Edit tour

Windows Analysis Report
3312.PDF.scr

Overview

General Information

Sample name:	3312.PDF.scr renamed because original name is a hash value
Original sample name:	_i_300924_i_30_09_2024___UA973248410000000026006263312.PDF.scr
Analysis ID:	1523195
MD5:	4e30f8fa403546790a16a9b0e0c72f02
SHA1:	a22f898920194c5e191abfd535fa79ee387fbd8b
SHA256:	c62d2fd76a5742a08db7157ad38b2f0209a11e8e9cc698902dbf366913fae535
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Query firmware table information (likely to detect VMs)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

3312.PDF.scr (PID: 6328 cmdline: "C:\Users\user\Desktop\3312.PDF.scr" /S MD5: 4E30F8FA403546790A16A9B0E0C72F02)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

WerFault.exe (PID: 2228 cmdline: C:\Windows\system32\WerFault.exe -u -p 2580 -s 9020 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

djjergw (PID: 180 cmdline: C:\Users\user\AppData\Roaming\djjergw MD5: 4E30F8FA403546790A16A9B0E0C72F02)

explorer.exe (PID: 6480 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://unicexpertmagazine.pw/index.php", "http://ceoconstractionstore.pl/index.php", "http://openclehardware.ru/index.php", "http://informcoopirationunicolceo.ru/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x654:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3544:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2038193053.00000000005E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x654:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2038289843.000000000060D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x37f4:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x254:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x254:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\djjergw, CommandLine: C:\Users\user\AppData\Roaming\djjergw, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\djjergw, NewProcessName: C:\Users\user\AppData\Roaming\djjergw, OriginalFileName: C:\Users\user\AppData\Roaming\djjergw, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\djjergw, ProcessId: 180, ProcessName: djjergw

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T09:35:10.765857+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	45.143.201.14	80	TCP
2024-10-01T09:36:16.864957+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	45.143.201.14	80	TCP
2024-10-01T09:36:17.927460+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	45.143.201.14	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3312.PDF.scr

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\djjergw

Avira: detection malicious, Label: HEUR/AGEN.1312571

Found malware configuration

Source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://unicexpertmagazine.pw/index.php", "http://ceoconstractionstore.pl/index.php", "http://openclehardware.ru/index.php", "http://informcoopirationunicolceo.ru/index.php"]}

Multi AV Scanner detection for submitted file

Source: 3312.PDF.scr

Virustotal: Detection: 39%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\djjergw

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3312.PDF.scr

Joe Sandbox ML: detected

Source: 3312.PDF.scr

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\3312.PDF.scr

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 45.143.201.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 45.143.201.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 45.143.201.14:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 45.143.201.14 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://unicexpertmagazine.pw/index.php
Source: Malware configuration extractor	URLs: http://ceoconstractionstore.pl/index.php
Source: Malware configuration extractor	URLs: http://openclehardware.ru/index.php
Source: Malware configuration extractor	URLs: http://informcoopirationunicolceo.ru/index.php

Source: Joe Sandbox View

ASN Name: PATENT-MEDIA-ASRU PATENT-MEDIA-ASRU

Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mvrswdonrbcmf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: unicexpertmagazine.pw
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hdfqubgmiehcd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: unicexpertmagazine.pw
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rsswvdbjffron.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: unicexpertmagazine.pw

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: unicexpertmagazine.pw
Source: global traffic	DNS traffic detected: DNS query: ceoconstractionstore.pl
Source: global traffic	DNS traffic detected: DNS query: openclehardware.ru
Source: global traffic	DNS traffic detected: DNS query: informcoopirationunicolceo.ru
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: unknown

HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mvrswdonrbcmf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: unicexpertmagazine.pw

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.18.0date: Tue, 01 Oct 2024 07:35:10 GMTcontent-type: text/html; charset=utf-8transfer-encoding: chunkedData Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.18.0date: Tue, 01 Oct 2024 07:35:10 GMTcontent-type: text/html; charset=utf-8transfer-encoding: chunkedData Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.18.0date: Tue, 01 Oct 2024 07:36:16 GMTcontent-type: text/html; charset=utf-8transfer-encoding: chunkedData Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.18.0date: Tue, 01 Oct 2024 07:36:17 GMTcontent-type: text/html; charset=utf-8transfer-encoding: chunkedData Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0

Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1746657492.000000000CA42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1746657492.000000000CA42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1743054691.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1744674085.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1743420076.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1745816371.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 0000000A.00000003.2703383894.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2681117571.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3kI
Source: explorer.exe, 0000000A.00000003.2703383894.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2681117571.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1745816371.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/BA
Source: explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 0000000A.00000003.2718077768.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905595416.0000000008020000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1743944804.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2904513919.00000000054FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000001.00000000.1743944804.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bing.c
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm
Source: explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-dark
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 0000000A.00000003.2703067682.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705262424.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2712298809.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711027366.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707506218.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905595416.0000000008020000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000001.00000000.1745816371.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comi
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBAJ56P.img
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comNES-PC
Source: explorer.exe, 00000001.00000000.1745816371.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1745816371.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1745816371.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1745816371.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comCE
Source: explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-ul
Source: explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/home-and-garden/13-thx
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2038193053.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2038289843.000000000060D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: 3312.PDF.scr

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401529 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401529
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00402FFA RtlCreateUserThread,NtTerminateProcess,	0_2_00402FFA
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401541 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401541
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401545 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401545
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401553
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00402379 NtQuerySystemInformation,	0_2_00402379
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0040237B NtQuerySystemInformation,	0_2_0040237B
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401534 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401534
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014DB
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_004020EA NtQuerySystemInformation,	0_2_004020EA
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00402387 NtQuerySystemInformation,	0_2_00402387
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00402397 NtQuerySystemInformation,	0_2_00402397
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0040239B NtQuerySystemInformation,	0_2_0040239B
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0040239E NtQuerySystemInformation,	0_2_0040239E
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401529 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401529
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00402FFA RtlCreateUserThread,NtTerminateProcess,	5_2_00402FFA
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401541 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401541
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401545 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401545
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401553
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00402379 NtQuerySystemInformation,	5_2_00402379
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0040237B NtQuerySystemInformation,	5_2_0040237B
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401534 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401534
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014DB
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_004020EA NtQuerySystemInformation,	5_2_004020EA
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00402387 NtQuerySystemInformation,	5_2_00402387
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00402397 NtQuerySystemInformation,	5_2_00402397
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0040239B NtQuerySystemInformation,	5_2_0040239B
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0040239E NtQuerySystemInformation,	5_2_0040239E

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00418730		0_2_00418730
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00418730		5_2_00418730

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 9020

Source: 3312.PDF.scr

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2038193053.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2038289843.000000000060D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: 3312.PDF.scr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: djjergw.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 0000000A.00000002.2905935716.0000000008B20000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: classification engine

Classification label: mal100.troj.evad.winSCR@4/9@8/1

Source: C:\Users\user\Desktop\3312.PDF.scr

Code function: 0_2_00830572 CreateToolhelp32Snapshot,Module32First,

0_2_00830572

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\djjergw

Jump to behavior

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2580

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b70fe613-99ea-4b8e-adac-660fdacd43a9

Jump to behavior

Source: unknown

Process created: C:\Windows\explorer.exe

Source: 3312.PDF.scr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3312.PDF.scr

Virustotal: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\3312.PDF.scr "C:\Users\user\Desktop\3312.PDF.scr" /S
Source: unknown	Process created: C:\Users\user\AppData\Roaming\djjergw C:\Users\user\AppData\Roaming\djjergw
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 9020
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe

Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fhcfg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: efsutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.system.userprofile.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\3312.PDF.scr

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\3312.PDF.scr	Unpacked PE file: 0.2.3312.PDF.scr.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\djjergw	Unpacked PE file: 5.2.djjergw.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0040237B push 000023C2h; retn 0023h	0_2_0040238B
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_004025DC push ebp; ret	0_2_004025FC
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401284 pushad ; iretd	0_2_00401286
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A2643 push ebp; ret	0_2_006A2663
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A12EB pushad ; iretd	0_2_006A12ED
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A23E2 push 000023C2h; retn 0023h	0_2_006A23F2
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0082D88C push eax; retf	0_2_0082D88D
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00831297 pushad ; iretd	0_2_00831299
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00832DBC push es; retf	0_2_00832DD3
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00837ACF push esp; ret	0_2_00837AD0
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_008344EC push ebx; ret	0_2_008344EF
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0040237B push 000023C2h; retn 0023h	5_2_0040238B
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_004025DC push ebp; ret	5_2_004025FC
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401284 pushad ; iretd	5_2_00401286
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E2643 push ebp; ret	5_2_005E2663
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E12EB pushad ; iretd	5_2_005E12ED
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E23E2 push 000023C2h; retn 0023h	5_2_005E23F2
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0061306C push es; retf	5_2_00613083
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00617D7F push esp; ret	5_2_00617D80
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00611547 pushad ; iretd	5_2_00611549
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0060D7FC push eax; ret	5_2_0060D7FD
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0061479C push ebx; ret	5_2_0061479F

Source: 3312.PDF.scr	Static PE information: section name: .text entropy: 7.486122419985256
Source: djjergw.1.dr	Static PE information: section name: .text entropy: 7.486122419985256

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\djjergw

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\djjergw

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\3312.pdf.scr

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\djjergw:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.scr

Static PE information: 3312.PDF.scr

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking system information)

Source: C:\Users\user\AppData\Roaming\djjergw	Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep			graph_5-4137
Source: C:\Users\user\Desktop\3312.PDF.scr	Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep			graph_0-4046

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\3312.PDF.scr	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\3312.PDF.scr	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\djjergw	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\djjergw	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: djjergw, 00000005.00000002.2038222730.00000000005FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 377	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3037	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 735	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1517	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 875	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 494	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 470	Jump to behavior

Source: C:\Windows\explorer.exe TID: 3752	Thread sleep count: 377 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3992	Thread sleep count: 3037 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3992	Thread sleep time: -303700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2056	Thread sleep count: 735 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2056	Thread sleep time: -73500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2004	Thread sleep count: 281 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2932	Thread sleep count: 269 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1892	Thread sleep count: 346 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1892	Thread sleep time: -34600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3992	Thread sleep count: 1517 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3992	Thread sleep time: -151700s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00418730 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418971h		0_2_00418730
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00418730 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418971h		5_2_00418730

Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000A.00000003.2731692731.000000000B7BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008DD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008DD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008DD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008DD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008D93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000003.2703285048.0000000008DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000IO
Source: explorer.exe, 0000000A.00000003.2772623817.000000000B73D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}xe@
Source: explorer.exe, 0000000A.00000002.2898393777.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWa
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\v
Source: explorer.exe, 0000000A.00000003.2731692731.000000000B7BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_0
Source: explorer.exe, 0000000A.00000002.2905935716.0000000008D46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000A.00000003.2749269947.000000000B7ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 0000000A.00000003.2791404151.000000000B772000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\xe=
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\xe
Source: explorer.exe, 00000001.00000000.1743944804.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}xe
Source: explorer.exe, 0000000A.00000003.2792005844.000000000B7EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 00000001.00000000.1742331928.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exeP
Source: explorer.exe, 00000001.00000000.1743944804.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000000A.00000003.2792005844.000000000B7EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1740976335.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2703285048.0000000008DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oneNECVMWar VMware SATA CD00eswindir=C:\Windol&
Source: explorer.exe, 00000001.00000000.1744477786.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000001.00000000.1740976335.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 0000000A.00000002.2905935716.0000000008D46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2731692731.000000000B7BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000D&
Source: explorer.exe, 0000000A.00000003.2792005844.000000000B7EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exe
Source: explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Countercss.dll+0x191e6
Source: explorer.exe, 0000000A.00000003.2772623817.000000000B73D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000M
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}xeL
Source: explorer.exe, 00000001.00000000.1743944804.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1743944804.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1744477786.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000002.2898393777.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000k
Source: explorer.exe, 0000000A.00000003.2731692731.000000000B7BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9507e
Source: explorer.exe, 0000000A.00000002.2901365364.00000000048C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exe
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\-
Source: explorer.exe, 0000000A.00000002.2898393777.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\3312.PDF.scr

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\3312.PDF.scr	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	System information queried: CodeIntegrityInformation			Jump to behavior

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\3312.PDF.scr	Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep			graph_0-4046
Source: C:\Users\user\AppData\Roaming\djjergw	Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep			graph_5-4137

Source: C:\Users\user\Desktop\3312.PDF.scr	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A092B mov eax, dword ptr fs:[00000030h]	0_2_006A092B
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A0D90 mov eax, dword ptr fs:[00000030h]	0_2_006A0D90
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0082FE4F push dword ptr fs:[00000030h]	0_2_0082FE4F
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E092B mov eax, dword ptr fs:[00000030h]	5_2_005E092B
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E0D90 mov eax, dword ptr fs:[00000030h]	5_2_005E0D90
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_006100FF push dword ptr fs:[00000030h]	5_2_006100FF

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: djjergw.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 45.143.201.14 80

Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\3312.PDF.scr	Thread created: C:\Windows\explorer.exe EIP: 34419F0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Thread created: unknown EIP: 87C19F0			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 0000000A.00000002.2901365364.0000000004875000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.0000000004875000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.0000000004875000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd29B%
Source: explorer.exe, 00000001.00000000.1742161033.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1741168127.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1741168127.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000048BA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2904441386.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.2898393777.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0Progman
Source: explorer.exe, 00000001.00000000.1740976335.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1741168127.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1741168127.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\3312.PDF.scr

Code function: 0_2_00418730 InterlockedCompareExchange,SetFocus,ReadConsoleA,FindAtomA,SearchPathA,GetConsoleMode,SearchPathW,GetDefaultCommConfigA,CopyFileExW,CreatePipe,GetEnvironmentStringsW,WriteConsoleOutputA,GetModuleFileNameW,GetSystemTimeAdjustment,ObjectPrivilegeAuditAlarmW,WaitForSingleObject,SetCommMask,GetUserObjectInformationW,GetConsoleAliasesLengthW,GetComputerNameW,GetConsoleAliasExesLengthW,GetBinaryType,PurgeComm,LoadLibraryA,MoveFileW,InterlockedCompareExchange,

0_2_00418730

Source: explorer.exe, 0000000A.00000002.2905935716.0000000008E31000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	32 Process Injection	111 Masquerading	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 DLL Side-Loading	33 Virtualization/Sandbox Evasion	LSASS Memory	631 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	33 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3312.PDF.scr	40%	Virustotal		Browse
3312.PDF.scr	100%	Avira	HEUR/AGEN.1312571
3312.PDF.scr	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\djjergw	100%	Avira	HEUR/AGEN.1312571
C:\Users\user\AppData\Roaming\djjergw	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.msn.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	Virustotal		Browse
https://aka.ms/odirmr	0%	Virustotal		Browse
https://deff.nelreports.net/api/report?cat=msn	0%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
https://aka.ms/odirm	0%	Virustotal		Browse
http://openclehardware.ru/index.php	0%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	Virustotal		Browse
http://ceoconstractionstore.pl/index.php	0%	Virustotal		Browse
https://aka.ms/Vh5j3kI	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	Virustotal		Browse
https://word.office.com	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
http://informcoopirationunicolceo.ru/index.php	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
unicexpertmagazine.pw	45.143.201.14	true	true		unknown
openclehardware.ru	unknown	unknown	true		unknown
informcoopirationunicolceo.ru	unknown	unknown	true		unknown
ceoconstractionstore.pl	unknown	unknown	true		unknown
api.msn.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://openclehardware.ru/index.php	true	0%, Virustotal, Browse	unknown
http://ceoconstractionstore.pl/index.php	true	0%, Virustotal, Browse	unknown
http://informcoopirationunicolceo.ru/index.php	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.mi	explorer.exe, 00000001.00000000.1746657492.000000000CA42000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.comi	explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://word.office.comCE	explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1745816371.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2904513919.00000000054FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bing.c	explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://deff.nelreports.net/api/report?cat=msn	explorer.exe, 0000000A.00000003.2703067682.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705262424.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2712298809.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711027366.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707506218.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905595416.0000000008020000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1745816371.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1743054691.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1744674085.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1743420076.0000000008720000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://aka.ms/odirm	explorer.exe, 0000000A.00000003.2703383894.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2681117571.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.comNES-PC	explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1745816371.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3kI	explorer.exe, 0000000A.00000003.2703383894.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2681117571.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm	explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-ul	explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1745816371.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1745816371.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-dark	explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.micr	explorer.exe, 00000001.00000000.1746657492.000000000CA42000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/BA	explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1743944804.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1745816371.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1745816371.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/lifestyle/home-and-garden/13-thx	explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.143.201.14	unicexpertmagazine.pw	Russian Federation		202729	PATENT-MEDIA-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523195
Start date and time:	2024-10-01 09:33:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3312.PDF.scr renamed because original name is a hash value
Original Sample Name:	_i_300924_i_30_09_2024___UA973248410000000026006263312.PDF.scr
Detection:	MAL
Classification:	mal100.troj.evad.winSCR@4/9@8/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 40 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .scr

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe, TextInputHost.exe, StartMenuExperienceHost.exe, mobsync.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 2.23.209.166, 2.23.209.171, 2.23.209.162, 2.23.209.169, 2.23.209.160, 2.23.209.168, 2.23.209.156, 2.23.209.167, 2.23.209.173, 184.28.90.27, 2.23.209.136, 2.23.209.191, 2.23.209.141, 2.23.209.189, 2.23.209.133, 2.23.209.140, 2.23.209.192, 2.23.209.135, 2.23.209.188, 20.190.159.75, 20.190.159.0, 20.190.159.4, 40.126.31.73, 40.126.31.69, 20.190.159.73, 20.190.159.71, 20.190.159.68
Excluded domains from analysis (whitelisted): www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, slscr.update.microsoft.com, r.bing.com.edgekey.net, www.tm.v4.a.prd.aadg.akadns.net, a-0003.a-msedge.net, ctldl.windowsupdate.com, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, r.bing.com, prod.fs.microsoft.com.akadns.net, api-msn-com.a-0003.a-msedge.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:35:01	API Interceptor	98183x Sleep call for process: explorer.exe modified
08:35:09	Task Scheduler	Run new task: Firefox Default Browser Agent 494C779FAD7DA835 path: C:\Users\user\AppData\Roaming\djjergw

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.143.201.14	0435.pdf.exe	Get hash	malicious	SmokeLoader	Browse	alfacentarusmulticopter.ru/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PATENT-MEDIA-ASRU	0435.pdf.exe	Get hash	malicious	SmokeLoader	Browse	45.143.201.14
	https://ird-tax-return-govt.com	Get hash	malicious	Unknown	Browse	45.143.201.203
	https://myvirgin-mobile-sign-in.com	Get hash	malicious	Unknown	Browse	45.143.201.203
	https://myvirgin-acc-login.com/	Get hash	malicious	Unknown	Browse	45.143.201.203
	3RDVB7Tu7q.exe	Get hash	malicious	Unknown	Browse	45.143.201.7
	8kZnhdYQR4.exe	Get hash	malicious	AsyncRAT, Azorult	Browse	45.143.201.4
	YDH48m4SJl.exe	Get hash	malicious	AsyncRAT, Raccoon Stealer v2	Browse	45.143.201.7
	nfdsame.exe	Get hash	malicious	Vidar	Browse	45.143.201.4
	dllhost.exe	Get hash	malicious	Raccoon Stealer v2	Browse	45.143.201.4
	vMpCBcWWPl.exe	Get hash	malicious	Raccoon Stealer v2	Browse	45.143.201.4

