Windows Analysis Report
rPO49120.scr.exe

Overview

General Information

Sample name: rPO49120.scr.exe
Analysis ID: 1564955
MD5: 9f7b3b8d4066b235e9238a1e84a2619c
SHA1: e20d0c63cd20b227142f70376b13040d1666db13
SHA256: b7228f1612c886d9e36fe88d67561c3f99398f65094d7721c773a3d9a4cc5238
Tags: exe, user-Porcupine

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • rPO49120.scr.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\rPO49120.scr.exe" MD5: 9F7B3B8D4066B235E9238A1E84A2619C)
    • WerFault.exe (PID: 7452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 2424 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: rPO49120.scr.exe -- ReversingLabs: Detection: 26%
Source: rPO49120.scr.exe -- Virustotal: Detection: 33%
Source: Submitted Sample -- Integrated Neural Analysis Model: Matched 100.0% probability
Source: rPO49120.scr.exe -- Joe Sandbox ML: detected
Source: rPO49120.scr.exe -- Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown -- HTTPS traffic detected: 5.23.51.54:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: rPO49120.scr.exe -- Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: rPO49120.scr.exe, 00000000.00000002.1980525385.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: mscorlib.pdbL} source: rPO49120.scr.exe, 00000000.00000002.1982069508.00000000067F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rPO49120.scr.exe, 00000000.00000002.1982069508.00000000067F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.ni.pdbRSDS source: WER56FF.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbmQ source: rPO49120.scr.exe, 00000000.00000002.1980525385.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n0C:\Windows\mscorlib.pdb source: rPO49120.scr.exe, 00000000.00000002.1980208104.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rPO49120.scr.exe, 00000000.00000002.1980525385.0000000001170000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER56FF.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb! source: rPO49120.scr.exe, 00000000.00000002.1982069508.00000000067F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.Xml.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER56FF.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\rPO49120.scr.PDB source: rPO49120.scr.exe, 00000000.00000002.1980208104.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: %%.pdb source: rPO49120.scr.exe, 00000000.00000002.1980208104.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: mscorlib.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbW source: rPO49120.scr.exe, 00000000.00000002.1982069508.00000000067F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbAV source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.Net.Http.ni.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.Drawing.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: rPO49120.scr.exe, 00000000.00000002.1982069508.00000000067F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb4 source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.Core.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.ni.pdb source: WER56FF.tmp.dmp.3.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER56FF.tmp.dmp.3.dr
Source: global traffic -- HTTP traffic detected: "GET /wp-includes/N1j7IGsuRMa.php HTTP/1.1", Host: www.new.eventawardsrussia.com, Connection: Keep-Alive
Source: Joe Sandbox View -- JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown -- UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic -- DNS traffic detected: DNS query: www.new.eventawardsrussia.com
Source: rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.3.dr -- String found in binary or memory: http://upx.sf.net
Source: rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002E06000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: http://www.new.eventawardsrussia.com
Source: rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002E06000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: http://www.new.eventawardsrussia.comd
Source: rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002DFA000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: https://www.new.eventawardsrussia.com
Source: rPO49120.scr.exe -- String found in binary or memory: https://www.new.eventawardsrussia.com/wp-includes/N1j7IGsuRMa.php
Source: rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002D81000.00000004.00000800.00020000.00000000.sdmp -- String found in binary or memory: https://www.new.eventawardsrussia.com/wp-includes/N1j7IGsuRMa.phpt
Source: unknown -- Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown -- Network traffic detected: HTTP traffic on port 49730 -> 443
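Turning the network and file indicators above into a local hunt, as an added example that is not part of the Joe Sandbox report: the hash, JA3, domain, URL path, server IP and OriginalFilename values are copied from this report; the HTTP request and the telemetry lines inside the script are constructed for the demonstration (their log format and timestamps are assumptions), and the request reproduces only the header set the report shows for the GET (Host and Connection, no User-Agent), which is what the "HTTP GET or POST without a user agent" signature keys on.

```python
"""Hunt for the indicators in Joe Sandbox analysis 1564955 in local telemetry.

Added example, not part of the Joe Sandbox report. The values in IOCS are
copied from the report; SAMPLE_REQUEST and SAMPLE_LOG are constructed for
this demonstration and their log format is an assumption.
"""
from __future__ import annotations

import re

# Indicators copied from the report.
IOCS = {
    "md5": "9f7b3b8d4066b235e9238a1e84a2619c",
    "sha1": "e20d0c63cd20b227142f70376b13040d1666db13",
    "sha256": "b7228f1612c886d9e36fe88d67561c3f99398f65094d7721c773a3d9a4cc5238",
    "ja3": "3b5074b1b5d032e5620f69f9f700ff0e",
    "domain": "www.new.eventawardsrussia.com",
    "url_path": "/wp-includes/N1j7IGsuRMa.php",
    "ip": "5.23.51.54",
    "original_filename": "Cdiyhcctb.exe",
}

# Hex tokens of MD5/SHA1/SHA256/JA3 length, pulled out of a line regardless of
# its log format; the IP is anchored so that 15.23.51.54 does not match 5.23.51.54.
_HEX = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
_IP = re.compile(r"(?<![\d.])" + re.escape(IOCS["ip"]) + r"(?![\d.])")


def scan_line(line: str) -> list[str]:
    """Return the names of the report indicators present in one log line."""
    hits = []
    for token in _HEX.findall(line):
        for name in ("md5", "sha1", "sha256", "ja3"):
            if token.lower() == IOCS[name]:
                hits.append(name)
    lowered = line.lower()
    for name in ("domain", "url_path", "original_filename"):
        if IOCS[name].lower() in lowered:
            hits.append(name)
    if _IP.search(line):
        hits.append("ip")
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, indicator names) for every line that has a hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan_line(line))]


def check_http_request(raw: bytes) -> list[str]:
    """Flag a raw HTTP/1.x request that lacks a User-Agent or targets the C2 URL."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    if "user-agent" not in headers:
        findings.append("no User-Agent header")
    if headers.get("host", "").lower() == IOCS["domain"]:
        findings.append("Host is the IOC domain")
    if target == IOCS["url_path"]:
        findings.append("target is the IOC URL path")
    return findings


# Constructed request: the header set the report shows for the GET, nothing else.
SAMPLE_REQUEST = (
    b"GET /wp-includes/N1j7IGsuRMa.php HTTP/1.1\r\n"
    b"Host: www.new.eventawardsrussia.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed telemetry lines (format and timestamps are made up for the demo).
SAMPLE_LOG = [
    "t=1 dns query=www.new.eventawardsrussia.com client=192.168.2.4",
    "t=2 tls client=192.168.2.4 server=5.23.51.54:443 ja3=3b5074b1b5d032e5620f69f9f700ff0e",
    "t=0 proc image=C:\\Users\\user\\Desktop\\rPO49120.scr.exe"
    " sha256=B7228F1612C886D9E36FE88D67561C3F99398F65094D7721C773A3D9A4CC5238"
    " originalfilename=Cdiyhcctb.exe",
    "t=3 dns query=www.microsoft.com client=192.168.2.4",
]

if __name__ == "__main__":
    print(check_http_request(SAMPLE_REQUEST))
    for n, hits in scan_log(SAMPLE_LOG):
        print(n, hits)
```

The domain and path are matched as substrings on purpose, so a hit on www.new.eventawardsrussia.com also covers URLs that embed it; the IP is anchored because a bare substring test would also fire on addresses such as 15.23.51.54. Hash and JA3 matching is case-insensitive, since Sysmon and similar sources log hashes in upper case while the report lists them in lower case.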
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Code function: 0_2_013CCB3C
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Code function: 0_2_013CF3B8
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 2424
Source: rPO49120.scr.exe, 00000000.00000002.1980525385.000000000109E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenameclr.dllT vs rPO49120.scr.exe
Source: rPO49120.scr.exe, 00000000.00000000.1659070164.0000000000974000.00000002.00000001.01000000.00000003.sdmp -- Binary or memory string: OriginalFilenameCdiyhcctb.exe4 vs rPO49120.scr.exe
Source: rPO49120.scr.exe -- Binary or memory string: OriginalFilenameCdiyhcctb.exe4 vs rPO49120.scr.exe
Source: classification engine -- Classification label: mal56.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7268
Source: C:\Windows\SysWOW64\WerFault.exe -- File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7b5ad5a5-ce3d-4787-b94f-eb9e54c319ac
Source: rPO49120.scr.exe -- Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rPO49120.scr.exe -- Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- File read: C:\Users\user\Desktop\rPO49120.scr.exe
Source: unknown -- Process created: C:\Users\user\Desktop\rPO49120.scr.exe "C:\Users\user\Desktop\rPO49120.scr.exe"
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: version.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: rasman.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: secur32.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: schannel.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: rPO49120.scr.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Code function: 0_2_013C8DB8 pushfd ; retf 0_2_013C8DC6
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Process information set: NOOPENFILEERRORBOX (53 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (51 occurrences)
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Memory allocated: 12E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Memory allocated: 12E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Window / User API: threadDelayed 4500
Source: C:\Users\user\Desktop\rPO49120.scr.exe -- Window / User API: threadDelayed 1466
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7332 -- Thread sleep count: 4500 > 30
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7332 -- Thread sleep count: 1466 > 30
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99103s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -98729s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -98516s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -98172s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -98063s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -97938s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -97813s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -97469s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -97360s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -97235s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -97110s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exe TID: 7300 -- Thread sleep time: -96985s >= -30000s
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 100000Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99875Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99766Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99656Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99547Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99438Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99328Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99219Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99103Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 99000Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 98891Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 98729Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 98625Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 98516Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 98391Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 98281Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 98172Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 98063Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 97938Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 97813Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 97703Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 97594Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 97469Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 97360Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 97235Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 97110Jump to behavior
Source: C:\Users\user\Desktop\rPO49120.scr.exeThread delayed: delay time: 96985Jump to behavior
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rPO49120.scr.exe, 00000000.00000002.1980525385.0000000001135000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Queries volume information: C:\Users\user\Desktop\rPO49120.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rPO49120.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label
rPO49120.scr.exe | 26% | ReversingLabs | Win32.Trojan.Mardom
rPO49120.scr.exe | 34% | Virustotal |
rPO49120.scr.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
www.new.eventawardsrussia.com | 0% | Virustotal |
Source | Detection | Scanner | Label
https://www.new.eventawardsrussia.com/wp-includes/N1j7IGsuRMa.php | 0% | Avira URL Cloud | safe
http://www.new.eventawardsrussia.comd | 0% | Avira URL Cloud | safe
https://www.new.eventawardsrussia.com/wp-includes/N1j7IGsuRMa.phpt | 0% | Avira URL Cloud | safe
http://www.new.eventawardsrussia.com | 0% | Avira URL Cloud | safe
https://www.new.eventawardsrussia.com | 0% | Avira URL Cloud | safe
https://www.new.eventawardsrussia.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.new.eventawardsrussia.com | 5.23.51.54 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.new.eventawardsrussia.com/wp-includes/N1j7IGsuRMa.php | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.3.dr | false | | high
https://www.new.eventawardsrussia.com/wp-includes/N1j7IGsuRMa.phpt | rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.new.eventawardsrussia.com | rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002E06000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.new.eventawardsrussia.com | rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002DFA000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.new.eventawardsrussia.comd | rPO49120.scr.exe, 00000000.00000002.1981141955.0000000002E06000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
5.23.51.54 | www.new.eventawardsrussia.com | Russian Federation | 9123 | TIMEWEB-ASRU | false
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1564955
      Start date and time:2024-11-29 03:31:05 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 8s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:rPO49120.scr.exe
      Detection:MAL
      Classification:mal56.winEXE@2/5@1/1
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 12
      • Number of non-executed functions: 2
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 13.89.179.12
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.
      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
21:31:55 | API Interceptor | 27x Sleep call for process: rPO49120.scr.exe modified
21:32:27 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.23.51.54 | SpiMLVsYmg.exe | malicious | Unknown | ck12339.tmweb.ru/reciver.php
      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TIMEWEB-ASRU | DCRatBuild.exe | malicious | DCRat | 185.114.245.123
TIMEWEB-ASRU | guia_luqf.vbs | malicious | Unknown | 92.53.116.138
TIMEWEB-ASRU | guia_evfs.vbs | malicious | Unknown | 92.53.116.138
TIMEWEB-ASRU | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.178.47.86
TIMEWEB-ASRU | CPYEzG7VGh.exe | malicious | DCRat | 185.114.245.123
TIMEWEB-ASRU | DividasAtivas_tgj.vbs | malicious | Unknown | 92.53.116.138
TIMEWEB-ASRU | QYP0tD7z0c.exe | malicious | DCRat | 92.53.106.114
TIMEWEB-ASRU | EBalcao_ysx.vbs | malicious | Unknown | 92.53.116.138
TIMEWEB-ASRU | kQyd2z80gD.exe | malicious | DCRat | 92.53.106.114
TIMEWEB-ASRU | phc.exe | malicious | Unknown | 92.53.116.138
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | INQUIRY_pdf.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Amadey, Stealc, Vidar | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | RECEIPT DATED 28.11.2024,pdf.exe | malicious | Snake Keylogger | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | drawing 10023. spec T4 300W .... dimn 560horsepower po 1198624 _ %00% spec .exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Python Stealer, Amadey, LummaC Stealer, Nymaim, Stealc | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Python Stealer | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Python Stealer | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | segura.vbs | malicious | Unknown | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | seemebestthings.hta | malicious | Cobalt Strike, HTMLPhisher | 5.23.51.54
3b5074b1b5d032e5620f69f9f700ff0e | RE ADVANCE REMITTANCE-INV000567.exe | malicious | Unknown | 5.23.51.54
      No context
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):1.2101601302410123
      Encrypted:false
      SSDEEP:192:EpwMFyD0BU/KaWOJoUT9OzuiFhZ24IO8T:WwMvBU/Kaxz9OzuiFhY4IO8T
      MD5:7057B2CBC7E10AF88BBAB510FFFB1C73
      SHA1:4C2E648341B5EFD99FA8CD8B3067D07D02543B73
      SHA-256:1E10918FFBB08411F67166FC4AD6FA7E67387A943A5D08B6EBAF57FD51236291
      SHA-512:C021B19B3E5E30543D7743F59D4B908C068EB33FA8C606864263BBB57C595A9360B97CE230B42C6CBBF4FA227E9705D7402958F5D444588070CF231BB243166C
      Malicious:true
      Reputation:low
Preview: Version=1 / EventType=CLR20r3 / EventTime=133773211188216339 / ReportType=2 / Consent=1 / UploadTime=133773211194310160 / ReportStatus=524384 / ReportIdentifier=94c1c0c9-3ba7-41da-aef8-dcbc2b559880 / IntegratorReportIdentifier=626cee92-dcbe-45b5-b144-8efb9a4c0432 / Wow64Host=34404 / Wow64Guest=332 / NsAppName=rPO49120.scr.exe / OriginalFilename=Cdiyhcctb.exe / AppSessionGuid=00001c64-0001-0014-d12b-15db0642db01 / TargetAppId=W:0006ff8d7568cf1731b1104f1f6ad762f09400000000!0000e20d0c63cd20b227142f70376b13040d1...
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 15 streams, Fri Nov 29 02:31:59 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):364348
      Entropy (8bit):3.5073260484165907
      Encrypted:false
      SSDEEP:3072:LOBm34uEqv7Iqx0LTgKT0RK17RV/eyVYX2604OOc5IVmw:LOc34qIwqTgKT0RK17RVWyVw267FPEw
      MD5:D758498B4B4C1521E66AD2A76C366FA8
      SHA1:D2536A32E82A031C194A26A6691804C7EDC03EDD
      SHA-256:AE4B53580CD0F5587697F77EF1FEFD7706318C888E29971FB29AF62D1F49FF66
      SHA-512:7AF16154D292A529B7FBEF6AACDF05FE2CEE02240E83102BBAEBDAA72056B40F40749F96EAEEA648910E0F7A8008DDB11DD40C94140FC8551926F8D7A79178ED
      Malicious:false
      Reputation:low
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8436
      Entropy (8bit):3.7018206608487154
      Encrypted:false
      SSDEEP:192:R6l7wVeJ1R6u6Y96SU9AupgmfZ5xydprp89bJZIcsfPDm:R6lXJj6u6YwSU9AogmfAmJZIvfS
      MD5:E664607BEEF390ED2353AEBFE4FA5726
      SHA1:D76732F3BA07D0414031846966A03D1F1DFCB99C
      SHA-256:0B581494DB70A9049955254722603AAAB19BD4DEF0FA95FCA697DA438E4B2FE8
      SHA-512:761E861D932A698781AA8D8440DB85C14A34C4B4FC126977649FC8F137348523CC6DA6E37889B4F777F81A4D0653A276C83E07BC61E2B734578A49F6DF896095
      Malicious:false
      Reputation:low
Preview: <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7268</Pi...
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4780
      Entropy (8bit):4.504519619103894
      Encrypted:false
      SSDEEP:48:cvIwWl8zsmJg77aI9ZGJrWpW8VY5PYm8M4JnYFL+q8vASvvFWd:uIjf8I73GJa7VlJiKXvFWd
      MD5:4BB9CC65DB6494688B651B7DF2B5C783
      SHA1:88C38B41B8D31F4EFDDC4422D88096F3727506EC
      SHA-256:A3CACB607E2AF466AD64DEF0EA70BDDFCEE895BD64D18563ABFD9BB54CF01FF1
      SHA-512:84CCD40E77B0D383AD7F5A13B512E6DE3F23190F3B831F963375A2B34CA43991176809407B6A94EA33ADCEAB3D112A08545F7DB839529636B61E7656C9E2F461
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="608734" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.4656311392114425
      Encrypted:false
      SSDEEP:6144:IIXfpi67eLPU9skLmb0b4YWSPKaJG8nAgejZMMhA2gX4WABl0uNndwBCswSbf:dXD94YWlLZMM6YFHR+f
      MD5:2FB51B2E7829A33DA5F16802DB1EA424
      SHA1:613A4871F4D694BD3F650F46D5CF4CE10F1A2021
      SHA-256:86A5B7058F204371A0C41FFBE08CF61177B714ABFBCAD3106B32290EDCD6188F
      SHA-512:C464FC1FB24E7F7A4D334EC243BAB34E6111A4D25560D1138B2B78A36A12E9CFEFC93C975AD2E43D970CEDF3F83C27CBC04EFC4A3097E42BE7FE28E00412FBC4
      Malicious:false
      Reputation:low
      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):4.97165190616697
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      • Win32 Executable (generic) a (10002005/4) 49.78%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Generic Win/DOS Executable (2004/3) 0.01%
      • DOS Executable Generic (2002/1) 0.01%
      File name:rPO49120.scr.exe
      File size:11'264 bytes
      MD5:9f7b3b8d4066b235e9238a1e84a2619c
      SHA1:e20d0c63cd20b227142f70376b13040d1666db13
      SHA256:b7228f1612c886d9e36fe88d67561c3f99398f65094d7721c773a3d9a4cc5238
      SHA512:f335a1e134a178a66e2536aaefa5e29791f60247eeaab17e879f59dc8a7034e6852e5ed39a8e4fe744f1938ccfb83a4cd24b50183207c683a46df357f8cd1fbb
      SSDEEP:192:A5/T1MJg4lNGgLkGzRBx7NzVNkDH1l+lhXRsasN+V/32:AVGdBLkGF5kz1l+lhXRsasN+V/3
      TLSH:F432A2D0EFD5C622D9E10BFAE86E4A404734A612A776CF6CF884D34A5C4161CDBD26F4
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Hg............................n/... ...@....@.. ....................................`................................
      Icon Hash:125ada12e9cc368b
      Entrypoint:0x402f6e
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Time Stamp:0x6748E4DA [Thu Nov 28 21:47:06 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
      Instruction
      jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the rest of the disassembled region is zero bytes)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f20 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x16f2 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x20000xf740x1000678fb3ccceb9f361f287879f3c434166False0.580322265625data5.340693070350521IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rsrc0x40000x16f20x18007c510ab591fc5820a834524c3f060a12False0.2635091145833333data4.384835571668362IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc0x60000xc0x200da38bbbfd65412440a100e71e23c67dbFalse0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_ICON | 0x4130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.21060037523452158
      RT_GROUP_ICON | 0x51d8 | 0x14 | data | | | 1.1
      RT_VERSION | 0x51ec | 0x31c | data | | | 0.42839195979899497
      RT_MANIFEST | 0x5508 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
      DLL | Import
      mscoree.dll | _CorExeMain
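The static tables above identify the sample as a managed (.NET) executable rather than native code: the COM descriptor directory is 0x48 bytes, which is the fixed size of the CLR header; the IAT is 8 bytes, one 32-bit thunk plus its null terminator; and the only native import is mscoree.dll!_CorExeMain. The process table's "Programmed in: C, C++ or other language" is the report's generic category and should not be read as native code. The native entry point is only the stub that hands control to the runtime, and the actual logic lives in the CIL metadata, where a .NET decompiler is the right tool. The script below is an added example, not part of the Joe Sandbox report: it re-derives the "Is in Section" column from the section table, applies the .NET checks, and uses the reported file size to look for an overlay. The helper names are this example's own, and because the report does not print raw section offsets the overlay computation assumes the default 0x200 FileAlignment, under which the headers occupy exactly one alignment unit.

```python
"""Added example (not part of the Joe Sandbox report): re-check the PE layout
the report prints and classify the sample from it.  All numbers are copied
from the report's tables; helper names and the header-size assumption are ours."""
from typing import Dict, List, Optional, Tuple

FILE_SIZE = 11_264  # "File size" from the process overview

# (name, virtual address, virtual size, raw size) from the section table
SECTIONS: List[Tuple[str, int, int, int]] = [
    (".text", 0x2000, 0xF74, 0x1000),
    (".rsrc", 0x4000, 0x16F2, 0x1800),
    (".reloc", 0x6000, 0xC, 0x200),
]

# Non-empty data directories from the report: name -> (RVA, size)
DIRECTORIES: Dict[str, Tuple[int, int]] = {
    "IMPORT": (0x2F20, 0x4B),
    "RESOURCE": (0x4000, 0x16F2),
    "BASERELOC": (0x6000, 0xC),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}

# Import table from the report: DLL -> imported functions
IMPORTS: Dict[str, List[str]] = {"mscoree.dll": ["_CorExeMain"]}

SIZEOF_IMAGE_COR20_HEADER = 0x48  # the CLR header has a fixed size of 72 bytes


def section_for_rva(rva: int, sections=SECTIONS) -> Optional[str]:
    """Name of the section whose range covers rva (the report's 'Is in Section'
    column), or None when rva falls outside every section, e.g. in the headers.
    The covered range is the larger of virtual and raw size, as PE tools do."""
    for name, va, vsize, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return name
    return None


def directory_sections(dirs=DIRECTORIES) -> Dict[str, Optional[str]]:
    """Re-derive the 'Is in Section' column for every non-empty directory."""
    return {name: section_for_rva(rva) for name, (rva, _size) in dirs.items()}


def iat_entry_count(iat_size: int, pointer_size: int = 4) -> int:
    """Number of imported functions the IAT holds: one thunk per function
    plus a null terminator.  pointer_size is 4 for this 32-bit PE."""
    return iat_size // pointer_size - 1


def is_managed_assembly(dirs=DIRECTORIES, imports=IMPORTS) -> bool:
    """A .NET assembly carries a CLR header (COM descriptor directory of 0x48
    bytes) and, as its only native import, mscoree!_CorExeMain for an EXE or
    mscoree!_CorDllMain for a DLL; every other API it uses is resolved by the
    runtime from metadata and never shows up in the PE import table."""
    rva, size = dirs.get("COM_DESCRIPTOR", (0, 0))
    if rva == 0 or size != SIZEOF_IMAGE_COR20_HEADER:
        return False
    if set(imports) != {"mscoree.dll"}:
        return False
    funcs = {f.lower() for f in imports["mscoree.dll"]}
    return bool(funcs) and funcs <= {"_corexemain", "_cordllmain"}


def overlay_size(file_size=FILE_SIZE, sections=SECTIONS, header_size=0x200) -> int:
    """Bytes appended after the last section's raw data.  header_size is an
    assumption: the report omits raw offsets, so we take the default 0x200
    FileAlignment, under which the headers fill exactly one unit.  A positive
    result is an overlay the section table does not account for."""
    return file_size - (header_size + sum(raw for _, _, _, raw in sections))


def section_slack(sections=SECTIONS) -> Dict[str, int]:
    """Raw bytes beyond each section's virtual size.  Up to one FileAlignment
    unit is ordinary padding; more than that is worth carving out."""
    return {name: raw - vsize for name, _, vsize, raw in sections}


def summarize() -> Dict[str, object]:
    """Everything a triage note would record from the static tables."""
    return {
        "directory_sections": directory_sections(),
        "iat_entries": iat_entry_count(DIRECTORIES["IAT"][1]),
        "managed_assembly": is_managed_assembly(),
        "overlay_bytes": overlay_size(),
        "section_slack": section_slack(),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

For this sample the numbers close exactly: 0x200 of headers plus the three raw sizes equals the 11,264-byte file, so there is no overlay, every section's slack is under one 0x200 unit, and the IAT holds a single entry, which is the one import listed.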
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Nov 29, 2024 03:31:57.124598026 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Nov 29, 2024 03:31:57.124633074 CET | 443 | 49730 | 5.23.51.54 | 192.168.2.4
      Nov 29, 2024 03:31:57.124708891 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Nov 29, 2024 03:31:57.140055895 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Nov 29, 2024 03:31:57.140072107 CET | 443 | 49730 | 5.23.51.54 | 192.168.2.4
      Nov 29, 2024 03:31:58.629368067 CET | 443 | 49730 | 5.23.51.54 | 192.168.2.4
      Nov 29, 2024 03:31:58.629554033 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Nov 29, 2024 03:31:58.632937908 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Nov 29, 2024 03:31:58.632946968 CET | 443 | 49730 | 5.23.51.54 | 192.168.2.4
      Nov 29, 2024 03:31:58.633227110 CET | 443 | 49730 | 5.23.51.54 | 192.168.2.4
      Nov 29, 2024 03:31:58.682903051 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Nov 29, 2024 03:31:58.688941002 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Nov 29, 2024 03:31:58.735328913 CET | 443 | 49730 | 5.23.51.54 | 192.168.2.4
      Nov 29, 2024 03:31:59.192691088 CET | 443 | 49730 | 5.23.51.54 | 192.168.2.4
      Nov 29, 2024 03:31:59.192766905 CET | 443 | 49730 | 5.23.51.54 | 192.168.2.4
      Nov 29, 2024 03:31:59.192821026 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Nov 29, 2024 03:31:59.200033903 CET | 49730 | 443 | 192.168.2.4 | 5.23.51.54
      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Nov 29, 2024 03:31:56.201101065 CET | 58127 | 53 | 192.168.2.4 | 1.1.1.1
      Nov 29, 2024 03:31:57.116516113 CET | 53 | 58127 | 1.1.1.1 | 192.168.2.4
      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
      Nov 29, 2024 03:31:56.201101065 CET | 192.168.2.4 | 1.1.1.1 | 0x2f5f | Standard query (0) | www.new.eventawardsrussia.com | A (IP address) | IN (0x0001) | false
      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Nov 29, 2024 03:31:57.116516113 CET | 1.1.1.1 | 192.168.2.4 | 0x2f5f | No error (0) | www.new.eventawardsrussia.com | | 5.23.51.54 | A (IP address) | IN (0x0001) | false
      • www.new.eventawardsrussia.com
      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
      0 | 192.168.2.4 | 49730 | 5.23.51.54 | 443 | 7268 | C:\Users\user\Desktop\rPO49120.scr.exe
      Timestamp | Bytes transferred | Direction | Data
      2024-11-29 02:31:58 UTC | 106 | OUT | GET /wp-includes/N1j7IGsuRMa.php HTTP/1.1
      Host: www.new.eventawardsrussia.com
      Connection: Keep-Alive
      2024-11-29 02:31:59 UTC | 240 | IN | HTTP/1.1 200 OK
      Server: nginx/1.26.1
      Date: Fri, 29 Nov 2024 02:31:58 GMT
      Content-Type: text/html; charset=UTF-8
      Content-Length: 295
      Connection: close
      Set-Cookie: 396539c1ee079a1c42d1829d3f342f3akey=d41d8cd98f00b204e9800998ecf8427e
      2024-11-29 02:31:59 UTC | 295 | IN | Data Raw: 3c 70 72 65 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e 3c 66 6f 72 6d 20 6d 65 74 68 6f 64 3d 70 6f 73 74 3e 50 61 73 73 77 6f 72 64 3c 62 72 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 70 61 73 73 77 6f 72 64 20 6e 61 6d 65 3d 70 61 73 73 20 73 74 79 6c 65 3d 27 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 77 68 69 74 65 73 6d 6f 6b 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 46 46 46 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 27 20 72 65 71 75 69 72 65 64 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 73 75 62 6d 69 74 20 6e 61 6d 65 3d 27 77 61 74 63 68 69 6e 67 27 20 76 61 6c 75 65 3d 27 73 75 62 6d 69 74 27 20 73 74 79 6c 65 3d 27 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 36 41 44 31 35 3b 63
      Data Ascii: <pre align=center><form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke;border:1px solid #FFF;outline:none;' required><input type=submit name='watching' value='submit' style='border:none;background-color:#56AD15;c
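The exchange above is the only network activity the sample produced in this run: one GET with no User-Agent header (the report's "HTTP GET or POST without a user agent" signature, and the default behaviour of .NET's HttpWebRequest/WebClient when the caller sets none) for a randomly named PHP file under /wp-includes/ on the host resolved a second earlier. The server answered not with a payload but with a 295-byte password form, and the cookie value it set, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of the empty string. No second stage was observed. The script below is an added example, not part of the Joe Sandbox report: it rebuilds the request and response from the dump, checks them against the byte counts the report logged (106 out, 240 in), decodes the raw body bytes, and runs the checks an analyst would turn into detection logic. The helper names are this example's own, and the reading of the request path is a heuristic, not something the report states.

```python
"""Added example (not part of the Joe Sandbox report): re-examine the captured
HTTPS exchange offline.  The request, the response headers and the dumped
body bytes are copied from the report; the checks and helper names are ours."""
import hashlib
from typing import Dict, List, Tuple

# Request as logged (the report counts 106 bytes out, which this matches).
REQUEST = (
    "GET /wp-includes/N1j7IGsuRMa.php HTTP/1.1\r\n"
    "Host: www.new.eventawardsrussia.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Response head as logged (240 bytes in).
RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.26.1\r\n"
    "Date: Fri, 29 Nov 2024 02:31:58 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 295\r\n"
    "Connection: close\r\n"
    "Set-Cookie: 396539c1ee079a1c42d1829d3f342f3akey=d41d8cd98f00b204e9800998ecf8427e\r\n"
    "\r\n"
)

# "Data Raw" from the report: the leading bytes of the 295-byte body.
BODY_HEX = (
    "3c 70 72 65 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e "
    "3c 66 6f 72 6d 20 6d 65 74 68 6f 64 3d 70 6f 73 74 3e "
    "50 61 73 73 77 6f 72 64 3c 62 72 3e "
    "3c 69 6e 70 75 74 20 74 79 70 65 3d 70 61 73 73 77 6f 72 64 20 "
    "6e 61 6d 65 3d 70 61 73 73 20 73 74 79 6c 65 3d 27 "
    "62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 77 68 69 74 65 73 6d 6f 6b 65 3b "
    "62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 46 46 46 3b "
    "6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 27 20 72 65 71 75 69 72 65 64 3e "
    "3c 69 6e 70 75 74 20 74 79 70 65 3d 73 75 62 6d 69 74 20 "
    "6e 61 6d 65 3d 27 77 61 74 63 68 69 6e 67 27 20 76 61 6c 75 65 3d 27 73 75 62 6d 69 74 27 20 "
    "73 74 79 6c 65 3d 27 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b "
    "62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 36 41 44 31 35 3b 63"
)


def parse_http_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a request or status line from its headers (names lower-cased)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_body(hex_dump: str) -> str:
    """Turn the report's space-separated hex into text (UTF-8, as the server declared)."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("utf-8", errors="replace")


def request_findings(raw: str) -> List[str]:
    """What a detection engineer would flag in the outbound request."""
    start_line, headers = parse_http_head(raw)
    method, path, _version = start_line.split(" ", 2)
    findings: List[str] = []
    if "user-agent" not in headers:
        # The report's "HTTP GET or POST without a user agent" signature; .NET's
        # HttpWebRequest/WebClient send no User-Agent unless the caller sets one.
        findings.append(f"{method} without User-Agent header")
    if path.startswith("/wp-includes/") and path.endswith(".php"):
        # Heuristic: WordPress core keeps library code here, so a directly fetched
        # script with a random-looking name points at a file planted on the site.
        findings.append("standalone PHP script requested under /wp-includes/")
    return findings


def response_findings(head: str, body: str) -> List[str]:
    """What the server's answer says about the stage that was (not) served."""
    _status_line, headers = parse_http_head(head)
    findings: List[str] = []
    if "<form method=post>" in body and "type=password" in body:
        findings.append("password-gated page returned, no payload served")
    _cookie_name, _, cookie_value = headers.get("set-cookie", "").partition("=")
    if cookie_value == hashlib.md5(b"").hexdigest():
        # d41d8cd98f00b204e9800998ecf8427e is MD5(""): the gate hashed an empty
        # password into the cookie it handed back.
        findings.append("cookie value is MD5 of the empty string")
    declared = int(headers.get("content-length", "0"))
    shown = len(body.encode("utf-8"))
    if shown < declared:
        findings.append(f"report shows {shown} of {declared} body bytes")
    return findings


if __name__ == "__main__":
    print("request :", request_findings(REQUEST))
    print("response:", response_findings(RESPONSE_HEAD, decode_body(BODY_HEX)))
```

The byte-count checks are the useful habit here: when a reconstruction of a logged request or response comes out at exactly the size the sandbox recorded, the headers were copied faithfully and a network signature written from them will match the real traffic.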



      Target ID:0
      Start time:21:31:55
      Start date:28/11/2024
      Path:C:\Users\user\Desktop\rPO49120.scr.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\rPO49120.scr.exe"
      Imagebase:0x970000
      File size:11'264 bytes
      MD5 hash:9F7B3B8D4066B235E9238A1E84A2619C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:3
      Start time:21:31:58
      Start date:28/11/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7268 -s 2424
      Imagebase:0xf50000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true


        Execution Graph

        Execution Coverage:7.8%
        Dynamic/Decrypted Code Coverage:100%
        Signature Coverage:0%
        Total number of Nodes:23
        Total number of Limit Nodes:2
        execution_graph 13600 13ca230 13604 13ca328 13600->13604 13609 13ca318 13600->13609 13601 13ca23f 13605 13ca35c 13604->13605 13606 13ca339 13604->13606 13605->13601 13606->13605 13607 13ca560 GetModuleHandleW 13606->13607 13608 13ca58d 13607->13608 13608->13601 13610 13ca35c 13609->13610 13611 13ca339 13609->13611 13610->13601 13611->13610 13612 13ca560 GetModuleHandleW 13611->13612 13613 13ca58d 13612->13613 13613->13601 13614 13ccc10 DuplicateHandle 13615 13ccca6 13614->13615 13616 13cc5c0 13617 13cc606 GetCurrentProcess 13616->13617 13619 13cc658 GetCurrentThread 13617->13619 13620 13cc651 13617->13620 13621 13cc68e 13619->13621 13622 13cc695 GetCurrentProcess 13619->13622 13620->13619 13621->13622 13625 13cc6cb 13622->13625 13623 13cc6f3 GetCurrentThreadId 13624 13cc724 13623->13624 13625->13623

        Control-flow Graph

        • Executed
        • Not Executed
        control_flow_graph 526 13cc5b0-13cc64f GetCurrentProcess 530 13cc658-13cc68c GetCurrentThread 526->530 531 13cc651-13cc657 526->531 532 13cc68e-13cc694 530->532 533 13cc695-13cc6c9 GetCurrentProcess 530->533 531->530 532->533 534 13cc6cb-13cc6d1 533->534 535 13cc6d2-13cc6ea 533->535 534->535 547 13cc6ed call 13ccf78 535->547 548 13cc6ed call 13ccb99 535->548 539 13cc6f3-13cc722 GetCurrentThreadId 540 13cc72b-13cc78d 539->540 541 13cc724-13cc72a 539->541 541->540 547->539 548->539
        APIs
        • GetCurrentProcess.KERNEL32 ref: 013CC63E
        • GetCurrentThread.KERNEL32 ref: 013CC67B
        • GetCurrentProcess.KERNEL32 ref: 013CC6B8
        • GetCurrentThreadId.KERNEL32 ref: 013CC711
        Memory Dump Source
        • Source File: 00000000.00000002.1980783328.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_13c0000_rPO49120.jbxd
        Similarity
        • API ID: Current$ProcessThread
        • String ID:
        • API String ID: 2063062207-0
        • Opcode ID: e20a847911c589752b8e1c8f4b4d029f354eaa6f2252003362a25415b1fe72cd
        • Instruction ID: 8d0653ae4a7849b919c8fbf26c5a84e9536cebf258aeca513e02fae14a8fa11d
        • Opcode Fuzzy Hash: e20a847911c589752b8e1c8f4b4d029f354eaa6f2252003362a25415b1fe72cd
        • Instruction Fuzzy Hash: 035165B49002498FDB14DFA9CA48BEEBFF1AF48314F248459E409A73A1DB346D84CF65

        Control-flow Graph

        control_flow_graph 549 13cc5c0-13cc64f GetCurrentProcess 553 13cc658-13cc68c GetCurrentThread 549->553 554 13cc651-13cc657 549->554 555 13cc68e-13cc694 553->555 556 13cc695-13cc6c9 GetCurrentProcess 553->556 554->553 555->556 557 13cc6cb-13cc6d1 556->557 558 13cc6d2-13cc6ea 556->558 557->558 570 13cc6ed call 13ccf78 558->570 571 13cc6ed call 13ccb99 558->571 562 13cc6f3-13cc722 GetCurrentThreadId 563 13cc72b-13cc78d 562->563 564 13cc724-13cc72a 562->564 564->563 570->562 571->562
        APIs
        • GetCurrentProcess.KERNEL32 ref: 013CC63E
        • GetCurrentThread.KERNEL32 ref: 013CC67B
        • GetCurrentProcess.KERNEL32 ref: 013CC6B8
        • GetCurrentThreadId.KERNEL32 ref: 013CC711
        Memory Dump Source
        • Source File: 00000000.00000002.1980783328.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_13c0000_rPO49120.jbxd
        Similarity
        • API ID: Current$ProcessThread
        • String ID:
        • API String ID: 2063062207-0
        • Opcode ID: 03a671fa7a37bfc62cb74a3d70c0b01d98907cad25338ca68b6fb1a39ee88194
        • Instruction ID: 094beb6859afbb0e7c3b6a38495d170ca95863900b447112565466d0d58a1540
        • Opcode Fuzzy Hash: 03a671fa7a37bfc62cb74a3d70c0b01d98907cad25338ca68b6fb1a39ee88194
        • Instruction Fuzzy Hash: A55145B49002498FDB14DFA9DA48B9EBBF1EF48318F248459E419A7360DB34AD84CF65

        Control-flow Graph

        control_flow_graph 608 13ca328-13ca337 609 13ca339-13ca346 call 13c85e4 608->609 610 13ca363-13ca367 608->610 616 13ca35c 609->616 617 13ca348 609->617 612 13ca369-13ca373 610->612 613 13ca37b-13ca3bc 610->613 612->613 619 13ca3be-13ca3c6 613->619 620 13ca3c9-13ca3d7 613->620 616->610 666 13ca34e call 13ca5b0 617->666 667 13ca34e call 13ca5c0 617->667 619->620 621 13ca3d9-13ca3de 620->621 622 13ca3fb-13ca3fd 620->622 624 13ca3e9 621->624 625 13ca3e0-13ca3e7 call 13c9654 621->625 627 13ca400-13ca407 622->627 623 13ca354-13ca356 623->616 626 13ca498-13ca4a5 623->626 629 13ca3eb-13ca3f9 624->629 625->629 638 13ca4ab-13ca510 626->638 630 13ca409-13ca411 627->630 631 13ca414-13ca41b 627->631 629->627 630->631 634 13ca41d-13ca425 631->634 635 13ca428-13ca431 call 13c9664 631->635 634->635 639 13ca43e-13ca443 635->639 640 13ca433-13ca43b 635->640 658 13ca512-13ca558 638->658 641 13ca445-13ca44c 639->641 642 13ca461-13ca465 639->642 640->639 641->642 644 13ca44e-13ca45e call 13c9674 call 13c9684 641->644 664 13ca468 call 13ca8b0 642->664 665 13ca468 call 13ca8c0 642->665 644->642 647 13ca46b-13ca46e 649 13ca470-13ca48e 647->649 650 13ca491-13ca497 647->650 649->650 659 13ca55a-13ca55d 658->659 660 13ca560-13ca58b GetModuleHandleW 658->660 659->660 661 13ca58d-13ca593 660->661 662 13ca594-13ca5a8 660->662 661->662 664->647 665->647 666->623 667->623
        APIs
        • GetModuleHandleW.KERNEL32(00000000), ref: 013CA57E
        Memory Dump Source
        • Source File: 00000000.00000002.1980783328.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_13c0000_rPO49120.jbxd
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: c5a924c1319a8bcd36135ed7b047d751ca3b3686bcb0c600ee0d48817ac8e714
        • Instruction ID: 2b02c1d6b29e9ca51b87cb9e262cdd058a8c10d86d7e98855c0bc9564a8fb4db
        • Opcode Fuzzy Hash: c5a924c1319a8bcd36135ed7b047d751ca3b3686bcb0c600ee0d48817ac8e714
        • Instruction Fuzzy Hash: CE814370A00B098FDB25DF29D45575ABBF1BF88718F008A2ED48AD7B50E774E949CB90

        Control-flow Graph

        control_flow_graph 668 13ccc08-13ccca4 DuplicateHandle 669 13cccad-13cccca 668->669 670 13ccca6-13cccac 668->670 670->669
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013CCC97
        Memory Dump Source
        • Source File: 00000000.00000002.1980783328.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_13c0000_rPO49120.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 72865914767ca56b8aff15e477ebe4cf67735943a8b23628dcbd28f4a8e95b87
        • Instruction ID: 6427b4c45f78878e45703535aadde50f76a1562dd8b4672e9d4db8975854a826
        • Opcode Fuzzy Hash: 72865914767ca56b8aff15e477ebe4cf67735943a8b23628dcbd28f4a8e95b87
        • Instruction Fuzzy Hash: 262100B5D002489FDB10CFAAD584AEEBFF4EB48324F14841AE958A3310C379A945CFA0

        Control-flow Graph

        control_flow_graph 673 13ccc10-13ccca4 DuplicateHandle 674 13cccad-13cccca 673->674 675 13ccca6-13cccac 673->675 675->674
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013CCC97
        Memory Dump Source
        • Source File: 00000000.00000002.1980783328.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_13c0000_rPO49120.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 3ea8957649e6821cca87e66699dda506cbb2f1d410ec8da3747872e066ee291e
        • Instruction ID: fbb45b1830d1c40ee0e7dbdf7bee0d7a6fa99f9fddb2c0e3b0577824fcaa7b9d
        • Opcode Fuzzy Hash: 3ea8957649e6821cca87e66699dda506cbb2f1d410ec8da3747872e066ee291e
        • Instruction Fuzzy Hash: 8721E4B59002089FDB10CFAAD584ADEFFF4EB48310F14841AE918A3310D378A944CFA4

        Control-flow Graph

        control_flow_graph 678 13ca518-13ca558 679 13ca55a-13ca55d 678->679 680 13ca560-13ca58b GetModuleHandleW 678->680 679->680 681 13ca58d-13ca593 680->681 682 13ca594-13ca5a8 680->682 681->682
        APIs
        • GetModuleHandleW.KERNEL32(00000000), ref: 013CA57E
        Memory Dump Source
        • Source File: 00000000.00000002.1980783328.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_13c0000_rPO49120.jbxd
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: 781beb978b40daa5c25340646469bdb50ca2078b3db1c092669e6c9ee658eaa2
        • Instruction ID: 1d2395b45d1bbaeca1e473c9f825df194965d80969e3d05903bd9cc4f9209769
        • Opcode Fuzzy Hash: 781beb978b40daa5c25340646469bdb50ca2078b3db1c092669e6c9ee658eaa2
        • Instruction Fuzzy Hash: 8A11DFB6C00349CFDB10DF9AC444ADEFBF4AB88624F10C42AD559A7210D379A945CFA5
        Memory Dump Source
        • Source File: 00000000.00000002.1980357493.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f3d000_rPO49120.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2562debfaf455deee7b1f73c4cf205409872d09e519867de4d3bdb8aff32390a
        • Instruction ID: 25100bac848d0c2859d8963937863076a22f84c0d69ae38d5530ee746f106e47
        • Opcode Fuzzy Hash: 2562debfaf455deee7b1f73c4cf205409872d09e519867de4d3bdb8aff32390a
        • Instruction Fuzzy Hash: 85213A72944204DFDB05DF14E9C0B27BF65FB94338F24C169E90A0B256C336D855E7A2
        Memory Dump Source
        • Source File: 00000000.00000002.1980396987.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f4d000_rPO49120.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 83fc6e74975275a2b77a078d3ccfc52ed056d39221ab15829ac5d03c174cc9ee
        • Instruction ID: 9da388e98f6334664675c04cd2f1bdbea911cc6de6cbbe18155aa8ae35f909d5
        • Opcode Fuzzy Hash: 83fc6e74975275a2b77a078d3ccfc52ed056d39221ab15829ac5d03c174cc9ee
        • Instruction Fuzzy Hash: AA21F271604200DFCB14DF18D984B26BFA5EB84324F20C56DDC0A4B39AC33AD847DA61
        Memory Dump Source
        • Source File: 00000000.00000002.1980396987.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f4d000_rPO49120.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e25c3aa2568d9ecae2689f73be3d3944514b1305b59504484b711d544e5f0c41
        • Instruction ID: f15c52582fedf13d81ac6093af266754b73fe0953b98fc0c07937d549b13139e
        • Opcode Fuzzy Hash: e25c3aa2568d9ecae2689f73be3d3944514b1305b59504484b711d544e5f0c41
        • Instruction Fuzzy Hash: 05218E755093808FCB02CF24D994715BF71EB46324F28C5EAD8498F2A7C33A980ACB62
        Memory Dump Source
        • Source File: 00000000.00000002.1980357493.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f3d000_rPO49120.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
        • Instruction ID: 0eed1f799a22d24f0b3ffc8fadcb6f133e8251048ab83e6a0c3b7be9515e1a94
        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
        • Instruction Fuzzy Hash: 8411D376904244CFDB16CF14D5C4B16BF72FB94334F28C5A9D9090B256C336D85ADBA2
        Memory Dump Source
        • Source File: 00000000.00000002.1980357493.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f3d000_rPO49120.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a089169bca172bdde28abf07e6e5cdbd9ba1c3f6e3f412a9a771fa9d158475fd
        • Instruction ID: d598a78026c3809186c2b6dcbd2440bb54f83563f6390870afecc674c618036c
        • Opcode Fuzzy Hash: a089169bca172bdde28abf07e6e5cdbd9ba1c3f6e3f412a9a771fa9d158475fd
        • Instruction Fuzzy Hash: F901D6324093449AE7108B29ED84B67FFD8EF41374F18C52AED094B286C279DC40E6B1
        Memory Dump Source
        • Source File: 00000000.00000002.1980357493.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_f3d000_rPO49120.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 2ed34f7c71f04bb0de1b50cd6ffc43ce89851639d343aafa1fcfd24d4b4edd1e
        • Instruction ID: a3b6767a90f47a006c0974e54b440da68d435074e0b8ebd809eaafa24c01a491
        • Opcode Fuzzy Hash: 2ed34f7c71f04bb0de1b50cd6ffc43ce89851639d343aafa1fcfd24d4b4edd1e
        • Instruction Fuzzy Hash: 41F09071409344AEE7108B1AECC8B67FFA8EF51734F18C55AED484F686C2799C44DAB1
        Memory Dump Source
        • Source File: 00000000.00000002.1980783328.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_13c0000_rPO49120.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 9c67ff2f87531e2d0d6b0062ddd0c00ebceb82d4ece3a47076d9ceed7f3ea78b
        • Instruction ID: 9c80692a5fcd4024a83448f3fea4369aae55d575af2fbe303363437b13bd8705
        • Opcode Fuzzy Hash: 9c67ff2f87531e2d0d6b0062ddd0c00ebceb82d4ece3a47076d9ceed7f3ea78b
        • Instruction Fuzzy Hash: 8112D4F0D81B468AD752DF75EA4C3893BB2BB44399FD04B09C2612B2E5DBB4116ACF44
        Memory Dump Source
        • Source File: 00000000.00000002.1980783328.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_13c0000_rPO49120.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: fbe6867d76c769b3ee6b9dcfc9acad07459148669854f78d90606ee8ef5af781
        • Instruction ID: e752f6f33cbd9b7359d3c5d8ee9b3bf64841e68149f70ee770532ccdd7b3836a
        • Opcode Fuzzy Hash: fbe6867d76c769b3ee6b9dcfc9acad07459148669854f78d90606ee8ef5af781
        • Instruction Fuzzy Hash: 87A16C36E0021A8FCF09DFA8C84459EBBB2FF85704B15857EE906AB261DB31ED15CB50