) or returns; back in 0x401df0 the flow either exits (0x401e5a, ExitProcess; the "may stop execution after checking mutex" signature) or continues with WaitForSingleObject (0x401e0b), then 0x4018d0: RegOpenKeyExA, RegQueryValueExA, RegCloseKey, with a MessageBoxA branch (0x40193b) that rejoins at 0x401954; then 0x402450, GetModuleHandleA, GetProcAddress (0x401e35) and on to 0x402010.
- 0x402450 / 0x4024d0 (string decoder): strlen, _strdup, CryptStringToBinaryA twice, free. It runs before the CreateMutexA call, before the RegCreateKeyExA/RegSetValueExA writes and before every GetModuleHandleA/GetProcAddress pair, consistent with module, export and registry strings being stored as encoded text (CryptStringToBinaryA decodes base64 or hex) and decoded right before use.
- 0x402010 (self-copy and persistence): GetModuleFileNameA; strstr (0x402230); 0x402130/0x402150: memset, VerSetConditionMask three times, VerifyVersionInfoW; SHGetKnownFolderPath, wcstombs (0x40204f); sprintf via 0x401820; ShellExecuteA, SetFileAttributesA (0x4020ed, the xcopy launch seen in the process tree); 0x401ea0: 0x402450, LoadLibraryA, GetProcAddress, RegCreateKeyExA, GetProcAddress, 0x402450, strlen, RegSetValueExA (the RunOnce value).
- 0x401cf0 / 0x401c60 / 0x401960 (injection): GetProcessHeap, HeapAlloc, memcpy; memset, CreateProcessA (0x401d33; the "Creates a process in suspended mode" signature); 0x401960 resolves nine further APIs through nine GetModuleHandleA/GetProcAddress pairs (0x4019c5 through 0x401c25), each preceded by 0x402450; then VirtualAllocEx, WriteProcessMemory (0x401c6b).
- 0x401580 (clipboard and network, entered after the injection routine returns at 0x401cbf): WSAStartup (0x401000, WSACleanup on failure); OpenClipboard, then GetClipboardData, CloseClipboard; _strdup, strlen; 0x401280: sprintf, strlen, CryptBinaryToStringA, sprintf (0x4014f0); 0x401608 (7 API calls); strcat loop (0x401070); strlen, sendto (0x4016f5); recvfrom (0x401736); strlen; CloseHandle (0x401599), then back to the CRT exit path (0x40276c: GetModuleHandleW, then exit or _cexit).
- 0x402250 (reached from 0x402420): GetProcessHeap, HeapAlloc, GetAdaptersAddresses (exit on allocation failure), HeapFree, inet_ntop, strcpy, sprintf (adapter enumeration).
- Remaining nodes are CRT startup and teardown: 0x4025ad (_set_app_type, _set_fmode, __p__commode, _configure_narrow_argv, InitializeSListHead, __setusermatherr, _controlfp_s, _configthreadlocale, _initialize_narrow_environment), 0x4027f4 (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter: security cookie initialisation), 0x402b8c (IsProcessorFeaturePresent, memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter: __scrt_fastfail), 0x402ffa/0x402fd2 (SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess), 0x402cfa (terminate), 0x402dfb (_except_handler4_common), 0x4027ad (GetModuleHandleW, _c_exit, _exit), 0x402660 (SetUnhandledExceptionFilter, _set_new_mode), 0x401120 (malloc, strlen), 0x40192b (MessageBoxA).

            Callgraph

            • Executed
            • Not Executed
            • Opacity -> Relevance
            • Disassembly available

            Control-flow Graph

            APIs
              • Part of subcall function 00401000: WSAStartup.WS2_32(?,?), ref: 0040101E
            • OpenClipboard.USER32(00000000), ref: 004015A0
            • GetClipboardData.USER32(00000001), ref: 004015AC
            • CloseClipboard.USER32 ref: 004015B5
            • _strdup.API-MS-WIN-CRT-STRING-L1-1-0(none-found), ref: 004015C6
            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 004015DE
            • _fwprintf.LIBCONCRTD ref: 00401603
            • socket.WS2_32(00000002,00000002,00000011), ref: 00401623
            • htons.WS2_32(00000035), ref: 00401637
            • inet_addr.WS2_32(8.8.4.4), ref: 00401646
            • htons.WS2_32(00000001), ref: 0040165A
            • memset.VCRUNTIME140(00000000,0000000C,00000000), ref: 0040166C
            • GetCurrentProcessId.KERNEL32 ref: 00401674
            • htons.WS2_32(00000000), ref: 0040167B
            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 004016CA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: Clipboardhtons$strlen$CloseCurrentDataOpenProcessStartup_fwprintf_strdupinet_addrmemsetsocket
            • String ID: %s.str4ng3l.ov$8.8.4.4$none-found
            • API String ID: 2000981365-3607574045
            • Opcode ID: eb56a7ec2e373c3d97ff8ae132adfaf26211d7365408f8d15ea60574dd93959f
            • Instruction ID: 1c81fc003f21d9003d6b0755760c0b5893c700c3e49a6ba2a16b9424b610dee6
            • Opcode Fuzzy Hash: eb56a7ec2e373c3d97ff8ae132adfaf26211d7365408f8d15ea60574dd93959f
            • Instruction Fuzzy Hash: 145150B5D00205ABCB00DBE0DC46BEEB774BF98304F10857AF605BB3D1E6B85A448B59

            Control-flow Graph

            APIs
              • Part of subcall function 00402450: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000040), ref: 0040245A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
              • Part of subcall function 00402450: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00401F7E
            • GetProcAddress.KERNEL32(?,RegCreateKeyExA), ref: 00401F8F
            • RegCreateKeyExA.KERNELBASE(80000001,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00401FB5
            • GetProcAddress.KERNEL32(?,RegSetValueExA), ref: 00401FC0
            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00404598), ref: 00401FE0
            • RegSetValueExA.KERNELBASE(?,VirtualBox Guest Additions Manager,00000000,00000001,00404598,00000000), ref: 00401FFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: AddressBinaryCryptProcStringstrlen$CreateLibraryLoadValuefree
            • String ID: RegCreateKeyExA$RegSetValueExA$Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce$VirtualBox Guest Additions Manager$advapi32.dll$E@
            • API String ID: 1940006588-3047555729
            • Opcode ID: 8a7f5cb782defaf38c33c433ebfbaa240f438dd25e7dc5da04f53e923f325b97
            • Instruction ID: 200ae719776af242690ab4aa0805dff1e03ad15c39d9fc42218c0088994233b2
            • Opcode Fuzzy Hash: 8a7f5cb782defaf38c33c433ebfbaa240f438dd25e7dc5da04f53e923f325b97
            • Instruction Fuzzy Hash: 2351D060D483C8E9EB12C7A8D849BDDBFB55F16708F184098E6843A2C2C6FE5558C77A

            Control-flow Graph

            APIs
            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00401CFD
            • HeapAlloc.KERNEL32(00000000), ref: 00401D04
            • memcpy.VCRUNTIME140(?,004042F8,0000014A), ref: 00401D22
            • memset.VCRUNTIME140(?,00000000,00000044), ref: 00401D8E
            • CreateProcessA.KERNELBASE(00000000,mspaint.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00401DC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: HeapProcess$AllocCreatememcpymemset
            • String ID: mspaint.exe
            • API String ID: 2943094347-4111900996
            • Opcode ID: 7f0d24b6ed000782dd19411b5a1524e3348bc89ebe63c12fa413385846a4e432
            • Instruction ID: 796acfbc54956ddbaa5ab302f9b6bc5e8c0facad5ae133ab4fbef51741e684b8
            • Opcode Fuzzy Hash: 7f0d24b6ed000782dd19411b5a1524e3348bc89ebe63c12fa413385846a4e432
            • Instruction Fuzzy Hash: F73141B0E40308EFDB04DFA4CD46BADBBB5AF84704F2040A9E605BB2C1D6B95A41CB59

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
              • Part of subcall function 00401960: GetModuleHandleA.KERNEL32(?,?), ref: 004019DC
              • Part of subcall function 00401960: GetProcAddress.KERNEL32(00000000), ref: 004019E3
              • Part of subcall function 00401960: GetModuleHandleA.KERNEL32(?,?), ref: 00401A28
              • Part of subcall function 00401960: GetProcAddress.KERNEL32(00000000), ref: 00401A2F
              • Part of subcall function 00401960: GetModuleHandleA.KERNEL32(?,?), ref: 00401A74
              • Part of subcall function 00401960: GetProcAddress.KERNEL32(00000000), ref: 00401A7B
            • VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040), ref: 00401C9D
            • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 00401CB8
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: AddressHandleModuleProc$AllocMemoryProcessVirtualWrite
            • String ID:
            • API String ID: 2210121904-0
            • Opcode ID: 51e4183b2145bcb5d91174e005a31e457aa2573a06920961aa21320a3e465d99
            • Instruction ID: 09b69f5ba5c78ad979e0241707377fcd12f5f09ae4e0cf85786f600d02c5112e
            • Opcode Fuzzy Hash: 51e4183b2145bcb5d91174e005a31e457aa2573a06920961aa21320a3e465d99
            • Instruction Fuzzy Hash: 4A115BB5600208BBEB04DF94C855FAE77B9EB88700F048169FA08AB3D0D674DA00CB99

            Control-flow Graph

            APIs
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402027
              • Part of subcall function 00402230: strstr.VCRUNTIME140(?,> @,?,0040203E,?,pressica), ref: 0040223B
            • SHGetKnownFolderPath.SHELL32(?,00000000,00000000,?), ref: 00402092
            • wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000104,?,00000000,00000000,?), ref: 004020AA
            • _fwprintf.LIBCONCRTD ref: 004020C6
            • _fwprintf.LIBCONCRTD ref: 004020E8
            • ShellExecuteA.SHELL32(00000000,open,xcopy,?,00000000,00000006), ref: 00402107
            • SetFileAttributesA.KERNELBASE(?,00000007), ref: 00402116
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: File_fwprintf$AttributesExecuteFolderKnownModuleNamePathShellstrstrwcstombs
            • String ID: %s\pressica.exe$/f /y "%s" "%s*"$dF@$open$pressica$xcopy
            • API String ID: 2111494811-197669631
            • Opcode ID: 1757b982fa089392bf5f118aa6db93af42186ebb5022e7ccb81df2fcd7739adb
            • Instruction ID: 0b0c04f054531d5838bd78e44578d8c1b27464883403b62d052641579363b7ff
            • Opcode Fuzzy Hash: 1757b982fa089392bf5f118aa6db93af42186ebb5022e7ccb81df2fcd7739adb
            • Instruction Fuzzy Hash: AD3166F1D00208ABDB10DB90DD45FEE7778AB48704F1085AAF708B61D1E7B9AB45CB99

            Control-flow Graph

            APIs
              • Part of subcall function 00401860: GetModuleHandleA.KERNEL32(kernel32.dll,?), ref: 00401888
              • Part of subcall function 00401860: GetProcAddress.KERNEL32(00000000), ref: 0040188F
              • Part of subcall function 00401860: CreateMutexA.KERNELBASE(00000000,00000000,00406000), ref: 004018A1
              • Part of subcall function 00401860: GetLastError.KERNEL32 ref: 004018A7
              • Part of subcall function 00401860: ExitProcess.KERNEL32 ref: 004018B6
            • WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 00401E11
              • Part of subcall function 004018D0: RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Notepad,00000000,00020019,?), ref: 004018EB
              • Part of subcall function 004018D0: RegQueryValueExA.ADVAPI32(?,SymbolicKuriza,00000000,?,?,00000004), ref: 00401913
              • Part of subcall function 004018D0: MessageBoxA.USER32(00000000,004042BC,A PLANETARY CRASH OCCURRED,00000010), ref: 00401949
              • Part of subcall function 00402450: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000040), ref: 0040245A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
              • Part of subcall function 00402450: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            • GetModuleHandleA.KERNEL32(kernel32.dll,?), ref: 00401E41
            • GetProcAddress.KERNEL32(00000000), ref: 00401E48
            • ExitProcess.KERNEL32 ref: 00401E5C
            • CloseHandle.KERNELBASE(000000FF), ref: 00401E85
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: Handle$AddressBinaryCryptExitModuleProcProcessString$CloseCreateErrorLastMessageMutexObjectOpenQuerySingleValueWaitfreestrlen
            • String ID: kernel32.dll$pE@
            • API String ID: 531105469-1479712415
            • Opcode ID: fc2790c8cca93ee3f0aa94e1f9630981776b881151abace160e9d655bb5bd8ef
            • Instruction ID: be50e093aebf102d3a884409ee660d86585cca1e1a1aa734280ce22902ef2981
            • Opcode Fuzzy Hash: fc2790c8cca93ee3f0aa94e1f9630981776b881151abace160e9d655bb5bd8ef
            • Instruction Fuzzy Hash: BF115EB1C00208EBCB00EFF4DE09AAE77B8AB44315F104679FB15B61E1D7B846448B99

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
            • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Notepad,00000000,00020019,?), ref: 004018EB
            • RegQueryValueExA.ADVAPI32(?,SymbolicKuriza,00000000,?,?,00000004), ref: 00401913
            • RegCloseKey.ADVAPI32(?), ref: 00401931
            • MessageBoxA.USER32(00000000,004042BC,A PLANETARY CRASH OCCURRED,00000010), ref: 00401949
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: CloseMessageOpenQueryValue
            • String ID: A PLANETARY CRASH OCCURRED$Software\Microsoft\Notepad$SymbolicKuriza
            • API String ID: 3230402025-460206704
            • Opcode ID: 4405efb58e1f226a1f28677c1173a715a00bef615cf651f634922d8d7907816e
            • Instruction ID: d98d3d3d05217db93c2a751f322fe3da004ff4d1560c8446da0a25170dde1759
            • Opcode Fuzzy Hash: 4405efb58e1f226a1f28677c1173a715a00bef615cf651f634922d8d7907816e
            • Instruction Fuzzy Hash: D1014FF5B40208BBEB10DBD09D55FAE77B8AB44B08F1045BAFB02B61D0D2B85A44DB59

            Control-flow Graph

            APIs
              • Part of subcall function 00402450: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000040), ref: 0040245A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
              • Part of subcall function 00402450: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            • GetModuleHandleA.KERNEL32(kernel32.dll,?), ref: 00401888
            • GetProcAddress.KERNEL32(00000000), ref: 0040188F
            • CreateMutexA.KERNELBASE(00000000,00000000,00406000), ref: 004018A1
            • GetLastError.KERNEL32 ref: 004018A7
            • ExitProcess.KERNEL32 ref: 004018B6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: BinaryCryptString$AddressCreateErrorExitHandleLastModuleMutexProcProcessfreestrlen
            • String ID: PB@$kernel32.dll
            • API String ID: 1934550070-1708312098
            • Opcode ID: c07ef5bd6689a8a528c9e70477044eb04c9e2e7b3c5f446b37cddfae9adb379a
            • Instruction ID: 669e2303d3973f65e162ef5743e714aa6bc30ec1011120787717f9b88450d532
            • Opcode Fuzzy Hash: c07ef5bd6689a8a528c9e70477044eb04c9e2e7b3c5f446b37cddfae9adb379a
            • Instruction Fuzzy Hash: 3BF030B5D40308ABDB00FBE0AE49B5D7B78EB84701F108069FF45F62C1E7B456048B59

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
            • MessageBoxA.USER32(00000000,004042BC,A PLANETARY CRASH OCCURRED,00000010), ref: 00401949
            Strings
            • A PLANETARY CRASH OCCURRED, xrefs: 0040193D
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: Message
            • String ID: A PLANETARY CRASH OCCURRED
            • API String ID: 2030045667-2055004300
            • Opcode ID: af7cc8ee93d73c50879489ada7bfb7d18cc0382d562da4ac0826856e0066e744
            • Instruction ID: c2efebe2c81e7fa1e788115d848d9b68e55f17e073cf02b02e4ca2a00a4aa88f
            • Opcode Fuzzy Hash: af7cc8ee93d73c50879489ada7bfb7d18cc0382d562da4ac0826856e0066e744
            • Instruction Fuzzy Hash: B0C092B03C82087BE1101A81AC17B6076508784F46F2005FFBF0AB92E295FF2870519E

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: CleanupStartup
            • String ID:
            • API String ID: 915672949-0
            • Opcode ID: 8a12681aa40c1235f46164687111d45405783a7ff23716213953e9d1018d8997
            • Instruction ID: d6d0ac8f56efb8b1936121e8681ee368fe6fefc78c9a698b733bc57127530eb9
            • Opcode Fuzzy Hash: 8a12681aa40c1235f46164687111d45405783a7ff23716213953e9d1018d8997
            • Instruction Fuzzy Hash: DFF0E2744042A8E2DB209B658D166FA73A99F41701F0080B6E689BAAD1D53D49CAF738

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
              • Part of subcall function 00402CAB: GetModuleHandleW.KERNEL32(00000000,00402776), ref: 00402CAD
            • _c_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004027BF
            • _exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000007,004049B8,00000014), ref: 004027EE
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: HandleModule_c_exit_exit
            • String ID:
            • API String ID: 750871209-0
            • Opcode ID: 82fbd4238e8361e83298ee6b9891a99185d4f3ca960daa7bd796523b232392b2
            • Instruction ID: c3fd705a7179785db2234165942c491110a1834d125afe461d4e34ecd3656e04
            • Opcode Fuzzy Hash: 82fbd4238e8361e83298ee6b9891a99185d4f3ca960daa7bd796523b232392b2
            • Instruction Fuzzy Hash: 87E04636A042499FDF24AB98D9067EDBB71AB4836DF10057BE921372E1C77919008A68

            Control-flow Graph

            • Executed
            • Not Executed
            APIs
            • _fwprintf.LIBCONCRTD ref: 00401296
              • Part of subcall function 00401820: _fread.LIBCMTD ref: 0040183A
            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 004012B1
            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,40000001,?,00002000), ref: 004012F0
            • CryptBinaryToStringA.CRYPT32(?,00000000,00002000), ref: 00401300
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: strlen$BinaryCryptString_fread_fwprintf
            • String ID: 12345
            • API String ID: 1673313646-3421846044
            • Opcode ID: 48ae50794edba505917c658fa9e8973ec0995a3dd87b5b287c2cce179089f69d
            • Instruction ID: fe676a3341625b72832572ae7441fe0738a427ecb38ca2ba08709ecd35e1c63b
            • Opcode Fuzzy Hash: 48ae50794edba505917c658fa9e8973ec0995a3dd87b5b287c2cce179089f69d
            • Instruction Fuzzy Hash: 041173BAD00108B7DB15DB91DC52DDF737C9B98304F0086BAF605B6191FA78AB048BA5
            APIs
            • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000040), ref: 0040245A
              • Part of subcall function 004024D0: _strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,00402472,?,?,?,?,00000040), ref: 004024DA
            • CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
            • CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: BinaryCryptString$_strdupfreestrlen
            • String ID:
            • API String ID: 3935018635-0
            • Opcode ID: c9de511b8970b722d39bb4fb153f7bf62d743a3a7ad644a1447610fdae834917
            • Instruction ID: e5c2183285be56b41c4785deced1c7c39a64db2bbe833c67ee48bc07c55a1278
            • Opcode Fuzzy Hash: c9de511b8970b722d39bb4fb153f7bf62d743a3a7ad644a1447610fdae834917
            • Instruction Fuzzy Hash: 9C0125B5A50308BBEB10DF94DD46F9E7779AB44700F104564FB04AB2C0D671AA54C7A5
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_00002CFA,00402665), ref: 00402CF3
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 4624fdc9bf38d70b079e48dd4a0717aae957004d099a57db058a4038ee2f2183
            • Instruction ID: 7b3a7fbd28eeb06f38601b15cc9528321e579126e4b0af8758f223b2c6d07d70
            • Opcode Fuzzy Hash: 4624fdc9bf38d70b079e48dd4a0717aae957004d099a57db058a4038ee2f2183
            • Instruction Fuzzy Hash:

            Control-flow Graph

            APIs
            • GetModuleHandleA.KERNEL32(?,?), ref: 004019DC
            • GetProcAddress.KERNEL32(00000000), ref: 004019E3
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401A28
            • GetProcAddress.KERNEL32(00000000), ref: 00401A2F
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401A74
            • GetProcAddress.KERNEL32(00000000), ref: 00401A7B
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401AC0
            • GetProcAddress.KERNEL32(00000000), ref: 00401AC7
              • Part of subcall function 00402450: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000040), ref: 0040245A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,00000000,?,00000000,00000000), ref: 0040248A
              • Part of subcall function 00402450: CryptStringToBinaryA.CRYPT32(00000040,00000000,00000001,?,?,00000000,00000000), ref: 004024A4
              • Part of subcall function 00402450: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000040,?,?,?,?,00000040), ref: 004024B7
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401B0C
            • GetProcAddress.KERNEL32(00000000), ref: 00401B13
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401B58
            • GetProcAddress.KERNEL32(00000000), ref: 00401B5F
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401BA4
            • GetProcAddress.KERNEL32(00000000), ref: 00401BAB
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401BF0
            • GetProcAddress.KERNEL32(00000000), ref: 00401BF7
            • GetModuleHandleA.KERNEL32(?,?), ref: 00401C3C
            • GetProcAddress.KERNEL32(00000000), ref: 00401C43
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: AddressHandleModuleProc$BinaryCryptString$freestrlen
            • String ID:
            • API String ID: 381363526-0
            • Opcode ID: f9e9ce23ecb477a9bd318799b4bdaffa6956efc943755a2bb846985e15b82871
            • Instruction ID: 4550be7fb57ab333a49d72e2806c53260d2aaa3ffafb7322355188c24874c5b9
            • Opcode Fuzzy Hash: f9e9ce23ecb477a9bd318799b4bdaffa6956efc943755a2bb846985e15b82871
            • Instruction Fuzzy Hash: BDA1ECB5D00208EFDB04DFA8D999B9DBBB9EF88304F108568E605F7291E774AA05CB54
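
            The API-resolution routine above (GetModuleHandleA/GetProcAddress pairs at 004019DC through 00401C43) calls function 00402450 between resolutions, and the trace shows that helper invoking CryptStringToBinaryA with dwFlags = 00000001 (CRYPT_STRING_BASE64) twice: once with pbBinary = NULL to obtain the decoded length, then again into the allocated buffer, followed by free. The report does not show where the resolved names are stored, but the sequence is consistent with DLL and export names kept Base64-encoded so they appear neither in the import table nor in a plain strings dump. The Python script below is an added triage example and is not code from the report, from Joe Sandbox, or from the sample: it replays the same decode step over a blob and flags tokens that decode to names on a watch-list. The watch-lists and the input blob are constructed for the demonstration; the sample's real encoded strings are not reproduced here.

```python
"""Base64-encoded API/DLL name finder (added example; not from the report or the sample).

Replays the decode step the sandbox attributes to function 00402450
(CryptStringToBinaryA with dwFlags = CRYPT_STRING_BASE64) over a byte blob
and checks whether the decoded text is a Windows module or export name.
The watch-lists are an assumption and SAMPLE_BLOB is CONSTRUCTED input.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Watch-lists (assumption): a short set of names worth flagging; extend for real triage
# with the exports the sandbox signatures point at.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "ws2_32.dll", "crypt32.dll",
              "iphlpapi.dll", "advapi32.dll"}
KNOWN_APIS = {
    "GetProcAddress", "GetModuleHandleA", "CryptStringToBinaryA",
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "CreateProcessA", "GetAdaptersAddresses", "SetUnhandledExceptionFilter",
}

# Runs of Base64 alphabet characters with optional '=' padding.  A minimum of four
# keeps short names reachable; the watch-list filter absorbs the extra false positives.
BASE64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")


def decode_base64_token(token: bytes) -> Optional[bytes]:
    """Strictly decode one token, tolerating missing '=' padding; None if not Base64."""
    padded = token + b"=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_name(data: bytes) -> bool:
    """Plausible DLL/API names are short printable ASCII; anything else is noise."""
    return 1 <= len(data) <= 64 and all(0x20 <= b < 0x7F for b in data)


def find_encoded_names(blob: bytes) -> List[Dict]:
    """Return every token that decodes to printable text, flagging watch-list hits.

    Each hit records the file offset, the raw token, the decoded name and whether it
    matched KNOWN_DLLS (case-insensitive) or KNOWN_APIS (exact, exports are case-sensitive).
    """
    hits: List[Dict] = []
    for m in BASE64_TOKEN.finditer(blob):
        decoded = decode_base64_token(m.group(0))
        if decoded is None or not looks_like_name(decoded):
            continue
        name = decoded.decode("ascii")
        known = name.lower() in KNOWN_DLLS or name in KNOWN_APIS
        hits.append({"offset": m.start(), "token": m.group(0).decode("ascii"),
                     "decoded": name, "known": known})
    return hits


# CONSTRUCTED input: NUL-separated strings as they might sit in a .rdata section.
# "MTIzNDU=" decodes to "12345" and stands in for a decoded-but-unknown string.
SAMPLE_BLOB = (
    b"\x00" * 4
    + base64.b64encode(b"kernel32.dll") + b"\x00"
    + base64.b64encode(b"VirtualAllocEx") + b"\x00"
    + b"plain ASCII text that is not base64 at all\x00"
    + base64.b64encode(b"crypt32.dll") + b"\x00"
    + base64.b64encode(b"CryptStringToBinaryA") + b"\x00"
    + b"MTIzNDU=\x00"
)

if __name__ == "__main__":
    for h in find_encoded_names(SAMPLE_BLOB):
        flag = "WATCH-LIST" if h["known"] else "decoded"
        print(f"{h['offset']:#06x} {flag:10} {h['token']:<32} -> {h['decoded']}")
```

            For real triage, feed the unpacked sample's data sections to find_encoded_names and treat the offsets of watch-list hits as the cross-references to chase back to the resolver; a decoded string that is printable but not on the list (like the constructed "12345") is still worth a look, since the report shows a "12345" string referenced next to the decoder.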

            Control-flow Graph

            Basic blocks (node: address range, API calls; successors):
            • 187: 402250-4022ad; → 188
            • 188: 4022b4-4022ce, GetProcessHeap HeapAlloc; → 189, 190
            • 189: 4022d0-4022d2, exit; → 190
            • 190: 4022d8-4022f6, GetAdaptersAddresses; → 191, 192
            • 191: 402314; → 194
            • 192: 4022f8-402323, GetProcessHeap HeapFree; → 194, 195
            • 194: 40232b-40232f; → 196, 197
            • 195: 402325-402329; → 188, 194
            • 196: 402335-402338; → 199
            • 197: 4023c9-4023da, strcpy; → 198
            • 198: 4023dd-402414, GetProcessHeap HeapFree, call 401820
            • 199: 40233b-40233f; → 197, 201
            • 201: 402345-402352; → 203, 204
            • 203: 402354-40235b; → 205
            • 204: 4023bb-4023c4; → 199
            • 205: 402366-40236a; → 204, 206
            • 206: 40236c-402378; → 207, 208
            • 207: 4023b0-4023b9; → 205
            • 208: 40237a-4023ac, inet_ntop strcpy; → 198
            APIs
            • GetProcessHeap.KERNEL32(00000000,00003A98), ref: 004022BA
            • HeapAlloc.KERNEL32(00000000), ref: 004022C1
            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000001), ref: 004022D2
            • GetAdaptersAddresses.IPHLPAPI(00000002,00000010,00000000,00000000,00003A98), ref: 004022EA
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004022FE
            • HeapFree.KERNEL32(00000000), ref: 00402305
            • inet_ntop.WS2_32(00000002,?,?,00000064), ref: 00402397
            • strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 004023A4
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004023E3
            • HeapFree.KERNEL32(00000000), ref: 004023EA
            • _fwprintf.LIBCONCRTD ref: 00402400
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: Heap$Process$Free$AdaptersAddressesAlloc_fwprintfexitinet_ntopstrcpy
            • String ID: 0.0.0.0$d$o
            • API String ID: 2270386545-2822489677
            • Opcode ID: 76410c49e516318949d708376e42d06478d44f16ed5c20773a29492f0188022a
            • Instruction ID: c3e7275d39989bb3dc813cb4a503f84ba46128ba8244ca674528b176bfbf346c
            • Opcode Fuzzy Hash: 76410c49e516318949d708376e42d06478d44f16ed5c20773a29492f0188022a
            • Instruction Fuzzy Hash: 4851F7B1D00209EBDB04DFE4D949BEEBBB4FB44304F108569E6057B280D7B95A85CFA5
            APIs
            • memset.VCRUNTIME140(?,00000000,00000100), ref: 00402199
            • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 004021C2
            • VerSetConditionMask.KERNEL32(00000000), ref: 004021CA
            • VerSetConditionMask.KERNEL32(00000000), ref: 004021D2
            • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000,?), ref: 0040220B
            Memory Dump Source
            • Source File: 00000000.00000002.2093130989.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2093119116.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093145022.0000000000404000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093157776.000000000040A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2093168653.000000000040B000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_sample-20240612-unpacked.jbxd
            Similarity
            • API ID: ConditionMask$InfoVerifyVersionmemset
            • String ID:
            • API String ID: 375572348-0
            • Opcode ID: 69253ae718b90deda0e76316189793a22e8b5579226ca5095490ee7f94383c5d
            • Instruction ID: e5c2bfe32ea68744dc9bbdcd428afb0c47dd67ce15f24e361d93a7a02ca45b0a
            • Opcode Fuzzy Hash: 69253ae718b90deda0e76316189793a22e8b5579226ca5095490ee7f94383c5d
            • Instruction Fuzzy Hash: F021E2B4D44318ABEB14DFA1DD19BEEB7B8AF48701F108099F644B72C0D7B44B548B59