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_2a3bef5b-cedb-4c43-8137-0eaf458f5331\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.367697438023328
Encrypted:	false
SSDEEP:	384:tZC1L3BxwjAWMo+hiRichkMmzuiFDY4lO8k:tZ83Bxwj0o4QBhklzuiFDY4lO8
MD5:	749DCC569AEDEA22E062A59509F53B49
SHA1:	468523099EF81A5EE40E407EB1BC67E31FF77139
SHA-256:	685D213BB828855E3CE54E0566C8E33D6B4B4BEB57F51B308BCCD856F75656BD
SHA-512:	2FCB296AD91DD06EB85DCE8CC7F44A6D10DBA22F386C7108D4BCCE539980E62C269546270A511E21ECD9520137D37EB178CC0F7662CD2E1D89C56AD38E99E17C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.2.4.1.7.7.9.7.1.0.4.2.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.3.b.e.f.5.b.-.c.e.d.b.-.4.c.4.3.-.8.1.3.7.-.0.e.a.f.4.5.8.f.5.3.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.7.e.a.2.5.6.-.c.b.d.a.-.4.e.8.2.-.a.6.7.f.-.f.2.f.d.5.e.e.3.b.5.9.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.1.4.-.0.0.0.1.-.0.0.1.4.-.a.6.5.8.-.1.2.b.8.c.6.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE2.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, CheckSum 0x00000004, Tue Oct 1 07:36:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	982628
Entropy (8bit):	1.3911730031994762
Encrypted:	false
SSDEEP:	3072:TJtAFUSsaUP1Y0QPpzF2OuQH02EohelXKSW:NtApJU9Y0Qj2OJE+eLW
MD5:	8A5E02ADB730AEFAA543A1FC66440C83
SHA1:	6D9E2BEE0F873E9B7BBE7AD3C860DD195DA5E250
SHA-256:	ABD5215B5BB36FB2729F27BD402E8D622B11AACEE7835B6A95B078F818B057CA
SHA-512:	7747D0B20A206B55D20DB315F4E08892658F172B5191C63E4361E83666AB58575B914719FEF281F9C980C70F17B51F22DE8F5BD558B058939DACCDF25FD71595
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......t..f................ ........o..........................4...........(...........x.......8...........T...$.......H].....................................\|...............................................................................eJ..............Lw......................T...........'..f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF96.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10856
Entropy (8bit):	3.6963496747990137
Encrypted:	false
SSDEEP:	192:R6l7wVeJd57q0TH6YXzIgmfqzVUprY89bPK3DfhFm:R6lXJzmI6YjIgmfqzV8PiDf6
MD5:	96DFF97A2A90528042AF637F23CABD61
SHA1:	FECB314FC95BC782EA7E71ABCF0A0A31316F9B42
SHA-256:	A4E3D68F7F24BDB2D80A3BB6E6A037AFCD65AA01931B5A3886ED261142D4EBA9
SHA-512:	1D42C5292607BC84567D064524AB3E25B5601AB7A60DF2D88AD67861D9F111B56624908C5AFE28C5439980D31137391343D8EEE9D219BE5BDA7704DB3BB4780D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC6.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.46221060678181
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg771I9mJWpW8VYOYm8M4JYmFPIQyq85c21b9Q3jd:uIjfvI7N47VuJ3f01ba3jd
MD5:	2676CCFB915D230A180DFF64D978F7DA
SHA1:	4043C0745F84120AF34205A80C889E65EB2D8A4C
SHA-256:	F9CB77554C5AF57AD2CB6F1B70A6D85647F7E8CCF6873709B7556AC17B891E9A
SHA-512:	B0DD9569EC9DB5A2A26698225AA79612D50D38CF38C91C0A5B8358BC734C87969749CD4D7E467323F9E9494AE6EBD489BCA4B94356825672291A8081707CDCDA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="524079" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002d.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108216
Entropy (8bit):	4.005468489715424
Encrypted:	false
SSDEEP:	768:b7F9oInjxkCGHzOPqjk0+ACWHpfnzbNyLYduJxP7pxoZsR1v9nvnFOOmdypfR3Y8:hdkDzDrJvzgxhGiwGGnS5mFwiKui5l+a
MD5:	C9D3D880E24446CF243CD0C50AE2C72C
SHA1:	BBBFA2BA4D2312646EE8FB30D4534717D8CC4E7A
SHA-256:	EDFFDAAA2A7892545A927806E9C7CFD8E5B05C6A1A4097BBE5A42811FFC423DC
SHA-512:	4E31539CF5FB254E2EDE3C4DBCDC103A1AE4510992AFB4F9A0666DC078289CDFEF91346218A860D50124C7C5F2696ABA689AF2BB51FCE72DBA1510504429EFEB
Malicious:	false
Reputation:	low
Preview:	....h... .......p.......P...........p...Y......^...................P...W.......e.n.-.C.H.;.e.n.-.G.B...............8..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002e.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	108216
Entropy (8bit):	4.006765961093096
Encrypted:	false
SSDEEP:	768:ZHF9oEnjxkIG1zOPqjk0+ACWHpfnzbNYLYduJxP7pxoZsR1v95ZNFOOmdypfR3YY:3dk7zDrJvzsvhGiwGGns/mFIiK2ibl+a
MD5:	3F721CE7766342DB167895A3F2917A10
SHA1:	9830B84EE2B59A64ED6CDBF58E14092178E42FFE
SHA-256:	077AB0AD092ECBADFC16A375C76FAF67525C04B14BB63B4FF5B01FEDF4E865D3
SHA-512:	F94056BDE31301EC88D468D105C0BC18CFEC93D80E4CA215AE7FE6E86C6210C0955F70A183F1FAB926E5C2DBE9CAF1B7B2F5C1C4777A1BB9E0B1EA9A7C785C15
Malicious:	false
Reputation:	low
Preview:	....h... .......p.......P...........p...Y......^...................P...W.......e.n.-.C.H.;.e.n.-.G.B...............8..............P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u.................. ..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Windows[4].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	750
Entropy (8bit):	5.151163593527057
Encrypted:	false
SSDEEP:	12:YWgc2XZVDUH+BVDMmwPcH+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCB893c3Z:Yzc2JVDUHIVDokHt0drc6hE14
MD5:	80A3E52E937A0557FE54ECACDF3A9209
SHA1:	5E2569802D38E238D8BB296ED8358B982E5FF933
SHA-256:	6495C7482E99CAE11ECB964D5585F48DE573FCD974B7D7AB2DECA44A87688F55
SHA-512:	0597B07BD50A48C3ED041ABB6A05BE761896E012020AD250183E11A3109AB62B1A0CB488A4E31567F4936406BEBED9A211D0DCCA777E3E3681E81A4AA4791404
Malicious:	false
Reputation:	low
Preview:	{"serviceContext":{"serviceActivityId":"28279061-328c-472f-9d91-0bec632b1214","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"28279061-328c-472f-9d91-0bec632b1214\|2024-10-01T07:36:26.5242200Z\|fabric_msn\|EUS2-A\|News_863"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false},"isPartial":false}

C:\Users\user\AppData\Roaming\djjergw

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	219648
Entropy (8bit):	6.518601542855416
Encrypted:	false
SSDEEP:	3072:SaLB7RwDvY4WMouj3QF7b5qlY8ZeyrgoidA33nMs3j42:SaLlRwDvHNxTZeypbXXT
MD5:	4E30F8FA403546790A16A9B0E0C72F02
SHA1:	A22F898920194C5E191ABFD535FA79EE387FBD8B
SHA-256:	C62D2FD76A5742A08DB7157AD38B2F0209A11E8E9CC698902DBF366913FAE535
SHA-512:	A185E55C43D91395460BED714DE3832AABCE18227148C6B23A1E35388D6172C19C7AA7769999D04BF81D38BE62BAFB46DAC2E641C8AFC4679EF051AE94CDC015
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IE...E...E...[...Y...[...V...[.......bu..B...E...7...[...D...[...D...[...D...RichE...........................PE..L.....Zd.................\|...\....................@.............................................................................P....P...............................................................................................................text....{.......\|.................. ..`.rdata... ......."..................@..@.data...............................@....tls.........@......................@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\djjergw:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.518601542855416
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3312.PDF.scr
File size:	219'648 bytes
MD5:	4e30f8fa403546790a16a9b0e0c72f02
SHA1:	a22f898920194c5e191abfd535fa79ee387fbd8b
SHA256:	c62d2fd76a5742a08db7157ad38b2f0209a11e8e9cc698902dbf366913fae535
SHA512:	a185e55c43d91395460bed714de3832aabce18227148c6b23a1e35388d6172c19c7aa7769999d04bf81d38be62bafb46dac2e641c8afc4679ef051ae94cdc015
SSDEEP:	3072:SaLB7RwDvY4WMouj3QF7b5qlY8ZeyrgoidA33nMs3j42:SaLlRwDvHNxTZeypbXXT
TLSH:	B3246B1176E092A6EFF347316975FB941ABBBCFA6A30508E2240321F2E773D14966707
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IE...E...E...[...Y...[...V...[.......bu..B...E...7...[...D...[...D...[...D...RichE...........................PE..L.....Zd...

File Icon


Icon Hash:	0b310a1a12646513

Static PE Info

General

Entrypoint:	0x401716
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x645AEF8C [Wed May 10 01:12:44 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	abd58e636146ae1edca4aa616a47bb50

