
Windows Analysis Report
MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac.zip

Overview

General Information

Sample Name: MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac.zip
Analysis ID: 718403
MD5: 19267aa1300759962524e4967a50d4a1
SHA1: f20fa2514592e7695b59f1081a27f4a58341ee6b
SHA256: 973e9e6711561e69784ad7449e95ea8720f28e4792d8ff61a818106ee45fa118

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara signature match
Tries to load missing DLLs
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Contains functionality to communicate with device drivers
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

  • System is w10x64_ra
  • hfs.exe (PID: 1472 cmdline: "C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe" MD5: 9E8557E98ED1269372FF0ACE91D63477)
    • chrome.exe (PID: 340 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://localhost/ MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
      • chrome.exe (PID: 320 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1800,i,15845607598309569979,15213409677868717559,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
  • hfs.exe (PID: 2592 cmdline: "C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe" MD5: 9E8557E98ED1269372FF0ACE91D63477)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | (none)

Source | Rule | Description | Author | Strings
8.0.hfs.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | (none)
8.0.hfs.exe.400000.0.unpack | INDICATOR_TOOL_HFS_WebServer | Detects HFS Web Server | ditekSHen | see matched strings below
  • 0x37ac:$s1: SOFTWARE\Borland\Delphi\
  • 0x11b120:$s2: C:\code\mine\hfs\scriptLib.pas
  • 0x125a40:$s2: C:\code\mine\hfs\scriptLib.pas
  • 0x126054:$s3: hfs.*;*.htm*;descript.ion;*.comment;*.md5;*.corrupted;*.lnk
  • 0x157cd5:$s3: hfs.*;*.htm*;descript.ion;*.comment;*.md5;*.corrupted;*.lnk
  • 0x157478:$s4: Server: HFS
No Sigma rule has matched
No Snort rule has matched


Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: hfs.exe, 00000008.00000003.1504639466.0000000000732000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1603714019.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HTTP://TRENTRICHARDSON.COM
Source: hfs.exe, 00000008.00000003.1504639466.0000000000732000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1603714019.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HTTP://TRENTRICHARDSON.COM/IMPROMPTU/GPL-LICENSE.TXT
Source: hfs.exe, 00000008.00000003.1504639466.0000000000732000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1603714019.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HTTP://TRENTRICHARDSON.COM/IMPROMPTU/MIT-LICENSE.TXT
Source: hfs.exe, 00000009.00000003.1603800287.000000000089D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HTTP://WWW.REJE
Source: hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: HTTP://WWW.REJETTO.COM/HFS/
Source: hfs.exe, 00000008.00000002.2105720860.0000000000D2A000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1606570097.000000000253A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.3/
Source: hfs.exe, 00000008.00000002.2100836601.000000000019A000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.3/.3/x
Source: hfs.exe, 00000009.00000003.1606570097.000000000253A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.3/.js
Source: hfs.exe, 00000008.00000002.2102065800.00000000006CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://192.168.2.3/L
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://2ip.ru
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://hfsservice.rejetto.com/ipservices.php
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://hfstest.rejetto.com/?port=
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000008.00000002.2104806639.0000000000C44000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jquery.com/
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000008.00000002.2104806639.0000000000C44000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jquery.org/license
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://rejetto.webfactional.com/hfs/ip.php
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000008.00000002.2104806639.0000000000C44000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://sizzlejs.com/
Source: hfs.exe, 00000008.00000002.2106879567.0000000004970000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000009.00000003.1604528294.00000000049C7000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1605338134.0000000002484000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://trentrichardson.com
Source: hfs.exe, 00000008.00000002.2106879567.0000000004970000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000009.00000003.1604528294.00000000049C7000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1605338134.0000000002484000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://trentrichardson.com/Impromptu/GPL-LICENSE.txt
Source: hfs.exe, 00000008.00000002.2106879567.0000000004970000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000009.00000003.1604528294.00000000049C7000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1605338134.0000000002484000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://trentrichardson.com/Impromptu/MIT-LICENSE.txt
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.alexnolan.net/ip/
Source: hfs.exe, 00000008.00000002.2102534464.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1606850658.0000000000856000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.canyouseeme.org
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.cjb.net/cgi-bin/dynip.cgi?username=
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.mario-online.com/mio_indirizzo_ip.php
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.melauto.it/public/rejetto/ip.php
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/forum/
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/forum/U
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/hfs-donate
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/hfs-donateU
Source: hfs.exe, 00000009.00000003.1605338134.0000000002484000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604784665.000000000241A000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604447474.00000000049B2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rejetto.com/hfs/
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/hfs/U
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/hfs/guide/
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/hfs/guide/U
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/hfs/guide/intro.html
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/hfs/guide/intro.htmlU
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/hfs/hfs.updateinfo.txt
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/sw/?faq=hfs
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/sw/?faq=hfsU
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/sw/license.txt
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/sw/license.txtU
Source: hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.rejetto.com/wiki/?title=HFS:_Event_scripts
Source: hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.whatsmyrealip.com/
Source: hfs.exe, 00000008.00000002.2102534464.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1606850658.0000000000856000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: hfs.exe, 00000008.00000002.2102534464.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1606850658.0000000000856000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: hfs.exe, 00000008.00000002.2102534464.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1606850658.0000000000856000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/88.0.1/releasenotes
Source: unknown | HTTP traffic detected:
  POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
  Host: accounts.google.com
  Connection: keep-alive
  Content-Length: 1
  Origin: https://www.google.com
  Content-Type: application/x-www-form-urlencoded
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: CONSENT=PENDING+620; __Secure-ENID=6.SE=cJKCBuSaL1dV3R8z2Y2al7-m2m5bGA74lqbYYkqC3uy-NtZ1f6n_bCBr25tlnnjvdmLpGQ81ZKzP3Te5vVjpSQjYWCwvlOMApK7tmZNWcORu0p4wniPJGQfTslQNnpQWhG9qkwkEgy49-6UG3UQ1eiUyFolJZWLeUM1p4KvjM9E
Source: unknown | DNS traffic detected: queries for: accounts.google.com
Source: global traffic | HTTP traffic detected:
  GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
  Host: clients2.google.com
  Connection: keep-alive
  X-Goog-Update-Interactivity: fg
  X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
  X-Goog-Update-Updater: chromecrx-104.0.5112.102
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9

      System Summary

Source: 8.0.hfs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HFS Web Server Author: ditekSHen
Source: 8.0.hfs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_HFS_WebServer author = ditekSHen, description = Detects HFS Web Server
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Code function: 8_2_00407FCE: DeviceIoControl,8_2_00407FCE
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown | Process created: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe "C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe"
Source: unknown | Process created: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe "C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe"
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://localhost/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1800,i,15845607598309569979,15213409677868717559,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://localhost/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1800,i,15845607598309569979,15213409677868717559,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Mutant created: \Sessions\1\BaseNamedObjects\HttpFileServer
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | File created: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\test.tmp~1090807242.tmp
Source: classification engine | Classification label: mal48.winZIP@24/0@5/6
Source: Yara match | File source: 8.0.hfs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Window found: window name: TButton
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Code function: 8_2_004079E6 push 00407A43h; ret 8_2_00407A3B
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Code function: 8_2_004079E8 push 00407A43h; ret 8_2_00407A3B
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Process information set: NOOPENFILEERRORBOX
Source: hfs.exe, 00000008.00000002.2103419605.0000000000721000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://localhost/
Source: C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe | Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,8_2_00407070
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Process Injection | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 3 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 11 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 4 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Ingress Tool Transfer | SIM Card Swap | Carrier Billing Fraud |
[Behavior graph (ID 718403; sample MDE_File_Sample_d0c4192b65e...; start date 07/10/2022; architecture WINDOWS; score 48): signature "Malicious sample detected (through community Yara rule)"; two hfs.exe processes started; hfs.exe started chrome.exe, which contacted 192.168.2.1 (unknown) and 239.255.255.250 (Reserved) and started a child chrome.exe that connected to accounts.google.com (142.250.186.45, port 443 from 49694, GOOGLEUS, United States), 172.217.16.196 (port 443 from 49713, GOOGLEUS, United States) and 5 other IPs or domains.]

      No Antivirus matches
Source | Detection | Scanner | Label
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
http://192.168.2.3/.js | 0% | Avira URL Cloud | safe
http://www.alexnolan.net/ip/ | 0% | Avira URL Cloud | safe
http://www.melauto.it/public/rejetto/ip.php | 0% | Avira URL Cloud | safe
HTTP://WWW.REJE | 0% | Avira URL Cloud | safe
http://rejetto.webfactional.com/hfs/ip.php | 0% | Avira URL Cloud | safe
http://rejetto.webfactional.com/hfs/ip.php | 5% | Virustotal |
http://www.alexnolan.net/ip/ | 0% | Virustotal |
http://www.melauto.it/public/rejetto/ip.php | 2% | Virustotal |
http://192.168.2.3/ | 0% | Avira URL Cloud | safe
http://192.168.2.3/.3/x | 0% | Avira URL Cloud | safe
http://192.168.2.3/L | 0% | Avira URL Cloud | safe
http://www.mario-online.com/mio_indirizzo_ip.php | 0% | Avira URL Cloud | safe
http://www.whatsmyrealip.com/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
accounts.google.com | 142.250.186.45 | true | false | | high
www.google.com | 142.250.185.196 | true | false | | high
clients.l.google.com | 172.217.18.14 | true | false | | high
www.rejetto.com | 94.23.66.84 | true | false | | high
clients2.google.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | false | | high
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
HTTP://WWW.REJETTO.COM/HFS/ | hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.canyouseeme.org | hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | false | | high
http://jquery.org/license | hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000008.00000002.2104806639.0000000000C44000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.rejetto.com/hfs/guide/intro.html | hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | false | | high
http://www.cjb.net/cgi-bin/dynip.cgi?username= | hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | false | | high
http://www.rejetto.com/wiki/?title=HFS:_Event_scripts | hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | false | | high
http://www.alexnolan.net/ip/ | hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://sizzlejs.com/ | hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000008.00000002.2104806639.0000000000C44000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.rejetto.com/sw/?faq=hfsU | hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | false | | high
http://www.rejetto.com/hfs/U | hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | false | | high
http://www.rejetto.com/hfs/hfs.updateinfo.txt | hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | false | | high
HTTP://TRENTRICHARDSON.COM/IMPROMPTU/GPL-LICENSE.TXT | hfs.exe, 00000008.00000003.1504639466.0000000000732000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1603714019.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.rejetto.com/hfs/guide/U | hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp | false | | high
HTTP://WWW.REJE | hfs.exe, 00000009.00000003.1603800287.000000000089D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://192.168.2.3/.js | hfs.exe, 00000009.00000003.1606570097.000000000253A000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://rejetto.webfactional.com/hfs/ip.php | hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp | false | 5%, Virustotal; Avira URL Cloud: safe | unknown
                                            http://www.rejetto.com/hfs/guide/intro.htmlUhfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                              high
                                              http://www.melauto.it/public/rejetto/ip.phphfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmpfalse
                                              • 2%, Virustotal, Browse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.rejetto.com/hfs-donateUhfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                high
                                                http://www.mario-online.com/mio_indirizzo_ip.phphfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.rejetto.com/sw/license.txthfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                  high
                                                  http://www.rejetto.com/hfs/hfs.exe, 00000009.00000003.1605338134.0000000002484000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604784665.000000000241A000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604447474.00000000049B2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.rejetto.com/sw/license.txtUhfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                      high
                                                      http://trentrichardson.com/Impromptu/GPL-LICENSE.txthfs.exe, 00000008.00000002.2106879567.0000000004970000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000009.00000003.1604528294.00000000049C7000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1605338134.0000000002484000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        high
                                                        http://trentrichardson.com/Impromptu/MIT-LICENSE.txthfs.exe, 00000008.00000002.2106879567.0000000004970000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000009.00000003.1604528294.00000000049C7000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1605338134.0000000002484000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.rejetto.com/forum/hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                            high
                                                            http://192.168.2.3/hfs.exe, 00000008.00000002.2105720860.0000000000D2A000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1606570097.000000000253A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.rejetto.com/hfs-donatehfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                              high
                                                              HTTP://TRENTRICHARDSON.COM/IMPROMPTU/MIT-LICENSE.TXThfs.exe, 00000008.00000003.1504639466.0000000000732000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1603714019.00000000008A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://2ip.ruhfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmpfalse
                                                                  high
                                                                  http://192.168.2.3/.3/xhfs.exe, 00000008.00000002.2100836601.000000000019A000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://hfsservice.rejetto.com/ipservices.phphfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                                    high
                                                                    http://www.rejetto.com/hfs/guide/hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                                      high
                                                                      http://www.autoitscript.com/autoit3hfs.exe, 00000008.00000002.2102534464.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1606850658.0000000000856000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.rejetto.com/forum/Uhfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                                          high
                                                                          http://www.whatsmyrealip.com/hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          HTTP://TRENTRICHARDSON.COMhfs.exe, 00000008.00000003.1504639466.0000000000732000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1603714019.00000000008A5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://support.mozilla.orghfs.exe, 00000008.00000002.2102534464.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1606850658.0000000000856000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://192.168.2.3/Lhfs.exe, 00000008.00000002.2102065800.00000000006CD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://trentrichardson.comhfs.exe, 00000008.00000002.2106879567.0000000004970000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000009.00000003.1604528294.00000000049C7000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1605338134.0000000002484000.00000004.00001000.00020000.00000000.sdmp, hfs.exe, 00000009.00000003.1604212828.0000000004962000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://hfstest.rejetto.com/?port=hfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                                                  high
                                                                                  http://jquery.com/hfs.exe, 00000008.00000000.1496967069.0000000000597000.00000002.00000001.01000000.00000005.sdmp, hfs.exe, 00000008.00000002.2104806639.0000000000C44000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.rejetto.com/sw/?faq=hfshfs.exe, 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmpfalse
                                                                                      high
                                                                                      • No. of IPs < 25%
                                                                                      • 25% < No. of IPs < 50%
                                                                                      • 50% < No. of IPs < 75%
                                                                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.45 | accounts.google.com | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
172.217.18.14 | clients.l.google.com | United States | 15169 | GOOGLEUS | false
172.217.16.196 | unknown | United States | 15169 | GOOGLEUS | false
                                                                                      IP
                                                                                      192.168.2.1
                                                                                      127.0.0.1
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 718403
Start date and time: 2022-10-07 17:12:08 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac.zip
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of newly started processes analysed: 12
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winZIP@24/0@5/6
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 7
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .zip
• Excluded processes from analysis (whitelisted): SIHClient.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.190.159.4, 20.190.159.73, 40.126.31.67, 20.190.159.0, 20.190.159.23, 20.190.159.64, 40.126.31.71, 20.190.159.75, 172.217.18.99, 34.104.35.123, 142.250.74.202, 172.217.23.106, 142.250.185.202, 142.250.185.106, 142.250.186.170, 172.217.18.10, 142.250.186.106, 142.250.185.234, 142.250.185.74, 142.250.185.138, 142.250.181.234, 142.250.186.138, 172.217.16.138, 142.250.184.202, 216.58.212.138, 142.250.186.42
• Excluded domains from analysis (whitelisted): fs.microsoft.com, prda.aadg.msidentity.com, edgedl.me.gvt1.com, content-autofill.googleapis.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, clientservices.googleapis.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
                                                                                      No simulations
                                                                                                                              • 185.20.49.7
                                                                                                                              hfs.exeGet hashmaliciousBrowse
                                                                                                                              • 185.20.49.7
                                                                                                                              hfs.exeGet hashmaliciousBrowse
                                                                                                                              • 185.20.49.7
No context
No context
No context
No created / dropped files found
File type: Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit): 7.9997951692076565
TrID:
• ZIP compressed archive (8000/1) 100.00%
File name: MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac.zip
File size: 993420
MD5: 19267aa1300759962524e4967a50d4a1
SHA1: f20fa2514592e7695b59f1081a27f4a58341ee6b
SHA256: 973e9e6711561e69784ad7449e95ea8720f28e4792d8ff61a818106ee45fa118
SHA512: f7e72422c3caaffdd2d5d50e4e279135a26105dcd36a674c6af594abe731aae8e9ba86b03c58862c738a73d0a7e24bc2125f296a4b95a1d9600adb11c619ea96
SSDEEP: 12288:DJnnl2ggPkF+CcOc+3I0dmaHm+QfcayXSVncYKwy/t1ooCsyV1ckuKSdcCo4Rj8j:Nnnng8F6+OPPzC/GyotsiQ3S14RjID
TLSH: C22533E36390656A4EDCDEAD1E2B21D2C19E6D45C3CF168FDE9005B01C4ED920ED7AB8
File Content Preview: PK........dyGU.C...'...$!...$.hfs.exe.. ...........Q._.....Q._...w.Q._...&..uK:~l&.n...X...]c-Y..YB^u...>.j(.t..bI/...?.k..~......tB.n.$.....G.....\.[.n\.......t.|.m?+}Hh.fJ3m...8*..'P.^...7Wzl.X.N].....K..X.....%...]?>.}T9-a.k...29..'.4E.OP9.O.......X..7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2022 17:13:43.454807997 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.454886913 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.455007076 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.458492041 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.458542109 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.509876966 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:43.509952068 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:43.510036945 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:43.510409117 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:43.510442972 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:43.548655987 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.556546926 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.556596041 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.557652950 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.557758093 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.558933973 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.559149981 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.579088926 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:43.590445042 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:43.590495110 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:43.593825102 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:43.593915939 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:43.959955931 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:43.960031986 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:43.960355997 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:43.961004972 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.961080074 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.961158037 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:43.961206913 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:43.961390018 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.963215113 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.963258982 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.992311954 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.992388010 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:43.992433071 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.992604017 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:43.992676020 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:44.000567913 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:44.012363911 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:44.012646914 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:44.012731075 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:44.061609030 CEST | 49693 | 443 | 192.168.2.3 | 172.217.18.14
Oct 7, 2022 17:13:44.061676025 CEST | 443 | 49693 | 172.217.18.14 | 192.168.2.3
Oct 7, 2022 17:13:44.063467026 CEST | 49694 | 443 | 192.168.2.3 | 142.250.186.45
Oct 7, 2022 17:13:44.063519001 CEST | 443 | 49694 | 142.250.186.45 | 192.168.2.3
Oct 7, 2022 17:13:47.022001028 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:47.022072077 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:47.022193909 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:47.022430897 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:47.022464037 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:47.086687088 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:47.087064981 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:47.087121010 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:47.089097977 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:47.089200974 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:47.091578007 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:47.091597080 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:47.091806889 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:47.133877993 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:47.133929968 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:47.233819962 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:57.062248945 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:57.062369108 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Oct 7, 2022 17:13:57.063384056 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:57.121592999 CEST | 49713 | 443 | 192.168.2.3 | 172.217.16.196
Oct 7, 2022 17:13:57.121654987 CEST | 443 | 49713 | 172.217.16.196 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2022 17:13:43.327640057 CEST | 51491 | 53 | 192.168.2.3 | 1.1.1.1
Oct 7, 2022 17:13:43.328864098 CEST | 57861 | 53 | 192.168.2.3 | 1.1.1.1
Oct 7, 2022 17:13:43.346120119 CEST | 53 | 57861 | 1.1.1.1 | 192.168.2.3
Oct 7, 2022 17:13:43.346196890 CEST | 53 | 51491 | 1.1.1.1 | 192.168.2.3
Oct 7, 2022 17:13:44.663065910 CEST | 62901 | 53 | 192.168.2.3 | 1.1.1.1
Oct 7, 2022 17:13:44.697786093 CEST | 53 | 62901 | 1.1.1.1 | 192.168.2.3
Oct 7, 2022 17:13:46.978419065 CEST | 55295 | 53 | 192.168.2.3 | 1.1.1.1
Oct 7, 2022 17:13:46.995682955 CEST | 53 | 55295 | 1.1.1.1 | 192.168.2.3
Oct 7, 2022 17:13:47.000432968 CEST | 57304 | 53 | 192.168.2.3 | 1.1.1.1
Oct 7, 2022 17:13:47.020476103 CEST | 53 | 57304 | 1.1.1.1 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2022 17:13:43.327640057 CEST | 192.168.2.3 | 1.1.1.1 | 0xff01 | Standard query (0) | accounts.google.com | A (IP address) | IN (0x0001) | false
Oct 7, 2022 17:13:43.328864098 CEST | 192.168.2.3 | 1.1.1.1 | 0xbf68 | Standard query (0) | clients2.google.com | A (IP address) | IN (0x0001) | false
Oct 7, 2022 17:13:44.663065910 CEST | 192.168.2.3 | 1.1.1.1 | 0xe599 | Standard query (0) | www.rejetto.com | A (IP address) | IN (0x0001) | false
Oct 7, 2022 17:13:46.978419065 CEST | 192.168.2.3 | 1.1.1.1 | 0x1bd8 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Oct 7, 2022 17:13:47.000432968 CEST | 192.168.2.3 | 1.1.1.1 | 0x66e7 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2022 17:13:43.346120119 CEST | 1.1.1.1 | 192.168.2.3 | 0xbf68 | No error (0) | clients2.google.com | clients.l.google.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 7, 2022 17:13:43.346120119 CEST | 1.1.1.1 | 192.168.2.3 | 0xbf68 | No error (0) | clients.l.google.com | - | 172.217.18.14 | A (IP address) | IN (0x0001) | false
Oct 7, 2022 17:13:43.346196890 CEST | 1.1.1.1 | 192.168.2.3 | 0xff01 | No error (0) | accounts.google.com | - | 142.250.186.45 | A (IP address) | IN (0x0001) | false
Oct 7, 2022 17:13:44.697786093 CEST | 1.1.1.1 | 192.168.2.3 | 0xe599 | No error (0) | www.rejetto.com | - | 94.23.66.84 | A (IP address) | IN (0x0001) | false
Oct 7, 2022 17:13:46.995682955 CEST | 1.1.1.1 | 192.168.2.3 | 0x1bd8 | No error (0) | www.google.com | - | 142.250.185.196 | A (IP address) | IN (0x0001) | false
Oct 7, 2022 17:13:47.020476103 CEST | 1.1.1.1 | 192.168.2.3 | 0x66e7 | No error (0) | www.google.com | - | 172.217.16.196 | A (IP address) | IN (0x0001) | false
• accounts.google.com
• clients2.google.com
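The TCP flows above are all TLS on port 443, so the only way to put a name on a destination is to join the flow's destination IP against the DNS answers (following the CNAME hop for clients2.google.com), and the only way to put a process on a flow is the source port in the HTTPS session tables that follow. The script below does that join. It is an added example written for this page, not part of the Joe Sandbox report or its tooling; its input rows are constructed by copying a few rows from the tables above with " | " as the column separator, the SESSIONS mapping is taken from the session tables further down, and the LOCAL_NET prefix is an assumption about the analysis host's network.

```python
"""Join a sandbox report's DNS answers and TCP flows to name and attribute
each outbound connection. Added example; input rows are constructed from
the report's tables, not parsed from Joe Sandbox output directly."""
from __future__ import annotations

from collections import defaultdict

# Constructed from the DNS answer table: Trans ID | Name | CName | Address | Type
DNS_ANSWERS = """\
0xbf68 | clients2.google.com | clients.l.google.com | | CNAME
0xbf68 | clients.l.google.com | | 172.217.18.14 | A
0xff01 | accounts.google.com | | 142.250.186.45 | A
0xe599 | www.rejetto.com | | 94.23.66.84 | A
0x1bd8 | www.google.com | | 142.250.185.196 | A
0x66e7 | www.google.com | | 172.217.16.196 | A
"""

# Constructed from the TCP table: Timestamp | Src Port | Dst Port | Src IP | Dst IP.
# One outbound packet per flow is enough to identify it.
TCP_PACKETS = """\
17:13:43.454807997 | 49693 | 443 | 192.168.2.3 | 172.217.18.14
17:13:43.454886913 | 443 | 49693 | 172.217.18.14 | 192.168.2.3
17:13:43.509876966 | 49694 | 443 | 192.168.2.3 | 142.250.186.45
17:13:47.022001028 | 49713 | 443 | 192.168.2.3 | 172.217.16.196
"""

# Source port -> process, from the HTTPS session tables (only decrypted sessions appear there).
SESSIONS = {
    49694: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    49693: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
}

LOCAL_NET = "192.168.2."  # assumption: the sandbox guest's subnet


def resolve_names(dns_rows: str) -> dict[str, set[str]]:
    """Map each answered address to every query name that led to it."""
    alias_of: dict[str, str] = {}          # canonical name -> alias that pointed at it
    addr: dict[str, set[str]] = defaultdict(set)
    for line in dns_rows.splitlines():
        _tid, name, cname, ip, rtype = [f.strip() for f in line.split("|")]
        if rtype == "CNAME":
            alias_of[cname] = name
        elif rtype == "A":
            addr[ip].add(name)
    # Walk CNAME chains so the name the client actually asked for is attached too.
    for names in addr.values():
        for n in list(names):
            seen = set()
            while n in alias_of and n not in seen:
                seen.add(n)
                n = alias_of[n]
                names.add(n)
    return dict(addr)


def outbound_flows(tcp_rows: str) -> dict[tuple[str, int], int]:
    """Return {(dst_ip, dst_port): src_port} for flows the guest initiated."""
    flows: dict[tuple[str, int], int] = {}
    for line in tcp_rows.splitlines():
        _ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")]
        if sip.startswith(LOCAL_NET) and not dip.startswith(LOCAL_NET):
            flows.setdefault((dip, int(dport)), int(sport))
    return flows


def correlate(dns_rows: str, tcp_rows: str, sessions: dict[int, str]):
    """Name and attribute each contacted IP; also list names that were
    resolved but never connected to (the DNS tables carry no process column,
    so those can only be flagged, not attributed)."""
    names = resolve_names(dns_rows)
    contacted = {}
    for (dip, dport), sport in outbound_flows(tcp_rows).items():
        contacted[dip] = {
            "names": sorted(names.get(dip, ())),
            "port": dport,
            "process": sessions.get(sport, "unattributed"),
        }
    resolved_only = {ip: sorted(n) for ip, n in names.items() if ip not in contacted}
    return contacted, resolved_only


if __name__ == "__main__":
    hit, miss = correlate(DNS_ANSWERS, TCP_PACKETS, SESSIONS)
    for ip, info in hit.items():
        print(f"{ip}:{info['port']} {info['names']} <- {info['process']}")
    print("resolved but not contacted:", miss)
```

On the report's rows this attributes 172.217.18.14 and 142.250.186.45 to chrome.exe, leaves the 49713 flow to 172.217.16.196 (www.google.com) unattributed because no decrypted session exists for it, and flags 94.23.66.84 (www.rejetto.com) and the first www.google.com answer as resolved but never connected to.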
                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                              0192.168.2.349694142.250.186.45443C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                              2022-10-07 15:13:43 UTC0OUTPOST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
                                                                                                                              Host: accounts.google.com
                                                                                                                              Connection: keep-alive
                                                                                                                              Content-Length: 1
                                                                                                                              Origin: https://www.google.com
                                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                                              Sec-Fetch-Site: none
                                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                                              Sec-Fetch-Dest: empty
                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                                                              Cookie: CONSENT=PENDING+620; __Secure-ENID=6.SE=cJKCBuSaL1dV3R8z2Y2al7-m2m5bGA74lqbYYkqC3uy-NtZ1f6n_bCBr25tlnnjvdmLpGQ81ZKzP3Te5vVjpSQjYWCwvlOMApK7tmZNWcORu0p4wniPJGQfTslQNnpQWhG9qkwkEgy49-6UG3UQ1eiUyFolJZWLeUM1p4KvjM9E
                                                                                                                              2022-10-07 15:13:43 UTC0OUTData Raw: 20
                                                                                                                              Data Ascii:
                                                                                                                              2022-10-07 15:13:44 UTC2INHTTP/1.1 200 OK
                                                                                                                              Content-Type: application/json; charset=utf-8
                                                                                                                              Access-Control-Allow-Origin: https://www.google.com
                                                                                                                              Access-Control-Allow-Credentials: true
                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                              Pragma: no-cache
                                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                                              Date: Fri, 07 Oct 2022 15:13:43 GMT
                                                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport
                                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-gJWoK5UpF_Idx9277-86Zg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self'
                                                                                                                              Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist
                                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                                              Cross-Origin-Opener-Policy: same-origin
                                                                                                                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                                                                              Server: ESF
                                                                                                                              X-XSS-Protection: 0
                                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                              Accept-Ranges: none
                                                                                                                              Vary: Accept-Encoding
                                                                                                                              Connection: close
                                                                                                                              Transfer-Encoding: chunked
                                                                                                                              2022-10-07 15:13:44 UTC | 4 | IN | Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a
                                                                                                                              Data Ascii: 11["gaia.l.a.r",[]]
                                                                                                                              2022-10-07 15:13:44 UTC | 4 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                              Data Ascii: 0


                                                                                                                              Session ID: 1
                                                                                                                              Source IP: 192.168.2.3
                                                                                                                              Source Port: 49693
                                                                                                                              Destination IP: 172.217.18.14
                                                                                                                              Destination Port: 443
                                                                                                                              Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              Timestamp | kBytes transferred | Direction | Data
                                                                                                                              2022-10-07 15:13:43 UTC | 0 | OUT | GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.102&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
                                                                                                                              Host: clients2.google.com
                                                                                                                              Connection: keep-alive
                                                                                                                              X-Goog-Update-Interactivity: fg
                                                                                                                              X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
                                                                                                                              X-Goog-Update-Updater: chromecrx-104.0.5112.102
                                                                                                                              Sec-Fetch-Site: none
                                                                                                                              Sec-Fetch-Mode: no-cors
                                                                                                                              Sec-Fetch-Dest: empty
                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
                                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                                              Accept-Language: en-US,en;q=0.9
                                                                                                                              2022-10-07 15:13:43 UTC | 1 | IN | HTTP/1.1 200 OK
                                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-ew39Y8dwYWU_vTYloaTvxg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
                                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                              Pragma: no-cache
                                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                                              Date: Fri, 07 Oct 2022 15:13:43 GMT
                                                                                                                              Content-Type: text/xml; charset=UTF-8
                                                                                                                              X-Daynum: 5758
                                                                                                                              X-Daystart: 29623
                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                                              Server: GSE
                                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                              Accept-Ranges: none
                                                                                                                              Vary: Accept-Encoding
                                                                                                                              Connection: close
                                                                                                                              Transfer-Encoding: chunked
                                                                                                                              2022-10-07 15:13:43 UTC | 2 | IN | Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 37 35 38 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 32 39 36 32 33 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22
                                                                                                                              Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5758" elapsed_seconds="29623"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
                                                                                                                              2022-10-07 15:13:43 UTC | 2 | IN | Data Raw: 6d 78 76 59 6e 4d 76 4e 7a 49 30 51 55 46 58 4e 56 39 7a 54 32 52 76 64 55 77 79 4d 45 52 45 53 45 5a 47 56 6d 4a 6e 51 51 2f 31 2e 30 2e 30 2e 36 5f 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69
                                                                                                                              Data Ascii: mxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" si
                                                                                                                              2022-10-07 15:13:43 UTC | 2 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                              Data Ascii: 0


                                                                                                                              Target ID:8
                                                                                                                              Start time:17:13:10
                                                                                                                              Start date:07/10/2022
                                                                                                                              Path:C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe"
                                                                                                                              Imagebase:0x400000
                                                                                                                              File size:2171904 bytes
                                                                                                                              MD5 hash:9E8557E98ED1269372FF0ACE91D63477
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:Borland Delphi
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000000.1495709992.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                                              Reputation:low

                                                                                                                              Target ID:9
                                                                                                                              Start time:17:13:20
                                                                                                                              Start date:07/10/2022
                                                                                                                              Path:C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:"C:\Users\user\Downloads\sMuqUfejlr\MDE_File_Sample_d0c4192b65e36553f6fd2b83f3123f6ae8380dac\hfs.exe"
                                                                                                                              Imagebase:0x400000
                                                                                                                              File size:2171904 bytes
                                                                                                                              MD5 hash:9E8557E98ED1269372FF0ACE91D63477
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:Borland Delphi
                                                                                                                              Reputation:low

                                                                                                                              Target ID:10
                                                                                                                              Start time:17:13:39
                                                                                                                              Start date:07/10/2022
                                                                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://localhost/
                                                                                                                              Imagebase:0x7ff6566b0000
                                                                                                                              File size:2852640 bytes
                                                                                                                              MD5 hash:7BC7B4AEDC055BB02BCB52710132E9E1
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                              Target ID:11
                                                                                                                              Start time:17:13:40
                                                                                                                              Start date:07/10/2022
                                                                                                                              Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1800,i,15845607598309569979,15213409677868717559,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
                                                                                                                              Imagebase:0x7ff6566b0000
                                                                                                                              File size:2852640 bytes
                                                                                                                              MD5 hash:7BC7B4AEDC055BB02BCB52710132E9E1
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                                Execution Graph

                                                                                                                                Execution Coverage:9.5%
                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                Signature Coverage:22.9%
                                                                                                                                Total number of Nodes:48
                                                                                                                                Total number of Limit Nodes:3

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 0 407070-4070b1 RegOpenKeyExA 2 4070f3-407136 0->2 3 4070b3-4070cf RegOpenKeyExA 0->3 9 407138-407154 2->9 10 40715a-407174 2->10 3->2 4 4070d1-4070ed RegOpenKeyExA 3->4 4->2 5 40717c-4071ad GetLocaleInfoA 4->5 14 4071b3-4071b7 5->14 15 407296-40729d 5->15 9->10 16 407156 9->16 18 4071c3-4071d9 14->18 19 4071b9-4071bd 14->19 16->10 21 4071dc-4071df 18->21 19->15 19->18 22 4071e1-4071e9 21->22 23 4071eb-4071f3 21->23 22->23 24 4071db 22->24 23->15 25 4071f9-4071fe 23->25 24->21 26 407200-407226 25->26 27 407228-40722a 25->27 26->27 27->15 28 40722c-407230 27->28 28->15 30 407232-407262 LoadLibraryExA 28->30 30->15 33 407264-407294 LoadLibraryExA 30->33 33->15
                                                                                                                                APIs
                                                                                                                                • RegOpenKeyExA.KERNEL32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 004070AA
                                                                                                                                • RegOpenKeyExA.KERNEL32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 004070C8
                                                                                                                                • RegOpenKeyExA.KERNEL32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 004070E6
                                                                                                                                • GetLocaleInfoA.KERNEL32(00000000), ref: 0040719F
                                                                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002), ref: 00407259
                                                                                                                                • LoadLibraryExA.KERNEL32(00000000,00000000,00000002), ref: 0040728F
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.2100915392.0000000000407000.00000040.00000001.01000000.00000005.sdmp, Offset: 00407000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_407000_hfs.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: Open$LibraryLoad$InfoLocale
                                                                                                                                • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                • API String ID: 4041025014-3917250287
                                                                                                                                • Opcode ID: 4bc055594a0b34e814b33aaf8fc9219e5e9fc34e973681e86cc46028133426e9
                                                                                                                                • Instruction ID: c5ff98c6a6139f93c6704c79ab18b06f40684caa607cb0862b16daa4c1cf1b01
                                                                                                                                • Opcode Fuzzy Hash: 4bc055594a0b34e814b33aaf8fc9219e5e9fc34e973681e86cc46028133426e9
                                                                                                                                • Instruction Fuzzy Hash: 80517171E0420C7EFB21D6A49C46FEF77AC9B04744F4441B6BA04F66C2E678AE448B69
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
                                                                                                                                control_flow_graph 35 407f7e-407fa4 CreateMutexA
                                                                                                                                APIs
                                                                                                                                • CreateMutexA.KERNEL32(?,?,?), ref: 00407F97
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000008.00000002.2100915392.0000000000407000.00000040.00000001.01000000.00000005.sdmp, Offset: 00407000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_8_2_407000_hfs.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID: CreateMutex
                                                                                                                                • String ID:
                                                                                                                                • API String ID: 1964310414-0
                                                                                                                                • Opcode ID: aac90e20a50084a577ced6f325ddde7fae3f822483f87fcda839c5e40715e318
                                                                                                                                • Instruction ID: c790e31c200fdd215013f6f20d056eb62fdbe26bf6d17a02c93ee99176357472
                                                                                                                                • Opcode Fuzzy Hash: aac90e20a50084a577ced6f325ddde7fae3f822483f87fcda839c5e40715e318
                                                                                                                                • Instruction Fuzzy Hash: 6BD05E73A14208FFCB00DFADDC05D9E73ECEB18254B108429F418D7100D239EA009B24
                                                                                                                                Uniqueness

                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                Control-flow Graph

                                                                                                                                • Executed
                                                                                                                                • Not Executed
control_flow_graph 37 407f80-407fa4 CreateMutexA
APIs
• CreateMutexA.KERNEL32(?,?,?), ref: 00407F97
Memory Dump Source
• Source File: 00000008.00000002.2100915392.0000000000407000.00000040.00000001.01000000.00000005.sdmp, Offset: 00407000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_407000_hfs.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: 485a42cfd74afe0bd6fd3a83a5c21534c4123a8668d01e8793639fac456bf432
• Instruction ID: 349e1c842927ee80bb4e6aaef0f9b1f8cd2ec333b2a73608cae7dd49179f51a1
• Opcode Fuzzy Hash: 485a42cfd74afe0bd6fd3a83a5c21534c4123a8668d01e8793639fac456bf432
• Instruction Fuzzy Hash: 21D05E73914208FFCB00DFA9D805D8E73ECEB18254B108429F418D7100D239EA009B24
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 38 421970-421983 39 421985-42198a 38->39 40 42198d-4219b0 38->40 39->40 43 4219b2-4219dd 40->43 44 421a0b-421a11 40->44 46 4219e5-4219ff 43->46
Memory Dump Source
• Source File: 00000008.00000002.2100974293.0000000000421000.00000040.00000001.01000000.00000005.sdmp, Offset: 00421000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_421000_hfs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e65c068728c9befbfb0bd2696387d1c550580650a046a058749063818c853c7b
• Instruction ID: d1efd2674946ddcb1477498d5fd98560e8a1a96f26c859c93cd1a0151d6e3682
• Opcode Fuzzy Hash: e65c068728c9befbfb0bd2696387d1c550580650a046a058749063818c853c7b
• Instruction Fuzzy Hash: EA115474E04648EFDB00DFA8D851AADFBF4EB45304F5180AAE504B7390D7355E41CB54
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 49 421b30-421b5c 50 421b5e-421b67 49->50 51 421bbf-421bd4 49->51 50->51 52 421b69-421bb4 call 421b30 call 421970 50->52 63 421bb9-421bbc 52->63 63->51
Memory Dump Source
• Source File: 00000008.00000002.2100974293.0000000000421000.00000040.00000001.01000000.00000005.sdmp, Offset: 00421000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_421000_hfs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e97f87f3650c6f85148b80b62df0b5d7665720ffbccf451877ef4d4b30a3dd6
• Instruction ID: 6589792cef98e809a9812f7c702a5b4da44f9991f1cefcbb9db66082a6a87442
• Opcode Fuzzy Hash: 4e97f87f3650c6f85148b80b62df0b5d7665720ffbccf451877ef4d4b30a3dd6
• Instruction Fuzzy Hash: 0D115E34A00148EFCB00DBA9D882D8DBBF5EF54304FA184A6E404E7661E774AF44CB59
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 64 421bea-421c28 66 421c2a call 421a14 64->66 67 421c2f-421c46 call 421b30 64->67 66->67 71 421c4b-421c53 67->71 72 421c55 call 421a7c 71->72 73 421c5a-421c6b 71->73 72->73 76 421c72 73->76 77 421c6d call 421ac4 73->77 77->76
Memory Dump Source
• Source File: 00000008.00000002.2100974293.0000000000421000.00000040.00000001.01000000.00000005.sdmp, Offset: 00421000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_421000_hfs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b6f4cad14f15868b6e16b35edbab0d0b0f9e8558c8b281c2a1114a9fb214b43
• Instruction ID: 9d60802b55ce9ca12f46bf9c0685bb143f0351e90864b0859f2ecfdc362365b2
• Opcode Fuzzy Hash: 4b6f4cad14f15868b6e16b35edbab0d0b0f9e8558c8b281c2a1114a9fb214b43
• Instruction Fuzzy Hash: 9601F538B40294BED716AF66E8017ADBFF8EF2A700FD540E6E40052271DB395D41C61C
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 79 4213e8-421407 81 42142c-42143b 79->81 83 421409-42140c 81->83 84 42143d-421454 call 421044 81->84 87 421416-42141f 83->87 87->84 89 421421-421429 87->89 89->81
Memory Dump Source
• Source File: 00000008.00000002.2100974293.0000000000421000.00000040.00000001.01000000.00000005.sdmp, Offset: 00421000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_421000_hfs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f64d00ef102ad1af902d2e05236edb25d0ea4c129a09f24e2c0ec02db4d65ab
• Instruction ID: 8edcc4c43b3520b0e993df5f19bf5dbf676e64913b229a4b9fb3c6233d21f5cd
• Opcode Fuzzy Hash: 9f64d00ef102ad1af902d2e05236edb25d0ea4c129a09f24e2c0ec02db4d65ab
• Instruction Fuzzy Hash: 79F03C38704214FFC710EF55F95196977F8EB643147F18066F808A3662EA39AE02AB4C
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2100915392.0000000000407000.00000040.00000001.01000000.00000005.sdmp, Offset: 00407000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_407000_hfs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f47502fed7009dd2242633c869eb6d4c5e6d7f210b0dba8c156ea9c0ec4b88f2
• Instruction ID: c1fed7b65ea2b632cabae2a3fa9ac6ceb8095e1cb4539e7ca024ea703b2bd8d1
• Opcode Fuzzy Hash: f47502fed7009dd2242633c869eb6d4c5e6d7f210b0dba8c156ea9c0ec4b88f2
• Instruction Fuzzy Hash:
Uniqueness
• Uniqueness Score: -1.00%