Windows Analysis Report
2704IeeQyo.exe

Overview

General Information

Sample name: 2704IeeQyo.exe (renamed because original name is a hash value)
Original sample name: 6c6953ac5921ccfae5f328695e95f94d19ddc1e3b229964d84b02d0798048a50.exe
Analysis ID: 1571564
MD5: 6de5a8d67aa05e6fba7e6ee7ef69c550
SHA1: 5220dbacdbc2a21178652d356f94eb1f17b4edfc
SHA256: 6c6953ac5921ccfae5f328695e95f94d19ddc1e3b229964d84b02d0798048a50
Tags: 213-21-220-222, exe, user-JAMESWT_MHT

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2704IeeQyo.exe (PID: 3340 cmdline: "C:\Users\user\Desktop\2704IeeQyo.exe" MD5: 6DE5A8D67AA05E6FBA7E6EE7EF69C550)
    • 2704IeeQyo.exe (PID: 1904 cmdline: "C:\Users\user\Desktop\2704IeeQyo.exe" MD5: 6DE5A8D67AA05E6FBA7E6EE7EF69C550)
      • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • vbjcjjt (PID: 6956 cmdline: C:\Users\user\AppData\Roaming\vbjcjjt MD5: 6DE5A8D67AA05E6FBA7E6EE7EF69C550)
    • vbjcjjt (PID: 1344 cmdline: C:\Users\user\AppData\Roaming\vbjcjjt MD5: 6DE5A8D67AA05E6FBA7E6EE7EF69C550)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution:
  • SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Extracted malware configuration: {"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000005.00000002.1725623182.0000000000A18000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x7361:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Yara matches (unpacked PE files)

Source | Rule | Description | Author
5.2.vbjcjjt.9e15a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
6.2.vbjcjjt.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
2.2.2704IeeQyo.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0.2.2704IeeQyo.exe.24c15a0.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\vbjcjjt, CommandLine: C:\Users\user\AppData\Roaming\vbjcjjt, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\vbjcjjt, NewProcessName: C:\Users\user\AppData\Roaming\vbjcjjt, OriginalFileName: C:\Users\user\AppData\Roaming\vbjcjjt, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Users\user\AppData\Roaming\vbjcjjt, ProcessId: 6956, ProcessName: vbjcjjt

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T15:00:32.594559+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:33.214707+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:54.413939+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:54.871053+0100 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T15:00:32.594559+0100 | 2851815 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:33.214707+0100 | 2851815 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:54.413939+0100 | 2851815 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:54.871053+0100 | 2851815 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP

AV Detection

Source: 00000002.00000002.1548669667.00000000004C0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source: C:\Users\user\AppData\Roaming\vbjcjjt | ReversingLabs: Detection: 78%
Source: 2704IeeQyo.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\vbjcjjt | Joe Sandbox ML: detected
Source: 2704IeeQyo.exe | Joe Sandbox ML: detected
Source: 2704IeeQyo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: @]C:\nevukumovil\hucejotel2\zafobelu70_yanonuzunihagi\ku.pdb | source: 2704IeeQyo.exe, vbjcjjt.3.dr
Source: Binary string: C:\nevukumovil\hucejotel2\zafobelu70_yanonuzunihagi\ku.pdb | source: 2704IeeQyo.exe, vbjcjjt.3.dr

Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49706 -> 188.40.141.211:80
Source: Network traffic | Suricata IDS: 2851815 - Severity 1 - ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 : 192.168.2.8:49706 -> 188.40.141.211:80
Source: C:\Windows\explorer.exe | Network Connect: 188.40.141.211 80
Source: Malware configuration extractor | URLs: http://host-file-host6.com/
Source: Malware configuration extractor | URLs: http://host-host-file8.com/
Source: Joe Sandbox View | IP Address: 188.40.141.211 188.40.141.211
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://soosrk.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 336
    Host: host-file-host6.com
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://jopkainnme.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 347
    Host: host-file-host6.com
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://ddosk.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 300
    Host: host-file-host6.com
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://lfkse.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 124
    Host: host-file-host6.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: host-file-host6.com
Source: unknown | HTTP traffic detected:
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://soosrk.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 336
    Host: host-file-host6.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 7
    Content-Type: application/octet-stream
    Date: Mon, 09 Dec 2024 14:00:32 GMT
    Data Raw: 03 00 00 00 7b fa b1
    Data Ascii: {
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 0
    Content-Type: application/octet-stream
    Date: Mon, 09 Dec 2024 14:00:32 GMT
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 7
    Content-Type: application/octet-stream
    Date: Mon, 09 Dec 2024 14:00:54 GMT
    Data Raw: 03 00 00 00 7b fa b1
    Data Ascii: {
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Content-Length: 0
    Content-Type: application/octet-stream
    Date: Mon, 09 Dec 2024 14:00:54 GMT
Source: explorer.exe, 00000003.00000000.1532733481.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1532733481.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1532733481.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1532733481.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1532733481.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1532733481.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1532733481.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.2738086347.0000000010630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://host-file-host6.com/
Source: explorer.exe, 00000003.00000002.2735346940.000000000C154000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285084183.000000000C16D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://host-file-host6.com/6
Source: explorer.exe, 00000003.00000002.2735346940.000000000C154000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285084183.000000000C16D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://host-file-host6.com/V
Source: explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://host-file-host6.com/te
Source: explorer.exe, 00000003.00000002.2735346940.000000000C154000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285084183.000000000C16D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285146318.000000000C1A8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://host-file-host6.com:80/
Source: explorer.exe, 00000003.00000003.2284538705.000000000C1C6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://jopkainnme.net/
Source: explorer.exe, 00000003.00000003.2284538705.000000000C1C6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://jopkainnme.net/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000003.00000003.2285195510.000000000C11C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2735346940.000000000C12D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285278916.000000000C12A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://lfkse.net/
Source: explorer.exe, 00000003.00000003.2285195510.000000000C11C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2735346940.000000000C12D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285278916.000000000C12A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://lfkse.net/application/x-www-form-urlencodedMozilla/5.0
Source: explorer.exe, 00000003.00000000.1530544430.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2724579568.0000000004405000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000003.00000000.1532733481.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1532733481.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.1532733481.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.2726864374.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2726887221.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1529860076.0000000002C80000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://soosrk.com/
Source: explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://soosrk.com/rF
Source: explorer.exe, 00000003.00000000.1532733481.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009237000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000003.00000002.2725242243.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.000000000702D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000000.1532733481.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1532733481.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000000.1532733481.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000003.00000002.2731096848.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://java.co
Source: explorer.exe, 00000003.00000002.2731096848.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000002.2731096848.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.2731142217.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284601893.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000003.00000002.2731096848.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
              Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
              Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
              Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
              Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
              Source: explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: Yara match -- File source: 5.2.vbjcjjt.9e15a0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 6.2.vbjcjjt.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 2.2.2704IeeQyo.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 0.2.2704IeeQyo.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match -- File source: 00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000002.00000002.1548669667.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000006.00000002.1775915077.0000000001F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match -- File source: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              Source: 00000005.00000002.1725623182.0000000000A18000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
              Source: 00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
              Source: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
              Source: 00000002.00000002.1548669667.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
              Source: 00000006.00000002.1775915077.0000000001F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
              Source: 00000000.00000002.1476129405.00000000009F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
              Source: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_024C0110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_024C0110
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 2_2_0040180C Sleep,NtTerminateProcess, 2_2_0040180C
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 2_2_00401818 Sleep,NtTerminateProcess, 2_2_00401818
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 2_2_00401822 Sleep,NtTerminateProcess, 2_2_00401822
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 2_2_00401826 Sleep,NtTerminateProcess, 2_2_00401826
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 2_2_00401834 Sleep,NtTerminateProcess, 2_2_00401834
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_009E0110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 5_2_009E0110
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 6_2_0040180C Sleep,NtTerminateProcess, 6_2_0040180C
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 6_2_00401818 Sleep,NtTerminateProcess, 6_2_00401818
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 6_2_00401822 Sleep,NtTerminateProcess, 6_2_00401822
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 6_2_00401826 Sleep,NtTerminateProcess, 6_2_00401826
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 6_2_00401834 Sleep,NtTerminateProcess, 6_2_00401834
              Source: C:\Windows\explorer.exe -- Code function: 3_2_00BA281C 3_2_00BA281C
              Source: C:\Windows\explorer.exe -- Code function: 3_2_07F6281C 3_2_07F6281C
              Source: 2704IeeQyo.exe, 00000000.00000000.1471858273.000000000088A000.00000002.00000001.01000000.00000003.sdmp -- Binary or memory string: OriginalFilenamesglitters@ vs 2704IeeQyo.exe
              Source: 2704IeeQyo.exe, 00000002.00000000.1474684054.000000000088A000.00000002.00000001.01000000.00000003.sdmp -- Binary or memory string: OriginalFilenamesglitters@ vs 2704IeeQyo.exe
              Source: 2704IeeQyo.exe -- Binary or memory string: OriginalFilenamesglitters@ vs 2704IeeQyo.exe
              Source: 2704IeeQyo.exe -- Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 00000005.00000002.1725623182.0000000000A18000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
              Source: 00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
              Source: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
              Source: 00000002.00000002.1548669667.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
              Source: 00000006.00000002.1775915077.0000000001F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
              Source: 00000000.00000002.1476129405.00000000009F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
              Source: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY -- Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
              Source: 2704IeeQyo.exe -- Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: vbjcjjt.3.dr -- Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: classification engine -- Classification label: mal100.troj.evad.winEXE@6/2@1/1
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_00A0052F CreateToolhelp32Snapshot,Module32First, 0_2_00A0052F
              Source: C:\Windows\explorer.exe -- Code function: 3_2_00BA368C CoCreateInstance, 3_2_00BA368C
              Source: C:\Windows\explorer.exe -- File created: C:\Users\user\AppData\Roaming\vbjcjjt
              Source: 2704IeeQyo.exe -- Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 2704IeeQyo.exe -- ReversingLabs: Detection: 78%
              Source: unknown -- Process created: C:\Users\user\Desktop\2704IeeQyo.exe "C:\Users\user\Desktop\2704IeeQyo.exe"
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Process created: C:\Users\user\Desktop\2704IeeQyo.exe "C:\Users\user\Desktop\2704IeeQyo.exe"
              Source: unknown -- Process created: C:\Users\user\AppData\Roaming\vbjcjjt C:\Users\user\AppData\Roaming\vbjcjjt
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Process created: C:\Users\user\AppData\Roaming\vbjcjjt C:\Users\user\AppData\Roaming\vbjcjjt
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Section loaded: msimg32.dll
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Section loaded: uxtheme.dll
              Source: C:\Windows\explorer.exe -- Section loaded: taskschd.dll
              Source: C:\Windows\explorer.exe -- Section loaded: webio.dll
              Source: C:\Windows\explorer.exe -- Section loaded: mfsrcsnk.dll
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Section loaded: msimg32.dll
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Section loaded: uxtheme.dll
              Source: C:\Windows\explorer.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
              Source: 2704IeeQyo.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: 2704IeeQyo.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: 2704IeeQyo.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: 2704IeeQyo.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: 2704IeeQyo.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: 2704IeeQyo.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: 2704IeeQyo.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: @]C:\nevukumovil\hucejotel2\zafobelu70_yanonuzunihagi\ku.pdb -- source: 2704IeeQyo.exe, vbjcjjt.3.dr
              Source: Binary string: C:\nevukumovil\hucejotel2\zafobelu70_yanonuzunihagi\ku.pdb -- source: 2704IeeQyo.exe, vbjcjjt.3.dr

              Data Obfuscation

              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Unpacked PE file: 2.2.2704IeeQyo.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Unpacked PE file: 6.2.vbjcjjt.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
              Source: 2704IeeQyo.exe -- Static PE information: real checksum: 0x3ddf1 should be: 0x3de05
              Source: vbjcjjt.3.dr -- Static PE information: real checksum: 0x3ddf1 should be: 0x3de05
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_00A062CE pushad ; iretd 0_2_00A062D4
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_00A0142D push ebx; iretd 0_2_00A0146D
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_00A01442 push ebx; iretd 0_2_00A0146D
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_024C1977 push ebx; iretd 0_2_024C19B7
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_024C1970 push ebx; iretd 0_2_024C19B7
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_024C198B push ebx; iretd 0_2_024C19B7
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 2_2_004011D0 push ebx; iretd 2_2_00401217
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 2_2_004011D7 push ebx; iretd 2_2_00401217
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 2_2_004011EB push ebx; iretd 2_2_00401217
              Source: C:\Windows\explorer.exe -- Code function: 3_2_00BA1178 push 00000015h; ret 3_2_00BA117A
              Source: C:\Windows\explorer.exe -- Code function: 3_2_07F61178 push 00000015h; ret 3_2_07F6117A
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_009E198B push ebx; iretd 5_2_009E19B7
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_009E1977 push ebx; iretd 5_2_009E19B7
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_009E1970 push ebx; iretd 5_2_009E19B7
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_00A202A2 push ebx; iretd 5_2_00A202CD
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_00A2028D push ebx; iretd 5_2_00A202CD
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_00A2512E pushad ; iretd 5_2_00A25134
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 6_2_004011D0 push ebx; iretd 6_2_00401217
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 6_2_004011D7 push ebx; iretd 6_2_00401217
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 6_2_004011EB push ebx; iretd 6_2_00401217
              Source: 2704IeeQyo.exe -- Static PE information: section name: .text entropy: 7.6408741446651725
              Source: vbjcjjt.3.dr -- Static PE information: section name: .text entropy: 7.6408741446651725
              Source: C:\Windows\explorer.exe -- File created: C:\Users\user\AppData\Roaming\vbjcjjt

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\explorer.exe -- File deleted: c:\users\user\desktop\2704ieeqyo.exe
              Source: C:\Windows\explorer.exe -- File opened: C:\Users\user\AppData\Roaming\vbjcjjt:Zone.Identifier read attributes | delete
              Source: C:\Windows\explorer.exe -- Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- API/Special instruction interceptor: Address: 7FFBCB7AE814
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- API/Special instruction interceptor: Address: 7FFBCB7AE814
              Source: 2704IeeQyo.exe, 00000002.00000002.1548524785.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, vbjcjjt, 00000006.00000002.1775691948.00000000001FB000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: ASWHOOK
              Source: C:\Windows\explorer.exe -- Window / User API: threadDelayed 450
              Source: C:\Windows\explorer.exe -- Window / User API: threadDelayed 392
              Source: C:\Windows\explorer.exe -- Window / User API: foregroundWindowGot 888
              Source: C:\Windows\explorer.exe -- Window / User API: foregroundWindowGot 861
              Source: C:\Windows\explorer.exe TID: 5656 -- Thread sleep count: 450 > 30
              Source: C:\Windows\explorer.exe TID: 6868 -- Thread sleep count: 392 > 30
              Source: explorer.exe, 00000003.00000000.1532733481.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
              Source: explorer.exe, 00000003.00000000.1528943318.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: explorer.exe, 00000003.00000002.2727827672.0000000009330000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
              Source: explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: NXTcaVMWare
              Source: explorer.exe, 00000003.00000000.1528943318.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: VMware SATA CD00=
              Source: explorer.exe, 00000003.00000000.1532733481.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
              Source: explorer.exe, 00000003.00000002.2727827672.00000000091FB000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: explorer.exe, 00000003.00000000.1532733481.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
              Source: explorer.exe, 00000003.00000000.1528943318.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
              Source: explorer.exe, 00000003.00000002.2727827672.0000000009330000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000003.00000000.1528943318.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- System information queried: CodeIntegrityInformation
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- System information queried: CodeIntegrityInformation
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Process queried: DebugPort
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Process queried: DebugPort
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_009FFE0C push dword ptr fs:[00000030h] 0_2_009FFE0C
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_024C0042 push dword ptr fs:[00000030h] 0_2_024C0042
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_009E0042 push dword ptr fs:[00000030h] 5_2_009E0042
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Code function: 5_2_00A1EC6C push dword ptr fs:[00000030h] 5_2_00A1EC6C

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe -- File created: vbjcjjt.3.dr
              Source: C:\Windows\explorer.exe -- Network Connect: 188.40.141.211 80
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_024C0110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess, 0_2_024C0110
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Thread created: C:\Windows\explorer.exe EIP: 7F61930
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Thread created: unknown EIP: BA1930
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Memory written: C:\Users\user\Desktop\2704IeeQyo.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Memory written: C:\Users\user\AppData\Roaming\vbjcjjt base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Process created: C:\Users\user\Desktop\2704IeeQyo.exe "C:\Users\user\Desktop\2704IeeQyo.exe"
              Source: C:\Users\user\AppData\Roaming\vbjcjjt -- Process created: C:\Users\user\AppData\Roaming\vbjcjjt C:\Users\user\AppData\Roaming\vbjcjjt
              Source: explorer.exe, 00000003.00000000.1529527541.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1532733481.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2723371051.0000000001090000.00000002.00000001.00040000.00000000.sdmp -- Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000003.00000002.2722883876.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1529527541.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1528943318.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Progman
              Source: explorer.exe, 00000003.00000000.1529527541.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2723371051.0000000001090000.00000002.00000001.00040000.00000000.sdmp -- Binary or memory string: 0Program Manager
              Source: explorer.exe, 00000003.00000000.1529527541.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2723371051.0000000001090000.00000002.00000001.00040000.00000000.sdmp -- Binary or memory string: Progmanlock
              Source: explorer.exe, 00000003.00000000.1532733481.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.000000000936E000.00000004.00000001.00020000.00000000.sdmp -- Binary or memory string: Shell_TrayWnd]1Q
              Source: C:\Users\user\Desktop\2704IeeQyo.exe -- Code function: 0_2_00409D7D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00409D7D
              Source: C:\Windows\explorer.exe -- Code function: 3_2_07F63534 GetUserNameW, 3_2_07F63534

              Stealing of Sensitive Information

Source: Yara match | File source: 5.2.vbjcjjt.9e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbjcjjt.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.2704IeeQyo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2704IeeQyo.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1548669667.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1775915077.0000000001F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

Source: Yara match | File source: 5.2.vbjcjjt.9e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbjcjjt.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.2704IeeQyo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2704IeeQyo.exe.24c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1548669667.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1775915077.0000000001F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one column per tactic; the number in parentheses is the count of matched signatures shown for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Exploitation for Client Execution (1) | DLL Side-Loading (1) | Process Injection (512) | Masquerading (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (12) | LSASS Memory | Security Software Discovery (511) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (512) | Security Account Manager | Virtualization/Sandbox Evasion (12) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Hidden Files and Directories (1) | NTDS | Process Discovery (3) | Distributed Component Object Model | Input Capture | Application Layer Protocol (113) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (2) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Software Packing (12) | Cached Domain Credentials | Account Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | System Information Discovery (13) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1571564 | Sample: 2704IeeQyo.exe | Startdate: 09/12/2024 | Architecture: WINDOWS | Score: 100

[2] Start
  DNS/IP: host-file-host6.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  Started: [8] 2704IeeQyo.exe; [11] vbjcjjt
[8] 2704IeeQyo.exe
  Signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
  Started: [13] 2704IeeQyo.exe
[11] vbjcjjt
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Switches to a custom stack to bypass stack traces
  Started: [16] vbjcjjt
[13] 2704IeeQyo.exe
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process
  Injected: [18] explorer.exe 34 3
[16] vbjcjjt
  Signatures: Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
[18] explorer.exe (injected)
  DNS/IP: host-file-host6.com 188.40.141.211, 49706, 80 HETZNER-ASDE Germany
  Dropped: C:\Users\user\AppData\Roaming\vbjcjjt, PE32; C:\Users\user\...\vbjcjjt:Zone.Identifier, ASCII
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)



Source | Detection | Scanner | Label | Link
2704IeeQyo.exe | 79% | ReversingLabs | Win32.Trojan.Smokeloader |
2704IeeQyo.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\vbjcjjt | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\vbjcjjt | 79% | ReversingLabs | Win32.Trojan.Smokeloader |
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://soosrk.com/rF | 0% | Avira URL Cloud | safe |
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | 0% | Avira URL Cloud | safe |
http://jopkainnme.net/ | 0% | Avira URL Cloud | safe |
https://android.notify.windows.com/iOSd | 0% | Avira URL Cloud | safe |
http://soosrk.com/ | 0% | Avira URL Cloud | safe |
http://lfkse.net/ | 0% | Avira URL Cloud | safe |
http://jopkainnme.net/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe |
http://lfkse.net/application/x-www-form-urlencodedMozilla/5.0 | 0% | Avira URL Cloud | safe |
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
host-file-host6.com | 188.40.141.211 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://host-host-file8.com/ | false | | high
http://host-file-host6.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.msn.com/v1/news/Feed/Windows? | explorer.exe, 00000003.00000000.1532733481.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.comer | explorer.exe, 00000003.00000002.2731096848.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSA4 | explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://soosrk.com/rF | explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1532733481.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://java.co | explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.com | explorer.exe, 00000003.00000002.2731096848.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | explorer.exe, 00000003.00000002.2726864374.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.2726887221.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1529860076.0000000002C80000.00000002.00000001.00040000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns.windows.com/EM0 | explorer.exe, 00000003.00000002.2731142217.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284601893.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://host-file-host6.com/V | explorer.exe, 00000003.00000002.2735346940.000000000C154000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285084183.000000000C16D000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://jopkainnme.net/ | explorer.exe, 00000003.00000003.2284538705.000000000C1C6000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://soosrk.com/ | explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://lfkse.net/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 00000003.00000003.2285195510.000000000C11C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2735346940.000000000C12D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285278916.000000000C12A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.microsoft.c | explorer.exe, 00000003.00000000.1532733481.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009237000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://lfkse.net/ | explorer.exe, 00000003.00000003.2285195510.000000000C11C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2735346940.000000000C12D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2727827672.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285278916.000000000C12A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSd | explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://host-file-host6.com/6 | explorer.exe, 00000003.00000002.2735346940.000000000C154000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285084183.000000000C16D000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://ns.adobeS | explorer.exe, 00000003.00000000.1530544430.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2724579568.0000000004405000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://outlook.com | explorer.exe, 00000003.00000002.2731096848.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://jopkainnme.net/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 00000003.00000003.2284538705.000000000C1C6000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://host-file-host6.com:80/ | explorer.exe, 00000003.00000002.2735346940.000000000C154000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285084183.000000000C16D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285146318.000000000C1A8000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOS | explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com48 | explorer.exe, 00000003.00000002.2731096848.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1535025074.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://host-file-host6.com/te | explorer.exe, 00000003.00000002.2727827672.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 00000003.00000000.1535025074.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2731142217.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2285356153.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/ | explorer.exe, 00000003.00000002.2725242243.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.000000000702D000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com:443/en-us/feed | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/accuweather-el-ni | explorer.exe, 00000003.00000002.2725242243.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1531087786.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
188.40.141.211 | host-file-host6.com | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571564
Start date and time: 2024-12-09 14:59:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 2704IeeQyo.exe (renamed because original name is a hash value)
Original Sample Name: 6c6953ac5921ccfae5f328695e95f94d19ddc1e3b229964d84b02d0798048a50.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/2@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 49
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 2704IeeQyo.exe
Time | Type | Description
09:00:30 | API Interceptor | 596x Sleep call for process: explorer.exe modified
15:00:29 | Task Scheduler | Run new task: Firefox Default Browser Agent 454431F86AD280CF path: C:\Users\user\AppData\Roaming\vbjcjjt
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 237076
Entropy (8bit): 6.55759543789169
Encrypted: false
SSDEEP: 3072:gM56ORFLlxTHRasQ6KJcAjXc2ZzW0VTpzvgW+tZORAeFF0RPkTlVPp:b5NRFLLRZQXWAjXc21VdYpOvIkrh
MD5: 6DE5A8D67AA05E6FBA7E6EE7EF69C550
SHA1: 5220DBACDBC2A21178652D356F94EB1F17B4EDFC
SHA-256: 6C6953AC5921CCFAE5F328695E95F94D19DDC1E3B229964D84B02D0798048A50
SHA-512: A31B41C666F163B78E05794F8C2FB74BE363F060F56CE116B1316B934E257BE23B080169D76EE79F1F1ABCB52DA9762DBDE134AE29E28C87D09BBD5FBF7B16FE
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
Reputation: low
Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.55759543789169
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• InstallShield setup (43055/19) 0.43%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 2704IeeQyo.exe
File size: 237'076 bytes
MD5: 6de5a8d67aa05e6fba7e6ee7ef69c550
SHA1: 5220dbacdbc2a21178652d356f94eb1f17b4edfc
SHA256: 6c6953ac5921ccfae5f328695e95f94d19ddc1e3b229964d84b02d0798048a50
SHA512: a31b41c666f163b78e05794f8c2fb74be363f060f56ce116b1316b934e257be23b080169d76ee79f1f1abcb52da9762dbde134ae29e28c87d09bbd5fbf7b16fe
SSDEEP: 3072:gM56ORFLlxTHRasQ6KJcAjXc2ZzW0VTpzvgW+tZORAeFF0RPkTlVPp:b5NRFLLRZQXWAjXc21VdYpOvIkrh
TLSH: 4734198382E13DB6F5268B729E1FC6F8770EF654CF597B6512298A2F05B10B2C263711
Icon Hash: 63796de971436e0f
Entrypoint: 0x4051b2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6433859D [Mon Apr 10 03:42:21 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: ba9b5869ff07c7760737bc9dc65a7497
Instruction
  call 00007FAD7D2EEB6Bh
  jmp 00007FAD7D2E9E1Eh
  int3
  int3
  int3
  int3
  mov ecx, dword ptr [esp+04h]
  test ecx, 00000003h
  je 00007FAD7D2E9FC6h
  mov al, byte ptr [ecx]
  add ecx, 01h
  test al, al
  je 00007FAD7D2E9FF0h
  test ecx, 00000003h
  jne 00007FAD7D2E9F91h
  add eax, 00000000h
  lea esp, dword ptr [esp+00000000h]
  lea esp, dword ptr [esp+00000000h]
  mov eax, dword ptr [ecx]
  mov edx, 7EFEFEFFh
  add edx, eax
  xor eax, FFFFFFFFh
  xor eax, edx
  add ecx, 04h
  test eax, 81010100h
  je 00007FAD7D2E9F8Ah
  mov eax, dword ptr [ecx-04h]
  test al, al
  je 00007FAD7D2E9FD4h
  test ah, ah
  je 00007FAD7D2E9FC6h
  test eax, 00FF0000h
  je 00007FAD7D2E9FB5h
  test eax, FF000000h
  je 00007FAD7D2E9FA4h
  jmp 00007FAD7D2E9F6Fh
  lea eax, dword ptr [ecx-01h]
  mov ecx, dword ptr [esp+04h]
  sub eax, ecx
  ret
  lea eax, dword ptr [ecx-02h]
  mov ecx, dword ptr [esp+04h]
  sub eax, ecx
  ret
  lea eax, dword ptr [ecx-03h]
  mov ecx, dword ptr [esp+04h]
  sub eax, ecx
  ret
  lea eax, dword ptr [ecx-04h]
  mov ecx, dword ptr [esp+04h]
  sub eax, ecx
  ret
  mov edi, edi
  push ebp
  mov ebp, esp
  sub esp, 20h
  mov eax, dword ptr [ebp+08h]
  push esi
  push edi
  push 00000008h
  pop ecx
  mov esi, 00401304h
  lea edi, dword ptr [ebp-20h]
  rep movsd
  mov dword ptr [ebp-08h], eax
  mov eax, dword ptr [ebp+0Ch]
  pop edi
  mov dword ptr [ebp-04h], eax
  pop esi
  test eax, eax
  je 00007FAD7D2E9FAEh
  test byte ptr [eax], 00000008h
  je 00007FAD7D2E9FA9h
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [C++] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x22e10 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48a000 | 0x10f00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x49b000 | 0xb58 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1230 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2f70 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1e0 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2294a | 0x22a00 | f7e74c52c46d367ce4ef3975447721ad | False | 0.8257417644404332 | data | 7.6408741446651725 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x24000 | 0x4654fc | 0x1a00 | d0ab16f8fa0d91db3a60d39975aa773a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x48a000 | 0x10f00 | 0x11000 | d87dc2b5d269aea83470c4de62d8553f | False | 0.36150045955882354 | data | 3.992474542832401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x49b000 | 0x4408 | 0x4600 | 622ca8434ae4266101ca6e440604a5ca | False | 0.14213169642857143 | data | 1.6585888400668538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x48a570 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.538594470046083
RT_ICON | 0x48ac38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.4105809128630705
RT_ICON | 0x48d1e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.449468085106383
RT_ICON | 0x48d678 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.48933901918976547
RT_ICON | 0x48e520 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.4706678700361011
RT_ICON | 0x48edc8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.430635838150289
RT_ICON | 0x48f330 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.27800829875518673
RT_ICON | 0x4918d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.2856472795497186
RT_ICON | 0x492980 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.31065573770491806
RT_ICON | 0x493308 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.3395390070921986
RT_ICON | 0x4937d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.27691897654584224
RT_ICON | 0x494680 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.37184115523465705
RT_ICON | 0x494f28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.3911290322580645
RT_ICON | 0x4955f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.38945086705202314
RT_ICON | 0x495b58 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.274792531120332
RT_ICON | 0x498100 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3022983114446529
RT_ICON | 0x4991a8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.3209016393442623
RT_ICON | 0x499b30 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.3528368794326241
RT_STRING | 0x49a2e8 | 0x4b6 | data | English | United States | 0.4386401326699834
RT_STRING | 0x49a7a0 | 0x564 | data | English | United States | 0.4384057971014493
RT_STRING | 0x49ad08 | 0x1f4 | data | English | United States | 0.514
RT_ACCELERATOR | 0x49a010 | 0x38 | data | English | United States | 0.8928571428571429
RT_GROUP_ICON | 0x48d648 | 0x30 | data | English | United States | 0.9375
RT_GROUP_ICON | 0x499f98 | 0x76 | data | English | United States | 0.6779661016949152
RT_GROUP_ICON | 0x493770 | 0x68 | data | English | United States | 0.7019230769230769
RT_VERSION | 0x49a048 | 0x2a0 | data | English | United States | 0.5208333333333334
DLL | Import
KERNEL32.dll | SetVolumeLabelA, CreateFileA, FindFirstFileW, GetConsoleAliasesLengthW, SetComputerNameExA, FindResourceW, DeleteVolumeMountPointA, GlobalAddAtomA, GetCommState, GetConsoleAliasA, GetSystemWindowsDirectoryW, AddConsoleAliasW, FreeEnvironmentStringsA, GetModuleHandleW, GetTickCount, CreateNamedPipeW, GetConsoleAliasesA, GetPriorityClass, LoadLibraryW, GetConsoleAliasExesLengthW, IsProcessorFeaturePresent, TerminateProcess, lstrcatA, GetVolumePathNameA, GetConsoleAliasesW, GetLastError, InterlockedFlushSList, SetLastError, GetProcAddress, FillConsoleOutputCharacterA, BackupWrite, EnumSystemCodePagesW, SearchPathA, SetFileAttributesA, InterlockedExchangeAdd, OpenWaitableTimerW, LocalAlloc, BuildCommDCBAndTimeoutsW, GetNumberFormatW, RemoveDirectoryW, SetConsoleWindowInfo, FoldStringW, GlobalFindAtomW, QueryMemoryResourceNotification, DebugBreakProcess, UpdateResourceW, VirtualProtect, PeekConsoleInputA, ReadConsoleInputW, GetWindowsDirectoryW, GetCurrentProcessId, AreFileApisANSI, LocalFileTimeToFileTime, CloseHandle, VirtualAlloc, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, RaiseException, RtlUnwind, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualFree, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, GetModuleFileNameA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapSize, SetHandleCount, GetFileType, GetStartupInfoA, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
USER32.dll | ChangeDisplaySettingsW, LoadMenuW, CharToOemBuffA
GDI32.dll | GetCharABCWidthsFloatA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T15:00:32.594559+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:32.594559+0100 | 2851815 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 | 1 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:33.214707+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:33.214707+0100 | 2851815 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 | 1 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:54.413939+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:54.413939+0100 | 2851815 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 | 1 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:54.871053+0100 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
2024-12-09T15:00:54.871053+0100 | 2851815 | ETPRO MALWARE Sharik/Smokeloader CnC Beacon 18 | 1 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 15:00:30.919799089 CET | 62091 | 53 | 192.168.2.8 | 1.1.1.1
Dec 9, 2024 15:00:31.137562990 CET | 53 | 62091 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 15:00:30.919799089 CET | 192.168.2.8 | 1.1.1.1 | 0xb3fc | Standard query (0) | host-file-host6.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 15:00:31.137562990 CET | 1.1.1.1 | 192.168.2.8 | 0xb3fc | No error (0) | host-file-host6.com | | 188.40.141.211 | A (IP address) | IN (0x0001) | false
• soosrk.com
  • host-file-host6.com
• jopkainnme.net
• ddosk.com
• lfkse.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 188.40.141.211 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 15:00:31.258841038 CET | 270 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://soosrk.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 336
Host: host-file-host6.com
Dec 9, 2024 15:00:31.258865118 CET | 336 | OUT | Data Raw: 10 87 87 94 6c f4 d7 b3 bd 37 79 43 0a c9 ed fb 30 61 ae 31 d2 47 68 9f b8 ed a6 f3 8f d3 95 f5 6c b3 54 a2 10 13 bf e0 ed d8 f3 d1 c0 91 1f 19 6c 98 69 fc e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 2e 9b c0 69
Data Ascii: l7yC0a1GhlTli\Fu$f]d.i+Yu27EUj=8D]gc_wx<4%'w&Cjd}H=/|$MV_,2-Tt8xGz6.RyisM0dnAIl_W:>4Y<1]W
Dec 9, 2024 15:00:32.544589043 CET | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 7
Content-Type: application/octet-stream
Date: Mon, 09 Dec 2024 14:00:32 GMT
Data Raw: 03 00 00 00 7b fa b1
Data Ascii: {
Dec 9, 2024 15:00:32.758799076 CET | 274 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jopkainnme.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 347
Host: host-file-host6.com
Dec 9, 2024 15:00:32.758799076 CET | 347 | OUT | Data Raw: 10 87 87 94 6c f4 d7 b3 bd 37 79 43 0a c9 ed fb 30 61 ae 31 d2 47 68 9f b8 ed a6 f3 8f d3 95 f5 6c b3 54 a2 10 13 bf e0 ed d8 f3 d1 c0 91 1f 19 6c 98 69 fc e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de ec 66 5d 02 c8 a1 c1 64 0f a0 da 25
Data Ascii: l7yC0a1GhlTli\Fu$f]d%Z&U;OGqTb"0Ns?LOx cr)FfN]a-t//EC_-hRMHlmnMqTG{6@^f!JUQUCD[hju 'K
Dec 9, 2024 15:00:33.174859047 CET | 144 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 09 Dec 2024 14:00:32 GMT
Dec 9, 2024 15:00:53.995233059 CET | 269 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ddosk.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 300
Host: host-file-host6.com
Dec 9, 2024 15:00:53.995274067 CET | 300 | OUT | Data Raw: 10 87 87 94 6c f4 d7 b3 bd 37 79 43 0a c9 ed fb 30 61 ae 31 d2 47 68 9f b8 ed a6 f3 8f d3 95 f5 6c b3 54 a2 10 13 bf e0 ed d8 f3 d1 c0 91 1f 19 6c 98 69 fc e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 40 a7 c7 38
Data Ascii: l7yC0a1GhlTli\Fu$f]d@8N2fL/Ll<bFg{f3"LN.*?<=`1JUJEn#VMyGuwA5{x_BC(7b0X"X6fg!vhT4(3
Dec 9, 2024 15:00:54.407413006 CET | 151 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 7
Content-Type: application/octet-stream
Date: Mon, 09 Dec 2024 14:00:54 GMT
Data Raw: 03 00 00 00 7b fa b1
Data Ascii: {
Dec 9, 2024 15:00:54.413938999 CET | 269 | OUT | POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lfkse.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 124
Host: host-file-host6.com
Dec 9, 2024 15:00:54.413985014 CET | 124 | OUT | Data Raw: 10 87 87 94 6c f4 d7 b3 bd 37 79 43 0a c9 ed fb 30 61 ae 31 d2 47 68 9f b8 ed a6 f3 8f d3 95 f5 6c b3 54 a2 10 13 bf e0 ed d8 f3 d1 c0 91 1f 19 6c 98 69 fc e4 ec aa 80 eb 5c bd d2 e4 d8 46 d4 75 24 f3 c4 85 de ec 66 5d 02 c8 a1 c1 64 1d 86 d3 37
Data Ascii: l7yC0a1GhlTli\Fu$f]d7ZE4{MRKF9%`P6$QNLUq
Dec 9, 2024 15:00:54.825900078 CET | 144 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Content-Length: 0
Content-Type: application/octet-stream
Date: Mon, 09 Dec 2024 14:00:54 GMT


                                                                                                                Target ID:0
                                                                                                                Start time:09:00:04
                                                                                                                Start date:09/12/2024
                                                                                                                Path:C:\Users\user\Desktop\2704IeeQyo.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\2704IeeQyo.exe"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:237'076 bytes
                                                                                                                MD5 hash:6DE5A8D67AA05E6FBA7E6EE7EF69C550
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1476129405.00000000009F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:09:00:05
                                                                                                                Start date:09/12/2024
                                                                                                                Path:C:\Users\user\Desktop\2704IeeQyo.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\2704IeeQyo.exe"
                                                                                                                Imagebase:0x400000
                                                                                                                File size:237'076 bytes
                                                                                                                MD5 hash:6DE5A8D67AA05E6FBA7E6EE7EF69C550
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.1549983614.0000000001F71000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000002.1548669667.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000002.1548669667.00000000004C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:3
                                                                                                                Start time:09:00:10
                                                                                                                Start date:09/12/2024
                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                                Imagebase:0x7ff62d7d0000
                                                                                                                File size:5'141'208 bytes
                                                                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                Reputation:high
                                                                                                                Has exited:false

                                                                                                                Target ID:5
                                                                                                                Start time:09:00:29
                                                                                                                Start date:09/12/2024
                                                                                                                Path:C:\Users\user\AppData\Roaming\vbjcjjt
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\AppData\Roaming\vbjcjjt
                                                                                                                Imagebase:0x400000
                                                                                                                File size:237'076 bytes
                                                                                                                MD5 hash:6DE5A8D67AA05E6FBA7E6EE7EF69C550
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1725623182.0000000000A18000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                • Detection: 79%, ReversingLabs
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:6
                                                                                                                Start time:09:00:30
                                                                                                                Start date:09/12/2024
                                                                                                                Path:C:\Users\user\AppData\Roaming\vbjcjjt
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\AppData\Roaming\vbjcjjt
                                                                                                                Imagebase:0x400000
                                                                                                                File size:237'076 bytes
                                                                                                                MD5 hash:6DE5A8D67AA05E6FBA7E6EE7EF69C550
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.1775958670.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.1775915077.0000000001F40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.1775915077.0000000001F40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                Reputation:low
                                                                                                                Has exited:true


                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:34.6%
                                                                                                                  Dynamic/Decrypted Code Coverage:87%
                                                                                                                  Signature Coverage:47.8%
                                                                                                                  Total number of Nodes:46
                                                                                                                  Total number of Limit Nodes:7
                                                                                                                  execution_graph 596 9ffd7e 599 9ffd8f 596->599 600 9ffd9e 599->600 603 a0052f 600->603 608 a0054a 603->608 604 a00553 CreateToolhelp32Snapshot 605 a0056f Module32First 604->605 604->608 606 9ffd8e 605->606 607 a0057e 605->607 610 a001ee 607->610 608->604 608->605 611 a00219 610->611 612 a00262 611->612 613 a0022a VirtualAlloc 611->613 612->612 613->612 648 4051b2 651 409d7d 648->651 650 4051b7 650->650 652 409da2 651->652 653 409daf GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 651->653 652->653 654 409da6 652->654 653->654 654->650 614 24c0000 617 24c0630 614->617 616 24c0005 618 24c064c 617->618 620 24c1577 618->620 623 24c05b0 620->623 626 24c05dc 623->626 624 24c061e 625 24c05e2 GetFileAttributesA 625->626 626->624 626->625 628 24c0420 626->628 629 24c04f3 628->629 630 24c04ff CreateWindowExA 629->630 631 24c04fa 629->631 630->631 632 24c0540 PostMessageA 630->632 631->626 633 24c055f 632->633 633->631 635 24c0110 VirtualAlloc 633->635 637 24c016e 635->637 636 24c0414 636->633 637->636 638 24c024a CreateProcessA 637->638 638->636 639 24c025f VirtualFree VirtualAlloc Wow64GetThreadContext 638->639 639->636 640 24c02a9 ReadProcessMemory 639->640 641 24c02e5 VirtualAllocEx NtWriteVirtualMemory 640->641 642 24c02d5 NtUnmapViewOfSection 640->642 643 24c033b 641->643 642->641 644 24c039d WriteProcessMemory Wow64SetThreadContext ResumeThread 643->644 645 24c0350 NtWriteVirtualMemory 643->645 646 24c03fb ExitProcess 644->646 645->643

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
• VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 024C0156
• CreateProcessA.KERNELBASE(?,00000000), ref: 024C0255
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 024C0270
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 024C0283
• Wow64GetThreadContext.KERNEL32(00000000,?), ref: 024C029F
• ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 024C02C8
• NtUnmapViewOfSection.NTDLL(00000000,?), ref: 024C02E3
• VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 024C0304
• NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 024C032A
• NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 024C0399
• WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 024C03BF
• Wow64SetThreadContext.KERNEL32(00000000,?), ref: 024C03E1
• ResumeThread.KERNELBASE(00000000), ref: 024C03ED
• ExitProcess.KERNEL32(00000000), ref: 024C0412
Memory Dump Source
• Source File: 00000000.00000002.1476252456.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24c0000_2704IeeQyo.jbxd
Similarity
• API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFreeReadResumeSectionUnmapView
• String ID:
• API String ID: 3993611425-0
• Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
• Instruction ID: 68d1b5ef5790b1d9b3f12be2b31341b903c9732c517bf3e701b095e0bc00260b
• Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
• Instruction Fuzzy Hash: A8B1B574A00208EFDB44CF98C895F9EBBB5BF88314F248158E909AB395D771AE41CF94

Control-flow Graph (rendered graph omitted): basic blocks a0052f-a0058d; API calls CreateToolhelp32Snapshot, Module32First; calls a001ee.

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A00557
• Module32First.KERNEL32(00000000,00000224), ref: 00A00577
Memory Dump Source
• Source File: 00000000.00000002.1476129405.00000000009F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009F9000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9f9000_2704IeeQyo.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 92bbfd72613f0d3ee3445057e16f85efd2e99f4e089ca388b6bdf1f153e03088
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 93F06D326007196BD7206BB9BC8DFAE76E8AF49725F104628E646D20C0DA70FD454A61

Control-flow Graph (rendered graph omitted): basic blocks 24c0420-24c05ad; API calls CreateWindowExA, PostMessageA; calls 24c0110.

APIs
• CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 024C0533
Strings
Memory Dump Source
• Source File: 00000000.00000002.1476252456.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24c0000_2704IeeQyo.jbxd
Similarity
• API ID: CreateWindow
• String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
• API String ID: 716092398-2341455598
• Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
• Instruction ID: 2dec8c50e11455f8be0790d08300b547ec296e0aa21e28045f0775cbd48a2c6d
• Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
• Instruction Fuzzy Hash: 8A512974D08388DBEB11CBD8C849BEEBFB26F11708F24405DD5446F286C3BA5659CB66

Control-flow Graph (rendered graph omitted): basic blocks 24c05b0-24c0621; API call GetFileAttributesA; calls 24c0420.

APIs
• GetFileAttributesA.KERNELBASE(apfHQ), ref: 024C05EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1476252456.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24c0000_2704IeeQyo.jbxd
Similarity
• API ID: AttributesFile
• String ID: apfHQ$o
• API String ID: 3188754299-2999369273
• Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
• Instruction ID: c813cc2ac3b1a4066b4642cccab7d63d2ce0676721c3c496fa0aaa136dc16359
• Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
• Instruction Fuzzy Hash: A3011E74D0425CEADB50DF98C5183AEBFB5AF41308F14809DC4092B341D7769B99CBA1

Control-flow Graph (rendered graph omitted): basic blocks a001ee-a00276; API call VirtualAlloc; calls a00501, a0027b.

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00A0023F
Memory Dump Source
• Source File: 00000000.00000002.1476129405.00000000009F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009F9000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9f9000_2704IeeQyo.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: e3594e88d82dc8cd42a0796ed967bd9234f1dfbd7edf286fe285fa50603302a8
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: E2110F79A00208EFDB01DF98C985E99BFF5AF08751F158094F9489B361D771EA50DF90
Memory Dump Source
• Source File: 00000000.00000002.1476252456.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24c0000_2704IeeQyo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: 9078d4ca35b740730e6e88edf387b0ee98e9fb755472cce85ed9549547e59390
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: F0117376340100DFD754DE5AEC90EA673DAFB89330B2A815AE904CB311D675E841CB60
Memory Dump Source
• Source File: 00000000.00000002.1476129405.00000000009F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009F9000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9f9000_2704IeeQyo.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: bbbd321d4657c7e8d925a5d09a46121e4b677a17bf65abe53b0a961ea3d27a9a
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: 6F11C272340104AFDB50DF55DC91FA673EAEF88320B298065EE04CB326E679EC02C760

Execution Graph

Execution Coverage: 12.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 23
Total number of Limit Nodes: 0
Execution graph (rendered graph omitted): 402ad1 and 402a9d enter 402ad2, which calls 40180c (Sleep at 40183e, NtTerminateProcess at 40186a) and ends at 402b56; 401818 follows the same Sleep/NtTerminateProcess path; 402bef loops in 402c19 and calls RtlCreateUserThread at 402c91 before reaching 402cef.

Callgraph

Callgraph (rendered graph omitted): 85 functions, Function_00401064 through Function_00402F6A; Function_0040180C (called from Function_00402ACE, Function_00402AD1 and Function_00402A9D) calls Function_00401381, as do Function_00401818, Function_00401822, Function_00401826 and Function_00401834; Function_00402D33 calls Function_004011D0.

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401846
• NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
Memory Dump Source
• Source File: 00000002.00000002.1547828595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_2704IeeQyo.jbxd
Similarity
• API ID: ProcessSleepTerminate
• String ID:
• API String ID: 417527130-0
• Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
• Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
• Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
• Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401846
• NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
Memory Dump Source
• Source File: 00000002.00000002.1547828595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_2704IeeQyo.jbxd
Similarity
• API ID: ProcessSleepTerminate
• String ID:
• API String ID: 417527130-0
• Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
• Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
• Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
• Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401846
• NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
Memory Dump Source
• Source File: 00000002.00000002.1547828595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_2704IeeQyo.jbxd
Similarity
• API ID: ProcessSleepTerminate
• String ID:
• API String ID: 417527130-0
• Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
• Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
• Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
• Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Control-flow Graph

APIs
• Sleep.KERNELBASE(00001388), ref: 00401846
• NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
Memory Dump Source
• Source File: 00000002.00000002.1547828595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_2704IeeQyo.jbxd
Similarity
• API ID: ProcessSleepTerminate
• String ID:
• API String ID: 417527130-0
• Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                                                                                                                  • Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
                                                                                                                  • Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
                                                                                                                  • Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                                                  • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1547828595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_400000_2704IeeQyo.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessSleepTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 417527130-0
                                                                                                                  • Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                                                                                                                  • Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
                                                                                                                  • Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
                                                                                                                  • Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

                                                                                                                  Control-flow Graph

                                                                                                                   Control-flow graph (graph image not preserved): 12 basic blocks, 402bef-402cf4, in the unpacked image at 0x400000. The only API call is RtlCreateUserThread in block 402c91-402ced, reached through the loop over 402c44-402c70 and the check at 402c8a-402c8f; 402cef-402cf4 is the common exit block.
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000002.00000002.1547828595.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_2_2_400000_2704IeeQyo.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateThreadUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1531140918-0
                                                                                                                  • Opcode ID: 7297fe9666f666a234085e31a7a962aeb3571d674ea4f6f510c8001b8e52953f
                                                                                                                  • Instruction ID: 1db3e151d03db0a1b2d88b33ccc958aaf7204f5d63625af9f32895d8f10b8312
                                                                                                                  • Opcode Fuzzy Hash: 7297fe9666f666a234085e31a7a962aeb3571d674ea4f6f510c8001b8e52953f
                                                                                                                  • Instruction Fuzzy Hash: D131F631218D098FE798DF1CD889BA273D1F798350F6542AAE809C3395EA74DC5187C6

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:43%
                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                  Signature Coverage:7.3%
                                                                                                                  Total number of Nodes:179
                                                                                                                  Total number of Limit Nodes:16
                                                                                                                   Execution graph (graph image not preserved; node and limit counts as given above). Two instances of the injected code are traced in explorer.exe, at 0xba1000 and 0x7f61000, with the same call structure; the 0x7f61000 trace is the more complete one:
                                                                                                                   • entry (ba18c8 / 7f618c8): a SleepEx loop, RtlCreateHeap, then CreateThread twice. One worker (ba3ca4 / 7f63ca4) loops over CreateToolhelp32Snapshot and SleepEx (at 0x7f61000 with Process32First / Process32Next in between); the other (ba3d80 / 7f63d80) loops over EnumWindows and SleepEx.
                                                                                                                   • main path: GetTokenInformation (two call sites), GetVolumeInformationA, CreateMutexExA, a RegQueryValueExA loop (at 0x7f61000 followed by ObtainUserAgentString), then the routine at ba1ea4 / 7f61ea4.
                                                                                                                   • ba1ea4 / 7f61ea4: at 0x7f61000 this is DeleteFileW, CopyFileW, DeleteFileW, DeleteFileW, the subroutine 7f6487c (SetFileAttributesW, CreateFileW, SetFileTime) and the subroutine 7f63534 (GetUserNameW, CoCreateInstance), then CreateFileW and CreateFileMappingA; the 0xba1000 trace shows only CoCreateInstance, CreateFileW and CreateFileMappingA on this path.
                                                                                                                   • after CreateFileMappingA: CreateFileW in ba3394 / 7f63394, then the routine at ba22dc / 7f622dc, one branch of which calls DeleteFileW twice, SleepEx and RtlExitUserThread (at 0x7f61000 interleaved with RtlReAllocateHeap).
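The execution graph above and the control-flow graphs in this report share one token format: a node is `<id> <address or block range>` followed by the API names (or `call <addr>` subroutine calls, with `* n` for repeats) in that block, and `<a>-><b>` is an edge; line breaks inside a dump carry no meaning, which is why a node can be split across two lines as happens above. The following Python is an added example, not Joe Sandbox's own tooling or anything from the report: it parses that format into a graph and checks whether a walk from the entry node calls a given sequence of APIs in order, which is how an analyst can turn the dump into behaviour questions (does the code enumerate processes, does it copy itself and reset timestamps, does it delete the original and exit). The embedded dump is an excerpt of the 0x7f61000 execution graph above, trimmed to the branches used; the signature names and orderings are my own choices, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox graph dumps and match ordered API-call sequences. Added example, not
Joe Sandbox tooling; the token format is inferred from the dumps in this report."""
import re
from collections import defaultdict
from types import SimpleNamespace

# Excerpt of the report's execution graph for the code injected into explorer.exe at
# 0x7f61000 (ids and addresses as in the report, trimmed to the branches used below).
SAMPLE_GRAPH = """
execution_graph 2344 7f618c8 2345 7f61919 2344->2345 2348 7f61950 2345->2348 2358 7f619a0 2348->2358
2352 7f6196b SleepEx 2352->2352 2353 7f6197b 2352->2353 2365 7f62194 2353->2365 2360 7f619d7 2358->2360
2359 7f61962 2359->2352 2360->2359 2361 7f61aa4 RtlCreateHeap 2360->2361 2362 7f61ad5 2361->2362
2363 7f61c2f CreateThread 2362->2363 2364 7f61c5d CreateThread 2363->2364 2385 7f63ca4 2363->2385
2366 7f621b2 2365->2366 2392 7f649a0 2366->2392 2368 7f61990 2369 7f61d34 2368->2369 2399 7f64be0
2369->2399 2371 7f61d6f 2372 7f61da0 CreateMutexExA 2371->2372 2373 7f61dba 2372->2373 2403 7f64d50
2373->2403 2375 7f61df9 2408 7f61ea4 2375->2408 2381 7f61e61 2420 7f6223c 2381->2420 2386 7f63cc1
CreateToolhelp32Snapshot 2385->2386 2388 7f63cd5 Process32First 2386->2388 2390 7f63ced 2388->2390
2391 7f63d28 Process32Next 2390->2391 2391->2390 2393 7f649c9 2392->2393 2397 7f64a2b 2393->2397
2397->2368 2400 7f64c0d GetVolumeInformationA 2399->2400 2402 7f64c60 2400->2402 2402->2371
2406 7f64d72 2403->2406 2404 7f64e2e ObtainUserAgentString 2404->2375 2407 7f64e06 2406->2407
2407->2404 2410 7f61ec8 2408->2410 2409 7f61e25 CreateFileMappingA 2409->2381 2410->2409
2411 7f61f2a DeleteFileW CopyFileW 2410->2411 2412 7f61f4a DeleteFileW 2411->2412 2415 7f61f60
2412->2415 2416 7f61f95 DeleteFileW 2415->2416 2417 7f61fa9 2416->2417 2435 7f6487c 2417->2435
2436 7f648a3 2435->2436 2437 7f648d0 SetFileAttributesW CreateFileW 2436->2437 2438 7f6491b
SetFileTime 2437->2438 2421 7f6226d 2420->2421 2442 7f63394 CreateFileW 2421->2442 2443 7f633e9
2442->2443 2423 7f62282 2443->2423 2444 7f622dc 2423->2444 2468 7f63e6c 2444->2468 2469 7f63e9b
2468->2469 2478 7f64008 2469->2478 2481 7f6404b 2478->2481 2471 7f63fbb 2481->2471 2455 7f6232f
2471->2455 2467 7f6487c 3 API calls 2455->2467 2446 7f6256e 2455->2446 2447 7f62592 2446->2447
2450 7f62632 2447->2450 2453 7f62647 DeleteFileW DeleteFileW 2450->2453 2454 7f62669 2453->2454
2458 7f63e6c RtlReAllocateHeap 2454->2458 2459 7f62694 2458->2459 2465 7f626b1 SleepEx RtlExitUserThread 2459->2465
"""

NODE_RE = re.compile(r"^\d+$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")  # "7f61aa4" or a CFG range "402bef-402c13"


def parse_graph(text):
    """Whitespace-tokenise a dump (line breaks inside it carry no meaning)."""
    g = SimpleNamespace(root=None, addr={}, apis=defaultdict(list), edges=defaultdict(list))
    tokens = text.split()
    if tokens and tokens[0].endswith("_graph"):
        tokens = tokens[1:]                       # "execution_graph" / "control_flow_graph" label
    cur, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            g.edges[edge.group(1)].append(edge.group(2))
        elif NODE_RE.match(tok):
            if i + 1 < len(tokens) and tokens[i + 1] == "API":
                i += 3                            # "3 API calls" annotates a subcall, not a node
                continue
            cur = tok
            g.root = g.root or cur                # first node listed is the entry
            if i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
                g.addr[cur] = tokens[i + 1]
                i += 1
        elif tok == "call" and cur and i + 1 < len(tokens):
            g.apis[cur].append("sub_" + tokens[i + 1])   # CFG subroutine call
            i += 1
        elif tok == "*" and cur and g.apis.get(cur) and i + 1 < len(tokens):
            g.apis[cur].extend([g.apis[cur][-1]] * (int(tokens[i + 1]) - 1))
            i += 1
        elif cur:
            g.apis[cur].append(tok)               # API name in call order
        i += 1
    return g


def has_ordered_sequence(graph, start, signature):
    """True if some walk from `start` calls the APIs in `signature` in that order (other
    calls may interleave). States are (node, matched count), so cycles such as the
    Process32Next loop terminate."""
    seen, stack = set(), [(start, 0)]
    while stack:
        node, k = stack.pop()
        for api in graph.apis.get(node, []):
            if k < len(signature) and api == signature[k]:
                k += 1
        if k == len(signature):
            return True
        if (node, k) not in seen:
            seen.add((node, k))
            stack.extend((nxt, k) for nxt in graph.edges.get(node, []))
    return False


# Patterns chosen for this sample (my labels and orderings, not Joe Sandbox signatures).
SIGNATURES = {
    "process enumeration loop": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    "copy self, reset timestamps": ["CopyFileW", "SetFileAttributesW", "CreateFileW", "SetFileTime"],
    "delete original, sleep, exit thread": ["DeleteFileW", "DeleteFileW", "SleepEx", "RtlExitUserThread"],
}


def scan(graph):
    """Names of the signatures reachable from the dump's entry node."""
    return [n for n, s in SIGNATURES.items() if has_ordered_sequence(graph, graph.root, s)]


if __name__ == "__main__":
    g = parse_graph(SAMPLE_GRAPH)
    print(f"{len(g.addr)} nodes, entry {g.root} @ {g.addr[g.root]}, matched: {scan(g)}")
```

The matcher deliberately asks for order along a walk rather than for a set of APIs: `DeleteFileW` occurring somewhere is uninteresting in a loader, while `DeleteFileW` twice followed by `SleepEx` and `RtlExitUserThread` on one path is the self-removal thread. Joe Sandbox execution graphs include nodes that were never executed, so a match means the code contains the path, not that the sandbox run took it.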
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateInstance
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 542301482-0
                                                                                                                  • Opcode ID: 2208a6a82576e187932f5e6c94c4aea895329bbb5408a92f633c0b1253718546
                                                                                                                  • Instruction ID: e3229a68168703e6f2a44787d487ec442764adf0bfbe311465e185667e7b0b0a
                                                                                                                  • Opcode Fuzzy Hash: 2208a6a82576e187932f5e6c94c4aea895329bbb5408a92f633c0b1253718546
                                                                                                                  • Instruction Fuzzy Hash: 1CE1D934608A4C8FCF94EF68C885EA9B7F1FFA9305F114699E44ACB265DB70E944CB41
                                                                                                                  APIs
                                                                                                                  • GetUserNameW.ADVAPI32 ref: 07F63588
                                                                                                                    • Part of subcall function 07F6368C: CoCreateInstance.COMBASE ref: 07F636D9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateInstanceNameUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3213660374-0
                                                                                                                  • Opcode ID: 8c884506d26cdf02d1b48bf5057c53921ff6d3e6c26b0fc65ac87aae79f7f951
                                                                                                                  • Instruction ID: 7bfe8cd5dafeab533671fffdecfd79f111cf497f98a5efd2fa64dfe24c13ee05
                                                                                                                  • Opcode Fuzzy Hash: 8c884506d26cdf02d1b48bf5057c53921ff6d3e6c26b0fc65ac87aae79f7f951
                                                                                                                  • Instruction Fuzzy Hash: 3A110A70718B4C8FCB94EF6C940875EB6D2FBDC210F440A6E988ED7359DA748A458B82

                                                                                                                  Control-flow Graph

                                                                                                                   Control-flow graph (graph image not preserved): blocks 7f622dc-7f62815. The only block with API calls is 7f6263f-7f626d0, which calls the subroutine 7f64604, then DeleteFileW twice, the subroutines 7f634ec, 7f63e6c and 7f652a0, then SleepEx and RtlExitUserThread. The remaining blocks call 7f63e6c, 7f64e6c, 7f64f18, 7f6502c, 7f65224, 7f6281c, 7f652a0, 7f652c0 and 7f6487c (the SetFileAttributesW / CreateFileW / SetFileTime routine).
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DeleteFile$ExitSleepThreadUser
                                                                                                                  • String ID: |:|
                                                                                                                  • API String ID: 2796381497-3736120136
                                                                                                                  • Opcode ID: d91d37ed029c941088cdd60b12086b6f5c1a390fb29ca23f929d4654a35839fd
                                                                                                                  • Instruction ID: b3dc3a4df4a401dbe879a1bb71ffb2c6f7fd4b75dc4bcf0c495011e567dd71c9
                                                                                                                  • Opcode Fuzzy Hash: d91d37ed029c941088cdd60b12086b6f5c1a390fb29ca23f929d4654a35839fd
                                                                                                                  • Instruction Fuzzy Hash: 09E1B1B0718F898FDB58AB68C85C7AA76D1FB98305F584A2DD48FC3281DF78D9418742

                                                                                                                  Control-flow Graph

                                                                                                                   Control-flow graph (graph image not preserved): blocks ba22dc-ba2815, the 0xba1000 instance of the function above. The only block with API calls is ba263f-ba26d0, which calls the subroutine ba4604, then DeleteFileW twice, the subroutines ba34ec, ba3e6c and ba52a0, then SleepEx and RtlExitUserThread. The remaining blocks call ba3e6c, ba4e6c, ba4f18, ba502c, ba5224, ba281c, ba52a0, ba52c0 and ba487c.
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: DeleteFile$ExitSleepThreadUser
                                                                                                                  • String ID: |:|
                                                                                                                  • API String ID: 2796381497-3736120136
                                                                                                                  • Opcode ID: d91d37ed029c941088cdd60b12086b6f5c1a390fb29ca23f929d4654a35839fd
                                                                                                                  • Instruction ID: 52ba26a31811e7533e5156d1fbddabfcb78b2336c0ecde9376b001a0adbf7b80
                                                                                                                  • Opcode Fuzzy Hash: d91d37ed029c941088cdd60b12086b6f5c1a390fb29ca23f929d4654a35839fd
                                                                                                                  • Instruction Fuzzy Hash: 06E19D30718F488FDB69AB2CC4597AA76D1FB99305F50456EE48FC2281DF78ED818782

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,07F61E25), ref: 07F61F2D
                                                                                                                  • CopyFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,07F61E25), ref: 07F61F3C
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,07F61E25), ref: 07F61F4D
                                                                                                                  • DeleteFileW.KERNEL32 ref: 07F61F98
                                                                                                                    • Part of subcall function 07F6487C: SetFileAttributesW.KERNEL32 ref: 07F648D8
                                                                                                                    • Part of subcall function 07F6487C: CreateFileW.KERNEL32 ref: 07F64902
                                                                                                                    • Part of subcall function 07F6487C: SetFileTime.KERNEL32 ref: 07F6492D
                                                                                                                  • CreateFileW.KERNEL32 ref: 07F62021
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Delete$Create$AttributesCopyTime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 642576546-0
                                                                                                                  • Opcode ID: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
                                                                                                                  • Instruction ID: d6c407319c4415d967ec449e7b0dac4c2cedeb8d4e78b0a3bbd13e282ea33f10
                                                                                                                  • Opcode Fuzzy Hash: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
                                                                                                                  • Instruction Fuzzy Hash: B0415C70718A4C8FCFA8FF6898587AD72D2EB98300F58416D984EC7395DE34CE468782

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 305 7f619a0-7f619d5 306 7f619d7-7f619de 305->306 307 7f619f7-7f619fb 306->307 308 7f619e0-7f619f5 307->308 309 7f619fd-7f61a09 307->309 308->307 310 7f61a20-7f61a25 309->310 311 7f61a0b-7f61a11 309->311 313 7f61a2b-7f61a32 310->313 312 7f61a13-7f61a1e 311->312 311->313 312->313 314 7f61a34-7f61a3b 313->314 315 7f61a3d-7f61a43 313->315 314->315 316 7f61a45-7f61a4f 314->316 315->306 315->316 317 7f61a51-7f61a58 316->317 318 7f61a5e-7f61a76 call 7f61cb0 316->318 317->318 319 7f61c88 317->319 318->319 323 7f61a7c-7f61a9e call 7f61cb0 318->323 322 7f61c8a-7f61ca8 319->322 323->319 326 7f61aa4-7f61ad3 RtlCreateHeap 323->326 327 7f61ad5-7f61aef call 7f64e6c 326->327 327->319 331 7f61af5-7f61b0d call 7f65224 327->331 331->327 334 7f61b0f-7f61b2a call 7f61cb0 331->334 334->319 337 7f61b30-7f61b4f call 7f61cb0 334->337 337->319 340 7f61b55-7f61b74 call 7f61cb0 337->340 340->319 343 7f61b7a-7f61b99 call 7f61cb0 340->343 343->319 346 7f61b9f-7f61bbe call 7f61cb0 343->346 346->319 349 7f61bc4-7f61c1f call 7f64a6c * 3 346->349 349->319 356 7f61c21-7f61c28 349->356 356->319 357 7f61c2a-7f61c2d 356->357 357->319 358 7f61c2f-7f61c7c CreateThread * 2 357->358 360 7f61c84-7f61c86 358->360 360->322
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Create$Thread$Heap
                                                                                                                  • String ID: iP+
                                                                                                                  • API String ID: 1054751041-51890417
                                                                                                                  • Opcode ID: 26f900cbed04e092ee0982a3be71c41bf08b15ef31f8e9e270c5fbcd78812b0b
                                                                                                                  • Instruction ID: f320f30a65891aa81f2111dc962828316d7435461eb78a303005f39606f7e90e
                                                                                                                  • Opcode Fuzzy Hash: 26f900cbed04e092ee0982a3be71c41bf08b15ef31f8e9e270c5fbcd78812b0b
                                                                                                                  • Instruction Fuzzy Hash: 57918270618A0C8FCF48EF18DCC9AE977E6FB98300B4846799C4ECB256DA34D555CB92

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 249 ba19a0-ba19d5 250 ba19d7-ba19de 249->250 251 ba19f7-ba19fb 250->251 252 ba19fd-ba1a09 251->252 253 ba19e0-ba19f5 251->253 254 ba1a0b-ba1a11 252->254 255 ba1a20-ba1a25 252->255 253->251 256 ba1a2b-ba1a32 254->256 257 ba1a13-ba1a1e 254->257 255->256 258 ba1a3d-ba1a43 256->258 259 ba1a34-ba1a3b 256->259 257->256 258->250 260 ba1a45-ba1a4f 258->260 259->258 259->260 261 ba1a5e-ba1a76 call ba1cb0 260->261 262 ba1a51-ba1a58 260->262 263 ba1c88 261->263 267 ba1a7c-ba1a9e call ba1cb0 261->267 262->261 262->263 265 ba1c8a-ba1ca8 263->265 267->263 270 ba1aa4-ba1ad3 RtlCreateHeap 267->270 271 ba1ad5-ba1aef call ba4e6c 270->271 271->263 275 ba1af5-ba1b0d call ba5224 271->275 275->271 278 ba1b0f-ba1b2a call ba1cb0 275->278 278->263 281 ba1b30-ba1b4f call ba1cb0 278->281 281->263 284 ba1b55-ba1b74 call ba1cb0 281->284 284->263 287 ba1b7a-ba1b99 call ba1cb0 284->287 287->263 290 ba1b9f-ba1bbe call ba1cb0 287->290 290->263 293 ba1bc4-ba1c1f call ba4a6c * 3 290->293 293->263 300 ba1c21-ba1c28 293->300 300->263 301 ba1c2a-ba1c2d 300->301 301->263 302 ba1c2f-ba1c7c CreateThread * 2 301->302 304 ba1c84-ba1c86 302->304 304->265
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Create$Thread$Heap
                                                                                                                  • String ID: iP+
                                                                                                                  • API String ID: 1054751041-51890417
                                                                                                                  • Opcode ID: 26f900cbed04e092ee0982a3be71c41bf08b15ef31f8e9e270c5fbcd78812b0b
                                                                                                                  • Instruction ID: fe02814033975a6cecd994475b846819a2332bafd913907939e98105c3fb4e1c
                                                                                                                  • Opcode Fuzzy Hash: 26f900cbed04e092ee0982a3be71c41bf08b15ef31f8e9e270c5fbcd78812b0b
                                                                                                                  • Instruction Fuzzy Hash: 5591923421CA089FCF88EF1CD8C26A573E1FB99310F0449B99C4ECB256EA34DA558B91

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 361 7f63ca4-7f63cbb 362 7f63cc1-7f63cd3 CreateToolhelp32Snapshot 361->362 363 7f63d5b-7f63d74 361->363 364 7f63cd5-7f63ceb Process32First 362->364 365 7f63d43-7f63d55 SleepEx 362->365 366 7f63d36-7f63d38 364->366 365->362 365->363 367 7f63ced-7f63d04 call 7f65000 366->367 368 7f63d3a-7f63d3b 366->368 371 7f63d06-7f63d08 367->371 368->365 372 7f63d1c-7f63d23 call 7f64678 371->372 373 7f63d0a-7f63d18 371->373 376 7f63d28-7f63d30 Process32Next 372->376 373->371 374 7f63d1a 373->374 374->376 376->366
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Process32$CreateFirstNextSleepSnapshotToolhelp32
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1819645093-0
                                                                                                                  • Opcode ID: 1adf98eb8c503d42aecd34c6b39fce325a4a04e32c54699d588d18b6d36bf1ef
                                                                                                                  • Instruction ID: 8a880de4004a1a1c2c2f154ffad8b8d0e953cd7d89ab0aa05c64f882b0f59af4
                                                                                                                  • Opcode Fuzzy Hash: 1adf98eb8c503d42aecd34c6b39fce325a4a04e32c54699d588d18b6d36bf1ef
                                                                                                                  • Instruction Fuzzy Hash: 06113370218A4E8FEB14EF24C48C3BA76E2FF88314F1C0A79D94BDA295DB7484818741

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: File$AttributesCreateTime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1986686026-0
                                                                                                                  • Opcode ID: f5498ff0e911ccfe91ba0c0551e8fa87a213adc709a22552d401718206ad2213
                                                                                                                  • Instruction ID: 01da2e76254ca16ecdcafc00855c252dbb7edaba6cbf14917f9ddb4de14cd0ad
                                                                                                                  • Opcode Fuzzy Hash: f5498ff0e911ccfe91ba0c0551e8fa87a213adc709a22552d401718206ad2213
                                                                                                                  • Instruction Fuzzy Hash: E821103170CA4C8FDFA4EF69D88879E76E2FBD8301F10456DA84EC7255DA34CA458782

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 387 7f64d50-7f64d99 call 7f64e6c 391 7f64e23-7f64e52 call 7f65224 ObtainUserAgentString 387->391 392 7f64d9f 387->392 394 7f64da1-7f64de3 call 7f64e6c RegQueryValueExA 392->394 398 7f64de5-7f64e04 call 7f65224 call 7f6502c 394->398 399 7f64e53 call 7f65224 394->399 402 7f64e58-7f64e5d 398->402 408 7f64e06-7f64e17 398->408 399->402 404 7f64e5f 402->404 405 7f64e19-7f64e1a 402->405 404->394 405->391 408->405
                                                                                                                  APIs
                                                                                                                  • RegQueryValueExA.KERNEL32 ref: 07F64DD5
                                                                                                                  • ObtainUserAgentString.URLMON ref: 07F64E3E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AgentObtainQueryStringUserValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4107646653-0
                                                                                                                  • Opcode ID: 997ac8fe02efc5f307ac4cae89ba3b52f0d6671010cb042dd0c96d2438d46594
                                                                                                                  • Instruction ID: 0d6f891c8229b4ee6fd8eaf29c13bed245c7eb4e8143916153f2a17f78e9180e
                                                                                                                  • Opcode Fuzzy Hash: 997ac8fe02efc5f307ac4cae89ba3b52f0d6671010cb042dd0c96d2438d46594
                                                                                                                  • Instruction Fuzzy Hash: 3431B275608A488FDB18FF68E88D5E977E2FB98310B04027AE84EC7145EE60D90287D2

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 07F64BE0: GetVolumeInformationA.KERNEL32 ref: 07F64C4D
                                                                                                                  • CreateMutexExA.KERNEL32 ref: 07F61DA7
                                                                                                                  • CreateFileMappingA.KERNEL32 ref: 07F61E54
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Create$FileInformationMappingMutexVolume
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3260430491-0
                                                                                                                  • Opcode ID: 97bb87496fde6e4db97111b52ca229a5d1b0978d98986e1021884b3d981a9ef1
                                                                                                                  • Instruction ID: 78bb5b6b0850d5c07d24168b668133a65157600ccabf6b009c610d5322bdd747
                                                                                                                  • Opcode Fuzzy Hash: 97bb87496fde6e4db97111b52ca229a5d1b0978d98986e1021884b3d981a9ef1
                                                                                                                  • Instruction Fuzzy Hash: DA3172B0B14F488FCB65EB39C44C3AF76D2EB99305F58492E809ED7241CF74A6068786

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 410 ba1d34-ba1dbf call ba4be0 call ba4e6c call ba5224 CreateMutexExA 419 ba1dc1-ba1dce 410->419 420 ba1dd6-ba1e27 call ba5308 call ba5280 call ba4d50 call ba51cc call ba5224 call ba1ea4 410->420 419->420 434 ba1e29 420->434 435 ba1e33-ba1e5b CreateFileMappingA 420->435 434->435 436 ba1e61-ba1e64 call ba223c 435->436 438 ba1e69-ba1e6b 436->438 438->436 439 ba1e6d-ba1e74 438->439 440 ba1e76-ba1e7d 439->440 441 ba1e87 439->441 440->441 442 ba1e7f-ba1e82 call ba2cac 440->442 443 ba1e8c-ba1e9a 441->443 442->441 446 ba1e9c 443->446 446->436
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00BA4BE0: GetVolumeInformationA.KERNEL32 ref: 00BA4C4D
                                                                                                                  • CreateMutexExA.KERNEL32 ref: 00BA1DA7
                                                                                                                  • CreateFileMappingA.KERNEL32 ref: 00BA1E54
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: Create$FileInformationMappingMutexVolume
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3260430491-0
                                                                                                                  • Opcode ID: 97bb87496fde6e4db97111b52ca229a5d1b0978d98986e1021884b3d981a9ef1
                                                                                                                  • Instruction ID: 073afa72a09ff8271732fb156fc0b2ba4299632d60bef7fe599218ab369035a9
                                                                                                                  • Opcode Fuzzy Hash: 97bb87496fde6e4db97111b52ca229a5d1b0978d98986e1021884b3d981a9ef1
                                                                                                                  • Instruction Fuzzy Hash: 6431A430708F484FCBA5EB39C0093AF76D2EB9A305F544C6E949FD6241CF749A068746

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • GetTokenInformation.KERNELBASE ref: 07F649EC
                                                                                                                  • GetTokenInformation.KERNELBASE ref: 07F64A1C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationToken
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4114910276-0
                                                                                                                  • Opcode ID: 652aecce9067a30358b91952564671c85239d7f531018ec1d7311adbfa28af3f
                                                                                                                  • Instruction ID: 4fdedbc43e60d7bd6716ecbb0ec993e34a4882d33d48d421d2be50521b9c1e5c
                                                                                                                  • Opcode Fuzzy Hash: 652aecce9067a30358b91952564671c85239d7f531018ec1d7311adbfa28af3f
                                                                                                                  • Instruction Fuzzy Hash: 0C215434608A488FC754EF2CD4885AAB7F1FFD9311B044A5EE49BD7264CB70E945CB82

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 484 ba49a0-ba49cb 486 ba4a53-ba4a64 484->486 487 ba49d1-ba4a23 GetTokenInformation call ba5280 GetTokenInformation 484->487 490 ba4a2b-ba4a49 call ba5224 487->490 490->486
                                                                                                                  APIs
                                                                                                                  • GetTokenInformation.KERNELBASE ref: 00BA49EC
                                                                                                                  • GetTokenInformation.KERNELBASE ref: 00BA4A1C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationToken
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4114910276-0
                                                                                                                  • Opcode ID: 652aecce9067a30358b91952564671c85239d7f531018ec1d7311adbfa28af3f
                                                                                                                  • Instruction ID: af5a16b5a3afed303f587736f914fe62cab75eb69065fa6ed9483805eb047e07
                                                                                                                  • Opcode Fuzzy Hash: 652aecce9067a30358b91952564671c85239d7f531018ec1d7311adbfa28af3f
                                                                                                                  • Instruction Fuzzy Hash: E8214234208B488FC754EF2CD4886AAB7F1FFD9311B004A5EE49AC7264CB70E945CB82

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 504 ba3ca4-ba3cbb 505 ba3d5b-ba3d74 504->505 506 ba3cc1-ba3cd3 CreateToolhelp32Snapshot 504->506 507 ba3d43-ba3d55 SleepEx 506->507 508 ba3cd5-ba3ceb 506->508 507->505 507->506 510 ba3d36-ba3d38 508->510 511 ba3d3a-ba3d3b 510->511 512 ba3ced-ba3d04 call ba5000 510->512 511->507 515 ba3d06-ba3d08 512->515 516 ba3d0a-ba3d18 515->516 517 ba3d1c-ba3d23 call ba4678 515->517 516->515 519 ba3d1a 516->519 520 ba3d28-ba3d2e 517->520 519->520 520->510
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateSleepSnapshotToolhelp32
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 684154974-0
                                                                                                                  • Opcode ID: 1adf98eb8c503d42aecd34c6b39fce325a4a04e32c54699d588d18b6d36bf1ef
                                                                                                                  • Instruction ID: f588b8948ff237f1a4cd573a8a7f1923d21cc534ce9a8b37a0250590e48103ec
                                                                                                                  • Opcode Fuzzy Hash: 1adf98eb8c503d42aecd34c6b39fce325a4a04e32c54699d588d18b6d36bf1ef
                                                                                                                  • Instruction Fuzzy Hash: A911363020CA498FDB14EF24C4883BA76D2FB8A314F180AB9E48BDA295DB7489418741

Control-flow Graph (basic block id: address range, imported API calls made in the block; -> lists successor blocks)

524: 7f63d80-7f63d90 -> 525, 526
525: 7f63db6-7f63dc4
526: 7f63d92-7f63db4 EnumWindows SleepEx -> 525, 526
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: EnumSleepWindows
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 498413330-0
                                                                                                                  • Opcode ID: f3c7586747357b588c35315657a812ba148d3fa2d02c4e479e86db6dcc9cbd3e
                                                                                                                  • Instruction ID: 3239ebca653b960446de560d7c882fb118cb1853ebb1114ef54174478a26682b
                                                                                                                  • Opcode Fuzzy Hash: f3c7586747357b588c35315657a812ba148d3fa2d02c4e479e86db6dcc9cbd3e
                                                                                                                  • Instruction Fuzzy Hash: FFE04FB0A0868E4FEB18DBB4C4CC7F63691DB19205F5808B9DD4BDD696C6A65484C312

Control-flow Graph (basic block id: address range, imported API calls made in the block; -> lists successor blocks)

521: ba3d80-ba3d90 -> 522, 523
522: ba3d92-ba3db4 EnumWindows SleepEx -> 522, 523
523: ba3db6-ba3dc4
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: EnumSleepWindows
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 498413330-0
                                                                                                                  • Opcode ID: f3c7586747357b588c35315657a812ba148d3fa2d02c4e479e86db6dcc9cbd3e
                                                                                                                  • Instruction ID: db63dc6b292757d9cc0bb4d2c4a94669f9b4a8a1eb595e6edc9406dfebf39b54
                                                                                                                  • Opcode Fuzzy Hash: f3c7586747357b588c35315657a812ba148d3fa2d02c4e479e86db6dcc9cbd3e
                                                                                                                  • Instruction Fuzzy Hash: 42E04F30A086898FEB58EBB4C4CC7F636D1DB1A305F5808B9DC4ADD696C6AA5984C311
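The three control-flow graphs above (functions ba3ca4, 7f63d80 and ba3d80) share one shape: an enumeration API sits inside a cycle together with SleepEx, so the process list (CreateToolhelp32Snapshot) or the set of top-level windows (EnumWindows) is re-read after every sleep. That is a polling loop, the shape behind the "Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)" signature in the overview; what the loop compares in its internal calls (ba5000, ba4678) is not shown on this page. The Python below is an added example, not Joe Sandbox code: it parses the report's flat control_flow_graph text (the format is inferred from these lines: an id followed by an address range opens a block, capitalised labels on a block are imported API names, a->b is an edge), finds the cycles with Tarjan's SCC algorithm, and lists the APIs called inside each cycle. The three sample strings are copied verbatim from this report; parse_cfg, find_loops and polling_loops are this example's own names.

```python
import re
from collections import defaultdict

# The three control_flow_graph strings copied verbatim from this report (explorer.exe,
# PID 3; dumps at 0x00BA1000 and 0x07F61000). Format as inferred from these lines:
# "<id> <start>[-<end>] [labels...]" defines a basic block, "<a>-><b>" is an edge.
SAMPLE_CFGS = {
    "ba3ca4": "control_flow_graph 504 ba3ca4-ba3cbb 505 ba3d5b-ba3d74 504->505 506 ba3cc1-ba3cd3 CreateToolhelp32Snapshot 504->506 507 ba3d43-ba3d55 SleepEx 506->507 508 ba3cd5-ba3ceb 506->508 507->505 507->506 510 ba3d36-ba3d38 508->510 511 ba3d3a-ba3d3b 510->511 512 ba3ced-ba3d04 call ba5000 510->512 511->507 515 ba3d06-ba3d08 512->515 516 ba3d0a-ba3d18 515->516 517 ba3d1c-ba3d23 call ba4678 515->517 516->515 519 ba3d1a 516->519 520 ba3d28-ba3d2e 517->520 519->520 520->510",
    "7f63d80": "control_flow_graph 524 7f63d80-7f63d90 525 7f63db6-7f63dc4 524->525 526 7f63d92-7f63db4 EnumWindows SleepEx 524->526 526->525 526->526",
    "ba3d80": "control_flow_graph 521 ba3d80-ba3d90 522 ba3d92-ba3db4 EnumWindows SleepEx 521->522 523 ba3db6-ba3dc4 521->523 522->522 522->523",
}

RANGE_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")   # "ba3d1a" or "ba3ca4-ba3cbb"
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(line):
    """Return ({block_id: {"range": str, "apis": [...]}}, [(src, dst), ...])."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes, edges, cur, i = {}, [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None                      # block labels never follow an edge
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            cur = int(tok)
            nodes[cur] = {"range": tokens[i + 1], "apis": []}
            i += 2
            continue
        # Remaining tokens label the current block: capitalised ones are imported
        # API names; "call <hex>" targets are internal functions and are skipped.
        if cur is not None and tok[0].isupper():
            nodes[cur]["apis"].append(tok)
        i += 1
    return nodes, edges


def find_loops(nodes, edges):
    """Tarjan SCC; an SCC is a loop if it has more than one block or a self-edge.
    Returns [{"blocks": [...], "apis": [...]}] with the APIs called inside each loop."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    index, low, stack, on_stack, sccs = {}, {}, [], set(), []

    def strongconnect(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            sccs.append(sorted(comp))

    for v in sorted(nodes):
        if v not in index:
            strongconnect(v)
    loops = []
    for comp in sccs:
        if len(comp) > 1 or (comp[0], comp[0]) in edges:
            apis = sorted({a for n in comp for a in nodes.get(n, {}).get("apis", [])})
            loops.append({"blocks": comp, "apis": apis})
    return loops


def polling_loops(line):
    """APIs that run inside a cycle; a sleep beside an enumeration API is a poll."""
    nodes, edges = parse_cfg(line)
    return [loop["apis"] for loop in find_loops(nodes, edges) if loop["apis"]]


if __name__ == "__main__":
    for func, line in SAMPLE_CFGS.items():
        for apis in polling_loops(line):
            print(f"{func}: loop calling {', '.join(apis)}")
```

For ba3ca4 the cycle covers eleven of the thirteen blocks (everything except the entry 504 and the exit 505), with CreateToolhelp32Snapshot and SleepEx inside it; for the two EnumWindows functions the cycle is the single self-looping block. Fuzzy hashes and API IDs identify this function family across samples, but the cycle-plus-sleep shape is what tells a triage analyst it is a poll rather than a one-off enumeration.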
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5f808b6709be1d712b9c517ecd9c93eda4043063f06578d6a062a0bf28ad2d93
                                                                                                                  • Instruction ID: f50dda670be94a86b4e270f2fc02997801763a2a1c4c7c1055f75241b6d2e929
                                                                                                                  • Opcode Fuzzy Hash: 5f808b6709be1d712b9c517ecd9c93eda4043063f06578d6a062a0bf28ad2d93
                                                                                                                  • Instruction Fuzzy Hash: A9D17470B18B498FDB58EF68D8496BEB7E2FB98701F14452DE44AC3241DF74D9428B82
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateInstance
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 542301482-0
                                                                                                                  • Opcode ID: 2208a6a82576e187932f5e6c94c4aea895329bbb5408a92f633c0b1253718546
                                                                                                                  • Instruction ID: 6b650e5c7b44ff7448a3beb92aeb3070a3f5b75a9c5569d9b73e7a98a2179c7d
                                                                                                                  • Opcode Fuzzy Hash: 2208a6a82576e187932f5e6c94c4aea895329bbb5408a92f633c0b1253718546
                                                                                                                  • Instruction Fuzzy Hash: F2E1DA34608A488FCF94EF68C889EA9B7F1FFA9305F114659E44ACB265DB70E944CB41
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  • Opcode ID: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
                                                                                                                  • Instruction ID: f62687f760642ce7a5e263ed3da2a73aae2d60cf597dcface3680b00de5c14f9
                                                                                                                  • Opcode Fuzzy Hash: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
                                                                                                                  • Instruction Fuzzy Hash: EA413A3071CA4C4FCBA8EF6C94597AD72D2EB99700F5045ADA80EC7396DE74CE468781
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  • Opcode ID: bce1ea647a0ad53f7809f43b4b76498aa7ec4cacb6875e2a025e8a9db3f2ac28
                                                                                                                  • Instruction ID: ce987026576f42007bb827f8d6078b8bf77680bb8e1eb9aafde6ebc6ac943f5d
                                                                                                                  • Opcode Fuzzy Hash: bce1ea647a0ad53f7809f43b4b76498aa7ec4cacb6875e2a025e8a9db3f2ac28
                                                                                                                  • Instruction Fuzzy Hash: A141B37071CE094FD75CEA6C9C5C3BAB6D2EBC9261F18062EA4AFC3351DE2498164782
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 823142352-0
                                                                                                                  • Opcode ID: bce1ea647a0ad53f7809f43b4b76498aa7ec4cacb6875e2a025e8a9db3f2ac28
                                                                                                                  • Instruction ID: f361a814a0b9c63663eb8fe4f806c991392deca9050d59d75f4ba7f59c7a77ac
                                                                                                                  • Opcode Fuzzy Hash: bce1ea647a0ad53f7809f43b4b76498aa7ec4cacb6875e2a025e8a9db3f2ac28
                                                                                                                  • Instruction Fuzzy Hash: 7041A23071CF090FD75CAA6C98593BAB6C1EBCA711F14066EA49FC3352DE2499024781
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: QueryValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3660427363-0
                                                                                                                  • Opcode ID: 997ac8fe02efc5f307ac4cae89ba3b52f0d6671010cb042dd0c96d2438d46594
                                                                                                                  • Instruction ID: ce1eea77e614cf637bb23a1f366d971e70ab942e0fb39f5b99f4eb7e656c7c3a
                                                                                                                  • Opcode Fuzzy Hash: 997ac8fe02efc5f307ac4cae89ba3b52f0d6671010cb042dd0c96d2438d46594
                                                                                                                  • Instruction Fuzzy Hash: B531743160CA4C8FDB18EF68E8895E977D5FB99314B0002BAE84EC7145EF709D4587D1
                                                                                                                  APIs
                                                                                                                  • GetVolumeInformationA.KERNEL32 ref: 07F64C4D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationVolume
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2039140958-0
                                                                                                                  • Opcode ID: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
                                                                                                                  • Instruction ID: 44fcd4a0542779d0243649d9d094ed8fbe37e37748e94ff6afb6b0d9ac9fc8c8
                                                                                                                  • Opcode Fuzzy Hash: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
                                                                                                                  • Instruction Fuzzy Hash: 61317B30614A4C8FD764EF68C8486EA77E1FBE8311F10466E994EC7264DE30DA45CBC2
                                                                                                                  APIs
                                                                                                                  • GetVolumeInformationA.KERNEL32 ref: 00BA4C4D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: InformationVolume
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2039140958-0
                                                                                                                  • Opcode ID: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
                                                                                                                  • Instruction ID: e47286072ea36bfed45c22fae9867753f0c644b95cad93da92fd5da4900cb56b
                                                                                                                  • Opcode Fuzzy Hash: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
                                                                                                                  • Instruction Fuzzy Hash: 3D315530618A4C4FD7A4EF68C4486EA77E1FBE8311F10466EA94EC7265DE70DA45CBC1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 07F619A0: RtlCreateHeap.NTDLL ref: 07F61ABB
                                                                                                                  • SleepEx.KERNEL32(?,?,?,?,?,?,?,07F61943), ref: 07F61970
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateHeapSleep
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 221814145-0
                                                                                                                  • Opcode ID: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
                                                                                                                  • Instruction ID: b5a5c5077fe56b589e84cfdff298bbfb0ec36ae269d8940b394259b4b4263297
                                                                                                                  • Opcode Fuzzy Hash: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
                                                                                                                  • Instruction Fuzzy Hash: 9DE048A0B14B0D4BDB98BB68D4CC32C7192DB89154F4C09796559C7295E9258C854312
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00BA19A0: RtlCreateHeap.NTDLL ref: 00BA1ABB
                                                                                                                  • SleepEx.KERNEL32(?,?,?,?,?,?,?,00BA1943), ref: 00BA1970
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateHeapSleep
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 221814145-0
                                                                                                                  • Opcode ID: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
                                                                                                                  • Instruction ID: 1cdeeee279c200e5be50863e4aae222d6dcdb5b00e47a18bba594b2c50e17814
                                                                                                                  • Opcode Fuzzy Hash: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
                                                                                                                  • Instruction Fuzzy Hash: D9E04F2071CB080BDBD8BB6CD4D532D66D1DB8A350F940DF9B95ED7296D9298C86C312
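Every function in this part of the report appears twice, once in the 0x00BA1000 dump and once in the 0x07F61000 dump of explorer.exe (PID 3), with the same Opcode ID but a different Instruction ID, and the API reference addresses sit at identical offsets from the two bases (SleepEx at +0x970, RtlCreateHeap at +0xABB, GetVolumeInformationA at +0x3C4D). That is consistent with one injected payload mapped at two addresses in the same process. The Python below is an added example, not part of the Joe Sandbox report: it parses an excerpt of these records copied from this page, keys them on Opcode ID (the page itself shows that value staying stable across the two bases while the Instruction ID changes), and checks whether the API call sites line up at the same relative offsets. parse_records, call_layout and shared_functions are this example's own names.

```python
import re
from collections import defaultdict

# Constructed excerpt: five function records copied from this report (explorer.exe,
# PID 3, dumps at 0x00BA1000 and 0x07F61000), trimmed to the bullet lines the
# parser needs. The bullet "•" is the report's own field marker.
REPORT_EXCERPT = """
• GetVolumeInformationA.KERNEL32 ref: 07F64C4D
• Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
• API ID: InformationVolume
• Opcode ID: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
• Instruction ID: 44fcd4a0542779d0243649d9d094ed8fbe37e37748e94ff6afb6b0d9ac9fc8c8
• Instruction Fuzzy Hash: 61317B30614A4C8FD764EF68C8486EA77E1FBE8311F10466E994EC7264DE30DA45CBC2
• GetVolumeInformationA.KERNEL32 ref: 00BA4C4D
• Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
• API ID: InformationVolume
• Opcode ID: 849063828afd568fceaff528b4835c67d3789973111070d710bf79c2b37fb4e8
• Instruction ID: e47286072ea36bfed45c22fae9867753f0c644b95cad93da92fd5da4900cb56b
• Instruction Fuzzy Hash: 3D315530618A4C4FD7A4EF68C4486EA77E1FBE8311F10466EA94EC7265DE70DA45CBC1
• Part of subcall function 07F619A0: RtlCreateHeap.NTDLL ref: 07F61ABB
• SleepEx.KERNEL32(?,?,?,?,?,?,?,07F61943), ref: 07F61970
• Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
• API ID: CreateHeapSleep
• Opcode ID: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
• Instruction ID: b5a5c5077fe56b589e84cfdff298bbfb0ec36ae269d8940b394259b4b4263297
• Instruction Fuzzy Hash: 9DE048A0B14B0D4BDB98BB68D4CC32C7192DB89154F4C09796559C7295E9258C854312
• Part of subcall function 00BA19A0: RtlCreateHeap.NTDLL ref: 00BA1ABB
• SleepEx.KERNEL32(?,?,?,?,?,?,?,00BA1943), ref: 00BA1970
• Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
• API ID: CreateHeapSleep
• Opcode ID: 27439b667a4ceb6ac9e8a4e5b9f5677b2aaa942c4ffff63dd0c687c138e059ef
• Instruction ID: 1cdeeee279c200e5be50863e4aae222d6dcdb5b00e47a18bba594b2c50e17814
• Instruction Fuzzy Hash: D9E04F2071CB080BDBD8BB6CD4D532D66D1DB8A350F940DF9B95ED7296D9298C86C312
• Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
• API ID: CreateFile
• Opcode ID: 8d1e4db704517eea09dd1d3d297329f0e9ff07853cce15996669b6bd33a65373
• Instruction ID: f62687f760642ce7a5e263ed3da2a73aae2d60cf597dcface3680b00de5c14f9
• Instruction Fuzzy Hash: EA413A3071CA4C4FCBA8EF6C94597AD72D2EB99700F5045ADA80EC7396DE74CE468781
"""

# "API.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X: "
REF_RE = re.compile(r"•\s*(Part of subcall function [0-9A-F]+: )?(\w+)\.(\w+)(\([^)]*\))?,?\s+ref:\s+([0-9A-F]+)")
SRC_RE = re.compile(r"•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-F]+),\s*based on PE:\s*(\w+)")
KV_RE = re.compile(r"•\s*([A-Za-z ]+?):\s*(.*)$")


def parse_records(text):
    """One dict per function; a record ends at its 'Instruction Fuzzy Hash' line,
    the last field the report prints for a function."""
    records, cur = [], {"calls": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = REF_RE.match(line)
        if m:
            cur["calls"].append({"api": m.group(2), "module": m.group(3),
                                 "ref": int(m.group(5), 16), "subcall": m.group(1) is not None})
            continue
        m = SRC_RE.match(line)
        if m:
            cur["source"], cur["region_base"] = m.group(1), int(m.group(2), 16)
            continue
        m = KV_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"calls": []}
    return records


def call_layout(record):
    """API call sites as (api, offset from the dump base): a function mapped at a
    different base keeps the same offsets, so layouts are comparable across dumps."""
    return sorted((c["api"], c["ref"] - record["region_base"]) for c in record["calls"])


def shared_functions(records):
    """Opcode IDs seen in more than one dump, the bases they were found at, and
    whether every copy has its call sites at identical offsets."""
    by_opcode = defaultdict(list)
    for r in records:
        by_opcode[r["Opcode ID"]].append(r)
    shared = {}
    for opcode_id, recs in by_opcode.items():
        regions = sorted({r["region_base"] for r in recs})
        if len(regions) < 2:
            continue
        shared[opcode_id] = {
            "api_id": recs[0].get("API ID", ""),
            "regions": regions,
            "instruction_ids": sorted({r["Instruction ID"] for r in recs}),
            "layout": call_layout(recs[0]),
            "same_layout": len({tuple(call_layout(r)) for r in recs}) == 1,
        }
    return shared


if __name__ == "__main__":
    for opcode_id, info in shared_functions(parse_records(REPORT_EXCERPT)).items():
        bases = ", ".join(f"0x{b:08X}" for b in info["regions"])
        print(f"{info['api_id'] or '<no API>'} {opcode_id[:12]}... at {bases}; "
              f"call offsets {info['layout']}; identical layout: {info['same_layout']}")
```

Run against the excerpt, the two InformationVolume and the two CreateHeapSleep records pair up (one copy per base, identical call offsets, distinct Instruction IDs), while the lone CreateFile record at 0x00BA1000 is left out because it was only dumped once. The same grouping applied to a full report is a quick way to tell "one payload, two mappings" apart from two genuinely different code blobs before spending time in the disassembler.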
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2727337644.0000000007F61000.00000020.80000000.00040000.00000000.sdmp, Offset: 07F61000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_7f61000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000003.00000002.2723120684.0000000000BA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00BA1000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_3_2_ba1000_explorer.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:32%
                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                  Signature Coverage:0%
                                                                                                                  Total number of Nodes:40
                                                                                                                  Total number of Limit Nodes:7

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 009E0156
                                                                                                                  • CreateProcessA.KERNELBASE(?,00000000), ref: 009E0255
                                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 009E0270
                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 009E0283
                                                                                                                  • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 009E029F
                                                                                                                  • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 009E02C8
                                                                                                                  • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 009E02E3
                                                                                                                  • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 009E0304
                                                                                                                  • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 009E032A
                                                                                                                  • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 009E0399
                                                                                                                  • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 009E03BF
                                                                                                                  • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 009E03E1
                                                                                                                  • ResumeThread.KERNELBASE(00000000), ref: 009E03ED
                                                                                                                  • ExitProcess.KERNEL32(00000000), ref: 009E0412
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1725536589.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_9e0000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFreeReadResumeSectionUnmapView
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3993611425-0

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 009E0533
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1725536589.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_9e0000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateWindow
                                                                                                                  • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                                                                                                                  • API String ID: 716092398-2341455598

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • GetFileAttributesA.KERNELBASE(apfHQ), ref: 009E05EC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1725536589.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_9e0000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesFile
                                                                                                                  • String ID: apfHQ$o
                                                                                                                  • API String ID: 3188754299-2999369273

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A1F3B7
                                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 00A1F3D7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1725623182.0000000000A18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A18000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_a18000_vbjcjjt.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3833638111-0

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00A1F09F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000005.00000002.1725623182.0000000000A18000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A18000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_5_2_a18000_vbjcjjt.jbxd
                                                                                                                  Yara matches
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4275171209-0

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:12.6%
                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                  Signature Coverage:0%
                                                                                                                  Total number of Nodes:23
                                                                                                                  Total number of Limit Nodes:0

                                                                                                                  Callgraph


                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                                                  • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.1775746726.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessSleepTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 417527130-0

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                                                  • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.1775746726.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessSleepTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 417527130-0

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                                                  • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.1775746726.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessSleepTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 417527130-0

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                                                  • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.1775746726.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessSleepTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 417527130-0

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(00001388), ref: 00401846
                                                                                                                  • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.1775746726.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProcessSleepTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 417527130-0

                                                                                                                  Control-flow Graph

                                                                                                                  [Control-flow graph image; legend: Executed / Not Executed. Function at 402bef, with a loop over 402c44-402c70 and a call to RtlCreateUserThread in the block 402c91-402ced before exiting at 402cef.]
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.1775746726.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbjcjjt.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateThreadUser
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1531140918-0