Entrypoint Preview

Instruction
call 00007FF398DE699Ch
jmp 00007FF398DE2ABEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041D888h], eax
mov dword ptr [0041D884h], ecx
mov dword ptr [0041D880h], edx
mov dword ptr [0041D87Ch], ebx
mov dword ptr [0041D878h], esi
mov dword ptr [0041D874h], edi
mov word ptr [0041D8A0h], ss
mov word ptr [0041D894h], cs
mov word ptr [0041D870h], ds
mov word ptr [0041D86Ch], es
mov word ptr [0041D868h], fs
mov word ptr [0041D864h], gs
pushfd
pop dword ptr [0041D898h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041D88Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041D890h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041D89Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041D7D8h], 00010001h
mov eax, dword ptr [0041D890h]
mov dword ptr [0041D78Ch], eax
mov dword ptr [0041D780h], C0000409h
mov dword ptr [0041D784h], 00000001h
mov eax, dword ptr [0041C008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041C00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a784	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x115000	0x199a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a490	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17b7f	0x17c00	4e219e47d75907af82feccf982c4e1c5	False	0.7901726973684211	data	7.486122419985256	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x20a4	0x2200	8a075bd557d8724065fd4003a8212a3e	False	0.36580882352941174	data	5.504082787533202	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c000	0xf7ff8	0x1800	4405d7de33fab4bc1cee794a960e08d4	False	0.2591145833333333	data	2.672636859110211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x114000	0x51d	0x600	53e979547d8c2ea86560ac45de08ae25	False	0.013020833333333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x115000	0x199a0	0x19a00	80a2deeeec59981320d358ee31e0e096	False	0.501733993902439	data	5.496159187462656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x127888	0x2	data			5.0
SELEWAVOLOVIDABIBAFILU	0x126c90	0xbf7	ASCII text, with very long lines (3063), with no line terminators	Turkish	Turkey	0.6033300685602351
RT_CURSOR	0x127890	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x1279c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x1159a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5748933901918977
RT_ICON	0x116848	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6462093862815884
RT_ICON	0x1170f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.701036866359447
RT_ICON	0x1177b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7521676300578035
RT_ICON	0x117d20	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5238589211618258
RT_ICON	0x11a2c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6301594746716698
RT_ICON	0x11b370	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.644672131147541
RT_ICON	0x11bcf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7783687943262412
RT_ICON	0x11c1d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39685501066098083
RT_ICON	0x11d080	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5595667870036101
RT_ICON	0x11d928	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6261520737327189
RT_ICON	0x11dff0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6372832369942196
RT_ICON	0x11e558	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.44394934333958724
RT_ICON	0x11f600	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.43565573770491806
RT_ICON	0x11ff88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.48315602836879434
RT_ICON	0x120458	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5882196162046909
RT_ICON	0x121300	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6227436823104693
RT_ICON	0x121ba8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.527073732718894
RT_ICON	0x122270	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5982658959537572
RT_ICON	0x1227d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5825726141078839
RT_ICON	0x124d80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6456378986866792
RT_ICON	0x125e28	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6557377049180327
RT_ICON	0x1267b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7189716312056738
RT_STRING	0x12a138	0x44e	data			0.4500907441016334
RT_STRING	0x12a588	0x6f0	data			0.43074324324324326
RT_STRING	0x12ac78	0x5ec	data			0.44327176781002636
RT_STRING	0x12b268	0x50e	data			0.4474497681607419
RT_STRING	0x12b778	0x694	data			0.4245843230403801
RT_STRING	0x12be10	0x4e6	data			0.45614035087719296
RT_STRING	0x12c2f8	0x5ae	data			0.4449793672627235
RT_STRING	0x12c8a8	0x5cc	data			0.4474393530997305
RT_STRING	0x12ce78	0x72c	data			0.4297385620915033
RT_STRING	0x12d5a8	0x6ee	data			0.4222096956031567
RT_STRING	0x12dc98	0x81e	data			0.41915303176130897
RT_STRING	0x12e4b8	0x448	data			0.458029197080292
RT_STRING	0x12e900	0x9a	data			0.5974025974025974
RT_GROUP_CURSOR	0x129f68	0x22	data			1.088235294117647
RT_GROUP_ICON	0x126c18	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x11c160	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x1203f0	0x68	data	Turkish	Turkey	0.7115384615384616
RT_VERSION	0x129f90	0x1a8	data			0.5825471698113207

Imports

DLL	Import
KERNEL32.dll	GetConsoleAliasesLengthW, CopyFileExW, GetNumaProcessorNode, OpenJobObjectA, ReadConsoleA, QueryDosDeviceA, GetEnvironmentStringsW, WaitForSingleObject, InterlockedCompareExchange, GetComputerNameW, GetNumaAvailableMemoryNode, BackupSeek, FreeEnvironmentStringsA, GetModuleHandleW, GetCommandLineA, GlobalAlloc, GetVolumeInformationA, GetConsoleMode, GetConsoleAliasExesLengthW, GetSystemTimeAdjustment, WriteConsoleOutputA, GetFileAttributesA, HeapCreate, GetBinaryTypeA, SetPriorityClass, GetStdHandle, GetLastError, GetProcAddress, MoveFileW, SearchPathA, LoadLibraryA, LocalAlloc, SetCalendarInfoW, SetCommMask, FindAtomA, CreatePipe, GetDefaultCommConfigA, GetModuleHandleA, BuildCommDCBA, PurgeComm, FatalAppExitA, WriteConsoleOutputAttribute, GetModuleFileNameW, SearchPathW, HeapFree, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, VirtualAlloc, HeapReAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize
USER32.dll	GetUserObjectInformationW, SetFocus
ADVAPI32.dll	ObjectPrivilegeAuditAlarmW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T09:35:10.765857+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	45.143.201.14	80	TCP
2024-10-01T09:36:16.864957+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	45.143.201.14	80	TCP
2024-10-01T09:36:17.927460+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	45.143.201.14	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 09:35:09.532390118 CEST	49736	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:35:09.538450003 CEST	80	49736	45.143.201.14	192.168.2.4
Oct 1, 2024 09:35:09.538595915 CEST	49736	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:35:09.538768053 CEST	49736	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:35:09.538780928 CEST	49736	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:35:09.543766022 CEST	80	49736	45.143.201.14	192.168.2.4
Oct 1, 2024 09:35:09.543872118 CEST	80	49736	45.143.201.14	192.168.2.4
Oct 1, 2024 09:35:10.765750885 CEST	80	49736	45.143.201.14	192.168.2.4
Oct 1, 2024 09:35:10.765795946 CEST	80	49736	45.143.201.14	192.168.2.4
Oct 1, 2024 09:35:10.765856981 CEST	49736	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:35:40.370755911 CEST	80	49736	45.143.201.14	192.168.2.4
Oct 1, 2024 09:35:40.370873928 CEST	49736	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:35:40.377882004 CEST	49736	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:35:40.383064032 CEST	80	49736	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:15.989099026 CEST	49738	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:15.994004011 CEST	80	49738	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:15.994107962 CEST	49738	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:15.994292974 CEST	49738	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:15.994332075 CEST	49738	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:15.999260902 CEST	80	49738	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:15.999272108 CEST	80	49738	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:16.813863993 CEST	80	49738	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:16.864957094 CEST	49738	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:16.969856024 CEST	49738	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:16.970535040 CEST	49739	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:16.975081921 CEST	80	49738	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:16.975156069 CEST	49738	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:16.975323915 CEST	80	49739	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:16.975547075 CEST	49739	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:16.975697994 CEST	49739	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:16.976521015 CEST	49739	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:16.980478048 CEST	80	49739	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:16.981245041 CEST	80	49739	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:17.877274036 CEST	80	49739	45.143.201.14	192.168.2.4
Oct 1, 2024 09:36:17.927459955 CEST	49739	80	192.168.2.4	45.143.201.14
Oct 1, 2024 09:36:21.932812929 CEST	49739	80	192.168.2.4	45.143.201.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 09:35:08.733119011 CEST	56557	53	192.168.2.4	1.1.1.1
Oct 1, 2024 09:35:09.530452013 CEST	53	56557	1.1.1.1	192.168.2.4
Oct 1, 2024 09:35:10.813580990 CEST	60043	53	192.168.2.4	1.1.1.1
Oct 1, 2024 09:35:10.824325085 CEST	53	60043	1.1.1.1	192.168.2.4
Oct 1, 2024 09:35:10.921781063 CEST	60576	53	192.168.2.4	1.1.1.1
Oct 1, 2024 09:35:11.078289986 CEST	53	60576	1.1.1.1	192.168.2.4
Oct 1, 2024 09:35:11.081444979 CEST	65149	53	192.168.2.4	1.1.1.1
Oct 1, 2024 09:35:11.231877089 CEST	53	65149	1.1.1.1	192.168.2.4
Oct 1, 2024 09:36:16.817858934 CEST	50355	53	192.168.2.4	1.1.1.1
Oct 1, 2024 09:36:16.827888012 CEST	53	50355	1.1.1.1	192.168.2.4
Oct 1, 2024 09:36:16.830265045 CEST	51474	53	192.168.2.4	1.1.1.1
Oct 1, 2024 09:36:16.878025055 CEST	53	51474	1.1.1.1	192.168.2.4
Oct 1, 2024 09:36:16.886065960 CEST	57619	53	192.168.2.4	1.1.1.1
Oct 1, 2024 09:36:16.933482885 CEST	53	57619	1.1.1.1	192.168.2.4
Oct 1, 2024 09:36:25.564203024 CEST	59710	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 09:35:08.733119011 CEST	192.168.2.4	1.1.1.1	0xff8d	Standard query (0)	unicexpertmagazine.pw	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:35:10.813580990 CEST	192.168.2.4	1.1.1.1	0x298b	Standard query (0)	ceoconstractionstore.pl	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:35:10.921781063 CEST	192.168.2.4	1.1.1.1	0xae8b	Standard query (0)	openclehardware.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:35:11.081444979 CEST	192.168.2.4	1.1.1.1	0x9754	Standard query (0)	informcoopirationunicolceo.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:36:16.817858934 CEST	192.168.2.4	1.1.1.1	0x8e5	Standard query (0)	ceoconstractionstore.pl	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:36:16.830265045 CEST	192.168.2.4	1.1.1.1	0xfea2	Standard query (0)	openclehardware.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:36:16.886065960 CEST	192.168.2.4	1.1.1.1	0xbc17	Standard query (0)	informcoopirationunicolceo.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:36:25.564203024 CEST	192.168.2.4	1.1.1.1	0x8f9	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 09:35:09.530452013 CEST	1.1.1.1	192.168.2.4	0xff8d	No error (0)	unicexpertmagazine.pw		45.143.201.14	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:35:10.824325085 CEST	1.1.1.1	192.168.2.4	0x298b	Name error (3)	ceoconstractionstore.pl	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:35:11.078289986 CEST	1.1.1.1	192.168.2.4	0xae8b	Name error (3)	openclehardware.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:35:11.231877089 CEST	1.1.1.1	192.168.2.4	0x9754	Name error (3)	informcoopirationunicolceo.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:36:16.827888012 CEST	1.1.1.1	192.168.2.4	0x8e5	Name error (3)	ceoconstractionstore.pl	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:36:16.878025055 CEST	1.1.1.1	192.168.2.4	0xfea2	Name error (3)	openclehardware.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:36:16.933482885 CEST	1.1.1.1	192.168.2.4	0xbc17	Name error (3)	informcoopirationunicolceo.ru	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 09:36:25.570992947 CEST	1.1.1.1	192.168.2.4	0x8f9	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

