Windows Analysis Report
oaUNY8P657.exe

Overview

General Information

Sample name: oaUNY8P657.exe (renamed because the original name is a hash value)
Original sample name: 4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe
Analysis ID: 1557202
MD5: 4f0c8a81138b78a1f40ef1d383632130
SHA1: 96b6c6ff5c5b1aa90014e975bb851d23acbed598
SHA256: 4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Yara signature match

Classification

  • System is w10x64
  • oaUNY8P657.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\oaUNY8P657.exe" MD5: 4F0C8A81138B78A1F40EF1D383632130)
    • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • oaUNY8P657.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\oaUNY8P657.exe" MD5: 4F0C8A81138B78A1F40EF1D383632130)
      • sms561F.tmp (PID: 7508 cmdline: "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp" MD5: 8032A5E68376A879472C297749CDB4C4)
        • WerFault.exe (PID: 7752 cmdline: C:\Windows\system32\WerFault.exe -u -p 7508 -s 1664 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
{"C2 url": ["left-noon.gl.at.ply.gg"], "Port": 60705, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "US11B.exe"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\sms561F.tmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\sms561F.tmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\sms561F.tmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe912:$s6: VirtualBox
  • 0xe870:$s8: Win32_ComputerSystem
  • 0x11399:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11436:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1154b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xff57:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe992:$s6: VirtualBox
  • 0xe8f0:$s8: Win32_ComputerSystem
  • 0x11419:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x114b6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x115cb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xffd7:$cnc4: POST / HTTP/1.1
00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe712:$s6: VirtualBox
  • 0xe670:$s8: Win32_ComputerSystem
  • 0x11199:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11236:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1134b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfd57:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
4.0.sms561F.tmp.1e0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.0.sms561F.tmp.1e0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
4.0.sms561F.tmp.1e0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe912:$s6: VirtualBox
  • 0xe870:$s8: Win32_ComputerSystem
  • 0x11399:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11436:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1154b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xff57:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp", CommandLine: "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\sms561F.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\sms561F.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\sms561F.tmp, ParentCommandLine: "C:\Users\user\Desktop\oaUNY8P657.exe", ParentImage: C:\Users\user\Desktop\oaUNY8P657.exe, ParentProcessId: 7456, ParentProcessName: oaUNY8P657.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp", ProcessId: 7508, ProcessName: sms561F.tmp
No Suricata rule has matched

AV Detection

Source: left-noon.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["left-noon.gl.at.ply.gg"], "Port": 60705, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "US11B.exe"}
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | ReversingLabs: Detection: 79%
Source: oaUNY8P657.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Joe Sandbox ML: detected
Source: oaUNY8P657.exe | Joe Sandbox ML: detected
Source: 4.0.sms561F.tmp.1e0000.0.unpack | String decryptor: left-noon.gl.at.ply.gg
Source: 4.0.sms561F.tmp.1e0000.0.unpack | String decryptor: 60705
Source: 4.0.sms561F.tmp.1e0000.0.unpack | String decryptor: <123456789>
Source: 4.0.sms561F.tmp.1e0000.0.unpack | String decryptor: <Xwormmm>
Source: 4.0.sms561F.tmp.1e0000.0.unpack | String decryptor: US11B.exe
Source: oaUNY8P657.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Management.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Management.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Core.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.pdbSystem.Core.ni.dllMicrosoft.VisualBasic.dllpD6 source: WER7417.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Configuration.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Core.pdbh source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Xml.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER7417.tmp.dmp.8.dr
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Code function: 4x nop then push rbx 0_2_00007FF78CB221D6
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Code function: 4x nop then push rbx 3_2_00007FF78CB221D6

Networking

Source: Malware configuration extractor | URLs: left-noon.gl.at.ply.gg
Source: Yara match | File source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: sms561F.tmp, 00000004.00000002.1579490182.000000001B1ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.micu
Source: sms561F.tmp, 00000004.00000002.1578890311.00000000023E8000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.0000000002400000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.00000000023F6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, sms561F.tmp.3.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: sms561F.tmp, 00000004.00000002.1578890311.00000000023E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, sms561F.tmp.3.dr | String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png

System Summary

Source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Code function: 3_2_00402203
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Code function: 3_2_00401F98
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Code function: 3_2_004021DB
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Code function: 3_2_00401F6F
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Code function: 4_2_00007FFAAC481148
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Code function: 4_2_00007FFAAC487372
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Code function: 4_2_00007FFAAC4861C6
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Code function: 4_2_00007FFAAC481659
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Code function: 4_2_00007FFAAC4810F2
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Code function: 4_2_00007FFAAC4821C9
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7508 -s 1664
Source: oaUNY8P657.exe | Static PE information: Number of sections : 18 > 10
Source: oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWizClient.exe4 vs oaUNY8P657.exe
Source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: sms561F.tmp.3.dr, 2PFYT6fKVKtP258l.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: sms561F.tmp.3.dr, 2PFYT6fKVKtP258l.cs | Base64 encoded string: 'rPuqQq1xOQbCQnrE4cq3Xs26BOFqQQv8fkMLyoFP3mFIfcMAXi9zpr4HpV3emTR4kkIpPbFiKpeip3fFC9mg'
Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.cs | Base64 encoded string: 'QoM0VtExe81XcnZLEO3SM3sBMNMMGshqFTI06NW2EkIjr5SFk5zrB7vGunPUecofdrwAzpGpvPa3MxoWEIWG', 'J5eCkOtQfZsc0XN4pnjoW5hUYGSrxCBHFKzOJAoW6ZsSXJJXf5JpoiqPX285IGbpnW3jmTdFcEXjVjE8PpXU', 'ZEvC59Na6zoJgAE8FRZpal7eF8ajvJxnl45AXgmT5cVmrRixgpsBTdWgXweiQ4o3Y5QwJGEivlYCc7ljTLZk', 'mFulPueE5RKEZTKk8GQyJItfTzZH3oMRQ7R4F7E4PlxGrtlNNYPVp4cTipHD039pix8itKW8o1BXB1soM4qG'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/6@1/1
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Code function: 0_2_00007FF78CB21450 GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7508
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Mutant created: \Sessions\1\BaseNamedObjects\FgDl5YTJAMA8a3S4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Users\user\Desktop\oaUNY8P657.exe | File created: C:\Users\user~1\AppData\Local\Temp\sms561F.tmp
Source: oaUNY8P657.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: oaUNY8P657.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\oaUNY8P657.exe "C:\Users\user\Desktop\oaUNY8P657.exe"
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Process created: C:\Users\user\Desktop\oaUNY8P657.exe "C:\Users\user\Desktop\oaUNY8P657.exe"
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Process created: C:\Users\user\AppData\Local\Temp\sms561F.tmp "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp"
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7508 -s 1664
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Process created: C:\Users\user\Desktop\oaUNY8P657.exe "C:\Users\user\Desktop\oaUNY8P657.exe"
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Process created: C:\Users\user\AppData\Local\Temp\sms561F.tmp "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp"
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\oaUNY8P657.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: oaUNY8P657.exe | Static PE information: Image base 0x140000000 > 0x60000000

Data Obfuscation

Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE.Qn58Ydns0vSS4KeRMKOGcNopDzqwDcDkHdX2ES9OsP6Y9BWWSi3SuF8agxOO0WO15mENKIKc3OHJYJmyie8qU1Xcj,U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE.FoU2PbuQD8JnrF7IKWp6OMwNkNSWrPSdF57ErpqX9vT6znJpXI64FljVixvQ46Pm2h1FZBxLsvTIkRrjTKl6knNMD,U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE._6RigNdzcvotYMmJS6U16u2yCAgrqsQh8Z9KFZiMmQMl7yP2OAN0XZZqO0Dmjyj6LBvYvyEQ3Z6j6ONUEUys24zm5V,U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE.vypUA3oiLGxAFvRxTlknguPph3w0VcEFujOlqFnfI6P0pGGmKK1GVUepWNMnW0iCeOZiGu84HYeUjUEXwBMVXgxlY,CfOxDqrrlu3NvLEu.lHwfqQSpAbfiN3IY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{MzDGpvkFkxueUC0I[2],CfOxDqrrlu3NvLEu.hIozlAtr03U5MtF3(Convert.FromBase64String(MzDGpvkFkxueUC0I[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { MzDGpvkFkxueUC0I[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs | .Net Code: kBeA5MeiWf2bbj5tp0YDkgaCeztrGKF6ZnPxIyaJSuJ5VrVKFjh87xrqn5HRQaMHzKcO3JNnNO System.AppDomain.Load(byte[])
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs | .Net Code: _3Iirrw5wIfKEI8SD System.AppDomain.Load(byte[])
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs | .Net Code: _3Iirrw5wIfKEI8SD
Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.cs | .Net Code: zyOcyhiuwKGcUmq8 System.AppDomain.Load(byte[])
Source: oaUNY8P657.exe | Static PE information: real checksum: 0x133cf should be: 0x2a5d8
Source: sms561F.tmp.3.dr | Static PE information: real checksum: 0x0 should be: 0x22e57
Source: oaUNY8P657.exe | Static PE information: section name: .xdata
Source: oaUNY8P657.exe | Static PE information: section name: /4
Source: oaUNY8P657.exe | Static PE information: section name: /19
Source: oaUNY8P657.exe | Static PE information: section name: /31
Source: oaUNY8P657.exe | Static PE information: section name: /45
Source: oaUNY8P657.exe | Static PE information: section name: /57
Source: oaUNY8P657.exe | Static PE information: section name: /70
Source: oaUNY8P657.exe | Static PE information: section name: /81
Source: sms561F.tmp.3.dr, ZZY0kMSImmoTRszS.cs | High entropy of concatenated method names: '_7IVTtTcQI7aGvndt', 'uEQ71lTA2MCMxbvw', '_4BoSgaszw5Iy4eAH', '_9FOJheTGl08HwdTlDmlKcOlJV3', 'PURMgtnSsZQcEiMCzRaO1rvLi3', 'hD8euee6JJwU7hmtBhXtaruLOq', 'Q7jJjtBxODrzWyzrqfC2zIjNCd', 'AIw6wZS3KrTLB9oOI0xz6vdTiV', 'sX9e7zKrLVCp3iXqgE8Rr1llWa', 'PTJdgYinzBcsGQ52kYDxNkSOJK'
Source: sms561F.tmp.3.dr, U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE.cs | High entropy of concatenated method names: 'UzBps6fpp8QsyChO4HS08jfb43edsKm3UJ', 'x3tRJiMLynOThwr76IqFrTJ0QLexFcLiCP', 'oAiSvL14AyxYrNUMWf6I4ZLMX9E4Hn5bgB', 'NL7cMLH3i4zSQy47tiRsUHC4th9WMa8xgF'
Source: sms561F.tmp.3.dr, 54qJ9nuCm42kYVfcKKKLcxZh1yBzrUOZUOKYADh0tX2vgbqCdmkuX8h3K.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'uxEAk38JOD8NrzrSDGhdspIXavg4QpfGdt', '_3Jm2QcrD1vk4T3iUyOOjT3suTtS8ijV5bh', 'XLp21V89RgXLntZ9NCqb7ifKyJbOaEELRB', 'aQ72rOcP3bGFEBOmEWzmcKZBM0KKkBXUEi'
Source: sms561F.tmp.3.dr, Jm0j5mjozQ9zCcZx.cs | High entropy of concatenated method names: 'IkTuRcUhzkUGr4cp', 'JMm8DaPbu4ouVJlIoL86SG6SbcJrhQIritR8afuu85iEVXYv8L3hs0RwcS67fvRk2e', 'v8ZqP2g0K2hTNMxAlBbhQLIzzikXXYgvlYOobGZsy7Mvw43MTVwzqVtAe71RF6weN8', 'n1AklyhOz13CH86BMJ73VWxzo4GglkuaqPxUOVjbDC8PKyEV5hd9YyV8WaYebfFLtK', 'OXOEPq0ll3xpBwopsqkyGp7TXLGO5pAj2Eo81k4YpaU4PRHkDjiNg1l3iX4GbbqQOs'
Source: sms561F.tmp.3.dr, Ux5xT5SdUDgrmJoYwkXZ4wPj9TszCC1UbemG1uUDQeFag98fKpJjriWIEJYvAT5JeU3ZRcThgCIknGrOw2vbdhXCg.cs | High entropy of concatenated method names: 'UzHOFA4VUd3iiJHLlRLT5m1VPBoz16haBPufTWd7ZVA23vbnRkU0CuCm2pTRQRMjXs0LdzRdlPZx6RiHLlimnPFJt', 'kHjfMRg5q7RpD34WVdDJM64d861pkZ3TDGtbPsbacWyUkNzdhJQ8YZaGaKc86pf9e6nUIQz99aK96b3IvoHQMex5s', 'VpsaG5I2MD4kMUGFk6hwdgCXWIy8o106pHamoQvxrTdEWyjrw9avITLVvPMsEYBx1Y0XT7zhuxbp0iG84mEEUixB0', 'wATTPfpRc10N0eufHRyVVoHsmMAtEdl5hnO38Rl2vpoKvTI2w2zk2Nv0Sy89UB6vC9X8GCoADvaC4Zfac0J51TlJr', 'QCAJYvJDTWIydB5yXGJGqG9fjSLLGyPHcjvGa6JLCvXvWvrB28kQodhez2I2x64fDM7uuzXCkxzNMHWTviNZeRjuS', 'D7Rosv8SiKfCVIZikT4ROx5G4Z4p3v61TsrzpydcQvh53rCwbziqa2R3DzcgAHu2qMk9QuzXKHR47JojfOx4T296R', '_9Ca0VrI51E2MUkIeYk6ftvJ1ahqLp0tSiHL5WvnUZRZgLI2ZUPPCOdL9zwK3b3xnLP088s8zjrIRNJ9cRwlBxMI9V', '_38fqEuegyVhrKBrsLiNrmwgJ1SnOFCffafGImGJcMa05gDGSKq7YAuQWyaiQwVJcSfyo36jwrFMPT9jNSuocpmfM2', '_79WmPsrHLl33ufsC4LsYyQFOh6crYOiqkL9rGLtmRSTRKjw91haNC66T6tC9BGQZwJrAzItcPG5dc9D55odIS0MFa', 'EiUzB5Q1VAbOeTFIhvkrGIL799E5Hg3w1r4BKnc68Ac63ZGqPIKu5VifnTP1W4YzxB7Rd8mzIOLnasyHbX08Xw3s0'
Source: sms561F.tmp.3.dr, 2PFYT6fKVKtP258l.cs | High entropy of concatenated method names: 'ovJ69SMjolPj9MF5', 'CeqBJ7e9ZFYqv1UNgv5n6J0ocyYyCJ3OjHm73WfSSFkbYndeq1vinse0DCr63tpGycMuFybRGAX9X2OtKCk7', 'QgaurUKqWrvwJVa59QIYAkCQ6XEBD3wh80SZhu879n2VmrxZrFwiiBNclbFso80E1Ybs4UesgjkMMa0EyoLW', 'zqrlK2TEtLXi8eCzQmB77pmOgQ3LNr8ePoC242UBvpczjMrTLwblU4ZN5GNgPkq0LM6KpbPAxzuwaEpIiT6m', 'hh5odrhWvNu8lr2kA9Rvh22XzyJcbuyTnMf1mZTQ2eQ5GtgS54bgLJ2ygEs813CyJZ1BMksRMDZZsk8Qz5Zm'
Source: sms561F.tmp.3.dr, GxjjaV2cUpDuUZiR.cs | High entropy of concatenated method names: '_2hFRviCosJqAAAku', 'O38Zj7OdzaOl1obR', 'QsccK2WP0FXimxh8', 'vZaFrjVVCQ5Mdg4UXVPQXA03HFp1pV2jyWwxn73K4LT58HfJWGCCUEEyFmov0NoTtg', 'na2WokX7EpIDJccJeBcJkTkN3TEXwBbkV3M42ps2Gah4qFzJuz4SGBy1iCwp9Gkj99', '_6ZlcJaM9J6FBzHTTUYTPrbXWpqjllkUzL1S6xGkctMSAAZUvSmO', 'fkzXpJ0nZaBkVC739qyLKRXm9KscK8iPtkDbqYIfunO7SZcUvOl', 'FgE6AThVg0ug7JhYWCQd9U1gIIdLRaSzidWtxtRz13OATIsG7If', 'R7XRtOaBRMMgW6BSHoUZkyHBKrALXwBI1Eb89VhzTl0bSbUZuNk', 'iijy5ZRjUEF0jvbzqNSYc0AWRMByS7MQaOgCtcvAz4Ss6RNdI2U'
                Source: sms561F.tmp.3.dr, 8AcBw83iTTZR0gzOLr4D7gMPEV1kMtgYpJXHnJwhGkoKVV8Q4esUC8oADm8sux5LS019SK7qTTVTv9FBj4VPUeMGz.csHigh entropy of concatenated method names: 'AHs9hYLZtHlvzhPB5egmLag6VVUND0ukDILJXfDpwCivkUAx2hAWqt2aBmfaGAOMAlT5jKWU62027iHiMjQbj60uI', '_3XOd53yGytMw0xVXZW9GjsWQMVxmVKE9LOimwKZ0l5EXvTG0nRb6QSfpA8k6sAIRzICC0q3HeoUGQyA7aCOFSqAqE', '_5wdxGPqPrGs9DzhtY9YatjiuMvXqfx3Qh6RkuEdSoMg57WhF8P8oebAaUS9VcSYTKDD8zURzdJx7J54s4tfLq1gRu', '_3OIeSsBy77psmlQA3gABEcuJYMOXz9b4pT3zPBfheophnYH7fEzFuFR8QoqNSDSGqryZ6cG4HLvxp5uDKvaMgTpRz', '_3EAy6OYn78QehlUvg9O3dcryr5VEt4ul9J04iTzxpbCRGjIoI9PeFWyk8torqPQSmXkMe1sv5kfT1AjzFuJ905IAg', 'xuOBzT4OUN2rOxBPWq4jdVyAJacIYPseni6iRj5uG8wk5WsRd2IyswUcIDqEyrwlReISqXCJGdcycOIIYgdzzguhW', '_8ebUR9S6nPyzTmWbvGFm3JcRqIBPylvJpaYR5aqTWuBbMlmSN0FPvltQWqpqIvHeBzLnQXOuoW', 'nZNrra2V1RvvxlNX3p7DZtJKMtpwIq0637OOcCDf4ZIUowrzwpc0EdoAU2pORdigjNyoBCuBAq', 'jLwd3zwzkLEU8BYtF0KLaBUelayoKyiZTe2IiNfdk2UhBZ3HFQTBIiESxb8DeR7DWQ7YtXYHvx', 'GioTMhUYsqPzfRxFwGqjaiaI9meiZh0Q3j3XF2aGTkOD3Gin3c6uh5Ge7cM4bWRyzk86tBquzp'
                Source: sms561F.tmp.3.dr, qscAgj4aPLGJ38vR.csHigh entropy of concatenated method names: 's7t483xDEddrktVx', 'S69T85VOd4y3bwhO', 'ug35Tss1pRsniwZg', 'R8SGq2kONKo5XjSH', 'xUglXcaJZqHHlkFWxplNlNPsr7W70E3Kmzs89NCNCWVAlrtWy6q', 'dHII5vmLBYQAhUhgszWSVzsIevuBl2tKWsGzg3GuqHlVEIJ7XaB', '_8b0MFfgkVAcyQp37764nAsZX8GITDTSnhGHB8Bo7QUsy1ULkIek', 'dDUXAmhif1eIqQPgu8aR4MbtxLUKn0pqhmK78q6b9TsmJGeOe6l', 'OOXu3EwIMu2kZ1GIH4uGMnEFIhyPNjNlhHOAZAeWFv3BP1W8jCU', 'hdbl6cTLNfFwmcjEXJKfTjPPKE4mTw5U7AUoZ4azaANBll7JHCo'
                Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.csHigh entropy of concatenated method names: 'BZBi7xApW8b9VeZsKqV74Hob6URHF0U7qBJxyUdOeP3RZ7I92LFa93QsclzS9jgoKcNeJYkHPk', 'kBeA5MeiWf2bbj5tp0YDkgaCeztrGKF6ZnPxIyaJSuJ5VrVKFjh87xrqn5HRQaMHzKcO3JNnNO', 'Wy3EMKMXP0xOOeRS75yH0SH12dnWmjTxbvzXhGtbVPvLu2WqJqcVS5S2JWJp3vruxJBYJwF2c4', '_6syQ1FNEp9LoDKGQG8IEYR5bEvFXgEqPXv8SdL1zYsVY24dPF1VCaCDR5Jp52Sh6cLe4MVHv3M', '_68zoW2eAfYPyeTKtwXzr5NoSJOdTZHObvVTLPeW0kdXGDMwlgO1FtAGUbjr35aUfrPnRNcnRYD', 'T1yZa7r0qpIPaLAYvIN7o5uALhB5hR1Pl0S4poLul3vYx5M84rxIft0RCevkClirA8pqvEKBDJ', 'OiaqDKql7eyByXmMBXPHKnhwAn8pLZhMKVEKWgs9Mx5nsQFsraOk7RmntpEpm89ODOLGsFkH2O', 'Brr5OtJlVzK2D88vAszYDISZmNR6ue3XOsHklYy17wiLDGYnQXNJb4hBHCsNuEXx2h4EuPFz4B', 'n1cm6SVhrxdk7TLga9qWAzujWP96MG3bLzciBJk8qILqCijftpgGPUPqKCDsJfUn3d9mzEBye0', '_5KJywWKXXbatDKz2'
                Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.csHigh entropy of concatenated method names: 'kFRgAy4ceH6sLvWU', '_55FZ68YNLufkVkYm', 'iMhSIAmSzNQwTrQT', '_2ncpsofLzCWtDE7V', 'WSHgnj4COP5DmpCo', 'UfIW6IRrWjwb8HBr', 'vZDPzR4ro93fiARX', 'DpfZq4FF1WqQb75o', 'AZz6uTt9Jv1sYycA', 'lCM3qwIKhEyacjsV'
                Source: sms561F.tmp.3.dr, cc0HsONsZA56M57M.csHigh entropy of concatenated method names: 'QuTpVFjs5LhShU7t', 'SlbqSbp4X3V7uCLt', 'qB60QbG21Hk9JdQw', 'XsJgWzdQoQ9wnK74', 'p7olRxmfiVujoiwJ', '_3QQijd5s0gqMxRi9', 'Do2gm9jNiZZCKvMl', '_8A21HtwwODJIgloB', 'RhjgRJF8pzBni2Ck', 'hqBaphWstNJ8LeF2'
                Source: C:\Users\user\Desktop\oaUNY8P657.exeFile created: C:\Users\user\AppData\Local\Temp\sms561F.tmpJump to dropped file
                Source: C:\Users\user\Desktop\oaUNY8P657.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpProcess information set: NOOPENFILEERRORBOX (55 identical events collapsed into this line)Jump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events collapsed into this line)Jump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX (54 identical events collapsed into this line)Jump to behavior
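
The "High entropy of concatenated method names" findings above rest on a simple statistic: join a class's method names and measure the Shannon entropy of the resulting string. The following is an added example written for this page, not Joe Sandbox's own implementation. The obfuscated names are copied from the report's ZZY0kMSImmoTRszS.cs finding; the benign set is constructed from the ordinary .NET members the report lists for the 54qJ9nuCm... class; the threshold is an assumption, since the sandbox does not publish its value. It also reports a second tell visible in the same findings, the share of names shaped like an underscore followed by a digit.

```python
"""Shannon entropy of concatenated .NET method names.

Added example (not Joe Sandbox code) reproducing the idea behind the report's
"High entropy of concatenated method names" findings.  OBFUSCATED_NAMES are
copied from the ZZY0kMSImmoTRszS.cs finding; BENIGN_NAMES are constructed from
the ordinary members the report lists for the 54qJ9nuCm... class.  Joe Sandbox
does not publish its threshold, so THRESHOLD_BITS is an assumption.
"""
from collections import Counter
from math import log2

THRESHOLD_BITS = 4.8  # assumption; tune against a corpus of clean assemblies

OBFUSCATED_NAMES = [
    "_7IVTtTcQI7aGvndt", "uEQ71lTA2MCMxbvw", "_4BoSgaszw5Iy4eAH",
    "_9FOJheTGl08HwdTlDmlKcOlJV3", "PURMgtnSsZQcEiMCzRaO1rvLi3",
    "hD8euee6JJwU7hmtBhXtaruLOq", "Q7jJjtBxODrzWyzrqfC2zIjNCd",
    "AIw6wZS3KrTLB9oOI0xz6vdTiV", "sX9e7zKrLVCp3iXqgE8Rr1llWa",
    "PTJdgYinzBcsGQ52kYDxNkSOJK",
]
BENIGN_NAMES = ["Equals", "GetHashCode", "GetType", "ToString",
                "Create__Instance__", "Dispose__Instance__"]


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * log2(c / n) for c in Counter(text).values())


def concatenated_entropy(names) -> float:
    """The signature's statistic: entropy over all names joined together, so a
    short individual name cannot hide behind a tiny sample size."""
    return shannon_entropy("".join(names))


def digit_prefixed_share(names) -> float:
    """Share of names shaped like '_7IVT...': an underscore followed by a digit,
    which hand-written C# member names practically never use."""
    hits = sum(1 for n in names if len(n) > 1 and n[0] == "_" and n[1].isdigit())
    return hits / len(names) if names else 0.0


def classify(names) -> dict:
    """Score one class's method names; 'suspicious' is the entropy verdict."""
    ent = concatenated_entropy(names)
    return {
        "methods": len(names),
        "entropy_bits": round(ent, 2),
        "digit_prefixed_share": round(digit_prefixed_share(names), 2),
        "suspicious": ent >= THRESHOLD_BITS,
    }


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("benign", BENIGN_NAMES)):
        print(label, classify(names))
```

The benign set cannot exceed log2(26) = 4.70 bits no matter how its characters are distributed, because it only uses 26 distinct symbols; the obfuscated set spreads 233 characters over most of the alphanumeric alphabet and lands well above 5 bits. That gap, not any single name, is what the signature keys on.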

                Malware Analysis System Evasion

                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, sms561F.tmp.3.drBinary or memory string: SBIEDLL.DLLEBCQPZPPECY2J0TKFUUETJZ0U2QVRLEC4GSEXHANNPFMT7RZB6LKTR1Y9THG1RIIFL8CYZEQLAGMIGK9ZQ0OHCPPV0389XHAQKGWHO66OEQUNXBGHG18JI1FABXSOB4MEHR15D2AOACREJWFYPZOTTFCKVSTJPJ3QEV00EG0RE7BBJFEQYMKXWCRLQHDUBPVYUVULQYFKJXS6NFTXAEZQ8Q5DJ5HY5WXDNIMBMKGGFUO1YF0GMTAYE5CNDKG9FU0EALQICNT404AQ89Q0EEBAGXGETDLDEXRFDDSYNX2O4UCUCWUYPXMPBN4YAJEKIWQ3AQXRCMFBZO7TOP8XF5T8PWZSTA68FE9LHA0OWVQPLF2BJ7RFARMJPMSBGGULCMN8E7QSBRF7T9N1S2EIPKYVFCICREW9O4JXI2ME4HNPSI3JZDQNIIMAL65C4LPDLAAMOA0AQCEZBM2N1UJ11IYNFCOPBGQASSIWEZ4WQC0PAINFO
                Source: sms561F.tmp, 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpMemory allocated: 21E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpMemory allocated: 1A340000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\oaUNY8P657.exeAPI coverage: 9.0 %
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: Amcache.hve.8.drBinary or memory string: VMware
                Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
                Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
                Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.8.drBinary or memory string: vmci.sys
                Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
                Source: sms561F.tmp.3.drBinary or memory string: vmware
                Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
                Source: sms561F.tmp, 00000004.00000002.1579490182.000000001B1ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
                Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.8.drBinary or memory string: VMware20,1
                Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.8.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
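
The GET /line/?fields=hosting request to ip-api.com at the top of this section is the network side of the "Check if machine is in data center or colocation facility" verdict: the service answers whether the caller's public address belongs to a hosting provider, which is true for most cloud-hosted sandboxes. The following is an added detection example written for this page, not Joe Sandbox code. It scans constructed proxy log lines (timestamps, client addresses and the non-ip-api hosts are invented) and goes slightly beyond the report: ip-api.com also exposes a "proxy" field that serves the same evasion purpose, so both field names are treated as high-severity, while other ip-api.com lookups are only noted.

```python
"""Flag the ip-api.com "am I in a data center?" lookup in HTTP proxy logs.

Added example, not Joe Sandbox code.  The report shows the dropped payload
requesting GET /line/?fields=hosting from ip-api.com.  The detector treats a
request for the "hosting" or "proxy" field as an evasion signal (the "proxy"
field is a generalisation beyond what the report shows) and any other
ip-api.com lookup as informational.  LOG_LINES is constructed in a simple
"timestamp client method host path" format; addresses and hosts other than
ip-api.com are invented.
"""
from urllib.parse import parse_qs, urlsplit

LOOKUP_HOSTS = {"ip-api.com"}
EVASION_FIELDS = {"hosting", "proxy"}  # reveal cloud / anonymiser status of the egress IP

LOG_LINES = """\
2024-11-15T10:01:02Z 10.0.0.17 GET www.msftconnecttest.com /connecttest.txt
2024-11-15T10:01:05Z 10.0.0.17 GET ip-api.com /line/?fields=hosting
2024-11-15T10:02:11Z 10.0.0.23 GET ip-api.com /json/?fields=country,city
2024-11-15T10:03:40Z 10.0.0.23 GET ip-api.com /json/?fields=status,proxy,hosting
2024-11-15T10:04:00Z 10.0.0.31 POST example.org /api/login
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its five fields."""
    ts, client, method, host, path = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "method": method,
            "host": host.lower(), "path": path}


def requested_fields(path: str) -> set:
    """Fields named in the query string; ip-api.com takes them comma-separated."""
    query = parse_qs(urlsplit(path).query)
    fields = set()
    for value in query.get("fields", []):
        fields.update(f.strip().lower() for f in value.split(",") if f.strip())
    return fields


def classify(request: dict):
    """None for hosts we do not care about, otherwise a finding dict."""
    if request["host"] not in LOOKUP_HOSTS:
        return None
    hit = requested_fields(request["path"]) & EVASION_FIELDS
    finding = {"ts": request["ts"], "client": request["client"],
               "host": request["host"], "path": request["path"]}
    if hit:
        finding.update(severity="high", fields=sorted(hit),
                       reason="asks whether egress IP is hosting/proxy: sandbox evasion")
    else:
        finding.update(severity="info", fields=[],
                       reason="public IP geolocation lookup")
    return finding


def scan(text: str) -> list:
    """Run classify() over every non-empty line and keep the findings."""
    return [f for f in (classify(parse_line(l)) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding["severity"], finding["client"], finding["path"], finding["reason"])
```

On the analysis side the complementary control is to answer this lookup with "false" (the /line/ endpoint returns one plain-text value per requested field, as far as this example assumes) or to sinkhole ip-api.com, so the payload does not learn it is running in a hosting range; in production, a workstation asking ip-api.com about its own hosting status is a strong signal on its own.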

                Anti Debugging

                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpCode function: 4_2_00007FFAAC487B71 CheckRemoteDebuggerPresent,4_2_00007FFAAC487B71
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 0_2_00007FF78CB21180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm,0_2_00007FF78CB21180
                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 0_2_00007FF78CB283AC SetUnhandledExceptionFilter,0_2_00007FF78CB283AC
                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 0_2_00007FF78CB22E61 SetUnhandledExceptionFilter,0_2_00007FF78CB22E61
                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 3_2_00007FF78CB283AC SetThreadContext,SetUnhandledExceptionFilter,WriteProcessMemory,__p__wenviron,3_2_00007FF78CB283AC
                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 3_2_00007FF78CB283AC SetThreadContext,SetUnhandledExceptionFilter,WriteProcessMemory,__p__wenviron,3_2_00007FF78CB283AC
                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 3_2_00007FF78CB283AC SetThreadContext,SetUnhandledExceptionFilter,WriteProcessMemory,__p__wenviron,3_2_00007FF78CB283AC
                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 3_2_00007FF78CB22E61 SetUnhandledExceptionFilter,3_2_00007FF78CB22E61
                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 3_2_00007FF78CB21180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm,3_2_00007FF78CB21180
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\oaUNY8P657.exeCode function: 0_2_00007FF78CB21522 GetConsoleWindow,GetConsoleWindow,ShowWindow,memset,memset,GetModuleFileNameA,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,SetThreadContext,ResumeThread,ResumeThread,WaitForSingleObject,0_2_00007FF78CB21522
                Source: C:\Users\user\Desktop\oaUNY8P657.exeMemory written: C:\Users\user\Desktop\oaUNY8P657.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\oaUNY8P657.exeThread register set: target process: 7456Jump to behavior
                Source: C:\Users\user\Desktop\oaUNY8P657.exeProcess created: C:\Users\user\Desktop\oaUNY8P657.exe "C:\Users\user\Desktop\oaUNY8P657.exe"Jump to behavior
                Source: C:\Users\user\Desktop\oaUNY8P657.exeProcess created: C:\Users\user\AppData\Local\Temp\sms561F.tmp "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpQueries volume information: C:\Users\user\AppData\Local\Temp\sms561F.tmp VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\sms561F.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe
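
The code-function line for 0_2_00007FF78CB21522 above, together with the "Memory written ... base: 400000 value starts with: 4D5A" and "Thread register set: target process: 7456" findings, is the classic process-hollowing sequence: spawn a copy of itself suspended, read the primary thread's context, allocate in the child, write a PE image (starting with the MZ header) at its image base, point the thread context at the new image and resume. The following is an added detection example written for this page, not Joe Sandbox code. It walks an API-call trace and reports only a source/target pair that completes the whole sequence against a child created suspended. The trace is constructed: 7456 is the child PID the report names, the parent PID 7400 and the argument layout are assumptions of this example.

```python
"""Process-hollowing detector over an API-call trace.

Added example, not Joe Sandbox code.  Encodes the call order the report lists
for oaUNY8P657.exe (CreateProcessA -> GetThreadContext -> VirtualAllocEx ->
WriteProcessMemory, repeated -> SetThreadContext -> ResumeThread) plus the two
tells from the "Memory written" and "Thread register set" findings: a buffer
beginning with 4D 5A ("MZ") written at 0x400000 in the child, and a new thread
context set in that child.  TRACE is constructed; 7456 is the child PID from
the report, parent PID 7400 and the args layout are this example's assumptions.
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess*
MZ_MAGIC = b"MZ"                # 0x4D5A, first bytes of a PE image's DOS header

# Ordered steps of classic hollowing; WriteProcessMemory may repeat.
STEPS = ("CreateProcess", "GetThreadContext", "VirtualAllocEx",
         "WriteProcessMemory", "SetThreadContext", "ResumeThread")
WRITE_STEP = STEPS.index("WriteProcessMemory")


@dataclass
class ApiEvent:
    pid: int    # calling process
    api: str    # API name as logged (A/W suffix tolerated)
    args: dict  # trace-specific arguments; only a few keys are consulted


def canonical(api: str) -> str:
    """Fold CreateProcessA / CreateProcessW to one step name."""
    return "CreateProcess" if api.startswith("CreateProcess") else api


def detect_hollowing(events) -> list:
    """One finding per (injector, victim) pair that completed every step, in
    order, against a child the injector itself created with CREATE_SUSPENDED."""
    tracking = {}   # (source_pid, target_pid) -> progress
    findings = []
    for ev in events:
        api = canonical(ev.api)
        if api == "CreateProcess":
            if ev.args.get("flags", 0) & CREATE_SUSPENDED:
                tracking[(ev.pid, ev.args["child_pid"])] = {"step": 1, "mz": False, "base": None}
            continue
        key = (ev.pid, ev.args.get("target_pid"))
        st = tracking.get(key)
        if st is None:
            continue    # not aimed at a suspended child of this caller
        # Any write once the write stage is reached may carry the PE header.
        if api == "WriteProcessMemory" and st["step"] >= WRITE_STEP:
            if ev.args.get("data", b"")[:2] == MZ_MAGIC:
                st["mz"] = True
                st["base"] = ev.args.get("address")
        if api == STEPS[st["step"]]:
            st["step"] += 1
        if st["step"] == len(STEPS):
            findings.append({"source": key[0], "target": key[1],
                             "pe_header_written": st["mz"], "image_base": st["base"]})
            del tracking[key]
    return findings


# Constructed trace modelled on the report's call sequence (see module docstring).
TRACE = [
    ApiEvent(4321, "CreateProcessW", {"child_pid": 4400, "flags": 0x0}),   # normal spawn, no match
    ApiEvent(7400, "CreateProcessA", {"child_pid": 7456, "flags": CREATE_SUSPENDED}),
    ApiEvent(7400, "VirtualAlloc", {}),                                    # local staging buffer
    ApiEvent(7400, "GetThreadContext", {"target_pid": 7456}),
    ApiEvent(7400, "VirtualAllocEx", {"target_pid": 7456, "address": 0x400000}),
    ApiEvent(7400, "WriteProcessMemory", {"target_pid": 7456, "address": 0x400000,
                                          "data": b"MZ\x90\x00" + b"\x00" * 60}),
] + [
    ApiEvent(7400, "WriteProcessMemory", {"target_pid": 7456,
                                          "address": 0x401000 + i * 0x1000, "data": b"\x00" * 16})
    for i in range(5)
] + [
    ApiEvent(7400, "SetThreadContext", {"target_pid": 7456}),
    ApiEvent(7400, "ResumeThread", {"target_pid": 7456}),
    ApiEvent(7456, "CreateProcessA", {"child_pid": 7508, "flags": 0x0}),   # later drops sms561F.tmp
]


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f"hollowing: {f['source']} -> {f['target']} "
              f"MZ={f['pe_header_written']} base={f['image_base']:#x}")
```

Requiring the full ordered sequence keeps debuggers and crash handlers (which also call GetThreadContext or WriteProcessMemory on other processes) from matching; the MZ-at-image-base check is what separates hollowing from plain shellcode injection and is the detail the report captured as "value starts with: 4D5A".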

                Stealing of Sensitive Information

                Source: Yara matchFile source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: oaUNY8P657.exe PID: 7456, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: sms561F.tmp PID: 7508, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED

                Remote Access Functionality

                Source: Yara matchFile source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: oaUNY8P657.exe PID: 7456, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: sms561F.tmp PID: 7508, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED
ATT&CK matrix, listed by tactic (a number preceding a technique is the count badge the report shows next to it):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 3 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 431 Security Software Discovery; 3 Virtualization/Sandbox Evasion; 1 System Network Configuration Discovery; 23 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
oaUNY8P657.exe | 50% | ReversingLabs | Win64.Spyware.AsyncRAT
oaUNY8P657.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\sms561F.tmp | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\sms561F.tmp | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\sms561F.tmp | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
left-noon.gl.at.ply.gg | 100% | Avira URL Cloud | malware
http://go.micu | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | - | high
left-noon.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://i.ibb.co/Dwrj41N/Image.png | oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, sms561F.tmp.3.dr | false | - | high
http://upx.sf.net | Amcache.hve.8.dr | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | sms561F.tmp, 00000004.00000002.1578890311.00000000023E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://go.micu | sms561F.tmp, 00000004.00000002.1579490182.000000001B1ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com | sms561F.tmp, 00000004.00000002.1578890311.00000000023E8000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.0000000002400000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.00000000023F6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1557202
                            Start date and time:2024-11-17 19:19:08 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 4m 46s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:oaUNY8P657.exe
                            renamed because original name is a hash value
                            Original Sample Name:4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@7/6@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 4
                            • Number of non-executed functions: 29
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 20.189.173.22
                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
                            • VT rate limit hit for: oaUNY8P657.exe
Time | Type | Description
14:59:16 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match: 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
IAdjMfB2A5.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
dkKMw0OlZ9.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm | ip-api.com/json/?fields=225545
program.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
skuld.exe | malicious | Skuld Stealer | ip-api.com/line/?fields=hosting
SolaraBostrappers.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
svhost.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
Midnight.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
exe030.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
GRAINS.vbs | malicious | AgentTesla | ip-api.com/line/?fields=hosting

Match: ip-api.com
Associated Sample Name / URL | Detection | Threat Name | Context
IAdjMfB2A5.exe | malicious | XWorm | 208.95.112.1
dkKMw0OlZ9.exe | malicious | XWorm | 208.95.112.1
EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm | 208.95.112.1
program.exe | malicious | Blank Grabber | 208.95.112.1
skuld.exe | malicious | Skuld Stealer | 208.95.112.1
SolaraBostrappers.exe | malicious | DCRat | 208.95.112.1
svhost.exe | malicious | DCRat | 208.95.112.1
Midnight.exe | malicious | XWorm | 208.95.112.1
exe030.exe | malicious | XWorm | 208.95.112.1
GRAINS.vbs | malicious | AgentTesla | 208.95.112.1

Match: TUT-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
IAdjMfB2A5.exe | malicious | XWorm | 208.95.112.1
dkKMw0OlZ9.exe | malicious | XWorm | 208.95.112.1
EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm | 208.95.112.1
program.exe | malicious | Blank Grabber | 208.95.112.1
skuld.exe | malicious | Skuld Stealer | 208.95.112.1
SolaraBostrappers.exe | malicious | DCRat | 208.95.112.1
svhost.exe | malicious | DCRat | 208.95.112.1
Midnight.exe | malicious | XWorm | 208.95.112.1
exe030.exe | malicious | XWorm | 208.95.112.1
GRAINS.vbs | malicious | AgentTesla | 208.95.112.1
                            No context
                            No context
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):1.208255629454617
                            Encrypted:false
                            SSDEEP:192:7qJ987OrF0NxMP5iaWz8iyUp2lxPzuiFXZ24lO890:Wj87OaNxMQa48iMxPzuiFXY4lO8m
                            MD5:840D528E630F741A185B5F765E83E859
                            SHA1:43B0B974C070EB73AFEE6A8749D0C336667DD2ED
                            SHA-256:916B2819E65C966CA0C6B307FD623A5CD746041F27FA7879CBCE81E74BBC226F
                            SHA-512:C3D913048BC81D76B170B1497E7C43C812556E91A8C5F66E58C33F9F15266A9980F048E8B5A45D52D1ADE8AEF1786D0FE35DD6ED3C435D350582601159C62C2B
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.3.4.1.2.1.4.6.9.4.8.3.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.3.4.1.2.1.7.3.9.7.9.5.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.d.1.f.0.7.1.-.b.4.7.9.-.4.c.6.d.-.8.e.8.6.-.e.e.4.7.1.9.f.c.d.a.9.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.0.8.3.d.f.3.-.1.a.e.8.-.4.d.1.6.-.a.a.f.3.-.9.4.a.8.7.6.6.c.c.1.3.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.m.s.5.6.1.F...t.m.p.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.i.z.C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.5.4.-.0.0.0.1.-.0.0.1.4.-.0.4.4.6.-.6.f.5.4.1.d.3.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.0.7.b.1.3.3.8.4.2.3.3.f.7.0.1.7.8.1.c.2.7.1.4.1.1.d.e.4.3.5.2.0.0.0.0.0.0.0.0.!.0.0.0.0.d.6.a.9.6.c.5.2.8.7.f.1.d.7.6.b.4.1.f.6.0.5.e.c.a.e.b.1.6.8.8.d.2.0.8.c.7.2.0.a.!.s.m.s.5.6.1.F...t.m.p.....
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:Mini DuMP crash report, 16 streams, Sun Nov 17 18:20:16 2024, 0x1205a4 type
                            Category:dropped
                            Size (bytes):439559
                            Entropy (8bit):3.113725737405662
                            Encrypted:false
                            SSDEEP:3072:GQjpebF78/Vz+nt1CCqkrLVy3+vBmXRIc4XIUAcSCPMfHP:5jpebaKlqWy3Q2X7Civ
                            MD5:67CD203A9D1706F9596D3F132E86E135
                            SHA1:BACF422D8F517CDA55650094726CC06625E6AE89
                            SHA-256:88D4AE14F3574731DD666E19E0EC90570DF064804484B8AB54BD5C0293752AA8
                            SHA-512:740396855CC7E86E93691969D33ED04DFF0DB273668D4B960899251DB7A3AFDED79DF3E939B829E787C0579B330F173B4FA461A290E104315F86AFE303611B0C
                            Malicious:false
                            Reputation:low
                            Preview:MDMP..a..... ........3:g........................d...........<...((......0...d(.......7..j...........l.......8...........T............@..Gt...........6...........8..............................................................................eJ.......9......Lw......................T.......T....3:g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):8702
                            Entropy (8bit):3.697640471585611
                            Encrypted:false
                            SSDEEP:192:R6l7wVeJTtIek46Y5GjgmfZJCopDp89b82EfkP0m:R6lXJZV6Y4jgmfXCT8NfkJ
                            MD5:ACADD6BFC16175EE8E699D942B5D0CB7
                            SHA1:1F86D0524742038BEDC88C9D458C06794BF93AF2
                            SHA-256:DCA57623517AF0023B6235FC13C40DFE19CAB85989D30D97CA72196A1BB78500
                            SHA-512:F57F65DB67472E4BCB5E6B3F73CA6EE36A60020988E13C9C66E24BD2179052BE33F881DBC33A02F4F3B5D6F38366B2AF2E33C3AB98E2149D37FBDAF25E42B61B
                            Malicious:false
                            Reputation:low
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.0.8.<./.P.i.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4745
                            Entropy (8bit):4.427180456738418
                            Encrypted:false
                            SSDEEP:48:cvIwWl8zseNJg771I9DoWpW8VYaYm8M4JGLPF/Byq8v8LcVf9Rod:uIjfenI7YB7VmJwBWbVlRod
                            MD5:F65BC5E8EA48A17D6D2ECB6CE6ED5E4B
                            SHA1:0E0BCFA76397D75DE210781B54B4AD8368EBD004
                            SHA-256:619FE8D3D680D2D179FBA51A7FF5FDF0FC5726B17F9F2E135619B78A877C312F
                            SHA-512:733ADF962E94DFC6A50BD80808A28DB965EA9C0EEB25FC19E6781B85B1B91F1698E863FFFD36410670234830960CA614EAD157B4B23E4964207A4494064B0AE5
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="592402" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Users\user\Desktop\oaUNY8P657.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:modified
                            Size (bytes):79392
                            Entropy (8bit):5.983605297716181
                            Encrypted:false
                            SSDEEP:1536:x5sFO8g/9VM5dQ+aomobhr3KXg6wzOB1SmOnU7Ua+GJ:x5sU9Vv4bbhr6SOB1S5nU7MGJ
                            MD5:8032A5E68376A879472C297749CDB4C4
                            SHA1:D6A96C5287F1D76B41F605ECAEB1688D208C720A
                            SHA-256:FA3DD88248218CD597232333C70E0996801817B003C234994102452712A23D1D
                            SHA-512:B75D6429844E643FC7920EFE1D30B15B0E631DED561F5F0021E105A68A729EBF308A23501C9136EFBF4637BB068DBA5C0056FF85195CD54D56E05205193D6C21
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, Author: ditekSHen
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 79%
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.:g.................,...........K... ...`....@.. ....................................@.................................PK..K....`............................................................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B.................K......H.......Hj..........&.....................................................(....*.r...p*. .(T.*..(....*.r#..p*. ^...*.s.........s.........s.........s.........*.ri..p*. .t..*.r...p*. 7V..*.r...p*. M.).*.r;..p*. ....*.r...p*. F...*..((...*.r;..p*.r...p*. S...*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(S...*"(....+.*&(....&+.*.+5se... .... .'..of...(,...~....-.([...(Q...~....og...&.-.*.r...p*.r...p*. ...*.rc..p*. .a..*.r...p*. .O..*.r...p*. ...*.r5..p*.r{..p*. .x..*.r...p*. '.
                            Process:C:\Windows\System32\WerFault.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.413963638087642
                            Encrypted:false
                            SSDEEP:6144:s/cifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNb5+:ji58oSWIZBk2MM6AFBZo
                            MD5:60CECA282EC578206682FEAC46CF61C9
                            SHA1:BC604B0165A37E11C0AD419DBDF617895D2B1F5C
                            SHA-256:DD9FEC21C1952BC91AD3EB71D064121141ECF1E50942BEECCBC68BF78FD298D2
                            SHA-512:42AA3A934DB8018203EF14FB9936EF316B266FF41E5599D81A8FE7D8512B78A3F0CB2B8960E255FCDD6887B06925E4F49DA709FDAA7521D7431FFD717E6AD3A5
                            Malicious:false
                            Reputation:low
                            Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..X.9...............................................................................................................................................................................................................................................................................................................................................,.l........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            File type:PE32+ executable (console) x86-64, for MS Windows
                            Entropy (8bit):7.5978739911000535
                            TrID:
                            • Win64 Executable Console (202006/5) 92.65%
                            • Win64 Executable (generic) (12005/4) 5.51%
                            • Generic Win/DOS Executable (2004/3) 0.92%
                            • DOS Executable Generic (2002/1) 0.92%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:oaUNY8P657.exe
                            File size:118'784 bytes
                            MD5:4f0c8a81138b78a1f40ef1d383632130
                            SHA1:96b6c6ff5c5b1aa90014e975bb851d23acbed598
                            SHA256:4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42
                            SHA512:687dddf2a070acbb5eee3af912dc1461968a67b05992f76f5a77a5bb0d773ae1049c7e44386c4a44d5971ace7784a8601c2fc3f47f1f8dbbb06a7e04646bbf1c
                            SSDEEP:3072:oziOToQz31V4b1pCoLd7H7dwsIc6rmGBLYdLrfncO:+ToQzFjox7bCs5WmGVYVrfn
                            TLSH:65C3D04A2D6A04C4CED5617857FA0BFE9E98BC13514311D8F523F23E3CAA879163E8D9
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....<.e.d........&....'. .....................@.....................................3....`... ............................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x1400013f0
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows cui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x65E93C0D [Thu Mar 7 04:01:17 2024 UTC]
                            TLS Callbacks:0x40001aa0, 0x1, 0x40001a70, 0x1
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:2c09257c32ec1acab9920857c33802f6
                            Instruction
                            dec eax
                            sub esp, 28h
                            dec eax
                            mov eax, dword ptr [00003025h]
                            mov dword ptr [eax], 00000000h
                            call 00007FB1D105C09Fh
                            nop
                            nop
                            dec eax
                            add esp, 28h
                            ret
                            nop dword ptr [eax]
                            dec eax
                            sub esp, 28h
                            call 00007FB1D105DAACh
                            dec eax
                            cmp eax, 01h
                            sbb eax, eax
                            dec eax
                            add esp, 28h
                            ret
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            dec eax
                            lea ecx, dword ptr [00000009h]
                            jmp 00007FB1D105C2F9h
                            nop dword ptr [eax+00h]
                            ret
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            nop
                            push ebp
                            dec eax
                            mov ebp, esp
                            dec eax
                            sub esp, 40h
                            mov dword ptr [ebp+10h], ecx
                            dec eax
                            mov dword ptr [ebp+18h], edx
                            dec esp
                            mov dword ptr [ebp+20h], eax
                            mov ecx, 00000000h
                            dec eax
                            mov eax, dword ptr [00006EFDh]
                            call eax
                            dec eax
                            mov dword ptr [ebp-10h], eax
                            mov eax, dword ptr [ebp+10h]
                            movzx eax, ax
                            dec eax
                            mov ecx, eax
                            dec eax
                            mov edx, dword ptr [ebp+18h]
                            dec eax
                            mov eax, dword ptr [ebp-10h]
                            dec ecx
                            mov eax, edx
                            dec eax
                            mov edx, ecx
                            dec eax
                            mov ecx, eax
                            dec eax
                            mov eax, dword ptr [00006EB6h]
                            call eax
                            dec eax
                            mov dword ptr [ebp-18h], eax
                            dec eax
                            cmp dword ptr [ebp-18h], 00000000h
                            je 00007FB1D105C363h
                            dec eax
                            mov edx, dword ptr [ebp-18h]
                            dec eax
                            mov eax, dword ptr [ebp-10h]
                            dec eax
                            mov ecx, eax
                            dec eax
                            mov eax, dword ptr [00006ED7h]
                            call eax
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8000 | 0xc20 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb000 | 0x16a60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5000 | 0x27c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x22000 | 0x94 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4040 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8334 | 0x258 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1f38 | 0x2000 | 1643ab42acf57e13dea4cbe169d06d01 | False | 0.5467529296875 | data | 5.824830734340256 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x100 | 0x200 | 0459eb45fdb9d8230163eac79b54aa22 | False | 0.19140625 | data | 1.4335270846780457 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x4000 | 0x590 | 0x600 | 8a88c6b726508e4de2f869e693a5a424 | False | 0.40625 | data | 4.074743957350813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x5000 | 0x27c | 0x400 | 8b192a1e8cff752787e94d1477ed0517 | False | 0.3564453125 | data | 2.7177913023306925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x6000 | 0x1f4 | 0x200 | 6d358da226cb542ba6972623ecde707e | False | 0.44140625 | data | 3.744470074855023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x7000 | 0x180 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0xc20 | 0xe00 | cf218a30062bcd2c9b5a6425174f9132 | False | 0.29910714285714285 | data | 3.7272213911388645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x9000 | 0x60 | 0x200 | 63601c0161d088a32e208b68ab6ede7a | False | 0.068359375 | data | 0.28655982431271465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xa000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xb000 | 0x16a60 | 0x16c00 | d4899949f12afd5602bfff3e53bba68f | False | 0.8925137362637363 | data | 7.900720282264327 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x22000 | 0x94 | 0x200 | 55fe3e1e99784323308774e94d85f25b | False | 0.2734375 | data | 1.7555367709711391 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4 | 0x23000 | 0x50 | 0x200 | ecc0436b66fbbb18e229c28047e9129e | False | 0.07421875 | data | 0.23653878450968063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x24000 | 0xfdd | 0x1000 | 60a9579b0c2e2805bac51be7f2edc5e2 | False | 0.389892578125 | Matlab v4 mat-file (little endian) @\001, rows 134283269, columns 0, imaginary | 5.248819951176151 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31 | 0x25000 | 0xaf | 0x200 | 3926a4e9348a2d2f293d468143da249a | False | 0.296875 | data | 2.128627013155538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45 | 0x26000 | 0xa4 | 0x200 | 21da29633c5b054cff7bcd24e93edc7c | False | 0.220703125 | data | 1.4891978798794558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57 | 0x27000 | 0x48 | 0x200 | 96127bf9b4a0503da8f97ccbc9448e2c | False | 0.12109375 | data | 0.7016131348005825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70 | 0x28000 | 0xa3 | 0x200 | 8afdeafeeabf207c1cec78b6604a3502 | False | 0.27734375 | data | 2.4765286669598585 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81 | 0x29000 | 0x1f8 | 0x200 | 83a4eb6d7602d34e40cc6d08d1fcfbf9 | False | 0.33203125 | data | 4.863091898681111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

(The "/4" .. "/81" names are long-section-name string-table offsets; together with .CRT, .xdata and the api-ms-win-crt imports below they are consistent with a MinGW-w64 build. The .rsrc section is the only one with near-maximal entropy and holds most of the 118,784-byte file.)
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BIN | 0xb060 | 0x16a00 | data | | | 0.8966893991712708
Imports

DLL | Import
KERNEL32.dll | CreateProcessA, DeleteCriticalSection, EnterCriticalSection, FindResourceA, GetConsoleWindow, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetThreadContext, InitializeCriticalSection, LeaveCriticalSection, LoadResource, LockResource, ResumeThread, SetThreadContext, SetUnhandledExceptionFilter, SizeofResource, Sleep, TlsGetValue, VirtualAlloc, VirtualAllocEx, VirtualProtect, VirtualQuery, WaitForSingleObject, WriteProcessMemory
api-ms-win-crt-environment-l1-1-0.dll | __p__environ, __p__wenviron
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode, calloc, free, malloc
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-private-l1-1-0.dll | __C_specific_handler, memcpy
api-ms-win-crt-runtime-l1-1-0.dll | __p___argc, __p___argv, __p___wargv, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _exit, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, abort, exit, signal
api-ms-win-crt-stdio-l1-1-0.dll | __acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, fwrite
api-ms-win-crt-string-l1-1-0.dll | memset, strlen, strncmp
api-ms-win-crt-time-l1-1-0.dll | __daylight, __timezone, __tzname, _tzset
USER32.dll | ShowWindow
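The import table and the section statistics above are enough for a static triage verdict before any dynamic analysis: the KERNEL32 imports contain the complete process-hollowing set (CreateProcessA, VirtualAllocEx, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread), the resource-loading set (FindResourceA, LoadResource, LockResource, SizeofResource) and the GetConsoleWindow/ShowWindow pair used to hide a console, while .rsrc has entropy 7.9 and holds the bulk of the file. The following is an added example, not code from the report or from the sample, showing how a practitioner would encode those three checks; the capability sets, the 7.0 entropy threshold and the 0x1000 minimum payload size are the author's choices, and the input data is transcribed from the tables above rather than parsed from the binary.

```python
import math
from collections import Counter

# Import table and per-section statistics transcribed from the sandbox report
# for oaUNY8P657.exe (entropy is bits per byte, sizes are bytes).
REPORT_IMPORTS = {
    "KERNEL32.dll": [
        "CreateProcessA", "DeleteCriticalSection", "EnterCriticalSection",
        "FindResourceA", "GetConsoleWindow", "GetLastError",
        "GetModuleFileNameA", "GetModuleHandleA", "GetThreadContext",
        "InitializeCriticalSection", "LeaveCriticalSection", "LoadResource",
        "LockResource", "ResumeThread", "SetThreadContext",
        "SetUnhandledExceptionFilter", "SizeofResource", "Sleep",
        "TlsGetValue", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
        "VirtualQuery", "WaitForSingleObject", "WriteProcessMemory",
    ],
    "USER32.dll": ["ShowWindow"],
}
REPORT_FILE_SIZE = 118_784
REPORT_SECTIONS = [  # (name, virtual size, raw size, entropy)
    (".text", 0x1f38, 0x2000, 5.82),
    (".data", 0x100, 0x200, 1.43),
    (".rdata", 0x590, 0x600, 4.07),
    (".rsrc", 0x16a60, 0x16c00, 7.90),
    (".reloc", 0x94, 0x200, 1.76),
]

# A capability fires only when every API in its set is imported; partial
# overlap (VirtualAlloc alone, CreateProcessA alone) is ordinary behaviour.
# These groupings are the author's, not a published taxonomy.
CAPABILITIES = {
    "process_hollowing": {
        "CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
        "GetThreadContext", "SetThreadContext", "ResumeThread",
    },
    "embedded_resource_payload": {
        "FindResourceA", "LoadResource", "LockResource", "SizeofResource",
    },
    "console_window_hiding": {"GetConsoleWindow", "ShowWindow"},
}

PACKED_ENTROPY = 7.0      # compressed or encrypted data scores close to 8.0
MIN_PAYLOAD_SIZE = 0x1000  # smaller sections cannot carry a PE payload


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte, the measure behind the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def capability_hits(imports: dict) -> dict:
    """Map each capability name to True when its whole API set is imported."""
    names = {api for apis in imports.values() for api in apis}
    return {cap: required <= names for cap, required in CAPABILITIES.items()}


def suspicious_sections(sections, threshold=PACKED_ENTROPY) -> list:
    """Sections big enough to hold a PE whose entropy says 'neither code nor plain data'."""
    return [name for name, _vsize, rsize, ent in sections
            if ent >= threshold and rsize >= MIN_PAYLOAD_SIZE]


def section_share(sections, name: str, file_size: int) -> float:
    """Fraction of the file on disk taken up by one section's raw bytes."""
    raw = next(r for n, _v, r, _e in sections if n == name)
    return raw / file_size


def triage(imports, sections, file_size) -> list:
    """Human-readable findings; a resource-carrying hollowing loader shows all of them."""
    findings = []
    caps = capability_hits(imports)
    for cap, hit in caps.items():
        if hit:
            findings.append(f"imports the full {cap} API set")
    packed = suspicious_sections(sections)
    for name in packed:
        share = section_share(sections, name, file_size)
        findings.append(f"{name} is high-entropy and holds {share:.0%} of the file")
    if caps["embedded_resource_payload"] and ".rsrc" in packed:
        findings.append("resource APIs plus a packed .rsrc: payload is likely carried as a resource")
    return findings


if __name__ == "__main__":
    for line in triage(REPORT_IMPORTS, REPORT_SECTIONS, REPORT_FILE_SIZE):
        print("-", line)
    # Constructed buffers to calibrate the threshold: repetitive vs. uniform bytes.
    print(shannon_entropy(b"A" * 4096), shannon_entropy(bytes(range(256)) * 16))
```

The entropy threshold is deliberately a triage heuristic: legitimate installers also ship high-entropy resources, so the section finding only becomes interesting in combination with the resource-loading and hollowing import sets, which is what `triage` expresses.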
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 19:20:13.452867031 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Nov 17, 2024 19:20:13.459054947 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Nov 17, 2024 19:20:13.459198952 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Nov 17, 2024 19:20:13.466835976 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Nov 17, 2024 19:20:13.471844912 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Nov 17, 2024 19:20:14.092298985 CET | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Nov 17, 2024 19:20:14.133857965 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Nov 17, 2024 19:20:36.498614073 CET | 49699 | 80 | 192.168.2.7 | 208.95.112.1

UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 19:20:13.432075977 CET | 52948 | 53 | 192.168.2.7 | 1.1.1.1
Nov 17, 2024 19:20:13.438996077 CET | 53 | 52948 | 1.1.1.1 | 192.168.2.7

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 17, 2024 19:20:13.432075977 CET | 192.168.2.7 | 1.1.1.1 | 0xe30a | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 17, 2024 19:20:13.438996077 CET | 1.1.1.1 | 192.168.2.7 | 0xe30a | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false

HTTP hosts contacted
• ip-api.com
HTTP sessions

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 208.95.112.1 | 80 | 7508 | C:\Users\user\AppData\Local\Temp\sms561F.tmp

Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 19:20:13.466835976 CET | 80 | OUT |
GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Nov 17, 2024 19:20:14.092298985 CET | 174 | IN |
HTTP/1.1 200 OK
Date: Sun, 17 Nov 2024 18:20:13 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true

This single request is the "Check if machine is in data center or colocation facility" signature: the dropped payload (sms561F.tmp, PID 7508) asks ip-api.com whether the analysis machine's public address belongs to a hosting provider, and the plain-text answer is "true". The request carries no User-Agent header. PID 7508 is also the process that WerFault.exe is started for a few seconds later (Target ID 8, `-p 7508`), and no further network traffic follows the check.
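The exchange above is small enough to work through by hand, which is what the following added example does; it is not code from the report or from the sample. It rebuilds the captured request and response as constructed bytes, parses them, derives the boolean the sample reads, emits the two detection findings a proxy rule would key on (ip-api.com asked for the hosting field, no User-Agent), and builds the "false" response an interception proxy in an analysis environment can return instead. The host and field lists and the assumption that the sample gates on a "true" answer are the author's; the report only shows the request and the reply.

```python
import re
from dataclasses import dataclass, field

# The two messages as the sandbox captured them, rebuilt here as constructed
# bytes (CRLF line ends; the response keeps only the headers the check needs).
RECORDED_REQUEST = (
    b"GET /line/?fields=hosting HTTP/1.1\r\n"
    b"Host: ip-api.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
RECORDED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"true\n"
)

# Public IP-intelligence service and the fields a sample asks for when it wants
# to know whether it runs on a server or proxy egress rather than a victim desktop
# (author's list, extend as needed).
GEOIP_HOSTS = {"ip-api.com"}
ANALYSIS_FIELDS = {"hosting", "proxy"}


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_http(raw: bytes) -> HttpMessage:
    """Minimal HTTP/1.1 head+body split; header names are lower-cased for lookup."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    msg = HttpMessage(lines[0], body=body)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def requested_fields(req: HttpMessage) -> set:
    """Fields named in ip-api's ?fields= parameter of the request target."""
    _method, target, _version = req.start_line.split(" ", 2)
    m = re.search(r"[?&]fields=([^&\s]+)", target)
    return set(m.group(1).split(",")) if m else set()


def classify_request(raw: bytes) -> list:
    """Detection findings for one outbound request, in a fixed order."""
    req = parse_http(raw)
    findings = []
    host = req.headers.get("host", "").lower()
    if host in GEOIP_HOSTS and requested_fields(req) & ANALYSIS_FIELDS:
        findings.append("geoip_hosting_probe")
    if "user-agent" not in req.headers:
        findings.append("no_user_agent")  # browsers and most HTTP stacks always send one
    return findings


def line_answer(raw_response: bytes):
    """Boolean the sample reads from /line/?fields=hosting, or None when the reply is unusable."""
    resp = parse_http(raw_response)
    value = resp.body.strip().lower()
    if not resp.start_line.startswith("HTTP/1.1 200") or value not in (b"true", b"false"):
        return None
    return value == b"true"


def spoofed_line_response(value: bool = False) -> bytes:
    """Reply an interception proxy can hand back so the sample believes it is on a
    residential host. Assumption: the sample stops when the answer is 'true'."""
    body = (b"true" if value else b"false") + b"\n"
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/plain; charset=utf-8\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)


if __name__ == "__main__":
    print(classify_request(RECORDED_REQUEST))      # ['geoip_hosting_probe', 'no_user_agent']
    print(line_answer(RECORDED_RESPONSE))          # True: the sandbox egress is a hosting range
    print(spoofed_line_response().decode())        # what to return to let the sample continue
```

Blocking ip-api.com outright would change the sample's behaviour as much as answering "true" does; the useful sandbox countermeasure is to answer the query with a plausible negative, which is why the spoofed response keeps the original content type and a correct Content-Length.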


                            Target ID:0
                            Start time:13:20:06
                            Start date:17/11/2024
                            Path:C:\Users\user\Desktop\oaUNY8P657.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\oaUNY8P657.exe"
                            Imagebase:0x7ff78cb20000
                            File size:118'784 bytes
                            MD5 hash:4F0C8A81138B78A1F40EF1D383632130
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:13:20:06
                            Start date:17/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:13:20:06
                            Start date:17/11/2024
                            Path:C:\Users\user\Desktop\oaUNY8P657.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\oaUNY8P657.exe"
                            Imagebase:0x7ff78cb20000
                            File size:118'784 bytes
                            MD5 hash:4F0C8A81138B78A1F40EF1D383632130
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true

                            Target ID:4
                            Start time:13:20:07
                            Start date:17/11/2024
                            Path:C:\Users\user\AppData\Local\Temp\sms561F.tmp
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user~1\AppData\Local\Temp\sms561F.tmp"
                            Imagebase:0x1e0000
                            File size:79'392 bytes
                            MD5 hash:8032A5E68376A879472C297749CDB4C4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, Author: ditekSHen
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 79%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:8
                            Start time:13:20:13
                            Start date:17/11/2024
                            Path:C:\Windows\System32\WerFault.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\WerFault.exe -u -p 7508 -s 1664
                            Imagebase:0xc00000
                            File size:570'736 bytes
                            MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true


  Execution Graph

  Execution Coverage:15%
  Dynamic/Decrypted Code Coverage:0%
  Signature Coverage:21.5%
  Total number of Nodes:191
  Total number of Limit Nodes:2

  [Rendered node/edge data omitted. What the graph records, by address in the loader (image base 0x7ff78cb20000):]
  • 7ff78cb213f0 -> 7ff78cb21180: entry path. A Sleep loop at 7ff78cb211b9, runtime setup through _initterm (7ff78cb2134c), SetUnhandledExceptionFilter and _set_invalid_parameter_handler (7ff78cb21228), then malloc / strlen / malloc / memcpy buffer preparation (7ff78cb21250..7ff78cb21280) before the call into 7ff78cb21522. Error output goes through __acrt_iob_func and __stdio_common_vfprintf (7ff78cb22be0 -> 7ff78cb22a70).
  • 7ff78cb21522: the injection routine. 7ff78cb21a40 calls GetConsoleWindow, then memset, memset -> CreateProcessA (7ff78cb216aa) -> VirtualAlloc (7ff78cb21712) -> VirtualAllocEx, WriteProcessMemory (7ff78cb2176d) -> a WriteProcessMemory, WriteProcessMemory loop at 7ff78cb217ff -> SetThreadContext, ResumeThread (7ff78cb21907). With GetThreadContext in the import table and the "Creates a process in suspended mode" signature, this is the standard process-hollowing sequence; Target ID 3 below, a second instance of oaUNY8P657.exe started at the same second, is the process that ends up carrying the XWorm Yara matches in memory.
  • 7ff78cb21e30 / 7ff78cb21c50 / 7ff78cb21cc0: VirtualQuery, VirtualProtect, GetLastError and __acrt_iob_func, typical of the MinGW-w64 runtime's pseudo-relocation and error-reporting code rather than of the payload logic.
  • 7ff78cb221d6 / 7ff78cb222c0 / 7ff78cb222e8: signal handler installation; 7ff78cb22ca0: __tzname / __timezone / __daylight; 7ff78cb22460 and 7ff78cb224f0: critical-section wrappers around free and InitializeCriticalSection / DeleteCriticalSection.
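The graph gives the order of the API calls but not a reusable detection, so the following added example, not code from the report or from the sample, turns the sequence into a stateful correlation rule: a child created with CREATE_SUSPENDED, at least one WriteProcessMemory into it, a SetThreadContext after the writes, and finally ResumeThread, all issued by the same parent against the same child. The trace format (pid, image, API name, argument dict), the pids and the sizes are constructed to mirror the 7ff78cb21522 routine; CREATE_SUSPENDED (0x4) is the real Win32 flag value. A benign suspended-create without memory writes, as a debugger performs, is included to show the rule does not fire on it.

```python
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, Win32 value

# Constructed API-trace events in the shape a sandbox hook log produces:
# (caller pid, caller image, api, argument dict). Modelled on the report's
# 7ff78cb21522 routine: the loader starts a copy of itself suspended, writes
# the payload into it, sets the main thread's context and resumes it.
LOADER = r"C:\Users\user\Desktop\oaUNY8P657.exe"
TRACE = [
    (4120, LOADER, "GetConsoleWindow", {}),
    (4120, LOADER, "CreateProcessA", {"image": LOADER, "flags": CREATE_SUSPENDED, "child_pid": 5324}),
    (4120, LOADER, "VirtualAlloc", {"size": 0x16a00}),
    (4120, LOADER, "VirtualAllocEx", {"target_pid": 5324, "size": 0x16a00}),
    (4120, LOADER, "WriteProcessMemory", {"target_pid": 5324, "size": 0x400}),
    (4120, LOADER, "WriteProcessMemory", {"target_pid": 5324, "size": 0x2000}),
    (4120, LOADER, "WriteProcessMemory", {"target_pid": 5324, "size": 0x600}),
    (4120, LOADER, "SetThreadContext", {"target_pid": 5324}),
    (4120, LOADER, "ResumeThread", {"target_pid": 5324}),
]
# A benign parent that starts a suspended child but never touches its memory
# (debuggers and some installers do this): must not fire.
BENIGN = [
    (700, r"C:\Tools\debugger.exe", "CreateProcessA",
     {"image": r"C:\app\target.exe", "flags": CREATE_SUSPENDED, "child_pid": 701}),
    (700, r"C:\Tools\debugger.exe", "ResumeThread", {"target_pid": 701}),
]


@dataclass
class HollowingFinding:
    parent_pid: int
    child_pid: int
    child_image: str
    writes: int
    self_hollowing: bool  # child is the loader's own image, as in this report


def detect_hollowing(events) -> list:
    """Correlate suspended create -> >=1 remote write -> SetThreadContext -> ResumeThread,
    all by the same parent against the same child and in that order."""
    tracked = {}   # child_pid -> per-child state
    findings = []
    for pid, image, api, args in events:
        if api.startswith("CreateProcess") and args.get("flags", 0) & CREATE_SUSPENDED:
            tracked[args["child_pid"]] = {
                "parent": pid, "parent_image": image, "image": args["image"],
                "writes": 0, "context_set": False,
            }
            continue
        state = tracked.get(args.get("target_pid"))
        if state is None or state["parent"] != pid:
            continue  # not aimed at a suspended child of this caller
        if api == "WriteProcessMemory":
            state["writes"] += 1
        elif api == "SetThreadContext" and state["writes"]:
            state["context_set"] = True   # only counts after the payload was written
        elif api == "ResumeThread":
            if state["writes"] and state["context_set"]:
                findings.append(HollowingFinding(
                    pid, args["target_pid"], state["image"], state["writes"],
                    state["image"].lower() == state["parent_image"].lower()))
            tracked.pop(args["target_pid"])  # child is running; stop tracking it
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f)
    print(detect_hollowing(BENIGN))  # []
```

A production version would key on the process and thread handles returned by CreateProcess rather than on pids, and would also accept NtWriteVirtualMemory / NtSetContextThread / NtResumeThread, since loaders frequently call the native layer directly; the ordering logic stays the same.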

  Callgraph

  • Executed
  • Not Executed
  • Opacity -> Relevance
  • Disassembly available

  [Rendered callgraph data omitted: 61 functions, Function_00007FF78CB21010 .. Function_00007FF78CB283DC. The edges confirm that Function_00007FF78CB21180 calls Function_00007FF78CB21522 (the injection routine), Function_00007FF78CB21E30 and Function_00007FF78CB21A40, and that the printf-style helpers (Function_00007FF78CB21BE0, 21BF0, 21C00, 21C10, 21C20, 21B40, 21B78, 22BE0) all funnel into Function_00007FF78CB22A70, the __stdio_common_vfprintf wrapper.]

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: Process$MemoryWrite$AllocThreadVirtualmemset$ConsoleContextCreateResumeWindow
                              • String ID: @$BIN
                              • API String ID: 3291313312-1916819016
                              • Opcode ID: 1a268847dd2997d4c8cab54aa74c89ad69d0630918c7081ed8d1475344bec58a
                              • Instruction ID: 83b161c53b02419e5038aa1079d24fae1c77d8f05e164cc33302cf12c842c9ce
                              • Opcode Fuzzy Hash: 1a268847dd2997d4c8cab54aa74c89ad69d0630918c7081ed8d1475344bec58a
                              • Instruction Fuzzy Hash: 0FB117A2714BC48ADBB08F26D8803DA77A1F748B88F508029DF4C8BB68DF39D605C714

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: malloc$ExceptionFilterSleepUnhandled_set_invalid_parameter_handlermemcpystrlen
                              • String ID:
                              • API String ID: 959198572-0
                              • Opcode ID: 32f55c20c8e17e7084bc6d5cf4eebd07ec7162706a3819bd0cdbd2e2e0d47b08
                              • Instruction ID: 4a91912fea109d049a8d3ef948205f94803b55fee2d7d243ea572e9e592da219
                              • Opcode Fuzzy Hash: 32f55c20c8e17e7084bc6d5cf4eebd07ec7162706a3819bd0cdbd2e2e0d47b08
                              • Instruction Fuzzy Hash: 77516936E09EA281F710BB55E85067AEAA6BF48B90FE44431DD1C97795CE3CE841C720

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: signal
                              • String ID: CCG
                              • API String ID: 1946981877-1584390748
                              • Opcode ID: bee6fa8d8bd77e57e6f40c5e4f9f5187d2327c2bcb5a54c27fe908d04117a730
                              • Instruction ID: f708a1949a43a31d5fe9f006731ee8b15127ce2098fe44342e630e2a9d9e6fc7
                              • Opcode Fuzzy Hash: bee6fa8d8bd77e57e6f40c5e4f9f5187d2327c2bcb5a54c27fe908d04117a730
                              • Instruction Fuzzy Hash: 1D21ED61E0CDA606FE6872E58440379AA81BF59770FB84536DA3DC33D5CD1EA881C233
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2871c3786c38ff363ceeed3cfb9e998bcd6ec10323208de28fe13ff7350e4d1
                              • Instruction ID: e1ae221f0c2752a24e89d6a7ee624bb666ae510db666be03311407bcf6a1dacd
                              • Opcode Fuzzy Hash: b2871c3786c38ff363ceeed3cfb9e998bcd6ec10323208de28fe13ff7350e4d1
                              • Instruction Fuzzy Hash: FE21EA9794EBE10BE3535A744C2506A7FA0A792D017AEC0BBD3C4836C7D81E6804C762
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94089167d9ddb5ab5d94316dab6deeefcb531f2561a945b9df9eaae1c64a4e99
                              • Instruction ID: d13db904731a4155a8825bbfe78f1f2d766f6b3d8611c10ac769e836d3799f70
                              • Opcode Fuzzy Hash: 94089167d9ddb5ab5d94316dab6deeefcb531f2561a945b9df9eaae1c64a4e99
                              • Instruction Fuzzy Hash: EA21E5A2A04B5489EB40DFAAE8403AD2BB0B708B88F544435DE1D97B68DF38D950C760
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 36e89ffcd8262b68474e0e70ab5d93c5cfaddc58954e68d11aeb22d1cac9f659
                              • Instruction ID: 64902a408a254730c418c078304824673c18d4a77f2ff1c9c51a9f6f7345a52c
                              • Opcode Fuzzy Hash: 36e89ffcd8262b68474e0e70ab5d93c5cfaddc58954e68d11aeb22d1cac9f659
                              • Instruction Fuzzy Hash: 51A0021384DC5189F2001B00DC121B3956DF706246F546030902851491C92DD0418925

                              Control-flow Graph (legend: Executed / Not Executed): function starting at 7ff78cb21c50, basic blocks 7ff78cb21c50-7ff78cb2204a; calls __acrt_iob_func, VirtualQuery, VirtualProtect and GetLastError; rendered graph edge data omitted
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FF78CB21E21,?,?,?,?,?,?,00007FF78CB24588,00000000,?), ref: 00007FF78CB21CA0
                              • VirtualQuery.KERNEL32 ref: 00007FF78CB21D6B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: QueryVirtual__acrt_iob_func
                              • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                              • API String ID: 4109086920-1534286854
                              • Opcode ID: 113019b010cfdea372466ba8fa872585d3c6fd2c84baa86eb644bb16eb746e1d
                              • Instruction ID: ff3716b0fe8d5be1a6bb08e7e731458547dccb9a6e70b6cd0d7a490e5b0c20bd
                              • Opcode Fuzzy Hash: 113019b010cfdea372466ba8fa872585d3c6fd2c84baa86eb644bb16eb746e1d
                              • Instruction Fuzzy Hash: 1151B232A08EA681EA10AF51E8406AAFF61FF88BE4FE44135DE4C57394DE3CE955C710

                              Control-flow Graph (legend: Executed / Not Executed): function starting at 7ff78cb21e30, basic blocks 7ff78cb21e30-7ff78cb221cd; calls VirtualProtect; rendered graph edge data omitted
                              APIs
                              • VirtualProtect.KERNEL32(00007FF78CB27040,00007FF78CB27048,00000001,?,?,?,?,00007FFB2B31ADA0,00007FF78CB21228,?,?,?,00007FF78CB21406), ref: 00007FF78CB2202D
                              Strings
                              • Unknown pseudo relocation bit size %d., xrefs: 00007FF78CB22176
                              • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF78CB22094
                              • Unknown pseudo relocation protocol version %d., xrefs: 00007FF78CB22182
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                              • API String ID: 544645111-1286557213
                              • Opcode ID: 5b7a8940f0fc2f72f6df61a936c333ae77e306589e620a94ed3973a55f756175
                              • Instruction ID: 0a21b36cf9d2c26a679dc60d7c226859b511e6a4ad9cce14ed10b26393f81795
                              • Opcode Fuzzy Hash: 5b7a8940f0fc2f72f6df61a936c333ae77e306589e620a94ed3973a55f756175
                              • Instruction Fuzzy Hash: 6691B221E09DE281EA20BB65D80067AEA51BF50B74FA48231DE3C577D8DE3CEC01C621

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func
                              • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 711238415-3474627141
                              • Opcode ID: ec1d69525b6318d8d8343cc1e8a892cdd36d554898d484f33c722af1ba2e46a4
                              • Instruction ID: 44f23e910d339e99c2b28e2139d0dc3750215f4da971c289a08eba3e6c337eaf
                              • Opcode Fuzzy Hash: ec1d69525b6318d8d8343cc1e8a892cdd36d554898d484f33c722af1ba2e46a4
                              • Instruction Fuzzy Hash: 1501C862908ED8C2D6169F1CE8011FAB774FFA975AF645321EB8C26620DF29D543C700

                              Control-flow Graph (legend: Executed / Not Executed): single block 7ff78cb21be0-7ff78cb21be7, __acrt_iob_func, call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-2713391170
                              • Opcode ID: 275f23618c2c71a317faf6ece10275cdf799d050ef905744da1420987ee42d9f
                              • Instruction ID: 5b91ca78ffc2b901313be918a5cc18d6896f57fd8f62e85a12595744ea4d5927
                              • Opcode Fuzzy Hash: 275f23618c2c71a317faf6ece10275cdf799d050ef905744da1420987ee42d9f
                              • Instruction Fuzzy Hash: E5F06213808E9482D2129F18A8001BBB774FF5E799FA55326EB8D26565DF2CD643C710

                              Control-flow Graph (legend: Executed / Not Executed): single block 7ff78cb21bf0-7ff78cb21bf7, __acrt_iob_func, call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-4283191376
                              • Opcode ID: 1e6cd7a9a68ac3fafb46bace25494c5a3b24ec7900b807ee99d48c331c04c5e1
                              • Instruction ID: 64e63e800f1247fcb4e961c8e923794a11b1fec15b7733fe74fcdd8a2f52ba91
                              • Opcode Fuzzy Hash: 1e6cd7a9a68ac3fafb46bace25494c5a3b24ec7900b807ee99d48c331c04c5e1
                              • Instruction Fuzzy Hash: BDF06213908E9482D2129F18A8001BBB774FF5E799FA55326EF8D26565DF2CD643C710

                              Control-flow Graph (legend: Executed / Not Executed): single block 7ff78cb21c00-7ff78cb21c07, __acrt_iob_func, call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-4064033741
                              • Opcode ID: 18d51c6244cb12bc5dd4f04bc353c537416c76c0457ae9358e107e74a2576210
                              • Instruction ID: 494a6e32aed9c5ee5f0865d97229b414683dccaea898b96aca9a5b85cdab806e
                              • Opcode Fuzzy Hash: 18d51c6244cb12bc5dd4f04bc353c537416c76c0457ae9358e107e74a2576210
                              • Instruction Fuzzy Hash: 6DF0C213808E9482D2029F18A8000BBB770FF5E799FA45326EB8D26424DF2CD643C710

                              Control-flow Graph (legend: Executed / Not Executed): single block 7ff78cb21c10-7ff78cb21c17, __acrt_iob_func, call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-2187435201
                              • Opcode ID: 4965a13a53480363231e51f40e8bd960487f6ca1a47a5ae8a120c30841ef4640
                              • Instruction ID: de25ed8f7e6b5784b0ad41b5b69ff7d825deabdf6a27835290b3d9cb8fcd6e09
                              • Opcode Fuzzy Hash: 4965a13a53480363231e51f40e8bd960487f6ca1a47a5ae8a120c30841ef4640
                              • Instruction Fuzzy Hash: 16F06213818E9482D2129F18A8000BBB770FF5E799FA55326EB8D2A565DF2CD643D710

                              Control-flow Graph (legend: Executed / Not Executed): single block 7ff78cb21c20-7ff78cb21c27, __acrt_iob_func, call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-4273532761
                              • Opcode ID: dd1109fef1e44e27e33944e548427619ad9362c31daffd96fe08d1df9979e15b
                              • Instruction ID: db9c45bc4cc79fec864f17b37c45d1727cca9243e8f1b2dc42d916e4d6791d9d
                              • Opcode Fuzzy Hash: dd1109fef1e44e27e33944e548427619ad9362c31daffd96fe08d1df9979e15b
                              • Instruction Fuzzy Hash: 22F06213808E9482D2129F18A8000BBB770FF5E799FA55326EF8D26525DF2CD643D710

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 323 7ff78cb21b78-7ff78cb21bde __acrt_iob_func call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1298168844.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000000.00000002.1298149173.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298186368.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298204824.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298225752.00007FF78CB28000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1298243874.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-2468659920
                              • Opcode ID: 5c60b4d3e583521b1503455a1772254fd0060640fb2af6a87a6682de9bd8815d
                              • Instruction ID: c4a7ee88cd244ea56a9d8633b08ba0442ec2185b3a048651e0fa647e7945d326
                              • Opcode Fuzzy Hash: 5c60b4d3e583521b1503455a1772254fd0060640fb2af6a87a6682de9bd8815d
                              • Instruction Fuzzy Hash: 0DF03623918ED482D2129F28A8001ABB774FF5E799F655326EF8D3A525DF28D583C710

                              Execution Graph

                              Execution Coverage:5.9%
                              Dynamic/Decrypted Code Coverage:0.5%
                              Signature Coverage:0%
                              Total number of Nodes:204
                              Total number of Limit Nodes:1

                              Callgraph

                              • Executed
                              • Not Executed
                              • Opacity -> Relevance
                              • Disassembly available

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580609473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: File$CreateNameTemp
                              • String ID: CloseHandle$CreateFileW$CreateProcessW$Failed to allocate memory for decryptedData$GetTempFileNameW$GetTempPathW$ResumeThread$WaitForSingleObject$WriteFile$kernel32.dll$smss$tzgkZozTzU99DscsphE8S5tViNDFltAHUsQ1hpsZSSNMtssOrVAO1wHHImV5iu7k
                              • API String ID: 3817792521-1963680545
                              • Opcode ID: 8b2f88680915b736bfc22a386e4c78384dd67c8fcd555f67793947a398c48ee7
                              • Instruction ID: eabd43d7fcba3a17b02aeddb521bde4c856c53977638f60150cda4c28548f716
                              • Opcode Fuzzy Hash: 8b2f88680915b736bfc22a386e4c78384dd67c8fcd555f67793947a398c48ee7
                              • Instruction Fuzzy Hash: 0AE16E71705A1089EB509B6ACC4039923B4B708BE8F504677EE5DA77E4EB7CCA81D709

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: malloc$ExceptionFilterSleepUnhandled_set_invalid_parameter_handlermemcpystrlen
                              • String ID:
                              • API String ID: 959198572-0
                              • Opcode ID: 32f55c20c8e17e7084bc6d5cf4eebd07ec7162706a3819bd0cdbd2e2e0d47b08
                              • Instruction ID: 4a91912fea109d049a8d3ef948205f94803b55fee2d7d243ea572e9e592da219
                              • Opcode Fuzzy Hash: 32f55c20c8e17e7084bc6d5cf4eebd07ec7162706a3819bd0cdbd2e2e0d47b08
                              • Instruction Fuzzy Hash: 77516936E09EA281F710BB55E85067AEAA6BF48B90FE44431DD1C97795CE3CE841C720

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: signal
                              • String ID: CCG
                              • API String ID: 1946981877-1584390748
                              • Opcode ID: bee6fa8d8bd77e57e6f40c5e4f9f5187d2327c2bcb5a54c27fe908d04117a730
                              • Instruction ID: f708a1949a43a31d5fe9f006731ee8b15127ce2098fe44342e630e2a9d9e6fc7
                              • Opcode Fuzzy Hash: bee6fa8d8bd77e57e6f40c5e4f9f5187d2327c2bcb5a54c27fe908d04117a730
                              • Instruction Fuzzy Hash: 1D21ED61E0CDA606FE6872E58440379AA81BF59770FB84536DA3DC33D5CD1EA881C233

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: memset
                              • String ID: @$BIN
                              • API String ID: 2221118986-1916819016
                              • Opcode ID: 1a268847dd2997d4c8cab54aa74c89ad69d0630918c7081ed8d1475344bec58a
                              • Instruction ID: 83b161c53b02419e5038aa1079d24fae1c77d8f05e164cc33302cf12c842c9ce
                              • Opcode Fuzzy Hash: 1a268847dd2997d4c8cab54aa74c89ad69d0630918c7081ed8d1475344bec58a
                              • Instruction Fuzzy Hash: 0FB117A2714BC48ADBB08F26D8803DA77A1F748B88F508029DF4C8BB68DF39D605C714
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580609473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_oaUNY8P657.jbxd
                              Similarity
                              • API ID:
                              • String ID: J4@
                              • API String ID: 0-1337615203
                              • Opcode ID: 96e0d14de975b23d2a02d8a1b8cb844d9f3b8914b3a0ea00572b5feefccb13d3
                              • Instruction ID: c981a641303732ace0aaf0e6c1c78286eb5573bbc2f65ce16192af0868213e14
                              • Opcode Fuzzy Hash: 96e0d14de975b23d2a02d8a1b8cb844d9f3b8914b3a0ea00572b5feefccb13d3
                              • Instruction Fuzzy Hash: 22727A62B021744CD764AB7348616BC3BE23749B89BC104EBBD8EA77D6DE3C8648D711
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580609473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_oaUNY8P657.jbxd
                              Similarity
                              • API ID:
                              • String ID: J4@
                              • API String ID: 0-1337615203
                              • Opcode ID: 15f1cfc02df9505c01b21163f0f9ad1386d541124ebb7241b7cc116e2e865f36
                              • Instruction ID: b219ce202b3ac3bb6170aebe5e642140a1c9ba396f9e901d59a5659491273e33
                              • Opcode Fuzzy Hash: 15f1cfc02df9505c01b21163f0f9ad1386d541124ebb7241b7cc116e2e865f36
                              • Instruction Fuzzy Hash: A8727A62B021744CD764AB7348616BC3BE23749B89BC104EBBD8EA77C6DE3C8648D711
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580609473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_oaUNY8P657.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 488d05d2e00176244e08c952148f5a4d12672dc47efef7bd7a6bb70b34a9e1ea
                              • Instruction ID: 4f068ff08c00f4e3ad025d9a024324002f699c1077911d1bedfd12ad2dd1a57b
                              • Opcode Fuzzy Hash: 488d05d2e00176244e08c952148f5a4d12672dc47efef7bd7a6bb70b34a9e1ea
                              • Instruction Fuzzy Hash: FF614483F0D2E45DDB15877700B22BD3FB1965674A34584D7EFEA5278AC92C8316E720
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580609473.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_400000_oaUNY8P657.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5bed407f06197039d59fc6cf7541387df823bbabef7276a6b05298a082b3880c
                              • Instruction ID: 84ad7b54dd490618384922845c40554ef0ed41b810b90c3e4d7872b41251fe2e
                              • Opcode Fuzzy Hash: 5bed407f06197039d59fc6cf7541387df823bbabef7276a6b05298a082b3880c
                              • Instruction Fuzzy Hash: 0E613383F0D2E41DDB5587B700B22BD3FB19A5674A34584D7EFEA5278AC92C8316E720

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FF78CB21E21,?,?,?,?,?,?,00007FF78CB24588,00000000,?), ref: 00007FF78CB21CA0
                              • VirtualQuery.KERNEL32 ref: 00007FF78CB21D6B
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: QueryVirtual__acrt_iob_func
                              • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                              • API String ID: 4109086920-1534286854
                              • Opcode ID: 113019b010cfdea372466ba8fa872585d3c6fd2c84baa86eb644bb16eb746e1d
                              • Instruction ID: ff3716b0fe8d5be1a6bb08e7e731458547dccb9a6e70b6cd0d7a490e5b0c20bd
                              • Opcode Fuzzy Hash: 113019b010cfdea372466ba8fa872585d3c6fd2c84baa86eb644bb16eb746e1d
                              • Instruction Fuzzy Hash: 1151B232A08EA681EA10AF51E8406AAFF61FF88BE4FE44135DE4C57394DE3CE955C710

                              Control-flow Graph

                              APIs
                              • VirtualProtect.KERNEL32(00007FF78CB27040,00007FF78CB27048,00000001,?,?,?,?,000086E8,00007FF78CB21228,?,?,?,00007FF78CB21406), ref: 00007FF78CB2202D
                              Strings
                              • Unknown pseudo relocation bit size %d., xrefs: 00007FF78CB22176
                              • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF78CB22094
                              • Unknown pseudo relocation protocol version %d., xrefs: 00007FF78CB22182
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                              • API String ID: 544645111-1286557213
                              • Opcode ID: 5b7a8940f0fc2f72f6df61a936c333ae77e306589e620a94ed3973a55f756175
                              • Instruction ID: 0a21b36cf9d2c26a679dc60d7c226859b511e6a4ad9cce14ed10b26393f81795
                              • Opcode Fuzzy Hash: 5b7a8940f0fc2f72f6df61a936c333ae77e306589e620a94ed3973a55f756175
                              • Instruction Fuzzy Hash: 6691B221E09DE281EA20BB65D80067AEA51BF50B74FA48231DE3C577D8DE3CEC01C621

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func
                              • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 711238415-3474627141
                              • Opcode ID: ec1d69525b6318d8d8343cc1e8a892cdd36d554898d484f33c722af1ba2e46a4
                              • Instruction ID: 44f23e910d339e99c2b28e2139d0dc3750215f4da971c289a08eba3e6c337eaf
                              • Opcode Fuzzy Hash: ec1d69525b6318d8d8343cc1e8a892cdd36d554898d484f33c722af1ba2e46a4
                              • Instruction Fuzzy Hash: 1501C862908ED8C2D6169F1CE8011FAB774FFA975AF645321EB8C26620DF29D543C700

                              Control-flow Graph

                              control_flow_graph 426 7ff78cb21be0-7ff78cb21be7 __acrt_iob_func call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-2713391170
                              • Opcode ID: 275f23618c2c71a317faf6ece10275cdf799d050ef905744da1420987ee42d9f
                              • Instruction ID: 5b91ca78ffc2b901313be918a5cc18d6896f57fd8f62e85a12595744ea4d5927
                              • Opcode Fuzzy Hash: 275f23618c2c71a317faf6ece10275cdf799d050ef905744da1420987ee42d9f
                              • Instruction Fuzzy Hash: E5F06213808E9482D2129F18A8001BBB774FF5E799FA55326EB8D26565DF2CD643C710

                              Control-flow Graph

                              control_flow_graph 430 7ff78cb21bf0-7ff78cb21bf7 __acrt_iob_func call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-4283191376
                              • Opcode ID: 1e6cd7a9a68ac3fafb46bace25494c5a3b24ec7900b807ee99d48c331c04c5e1
                              • Instruction ID: 64e63e800f1247fcb4e961c8e923794a11b1fec15b7733fe74fcdd8a2f52ba91
                              • Opcode Fuzzy Hash: 1e6cd7a9a68ac3fafb46bace25494c5a3b24ec7900b807ee99d48c331c04c5e1
                              • Instruction Fuzzy Hash: BDF06213908E9482D2129F18A8001BBB774FF5E799FA55326EF8D26565DF2CD643C710

                              Control-flow Graph

                              control_flow_graph 434 7ff78cb21c00-7ff78cb21c07 __acrt_iob_func call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-4064033741
                              • Opcode ID: 18d51c6244cb12bc5dd4f04bc353c537416c76c0457ae9358e107e74a2576210
                              • Instruction ID: 494a6e32aed9c5ee5f0865d97229b414683dccaea898b96aca9a5b85cdab806e
                              • Opcode Fuzzy Hash: 18d51c6244cb12bc5dd4f04bc353c537416c76c0457ae9358e107e74a2576210
                              • Instruction Fuzzy Hash: 6DF0C213808E9482D2029F18A8000BBB770FF5E799FA45326EB8D26424DF2CD643C710

                              Control-flow Graph

                              control_flow_graph 438 7ff78cb21c10-7ff78cb21c17 __acrt_iob_func call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-2187435201
                              • Opcode ID: 4965a13a53480363231e51f40e8bd960487f6ca1a47a5ae8a120c30841ef4640
                              • Instruction ID: de25ed8f7e6b5784b0ad41b5b69ff7d825deabdf6a27835290b3d9cb8fcd6e09
                              • Opcode Fuzzy Hash: 4965a13a53480363231e51f40e8bd960487f6ca1a47a5ae8a120c30841ef4640
                              • Instruction Fuzzy Hash: 16F06213818E9482D2129F18A8000BBB770FF5E799FA55326EB8D2A565DF2CD643D710

                              Control-flow Graph

                              control_flow_graph 442 7ff78cb21c20-7ff78cb21c27 __acrt_iob_func call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-4273532761
                              • Opcode ID: dd1109fef1e44e27e33944e548427619ad9362c31daffd96fe08d1df9979e15b
                              • Instruction ID: db9c45bc4cc79fec864f17b37c45d1727cca9243e8f1b2dc42d916e4d6791d9d
                              • Opcode Fuzzy Hash: dd1109fef1e44e27e33944e548427619ad9362c31daffd96fe08d1df9979e15b
                              • Instruction Fuzzy Hash: 22F06213808E9482D2129F18A8000BBB770FF5E799FA55326EF8D26525DF2CD643D710

                              Control-flow Graph

                              control_flow_graph 446 7ff78cb21b78-7ff78cb21bde __acrt_iob_func call 7ff78cb22a70
                              APIs
                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF78CB21B98
                                • Part of subcall function 00007FF78CB22A70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF78CB22C03,?,?,00007FF78CB27040,00007FF78CB21341), ref: 00007FF78CB22A98
                              Memory Dump Source
                              • Source File: 00000003.00000002.1580956009.00007FF78CB21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78CB20000, based on PE: true
                              • Associated: 00000003.00000002.1580925542.00007FF78CB20000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1580985212.00007FF78CB23000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581010156.00007FF78CB24000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581038589.00007FF78CB28000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB2B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB44000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000003.00000002.1581068482.00007FF78CB48000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_7ff78cb20000_oaUNY8P657.jbxd
                              Similarity
                              • API ID: __acrt_iob_func__stdio_common_vfprintf
                              • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                              • API String ID: 2168557111-2468659920
                              • Opcode ID: 5c60b4d3e583521b1503455a1772254fd0060640fb2af6a87a6682de9bd8815d
                              • Instruction ID: c4a7ee88cd244ea56a9d8633b08ba0442ec2185b3a048651e0fa647e7945d326
                              • Opcode Fuzzy Hash: 5c60b4d3e583521b1503455a1772254fd0060640fb2af6a87a6682de9bd8815d
                              • Instruction Fuzzy Hash: 0DF03623918ED482D2129F28A8001ABB774FF5E799F655326EF8D3A525DF28D583C710

                              Execution Graph

                              Execution Coverage:9.6%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:100%
                              Total number of Nodes:3
                              Total number of Limit Nodes:0
                              execution_graph 3050 7ffaac487b71 3052 7ffaac487b8b CheckRemoteDebuggerPresent 3050->3052 3053 7ffaac487c2f 3052->3053

                              Control-flow Graph

                              control_flow_graph 280 7ffaac487b71-7ffaac487b89 281 7ffaac487bdb-7ffaac487c2d CheckRemoteDebuggerPresent 280->281 282 7ffaac487b8b-7ffaac487bd8 280->282 286 7ffaac487c2f 281->286 287 7ffaac487c35-7ffaac487c78 281->287 282->281 286->287
                              Memory Dump Source
                              • Source File: 00000004.00000002.1580218776.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ffaac480000_sms561F.jbxd
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0
                              • Opcode ID: ed7168e30d9c53dfbc5bec4172090893ee7dc01ef47be0087d2b1e5c92107288
                              • Instruction ID: 71d8dd0dee1af3813383e1d3f76c5100ef2f80d47b0ea57f28b837ea07d18ee8
                              • Opcode Fuzzy Hash: ed7168e30d9c53dfbc5bec4172090893ee7dc01ef47be0087d2b1e5c92107288
                              • Instruction Fuzzy Hash: B731247180871C8FDB58DF68C88A6F97BE0EF65321F04816AD489D7252DB34A846CB91