mvrswdonrbcmf.org

unicexpertmagazine.pw

hdfqubgmiehcd.net

rsswvdbjffron.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	45.143.201.14	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 09:35:09.538768053 CEST	288	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mvrswdonrbcmf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 260 Host: unicexpertmagazine.pw
Oct 1, 2024 09:35:09.538780928 CEST	260	OUT	Data Raw: a1 5f 79 54 83 31 5f bf c0 3c d7 cb 8f b5 2a 46 57 35 c6 53 17 c0 35 2b a8 51 ce 1a 01 8c 05 25 cf 5e d4 fc 3e a4 04 3b 5b bc cd 0f b5 45 12 33 db 73 6b 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 18 1d ce ca bf 4a 72 43 29 be b9 1f 65 ac Data Ascii: _yT1_<FW5S5+Q%^>;[E3sk2m-^JrC)eEr%,Ai95Vn=#~E\<1=A\IsZ`AkgXrk({F'BJ<KF{kwXw9$ !kKs{}@.yR[Y7p
Oct 1, 2024 09:35:10.765750885 CEST	583	IN	HTTP/1.1 404 Not Found server: nginx/1.18.0 date: Tue, 01 Oct 2024 07:35:10 GMT content-type: text/html; charset=utf-8 transfer-encoding: chunked Data Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Oct 1, 2024 09:35:10.765795946 CEST	583	IN	HTTP/1.1 404 Not Found server: nginx/1.18.0 date: Tue, 01 Oct 2024 07:35:10 GMT content-type: text/html; charset=utf-8 transfer-encoding: chunked Data Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	45.143.201.14	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 09:36:15.994292974 CEST	288	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hdfqubgmiehcd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 245 Host: unicexpertmagazine.pw
Oct 1, 2024 09:36:15.994332075 CEST	245	OUT	Data Raw: a1 5f 79 54 83 31 5f bf c0 3c d7 cb 8f b5 2a 46 57 35 c6 53 17 c0 35 2b a8 51 ce 1a 01 8c 05 25 cf 5e d4 fc 3e a4 04 3b 5b bc cd 0f b5 45 12 33 db 73 6b 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 18 1d ce ca bf 4a 72 43 29 be f8 09 6b a9 Data Ascii: _yT1_<FW5S5+Q%^>;[E3sk2m-^JrC)k C>-@+{j\}WM<pF0P=2vbL[vXD /B\|H$%MW~N4!HBo'v&qDh"OI'8\ome%
Oct 1, 2024 09:36:16.813863993 CEST	583	IN	HTTP/1.1 404 Not Found server: nginx/1.18.0 date: Tue, 01 Oct 2024 07:36:16 GMT content-type: text/html; charset=utf-8 transfer-encoding: chunked Data Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	45.143.201.14	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 09:36:16.975697994 CEST	288	OUT	POST /index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rsswvdbjffron.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 195 Host: unicexpertmagazine.pw
Oct 1, 2024 09:36:16.976521015 CEST	195	OUT	Data Raw: a1 5f 79 54 83 31 5f bf c0 3c d7 cb 8f b5 2a 46 57 35 c6 53 17 c0 35 2b a8 51 ce 1a 01 8c 05 25 cf 5e d4 fc 3e a4 04 3b 5b bc cd 0f b5 45 12 33 db 73 6b 1e cf 32 6d 2d d9 82 ec 5e cd da f3 84 e5 8c 8d e0 18 1d ce ca bf 4a 72 43 29 be e9 2d 73 dc Data Ascii: _yT1_<*FW5S5+Q%^>;[E3sk2m-^JrC)-st\6J:qQ9Qfy>)<a>4Nq1yKa~t4w !}dy~j'\|(>SuY=&
Oct 1, 2024 09:36:17.877274036 CEST	583	IN	HTTP/1.1 404 Not Found server: nginx/1.18.0 date: Tue, 01 Oct 2024 07:36:17 GMT content-type: text/html; charset=utf-8 transfer-encoding: chunked Data Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 [TRUNCATED] Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0

Target ID:	0
Start time:	03:34:41
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\3312.PDF.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3312.PDF.scr" /S
Imagebase:	0x400000
File size:	219'648 bytes
MD5 hash:	4E30F8FA403546790A16A9B0E0C72F02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:34:49
Start date:	01/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:35:09
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\djjergw
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\djjergw
Imagebase:	0x400000
File size:	219'648 bytes
MD5 hash:	4E30F8FA403546790A16A9B0E0C72F02
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2038193053.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2038289843.000000000060D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:36:18
Start date:	01/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2580 -s 9020
Imagebase:	0x7ff6bce70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:36:21
Start date:	01/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	17.9%
Signature Coverage:	50%
Total number of Nodes:	156
Total number of Limit Nodes:	5

Executed Functions

Function 00418730 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 310
libraryfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041884B
SetFocus.USER32(00000000), ref: 00418854
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041885F
FindAtomA.KERNEL32(00000000), ref: 00418866
SearchPathA.KERNEL32(0041A3EC,0041A3D0,0041A3C8,00000000,?,?), ref: 0041888A
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00418892
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004188AA
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 004188D1
CopyFileExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188DD
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 004188F3
GetEnvironmentStringsW.KERNEL32 ref: 004188F9
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041893E
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 0041894D
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418956
ObjectPrivilegeAuditAlarmW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041896B
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041897C
SetCommMask.KERNELBASE(00000000,00000000), ref: 004189A5
GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004189BB
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 004189EA
GetComputerNameW.KERNEL32(?,?), ref: 004189FE
GetConsoleAliasExesLengthW.KERNEL32 ref: 00418A04
GetBinaryType.KERNEL32(0041A404,?), ref: 00418A16
PurgeComm.KERNEL32(00000000,00000000), ref: 00418A1E
LoadLibraryA.KERNELBASE(0041A420), ref: 00418A92
MoveFileW.KERNEL32(00000000,00000000), ref: 00418AC7
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418AEE

Strings

k`, xrefs: 00418ACD
}$, xrefs: 00418AF5

Memory Dump Source

Source File: 00000000.00000002.1761335489.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3312.jbxd

Similarity

API ID: Console$CommFileObject$CompareExchangeInterlockedLengthNamePathSearch$AdjustmentAlarmAliasAliasesAtomAuditBinaryComputerConfigCopyCreateDefaultEnvironmentExesFindFocusInformationLibraryLoadMaskModeModuleMoveOutputPipePrivilegePurgeReadSingleStringsSystemTimeTypeUserWaitWrite
String ID: k`$}$
API String ID: 87775671-956986773
Opcode ID: af848128e07c8e7bc8c1a283e971220105452b3befcdffc31dcb9ba888bf08ed
Instruction ID: 345bacdf8fa8409494645b8175c494f1eca766bbd4a7b31c038ebc0919f88a2f
Opcode Fuzzy Hash: af848128e07c8e7bc8c1a283e971220105452b3befcdffc31dcb9ba888bf08ed
Instruction Fuzzy Hash: 3AB1C471901124ABCB209B65EC54BDF7B79EF49354F00806EF609A3161DB385E85CFAE

Function 004014DB Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 243
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634

Strings

1, xrefs: 004014F1

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID: 1
API String ID: 1652636561-2212294583
Opcode ID: fc9ad0c17474763d406ce3553705aad449b4f49c1046925f20dec018cbeb3551
Instruction ID: 7f4d7c4657737381e02ab4131f106e217a3bc84f51a1891dc43a423f49ad99c1
Opcode Fuzzy Hash: fc9ad0c17474763d406ce3553705aad449b4f49c1046925f20dec018cbeb3551
Instruction Fuzzy Hash: 14718D71A00205FFEB209F91CC49FEF7BB8EF85B10F14412AF912BA2E5D6759905CA58

Function 00401529 Relevance: 10.7, APIs: 7, Instructions: 208
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9208168e61d895202d66972dbe02163783dcb6df2364333cde88f6d05e7d9971
Instruction ID: 138ec7ca1e8744eb65f40bd9736a53a73cefe8eecd72c79945fcbf62a21b6401
Opcode Fuzzy Hash: 9208168e61d895202d66972dbe02163783dcb6df2364333cde88f6d05e7d9971
Instruction Fuzzy Hash: D9616E71900205FBEB209F95DC49FEB7BB8FF81B00F14412AFA12BA1E4D6749A05DB65

Function 00401534 Relevance: 10.7, APIs: 7, Instructions: 177
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: bf712b81fe7c33e45fb91e121ae8a1411471c4f54e6f2b27f252d32f249b509c
Instruction ID: 46ca3ae5353e1b2bf85c7e7487c0bf4a09c0837efea8bedcf4105f5ea6450319
Opcode Fuzzy Hash: bf712b81fe7c33e45fb91e121ae8a1411471c4f54e6f2b27f252d32f249b509c
Instruction Fuzzy Hash: 81512971900245BFEF209F91CC48FEB7BB8EF85B00F14416AF912BA1A5D6749945CB24

Function 00401541 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: fdd984ed4eabfdf3fe245d48b6addcc777c2a155290e4dc39758af1e8cc42314
Instruction ID: 68c08b8250816e380b35483fe5a52fcf5a4ffa7bf922b91d474b11e8be87ed95
Opcode Fuzzy Hash: fdd984ed4eabfdf3fe245d48b6addcc777c2a155290e4dc39758af1e8cc42314
Instruction Fuzzy Hash: 99512AB1900205BFEF209F95CC48FEB7BB8EF85B10F14412AFA12BA1E5D6749945CB24

Function 00401545 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9036e7d1caaa2f73f8ffe8f81ed6686f8338ecb8473fc941f507ff01140d436f
Instruction ID: b5c9534ba5f5358dff2a074a80b826bd55324152c05987841a878028393b6fdb
Opcode Fuzzy Hash: 9036e7d1caaa2f73f8ffe8f81ed6686f8338ecb8473fc941f507ff01140d436f
Instruction Fuzzy Hash: 94513AB1900245BFEF209F95CC48FEF7BB8EF85B00F14415AF911BA2A5D6749945CB24

Function 00401553 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7e7aa486a7cba38a24c4655809e077ce32b0d632fdebb8ad14eb01bbdf3cd026
Instruction ID: 8d6641cc39e0a23de402a6cd7af9a8bcce9404ceaedab19c941a5a8b34b5f284
Opcode Fuzzy Hash: 7e7aa486a7cba38a24c4655809e077ce32b0d632fdebb8ad14eb01bbdf3cd026
Instruction Fuzzy Hash: 8C5119B1900205BFEF209F95CC48FEFBBB8EF85B00F14411AFA11AA2A5D6759945CB24

Function 00402FFA Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403122
NtTerminateProcess.NTDLL ref: 00403133

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: be8e4cb5e493dd895ba0f666486257db29135dc3ef83a78b0b3b9a47898ca96e
Instruction ID: 67905ead67b615cb9fd2ac39997d468ff33d28dd355ca5d175fe45067cf906e9
Opcode Fuzzy Hash: be8e4cb5e493dd895ba0f666486257db29135dc3ef83a78b0b3b9a47898ca96e
Instruction Fuzzy Hash: 8B414732618E0C4FD778EE6CA88966377D5E798351B1643AAD809D3389EE30D85183C5

Function 00830572 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0083059A
Module32First.KERNEL32(00000000,00000224), ref: 008305BA

Memory Dump Source

Source File: 00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_3312.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d3e869c47d3cf8c0250670bf5f8b2e1229a070a0b25b61cdfbb8766f33bf2d36
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 65F06D326017156BDB202AF9A89DB6E76ECFF89765F100529E646E10C0DBB0EC458EA1

Function 006A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006A024D

Strings

kernel32.dll, xrefs: 006A008F, 006A0095
cess, xrefs: 006A018D

Memory Dump Source

Source File: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_3312.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: edfa6b35737d46774f892f9e838a511c53124eeea6e349ba935a860513cbf214
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 0A526874A01229DFDB64CF58C985BA8BBB1BF09304F1480D9E94DAB351DB30AE95DF14

Function 004183F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00513D70), ref: 004184CF
GetProcAddress.KERNEL32(00000000,0041E298), ref: 0041850C
VirtualProtect.KERNELBASE(00513BB4,00513D6C,00000040,?), ref: 0041852B

Strings

, xrefs: 00418435

Memory Dump Source

Source File: 00000000.00000002.1761335489.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3312.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 0211fdc64f03efc72d4e260aedab5929f5d5dea431bc9e9a5fc3155d62cc35c4
Instruction ID: 128802b458cc4b351c6b63df09879892f332cdb2aba605945024bc9f97aa87a6
Opcode Fuzzy Hash: 0211fdc64f03efc72d4e260aedab5929f5d5dea431bc9e9a5fc3155d62cc35c4
Instruction Fuzzy Hash: 08316F18508780CAE301DB79FC257823FAAAB75744F04D1ACD54C8B3B1D7BA1618E36E

Function 006A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,006A0223,?,?), ref: 006A0E19
SetErrorMode.KERNELBASE(00000000,?,?,006A0223,?,?), ref: 006A0E1E

Memory Dump Source

Source File: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_3312.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: a812bd8a4e5226da291cda7890492f087020d928e330f1a56def5d4e73e5cff5
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 90D0123114512877DB003A94DC09BCD7B1CDF09B62F008451FB0DD9180C770994046E5

Function 0040190E Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2faec9f74094ce0f08c74674007c6dc18df4c3c5133ab61c0808bb95c55d4a7d
Instruction ID: c3efed824753038ef125f202698f45fd900918c8f6410fb3a7b527937a7c5fc5
Opcode Fuzzy Hash: 2faec9f74094ce0f08c74674007c6dc18df4c3c5133ab61c0808bb95c55d4a7d
Instruction Fuzzy Hash: D811BFB220C204EBEB00AA908C52EAA3754AF05710F248137BA42791F1C57D9A13F75B

Function 00830231 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00830282

Memory Dump Source

Source File: 00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_3312.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 3b90be4db438cabf248739df59b478c1ec59edaa163146ab298285ce5bcc87a1
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 0F112B79A00208EFDB01DF98C985E99BBF5EF08351F058094FA489B362D371EA90DF80

Function 00401902 Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 038fd76a8208d0ddfff32e2f40036fbca87feb8e69a48f33ff6f35dc682cef07
Instruction ID: 207861a3759c1b147de2553678edefd9187cc257709d93c52e233f88d5e7a3be
Opcode Fuzzy Hash: 038fd76a8208d0ddfff32e2f40036fbca87feb8e69a48f33ff6f35dc682cef07
Instruction Fuzzy Hash: B70169F1208209FBEB009A908D61EBA3668AB05760F700133BA13781F5D57C9A53E76B

Function 00401922 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: c88f444a594768d2d4fab485523800559cc166debe3a6fe30cf89bfb996ff5f6
Instruction ID: 578df434b3d236032839297bc76fd9486bb072801922ad90ba2380d7086ecf03
Opcode Fuzzy Hash: c88f444a594768d2d4fab485523800559cc166debe3a6fe30cf89bfb996ff5f6
Instruction Fuzzy Hash: 95F05EB1208209FBEF009F908D61EAA3729AF05710F644137BA52781F5D63CDA53EB1B

Function 0040192B Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 45864dc147576a9e119c499a9794f12b744a0bfa5c226a532e69094f16d3b09b
Instruction ID: b5d34a972f1ec939c421f577379ccf4d396b21f1793fd223155277739043cea6
Opcode Fuzzy Hash: 45864dc147576a9e119c499a9794f12b744a0bfa5c226a532e69094f16d3b09b
Instruction Fuzzy Hash: 5AF05EB1218209FBEB009F908D61EBA3629AF05310F644177BA12781F5C63DDA23E75B

Function 0040193C Relevance: 1.3, APIs: 1, Instructions: 31sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 14db16c3e861f19ad5dfd30c38be67768c01ca1c8fcdc6992631d9b2414dadb5
Instruction ID: c277f467d3f9426b8f9a73765fdcab00a649fd51b95b24d53f0d4f33e3e8ae71
Opcode Fuzzy Hash: 14db16c3e861f19ad5dfd30c38be67768c01ca1c8fcdc6992631d9b2414dadb5
Instruction Fuzzy Hash: F7F037B1108209FBDF009F94CD51EAA3729AF09310F644577BA12781F5C63DDA12E72B

Function 00401932 Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d565b972daf1ea01d692af33d09a01f0ed4f5aa4668cdc6292c3b22aaefac0ec
Instruction ID: 30c85490bd3e36b3d7497cee73256dee3cb4488b2b17691bada95d8d1bd3f612
Opcode Fuzzy Hash: d565b972daf1ea01d692af33d09a01f0ed4f5aa4668cdc6292c3b22aaefac0ec
Instruction Fuzzy Hash: 33F037B1204205FBDF009F94CD91EAE3629AF05310F644173BA12791F5D67DDA12E75B

Function 004183C0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00513D6C,00418A52), ref: 004183C8

Memory Dump Source

Source File: 00000000.00000002.1761335489.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3312.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: bf7e8b90cc3ff6e39906310c12a02d65c83cdbf560656bc42193d9e9982b9279
Instruction ID: c2961758425a8787823cb41888b9bba809d6f705acec62bde6717c0d90632542
Opcode Fuzzy Hash: bf7e8b90cc3ff6e39906310c12a02d65c83cdbf560656bc42193d9e9982b9279
Instruction Fuzzy Hash: A6B012F0A491009FD7008F54FD64B903FB4F358702F00C065F600C2164EB304908EB10

Non-executed Functions

Function 006A092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 006A095F
l, xrefs: 006A0966
GetProcAddress., xrefs: 006A09DC, 006A09DF, 006A09E4

Memory Dump Source

Source File: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_3312.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 950ca7b9e5abbbfde5366c66b5014f758a29023b43122d8a2dbe4e0272f0e847
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 5B3137B6900609DFEB10DF99C880AAEBBF6FF49324F24504AD441A7311D771EA45CFA4

Function 004020EA Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f97d7e3c198c930df0e1e3726df986428e5bed6b78be6737e9bf24f670245c
Instruction ID: 1fe14f3d08a5ad6b2b8af3127fa4f425e7ffb0c359c280517f11db711c116789
Opcode Fuzzy Hash: 18f97d7e3c198c930df0e1e3726df986428e5bed6b78be6737e9bf24f670245c
Instruction Fuzzy Hash: 0A716C32400264DADB28EFBCC6CAE557370FB02F00B550BB6C5812F58ADB75B6198B96

Function 0082FE4F Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_82d000_3312.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 37c188c7758a7bb730d7eacdf9a99ac3212b6f643a04555ec9e14fd00b4bcd8a
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: B6117076340110AFD755DE59EC81EA673EAFB88720B2A8075EA04CB327E675EC41C760

Function 00402379 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c91299fc0d5ea6405d973304b2732cfb05cef970dc5b42c380558f1c3c8a50
Instruction ID: e7a2f1e1f2d18035c496875c0c2bba996cc0d18765e75913e3c7fd8bcbe23822
Opcode Fuzzy Hash: 14c91299fc0d5ea6405d973304b2732cfb05cef970dc5b42c380558f1c3c8a50
Instruction Fuzzy Hash: CA11533600420ADFD715EE219A89AA9BB21FB45704B5400BADE562B0C2A2BD7123970B

Function 0040237B Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecd1a4c209d5f5235aa5223a66586c749e58f70271c2d5c11b30b858281451a
Instruction ID: d9f06ca26037506423ecc87bc330270b3b45d0e2ffab50e6a8e269eb556b0e13
Opcode Fuzzy Hash: 5ecd1a4c209d5f5235aa5223a66586c749e58f70271c2d5c11b30b858281451a
Instruction Fuzzy Hash: 7411533640820ADFD715EE21AA89AA6BB31FB45704F5400BBDE562B0C1E2BD7123D74B

Function 00402387 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c29bc3172a4a75054b17bc2abf467eb46d0d52112e2b03bc1234d3f1f3eeaba
Instruction ID: 8ab6e973ac2bde56534b905b9a6112487ad567182bc04a9cefd4a17b3c0f3d42
Opcode Fuzzy Hash: 2c29bc3172a4a75054b17bc2abf467eb46d0d52112e2b03bc1234d3f1f3eeaba
Instruction Fuzzy Hash: A6113636504206CFDB15DF20D9895A8B722FB45704B1400BACE522B0C1E37D7113D70B

Function 00402397 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fb1fcd810030a7c701492efe6b1583806f24c29ad391e8378491e72e53c4f9
Instruction ID: 10c1f8c9815bd1bae344db256f26ecf9b321a2c49f9f40fa9571263b21f216dd
Opcode Fuzzy Hash: c2fb1fcd810030a7c701492efe6b1583806f24c29ad391e8378491e72e53c4f9
Instruction Fuzzy Hash: 17113636404206CFD715DF10AA895A8B721BB55704B14007ACE521B0C1A3BD6113970B

Function 0040239B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad580f4852e8641318215a16f7c63f70c318642c86c98d9f634171b4294914d4
Instruction ID: f3401649f1529dc56ca8e0e6371485d35b9042d0b2056da4c8f47593e1f5965b
Opcode Fuzzy Hash: ad580f4852e8641318215a16f7c63f70c318642c86c98d9f634171b4294914d4
Instruction Fuzzy Hash: 7701263644420ACFDB1AEF11E9896E8B732FB55704B5401BACE565B0C1E37D6113D70B

Function 0040239E Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761315277.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3312.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d17a2e63e4f1915686b689582fba0273351ae16582c8cdc9572b60fe9b5c197
Instruction ID: ab8b863e00b9434e1dbf8970a3beebb42fa128e0550c32edf730788d57ebd560
Opcode Fuzzy Hash: 0d17a2e63e4f1915686b689582fba0273351ae16582c8cdc9572b60fe9b5c197
Instruction Fuzzy Hash: 1001263640434ACFCB16EF11E9895E4BB32BF45708B4801A6CE565B092E3793122D70B

Function 006A0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a0000_3312.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 9670c6dc6782615957e8167651f040a8d9d68a0a5bd5790f4f5c73451d1e142f
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 7E0184766016048FEB21EF64C804BEA33E6FF87315F4544A5D50697242E774AD418F90

Function 004185D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 004185E4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004185F6
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418631
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041863F
OpenJobObjectA.KERNEL32(00000000,00000000,0041A388), ref: 0041864E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418660

Strings

-, xrefs: 0041866D

Memory Dump Source

Source File: 00000000.00000002.1761335489.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3312.jbxd

Similarity

API ID: AvailableBackupBuildCalendarCommEnvironmentFreeInfoMemoryNodeNumaObjectOpenSeekStrings
String ID: -
API String ID: 2332831159-2547889144
Opcode ID: aa3f3e16c2b8ad8159801690ebf91fd77c7334dd12e0fb43f0cb842b769be909
Instruction ID: dc09c9271f7556c4636e283841371480f1d2e1e0c911847624fe203bcff12d0a
Opcode Fuzzy Hash: aa3f3e16c2b8ad8159801690ebf91fd77c7334dd12e0fb43f0cb842b769be909
Instruction Fuzzy Hash: D411F931684304BBEB205FA4AD46BEE7F74EB09B12F214129FA04691C1CFB41E819B5F

Function 00418606 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418631
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041863F
OpenJobObjectA.KERNEL32(00000000,00000000,0041A388), ref: 0041864E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418660

Strings

-, xrefs: 0041866D

Memory Dump Source

Source File: 00000000.00000002.1761335489.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3312.jbxd

Similarity

API ID: AvailableBackupCalendarInfoMemoryNodeNumaObjectOpenSeek
String ID: -
API String ID: 1414951042-2547889144
Opcode ID: 86776cb80feb8b78d01717bac59e27429fa2b5433d03396783db491f30ffd1ff
Instruction ID: 3dc4560c4a2b73dc85cfe488574194b755ebb29c5387034dd9c2c55cc5f6870b
Opcode Fuzzy Hash: 86776cb80feb8b78d01717bac59e27429fa2b5433d03396783db491f30ffd1ff
Instruction Fuzzy Hash: F7F0C231685304ABDB219F94ED56BD97B60EB09B15F214258FA086E1C0CBB41E81DB8A

Function 00418690 Relevance: 6.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(0041A3A4,?,00000000), ref: 004186C7
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004186E2
HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00418705
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418714

Memory Dump Source

Source File: 00000000.00000002.1761335489.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_3312.jbxd

Similarity

API ID: CreateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 2776817195-0
Opcode ID: 9a4a35854e1a9fccc17e98839e81a7996436b36a760555773b20b47233558da8
Instruction ID: 169bd11126e9c70372d5ad919650aca72b348e6cd2082656d0e56df02b6a2308
Opcode Fuzzy Hash: 9a4a35854e1a9fccc17e98839e81a7996436b36a760555773b20b47233558da8
Instruction Fuzzy Hash: 2F01D8B0A40204ABD720EB64EC55BD97778EB1C301F00407BFA05A72D0DE745E84CB5D

Analysis Process: djjergwPID: 180, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	17.9%
Signature Coverage:	0%
Total number of Nodes:	156
Total number of Limit Nodes:	5

Executed Functions

Function 00418730 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 310
libraryfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041884B
SetFocus.USER32(00000000), ref: 00418854
ReadConsoleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041885F
FindAtomA.KERNEL32(00000000), ref: 00418866
SearchPathA.KERNEL32(0041A3EC,0041A3D0,0041A3C8,00000000,?,?), ref: 0041888A
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00418892
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004188AA
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 004188D1
CopyFileExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004188DD
CreatePipe.KERNEL32(?,00000000,00000000,00000000), ref: 004188F3
GetEnvironmentStringsW.KERNEL32 ref: 004188F9
WriteConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041893E
GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 0041894D
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00418956
ObjectPrivilegeAuditAlarmW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041896B
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0041897C
SetCommMask.KERNELBASE(00000000,00000000), ref: 004189A5
GetUserObjectInformationW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004189BB
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 004189EA
GetComputerNameW.KERNEL32(?,?), ref: 004189FE
GetConsoleAliasExesLengthW.KERNEL32 ref: 00418A04
GetBinaryType.KERNEL32(0041A404,?), ref: 00418A16
PurgeComm.KERNEL32(00000000,00000000), ref: 00418A1E
LoadLibraryA.KERNELBASE(0041A420), ref: 00418A92
MoveFileW.KERNEL32(00000000,00000000), ref: 00418AC7
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00418AEE

Strings

}$, xrefs: 00418AF5
k`, xrefs: 00418ACD

Memory Dump Source

Source File: 00000005.00000002.2038001720.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_djjergw.jbxd

Similarity

API ID: Console$CommFileObject$CompareExchangeInterlockedLengthNamePathSearch$AdjustmentAlarmAliasAliasesAtomAuditBinaryComputerConfigCopyCreateDefaultEnvironmentExesFindFocusInformationLibraryLoadMaskModeModuleMoveOutputPipePrivilegePurgeReadSingleStringsSystemTimeTypeUserWaitWrite
String ID: k`$}$
API String ID: 87775671-956986773
Opcode ID: af848128e07c8e7bc8c1a283e971220105452b3befcdffc31dcb9ba888bf08ed
Instruction ID: 345bacdf8fa8409494645b8175c494f1eca766bbd4a7b31c038ebc0919f88a2f
Opcode Fuzzy Hash: af848128e07c8e7bc8c1a283e971220105452b3befcdffc31dcb9ba888bf08ed
Instruction Fuzzy Hash: 3AB1C471901124ABCB209B65EC54BDF7B79EF49354F00806EF609A3161DB385E85CFAE

Function 004014DB Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 243
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634

Strings

1, xrefs: 004014F1

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID: 1
API String ID: 1652636561-2212294583
Opcode ID: fc9ad0c17474763d406ce3553705aad449b4f49c1046925f20dec018cbeb3551
Instruction ID: 7f4d7c4657737381e02ab4131f106e217a3bc84f51a1891dc43a423f49ad99c1
Opcode Fuzzy Hash: fc9ad0c17474763d406ce3553705aad449b4f49c1046925f20dec018cbeb3551
Instruction Fuzzy Hash: 14718D71A00205FFEB209F91CC49FEF7BB8EF85B10F14412AF912BA2E5D6759905CA58

Function 00401529 Relevance: 10.7, APIs: 7, Instructions: 208
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9208168e61d895202d66972dbe02163783dcb6df2364333cde88f6d05e7d9971
Instruction ID: 138ec7ca1e8744eb65f40bd9736a53a73cefe8eecd72c79945fcbf62a21b6401
Opcode Fuzzy Hash: 9208168e61d895202d66972dbe02163783dcb6df2364333cde88f6d05e7d9971
Instruction Fuzzy Hash: D9616E71900205FBEB209F95DC49FEB7BB8FF81B00F14412AFA12BA1E4D6749A05DB65

Function 00401534 Relevance: 10.7, APIs: 7, Instructions: 177
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: bf712b81fe7c33e45fb91e121ae8a1411471c4f54e6f2b27f252d32f249b509c
Instruction ID: 46ca3ae5353e1b2bf85c7e7487c0bf4a09c0837efea8bedcf4105f5ea6450319
Opcode Fuzzy Hash: bf712b81fe7c33e45fb91e121ae8a1411471c4f54e6f2b27f252d32f249b509c
Instruction Fuzzy Hash: 81512971900245BFEF209F91CC48FEB7BB8EF85B00F14416AF912BA1A5D6749945CB24

Function 00401541 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: fdd984ed4eabfdf3fe245d48b6addcc777c2a155290e4dc39758af1e8cc42314
Instruction ID: 68c08b8250816e380b35483fe5a52fcf5a4ffa7bf922b91d474b11e8be87ed95
Opcode Fuzzy Hash: fdd984ed4eabfdf3fe245d48b6addcc777c2a155290e4dc39758af1e8cc42314
Instruction Fuzzy Hash: 99512AB1900205BFEF209F95CC48FEB7BB8EF85B10F14412AFA12BA1E5D6749945CB24

Function 00401545 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 9036e7d1caaa2f73f8ffe8f81ed6686f8338ecb8473fc941f507ff01140d436f
Instruction ID: b5c9534ba5f5358dff2a074a80b826bd55324152c05987841a878028393b6fdb
Opcode Fuzzy Hash: 9036e7d1caaa2f73f8ffe8f81ed6686f8338ecb8473fc941f507ff01140d436f
Instruction Fuzzy Hash: 94513AB1900245BFEF209F95CC48FEF7BB8EF85B00F14415AF911BA2A5D6749945CB24

Function 00401553 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401634
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401652
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401693
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016C4
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016E6

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7e7aa486a7cba38a24c4655809e077ce32b0d632fdebb8ad14eb01bbdf3cd026
Instruction ID: 8d6641cc39e0a23de402a6cd7af9a8bcce9404ceaedab19c941a5a8b34b5f284
Opcode Fuzzy Hash: 7e7aa486a7cba38a24c4655809e077ce32b0d632fdebb8ad14eb01bbdf3cd026
Instruction Fuzzy Hash: 8C5119B1900205BFEF209F95CC48FEFBBB8EF85B00F14411AFA11AA2A5D6759945CB24

Function 00402FFA Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 00403122
NtTerminateProcess.NTDLL ref: 00403133

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: be8e4cb5e493dd895ba0f666486257db29135dc3ef83a78b0b3b9a47898ca96e
Instruction ID: 67905ead67b615cb9fd2ac39997d468ff33d28dd355ca5d175fe45067cf906e9
Opcode Fuzzy Hash: be8e4cb5e493dd895ba0f666486257db29135dc3ef83a78b0b3b9a47898ca96e
Instruction Fuzzy Hash: 8B414732618E0C4FD778EE6CA88966377D5E798351B1643AAD809D3389EE30D85183C5

Function 005E003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005E024D

Strings

cess, xrefs: 005E018D
kernel32.dll, xrefs: 005E008F, 005E0095

Memory Dump Source

Source File: 00000005.00000002.2038193053.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5e0000_djjergw.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 8d9f06940a44e2be45beeee2e4bbecad622b7844b54902dca0b4f5182f6b35db
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: A9526874A00269DFDB64CF59C984BA8BBB1BF09304F1480D9E94DAB391DB70AE85DF14

Function 004183F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00513D70), ref: 004184CF
GetProcAddress.KERNEL32(00000000,0041E298), ref: 0041850C
VirtualProtect.KERNELBASE(00513BB4,00513D6C,00000040,?), ref: 0041852B

Strings

, xrefs: 00418435

Memory Dump Source

Source File: 00000005.00000002.2038001720.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_djjergw.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 0211fdc64f03efc72d4e260aedab5929f5d5dea431bc9e9a5fc3155d62cc35c4
Instruction ID: 128802b458cc4b351c6b63df09879892f332cdb2aba605945024bc9f97aa87a6
Opcode Fuzzy Hash: 0211fdc64f03efc72d4e260aedab5929f5d5dea431bc9e9a5fc3155d62cc35c4
Instruction Fuzzy Hash: 08316F18508780CAE301DB79FC257823FAAAB75744F04D1ACD54C8B3B1D7BA1618E36E

Function 00610822 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0061084A
Module32First.KERNEL32(00000000,00000224), ref: 0061086A

Memory Dump Source

Source File: 00000005.00000002.2038289843.000000000060D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_60d000_djjergw.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 3a59b0cf86a0549b21c4c45f85ead23eddd10ebf11ac010becf6ce86b74f9df0
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: BBF0C231600710ABEF603AB5A88CBEE72EDAF48324F140168E642911C0CBB0E8C586A1

Function 005E0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,005E0223,?,?), ref: 005E0E19
SetErrorMode.KERNELBASE(00000000,?,?,005E0223,?,?), ref: 005E0E1E

Memory Dump Source

Source File: 00000005.00000002.2038193053.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5e0000_djjergw.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: cea14cca2211f37e0d6e011ac58af5d885f71300399aca2e74a7d4b784c7d1e3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 0FD0123114512877D7002A95DC09BCD7F1CDF05B62F008421FB0DD9080C7B0994046E5

Function 0040190E Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2faec9f74094ce0f08c74674007c6dc18df4c3c5133ab61c0808bb95c55d4a7d
Instruction ID: c3efed824753038ef125f202698f45fd900918c8f6410fb3a7b527937a7c5fc5
Opcode Fuzzy Hash: 2faec9f74094ce0f08c74674007c6dc18df4c3c5133ab61c0808bb95c55d4a7d
Instruction Fuzzy Hash: D811BFB220C204EBEB00AA908C52EAA3754AF05710F248137BA42791F1C57D9A13F75B

Function 006104E1 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00610532

Memory Dump Source

Source File: 00000005.00000002.2038289843.000000000060D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0060D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_60d000_djjergw.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 921f8a554a71ccebb4b89bbc5a81b677b2b3d6c348ae118751e02bbc8b1790dd
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 41113F79A00208EFDB01DF98C985E98BBF5AF08350F098094F9489B361D771EA90DF80

Function 00401902 Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 038fd76a8208d0ddfff32e2f40036fbca87feb8e69a48f33ff6f35dc682cef07
Instruction ID: 207861a3759c1b147de2553678edefd9187cc257709d93c52e233f88d5e7a3be
Opcode Fuzzy Hash: 038fd76a8208d0ddfff32e2f40036fbca87feb8e69a48f33ff6f35dc682cef07
Instruction Fuzzy Hash: B70169F1208209FBEB009A908D61EBA3668AB05760F700133BA13781F5D57C9A53E76B

Function 00401922 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: c88f444a594768d2d4fab485523800559cc166debe3a6fe30cf89bfb996ff5f6
Instruction ID: 578df434b3d236032839297bc76fd9486bb072801922ad90ba2380d7086ecf03
Opcode Fuzzy Hash: c88f444a594768d2d4fab485523800559cc166debe3a6fe30cf89bfb996ff5f6
Instruction Fuzzy Hash: 95F05EB1208209FBEF009F908D61EAA3729AF05710F644137BA52781F5D63CDA53EB1B

Function 0040192B Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 45864dc147576a9e119c499a9794f12b744a0bfa5c226a532e69094f16d3b09b
Instruction ID: b5d34a972f1ec939c421f577379ccf4d396b21f1793fd223155277739043cea6
Opcode Fuzzy Hash: 45864dc147576a9e119c499a9794f12b744a0bfa5c226a532e69094f16d3b09b
Instruction Fuzzy Hash: 5AF05EB1218209FBEB009F908D61EBA3629AF05310F644177BA12781F5C63DDA23E75B

Function 0040193C Relevance: 1.3, APIs: 1, Instructions: 31sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 14db16c3e861f19ad5dfd30c38be67768c01ca1c8fcdc6992631d9b2414dadb5
Instruction ID: c277f467d3f9426b8f9a73765fdcab00a649fd51b95b24d53f0d4f33e3e8ae71
Opcode Fuzzy Hash: 14db16c3e861f19ad5dfd30c38be67768c01ca1c8fcdc6992631d9b2414dadb5
Instruction Fuzzy Hash: F7F037B1108209FBDF009F94CD51EAA3729AF09310F644577BA12781F5C63DDA12E72B

Function 00401932 Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040194E

Part of subcall function 00401529: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015E4
Part of subcall function 00401529: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401611

Memory Dump Source

Source File: 00000005.00000002.2037979246.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_djjergw.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d565b972daf1ea01d692af33d09a01f0ed4f5aa4668cdc6292c3b22aaefac0ec
Instruction ID: 30c85490bd3e36b3d7497cee73256dee3cb4488b2b17691bada95d8d1bd3f612
Opcode Fuzzy Hash: d565b972daf1ea01d692af33d09a01f0ed4f5aa4668cdc6292c3b22aaefac0ec
Instruction Fuzzy Hash: 33F037B1204205FBDF009F94CD91EAE3629AF05310F644173BA12791F5D67DDA12E75B

Function 004183C0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00513D6C,00418A52), ref: 004183C8

Memory Dump Source

Source File: 00000005.00000002.2038001720.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_djjergw.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: bf7e8b90cc3ff6e39906310c12a02d65c83cdbf560656bc42193d9e9982b9279
Instruction ID: c2961758425a8787823cb41888b9bba809d6f705acec62bde6717c0d90632542
Opcode Fuzzy Hash: bf7e8b90cc3ff6e39906310c12a02d65c83cdbf560656bc42193d9e9982b9279
Instruction Fuzzy Hash: A6B012F0A491009FD7008F54FD64B903FB4F358702F00C065F600C2164EB304908EB10

Non-executed Functions

Function 004185D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 004185E4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004185F6
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418631
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041863F
OpenJobObjectA.KERNEL32(00000000,00000000,0041A388), ref: 0041864E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418660

Strings

-, xrefs: 0041866D

Memory Dump Source

Source File: 00000005.00000002.2038001720.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_djjergw.jbxd

Similarity

API ID: AvailableBackupBuildCalendarCommEnvironmentFreeInfoMemoryNodeNumaObjectOpenSeekStrings
String ID: -
API String ID: 2332831159-2547889144
Opcode ID: aa3f3e16c2b8ad8159801690ebf91fd77c7334dd12e0fb43f0cb842b769be909
Instruction ID: dc09c9271f7556c4636e283841371480f1d2e1e0c911847624fe203bcff12d0a
Opcode Fuzzy Hash: aa3f3e16c2b8ad8159801690ebf91fd77c7334dd12e0fb43f0cb842b769be909
Instruction Fuzzy Hash: D411F931684304BBEB205FA4AD46BEE7F74EB09B12F214129FA04691C1CFB41E819B5F

Function 00418606 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00418631
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041863F
OpenJobObjectA.KERNEL32(00000000,00000000,0041A388), ref: 0041864E
BackupSeek.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00418660

Strings

-, xrefs: 0041866D

Memory Dump Source

Source File: 00000005.00000002.2038001720.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_djjergw.jbxd

Similarity

API ID: AvailableBackupCalendarInfoMemoryNodeNumaObjectOpenSeek
String ID: -
API String ID: 1414951042-2547889144
Opcode ID: 86776cb80feb8b78d01717bac59e27429fa2b5433d03396783db491f30ffd1ff
Instruction ID: 3dc4560c4a2b73dc85cfe488574194b755ebb29c5387034dd9c2c55cc5f6870b
Opcode Fuzzy Hash: 86776cb80feb8b78d01717bac59e27429fa2b5433d03396783db491f30ffd1ff
Instruction Fuzzy Hash: F7F0C231685304ABDB219F94ED56BD97B60EB09B15F214258FA086E1C0CBB41E81DB8A

Function 00418690 Relevance: 6.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(0041A3A4,?,00000000), ref: 004186C7
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004186E2
HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 00418705
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 00418714

Memory Dump Source

Source File: 00000005.00000002.2038001720.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_djjergw.jbxd

Similarity

API ID: CreateDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 2776817195-0
Opcode ID: 9a4a35854e1a9fccc17e98839e81a7996436b36a760555773b20b47233558da8
Instruction ID: 169bd11126e9c70372d5ad919650aca72b348e6cd2082656d0e56df02b6a2308
Opcode Fuzzy Hash: 9a4a35854e1a9fccc17e98839e81a7996436b36a760555773b20b47233558da8
Instruction Fuzzy Hash: 2F01D8B0A40204ABD720EB64EC55BD97778EB1C301F00407BFA05A72D0DE745E84CB5D

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3312.PDF.scr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_2a3bef5b-cedb-4c43-8137-0eaf458f5331\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF96.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC6.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002d.db

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002e.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Windows[4].json

C:\Users\user\AppData\Roaming\djjergw

C:\Users\user\AppData\Roaming\djjergw:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
3312.PDF.scr

Function 00418730 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 310
libraryfilesynchronizationCOMMON

Function 004014DB Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 243
nativeCOMMON

Function 00401529 Relevance: 10.7, APIs: 7, Instructions: 208
nativeCOMMON

Function 00401534 Relevance: 10.7, APIs: 7, Instructions: 177
nativeCOMMON

Function 00401541 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 00401545 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Function 00401553 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Function 00402FFA Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 00830572 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 006A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 004183F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 006A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0040190E Relevance: 1.3, APIs: 1, Instructions: 66
sleepCOMMON

Function 00830231 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON